Changeset 278029 in webkit

Timestamp:

May 25, 2021 11:03:20 AM (3 years ago)

Author:

mark.lam@apple.com

Message:

Reduce Baseline JIT emitted code size for op_jfalse, op_jtrue, op_get_from_scope, op_resolve_scope.
​https://bugs.webkit.org/show_bug.cgi?id=226107

Reviewed by Saam Barati.

Benchmarking with JetStream2 and Speedometer2 on M1 Mac shows that performance is
neutral.

This patch reduces Baseline JIT emitted code side on a run of JetStream2 CLI by
another ~6.6M:

Base New Diff

BaselineJIT: 64955116 (61.946026 MB) 57991704 (55.305199 MB) 0.89x (reduction)

DFG: 36382012 (34.696590 MB) 36540652 (34.847881 MB) 1.00x

Thunk: 23217692 (22.142117 MB) 23115852 (22.044994 MB) 1.00x

InlineCache: 22228140 (21.198406 MB) 22262572 (21.231243 MB) 1.00x

FTL: 6025320 (5.746193 MB) 6164332 (5.878765 MB) 1.02x

Wasm: 2327604 (2.219776 MB) 2297036 (2.190624 MB) 0.99x

YarrJIT: 1547172 (1.475498 MB) 1522584 (1.452049 MB) 0.98x

CSSJIT: 0 0

Uncategorized: 0 0

Cumulative diff since the start of this effort to reduce Baseline JIT code size:

Base New Diff

BaselineJIT: 89089964 (84.962811 MB) 57991704 (55.305199 MB) 0.65x (reduction)

DFG: 39117360 (37.305222 MB) 36540652 (34.847881 MB) 0.93x (reduction)

Thunk: 23230968 (22.154778 MB) 23115852 (22.044994 MB) 1.00x

InlineCache: 22027416 (21.006981 MB) 22262572 (21.231243 MB) 1.01x

FTL: 6575772 (6.271145 MB) 6164332 (5.878765 MB) 0.94x (reduction)

Wasm: 2302724 (2.196049 MB) 2297036 (2.190624 MB) 1.00x

YarrJIT: 1538956 (1.467663 MB) 1522584 (1.452049 MB) 0.99x

CSSJIT: 0 0

Uncategorized: 0 0

• bytecode/CodeBlock.h:

(JSC::CodeBlock::offsetInMetadataTable):
(JSC::CodeBlock::offsetOfMetadataTable):

• jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::branchIfValue):

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::branchIfTruthy):
(JSC::AssemblyHelpers::branchIfFalsey):

• jit/JIT.cpp:

(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_jfalse):
(JSC::JIT::valueIsFalseyGenerator):
(JSC::JIT::emit_op_jtrue):
(JSC::JIT::valueIsTruthyGenerator):

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• jit/JITOperations.h:
• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_resolve_scope):
(JSC::JIT::generateOpResolveScopeThunk):
(JSC::JIT::slow_op_resolve_scopeGenerator):
(JSC::JIT::emitSlow_op_get_from_scope):
(JSC::JIT::emit_op_get_from_scope):
(JSC::JIT::generateOpGetFromScopeThunk):
(JSC::JIT::slow_op_get_from_scopeGenerator):

• jit/ThunkGenerators.cpp:

(JSC::popThunkStackPreservesAndHandleExceptionGenerator):

• runtime/GetPutInfo.h:
• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::offsetOfGlobalLexicalEnvironment):
(JSC::JSGlobalObject::offsetOfGlobalLexicalBindingEpoch):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/CodeBlock.h (modified) (2 diffs)
• jit/AssemblyHelpers.cpp (modified) (2 diffs)
• jit/AssemblyHelpers.h (modified) (2 diffs)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JIT.h (modified) (3 diffs)
• jit/JITOpcodes.cpp (modified) (2 diffs)
• jit/JITOperations.cpp (modified) (1 diff)
• jit/JITOperations.h (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (8 diffs)
• jit/ThunkGenerators.cpp (modified) (1 diff)
• runtime/GetPutInfo.h (modified) (2 diffs)
• runtime/JSGlobalObject.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-05-25  Mark Lam  <mark.lam@apple.com>
+
+        Reduce Baseline JIT emitted code size for op_jfalse, op_jtrue, op_get_from_scope, op_resolve_scope.
+        https://bugs.webkit.org/show_bug.cgi?id=226107
+
+        Reviewed by Saam Barati.
+
+        Benchmarking with JetStream2 and Speedometer2 on M1 Mac shows that performance is
+        neutral.
+
+        This patch reduces Baseline JIT emitted code side on a run of JetStream2 CLI by
+        another ~6.6M:
+                        Base                     New                      Diff
+
+           BaselineJIT: 64955116 (61.946026 MB)  57991704 (55.305199 MB)  0.89x (reduction)
+                   DFG: 36382012 (34.696590 MB)  36540652 (34.847881 MB)  1.00x
+                 Thunk: 23217692 (22.142117 MB)  23115852 (22.044994 MB)  1.00x
+           InlineCache: 22228140 (21.198406 MB)  22262572 (21.231243 MB)  1.00x
+                   FTL: 6025320 (5.746193 MB)    6164332 (5.878765 MB)    1.02x
+                  Wasm: 2327604 (2.219776 MB)    2297036 (2.190624 MB)    0.99x
+               YarrJIT: 1547172 (1.475498 MB)    1522584 (1.452049 MB)    0.98x
+                CSSJIT: 0                        0
+         Uncategorized: 0                        0
+
+        Cumulative diff since the start of this effort to reduce Baseline JIT code size:
+
+                        Base                     New                      Diff
+
+           BaselineJIT: 89089964 (84.962811 MB)  57991704 (55.305199 MB)  0.65x (reduction)
+                   DFG: 39117360 (37.305222 MB)  36540652 (34.847881 MB)  0.93x (reduction)
+                 Thunk: 23230968 (22.154778 MB)  23115852 (22.044994 MB)  1.00x
+           InlineCache: 22027416 (21.006981 MB)  22262572 (21.231243 MB)  1.01x
+                   FTL: 6575772 (6.271145 MB)    6164332 (5.878765 MB)    0.94x (reduction)
+                  Wasm: 2302724 (2.196049 MB)    2297036 (2.190624 MB)    1.00x
+               YarrJIT: 1538956 (1.467663 MB)    1522584 (1.452049 MB)    0.99x
+                CSSJIT: 0                        0
+         Uncategorized: 0                        0
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::offsetInMetadataTable):
+        (JSC::CodeBlock::offsetOfMetadataTable):
+        * jit/AssemblyHelpers.cpp:
+        (JSC::AssemblyHelpers::branchIfValue):
+        * jit/AssemblyHelpers.h:
+        (JSC::AssemblyHelpers::branchIfTruthy):
+        (JSC::AssemblyHelpers::branchIfFalsey):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_jfalse):
+        (JSC::JIT::valueIsFalseyGenerator):
+        (JSC::JIT::emit_op_jtrue):
+        (JSC::JIT::valueIsTruthyGenerator):
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_resolve_scope):
+        (JSC::JIT::generateOpResolveScopeThunk):
+        (JSC::JIT::slow_op_resolve_scopeGenerator):
+        (JSC::JIT::emitSlow_op_get_from_scope):
+        (JSC::JIT::emit_op_get_from_scope):
+        (JSC::JIT::generateOpGetFromScopeThunk):
+        (JSC::JIT::slow_op_get_from_scopeGenerator):
+        * jit/ThunkGenerators.cpp:
+        (JSC::popThunkStackPreservesAndHandleExceptionGenerator):
+        * runtime/GetPutInfo.h:
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::offsetOfGlobalLexicalEnvironment):
+        (JSC::JSGlobalObject::offsetOfGlobalLexicalBindingEpoch):
+
 2021-05-24  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

@@ -891 +891 @@
     }
 
+    template<typename Metadata>
+    ptrdiff_t offsetInMetadataTable(Metadata* metadata)
+    {
+        return bitwise_cast<uint8_t*>(metadata) - bitwise_cast<uint8_t*>(metadataTable());
+    }
+
     size_t metadataSizeInBytes()
     {
@@ -899 +905 @@
     const void* instructionsRawPointer() { return m_instructionsRawPointer; }
 
+    static ptrdiff_t offsetOfMetadataTable() { return OBJECT_OFFSETOF(CodeBlock, m_metadata); }
     static ptrdiff_t offsetOfInstructionsRawPointer() { return OBJECT_OFFSETOF(CodeBlock, m_instructionsRawPointer); }
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -798 +798 @@
 }
 
-AssemblyHelpers::JumpList AssemblyHelpers::branchIfValue(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg valueAsFPR, FPRReg tempFPR, bool shouldCheckMasqueradesAsUndefined, JSGlobalObject* globalObject, bool invert)
+AssemblyHelpers::JumpList AssemblyHelpers::branchIfValue(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg valueAsFPR, FPRReg tempFPR, bool shouldCheckMasqueradesAsUndefined, Variant<JSGlobalObject*, GPRReg> globalObject, bool invert)
 {
     // Implements the following control flow structure:
@@ -830 +830 @@
         isNotMasqueradesAsUndefined.append(branchTest8(Zero, Address(value.payloadGPR(), JSCell::typeInfoFlagsOffset()), TrustedImm32(MasqueradesAsUndefined)));
         emitLoadStructure(vm, value.payloadGPR(), scratch, scratchIfShouldCheckMasqueradesAsUndefined);
-        move(TrustedImmPtr(globalObject), scratchIfShouldCheckMasqueradesAsUndefined);
+        if (WTF::holds_alternative<JSGlobalObject*>(globalObject))
+            move(TrustedImmPtr(WTF::get<JSGlobalObject*>(globalObject)), scratchIfShouldCheckMasqueradesAsUndefined);
+        else
+            move(WTF::get<GPRReg>(globalObject), scratchIfShouldCheckMasqueradesAsUndefined);
         isNotMasqueradesAsUndefined.append(branchPtr(NotEqual, Address(scratch, Structure::globalObjectOffset()), scratchIfShouldCheckMasqueradesAsUndefined));
 

trunk/Source/JavaScriptCore/jit/AssemblyHelpers.h

@@ -45 +45 @@
 #include "TypeofType.h"
 #include "VM.h"
+#include <wtf/Variant.h>
 
 namespace JSC {
@@ -1897 +1898 @@
     }
 
-    JumpList branchIfValue(VM&, JSValueRegs, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg, FPRReg, bool shouldCheckMasqueradesAsUndefined, JSGlobalObject*, bool negateResult);
-    JumpList branchIfTruthy(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg scratchFPR0, FPRReg scratchFPR1, bool shouldCheckMasqueradesAsUndefined, JSGlobalObject* globalObject)
+    JumpList branchIfValue(VM&, JSValueRegs, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg, FPRReg, bool shouldCheckMasqueradesAsUndefined, Variant<JSGlobalObject*, GPRReg>, bool negateResult);
+    JumpList branchIfTruthy(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg scratchFPR0, FPRReg scratchFPR1, bool shouldCheckMasqueradesAsUndefined, Variant<JSGlobalObject*, GPRReg> globalObject)
     {
         return branchIfValue(vm, value, scratch, scratchIfShouldCheckMasqueradesAsUndefined, scratchFPR0, scratchFPR1, shouldCheckMasqueradesAsUndefined, globalObject, false);
     }
-    JumpList branchIfFalsey(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg scratchFPR0, FPRReg scratchFPR1, bool shouldCheckMasqueradesAsUndefined, JSGlobalObject* globalObject)
+    JumpList branchIfFalsey(VM& vm, JSValueRegs value, GPRReg scratch, GPRReg scratchIfShouldCheckMasqueradesAsUndefined, FPRReg scratchFPR0, FPRReg scratchFPR1, bool shouldCheckMasqueradesAsUndefined, Variant<JSGlobalObject*, GPRReg> globalObject)
     {
         return branchIfValue(vm, value, scratch, scratchIfShouldCheckMasqueradesAsUndefined, scratchFPR0, scratchFPR1, shouldCheckMasqueradesAsUndefined, globalObject, true);

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -590 +590 @@
         DEFINE_SLOWCASE_OP(op_sub)
         DEFINE_SLOWCASE_OP(op_has_enumerable_indexed_property)
+#if !ENABLE(EXTRA_CTI_THUNKS)
         DEFINE_SLOWCASE_OP(op_get_from_scope)
+#endif
         DEFINE_SLOWCASE_OP(op_put_to_scope)
 
@@ -625 +627 @@
         DEFINE_SLOWCASE_SLOW_OP(has_own_structure_property)
         DEFINE_SLOWCASE_SLOW_OP(in_structure_property)
+#if !ENABLE(EXTRA_CTI_THUNKS)
         DEFINE_SLOWCASE_SLOW_OP(resolve_scope)
+#endif
         DEFINE_SLOWCASE_SLOW_OP(check_tdz)
         DEFINE_SLOWCASE_SLOW_OP(to_property_key)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -731 +731 @@
         void emit_op_get_from_arguments(const Instruction*);
         void emit_op_put_to_arguments(const Instruction*);
+#if !ENABLE(EXTRA_CTI_THUNKS)
         void emitSlow_op_get_from_scope(const Instruction*, Vector<SlowCaseEntry>::iterator&);
+#endif
         void emitSlow_op_put_to_scope(const Instruction*, Vector<SlowCaseEntry>::iterator&);
 
@@ -797 +799 @@
         static MacroAssemblerCodeRef<JITThunkPtrTag> slow_op_put_private_name_prepareCallGenerator(VM&);
         static MacroAssemblerCodeRef<JITThunkPtrTag> slow_op_put_to_scopeGenerator(VM&);
+        static MacroAssemblerCodeRef<JITThunkPtrTag> slow_op_resolve_scopeGenerator(VM&);
 
         static MacroAssemblerCodeRef<JITThunkPtrTag> op_check_traps_handlerGenerator(VM&);
@@ -802 +805 @@
         static MacroAssemblerCodeRef<JITThunkPtrTag> op_ret_handlerGenerator(VM&);
         static MacroAssemblerCodeRef<JITThunkPtrTag> op_throw_handlerGenerator(VM&);
-#endif
+
+        static constexpr bool thunkIsUsedForOpGetFromScope(ResolveType resolveType)
+        {
+            // GlobalVar because it is more efficient to emit inline than use a thunk.
+            // LocalClosureVar and ModuleVar because we don't use these types with op_get_from_scope.
+            return !(resolveType == GlobalVar || resolveType == LocalClosureVar || resolveType == ModuleVar);
+        }
+
+#define DECLARE_GET_FROM_SCOPE_GENERATOR(resolveType) \
+        static MacroAssemblerCodeRef<JITThunkPtrTag> op_get_from_scope_##resolveType##Generator(VM&);
+        FOR_EACH_RESOLVE_TYPE(DECLARE_GET_FROM_SCOPE_GENERATOR)
+#undef DECLARE_GET_FROM_SCOPE_GENERATOR
+
+        MacroAssemblerCodeRef<JITThunkPtrTag> generateOpGetFromScopeThunk(ResolveType, const char* thunkName);
+
+        static constexpr bool thunkIsUsedForOpResolveScope(ResolveType resolveType)
+        {
+            // ModuleVar because it is more efficient to emit inline than use a thunk.
+            // LocalClosureVar because we don't use these types with op_resolve_scope.
+            return !(resolveType == LocalClosureVar || resolveType == ModuleVar);
+        }
+
+#define DECLARE_RESOLVE_SCOPE_GENERATOR(resolveType) \
+        static MacroAssemblerCodeRef<JITThunkPtrTag> op_resolve_scope_##resolveType##Generator(VM&);
+        FOR_EACH_RESOLVE_TYPE(DECLARE_RESOLVE_SCOPE_GENERATOR)
+#undef DECLARE_RESOLVE_SCOPE_GENERATOR
+
+        MacroAssemblerCodeRef<JITThunkPtrTag> generateOpResolveScopeThunk(ResolveType, const char* thunkName);
+
+        static MacroAssemblerCodeRef<JITThunkPtrTag> valueIsFalseyGenerator(VM&);
+        static MacroAssemblerCodeRef<JITThunkPtrTag> valueIsTruthyGenerator(VM&);
+
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
         Jump getSlowCase(Vector<SlowCaseEntry>::iterator& iter)

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -448 +448 @@
     unsigned target = jumpTarget(currentInstruction, bytecode.m_targetLabel);
 
-    GPRReg value = regT0;
-    GPRReg scratch1 = regT1;
-    GPRReg scratch2 = regT2;
-    bool shouldCheckMasqueradesAsUndefined = true;
+    constexpr GPRReg value = regT0;
 
     emitGetVirtualRegister(bytecode.m_condition, value);
+#if !ENABLE(EXTRA_CTI_THUNKS)
+    constexpr GPRReg scratch1 = regT1;
+    constexpr GPRReg scratch2 = regT2;
+    constexpr bool shouldCheckMasqueradesAsUndefined = true;
     addJump(branchIfFalsey(vm(), JSValueRegs(value), scratch1, scratch2, fpRegT0, fpRegT1, shouldCheckMasqueradesAsUndefined, m_codeBlock->globalObject()), target);
-}
+#else
+    emitNakedNearCall(vm().getCTIStub(valueIsFalseyGenerator).retaggedCode<NoPtrTag>());
+    addJump(branchTest32(NonZero, regT0), target);
+#endif
+}
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::valueIsFalseyGenerator(VM& vm)
+{
+    // The thunk generated by this function can only work with the LLInt / Baseline JIT because
+    // it makes assumptions about the right globalObject being available from CallFrame::codeBlock().
+    // DFG/FTL may inline functions belonging to other globalObjects, which may not match
+    // CallFrame::codeBlock().
+    JIT jit(vm);
+
+    constexpr GPRReg value = regT0;
+    constexpr GPRReg scratch1 = regT1;
+    constexpr GPRReg scratch2 = regT2;
+    constexpr bool shouldCheckMasqueradesAsUndefined = true;
+
+    jit.tagReturnAddress();
+
+    constexpr GPRReg globalObjectGPR = regT3;
+    jit.loadPtr(addressFor(CallFrameSlot::codeBlock), globalObjectGPR);
+    jit.loadPtr(Address(globalObjectGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
+    auto isFalsey = jit.branchIfFalsey(vm, JSValueRegs(value), scratch1, scratch2, fpRegT0, fpRegT1, shouldCheckMasqueradesAsUndefined, globalObjectGPR);
+    jit.move(TrustedImm32(0), regT0);
+    Jump done = jit.jump();
+
+    isFalsey.link(&jit);
+    jit.move(TrustedImm32(1), regT0);
+
+    done.link(&jit);
+    jit.ret();
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "Baseline: valueIsfalsey");
+}
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 void JIT::emit_op_jeq_null(const Instruction* currentInstruction)
@@ -569 +608 @@
     unsigned target = jumpTarget(currentInstruction, bytecode.m_targetLabel);
 
-    GPRReg value = regT0;
-    GPRReg scratch1 = regT1;
-    GPRReg scratch2 = regT2;
-    bool shouldCheckMasqueradesAsUndefined = true;
+    constexpr GPRReg value = regT0;
+
     emitGetVirtualRegister(bytecode.m_condition, value);
+#if !ENABLE(EXTRA_CTI_THUNKS)
+    constexpr GPRReg scratch1 = regT1;
+    constexpr GPRReg scratch2 = regT2;
+    constexpr bool shouldCheckMasqueradesAsUndefined = true;
     addJump(branchIfTruthy(vm(), JSValueRegs(value), scratch1, scratch2, fpRegT0, fpRegT1, shouldCheckMasqueradesAsUndefined, m_codeBlock->globalObject()), target);
-}
+#else
+    emitNakedNearCall(vm().getCTIStub(valueIsTruthyGenerator).retaggedCode<NoPtrTag>());
+    addJump(branchTest32(NonZero, regT0), target);
+#endif
+}
+
+#if ENABLE(EXTRA_CTI_THUNKS)
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::valueIsTruthyGenerator(VM& vm)
+{
+    // The thunk generated by this function can only work with the LLInt / Baseline JIT because
+    // it makes assumptions about the right globalObject being available from CallFrame::codeBlock().
+    // DFG/FTL may inline functions belonging to other globalObjects, which may not match
+    // CallFrame::codeBlock().
+    JIT jit(vm);
+
+    constexpr GPRReg value = regT0;
+    constexpr GPRReg scratch1 = regT1;
+    constexpr GPRReg scratch2 = regT2;
+    constexpr bool shouldCheckMasqueradesAsUndefined = true;
+
+    jit.tagReturnAddress();
+
+    constexpr GPRReg globalObjectGPR = regT3;
+    jit.loadPtr(addressFor(CallFrameSlot::codeBlock), globalObjectGPR);
+    jit.loadPtr(Address(globalObjectGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
+    auto isTruthy = jit.branchIfTruthy(vm, JSValueRegs(value), scratch1, scratch2, fpRegT0, fpRegT1, shouldCheckMasqueradesAsUndefined, globalObjectGPR);
+    jit.move(TrustedImm32(0), regT0);
+    Jump done = jit.jump();
+
+    isTruthy.link(&jit);
+    jit.move(TrustedImm32(1), regT0);
+
+    done.link(&jit);
+    jit.ret();
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "Baseline: valueIsfalsey");
+}
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 void JIT::emit_op_neq(const Instruction* currentInstruction)

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2899 +2899 @@
 }
 
+#if ENABLE(EXTRA_CTI_THUNKS)
+JSC_DEFINE_JIT_OPERATION(operationResolveScopeForBaseline, EncodedJSValue, (JSGlobalObject* globalObject, const Instruction* pc))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+    auto throwScope = DECLARE_THROW_SCOPE(vm);
+
+    CodeBlock* codeBlock = callFrame->codeBlock();
+
+    auto bytecode = pc->as<OpResolveScope>();
+    const Identifier& ident = codeBlock->identifier(bytecode.m_var);
+    JSScope* scope = callFrame->uncheckedR(bytecode.m_scope).Register::scope();
+    JSObject* resolvedScope = JSScope::resolve(globalObject, scope, ident);
+    // Proxy can throw an error here, e.g. Proxy in with statement's @unscopables.
+    RETURN_IF_EXCEPTION(throwScope, { });
+
+    auto& metadata = bytecode.metadata(codeBlock);
+    ResolveType resolveType = metadata.m_resolveType;
+
+    // ModuleVar does not keep the scope register value alive in DFG.
+    ASSERT(resolveType != ModuleVar);
+
+    switch (resolveType) {
+    case GlobalProperty:
+    case GlobalPropertyWithVarInjectionChecks:
+    case UnresolvedProperty:
+    case UnresolvedPropertyWithVarInjectionChecks: {
+        if (resolvedScope->isGlobalObject()) {
+            JSGlobalObject* globalObject = jsCast<JSGlobalObject*>(resolvedScope);
+            bool hasProperty = globalObject->hasProperty(globalObject, ident);
+            RETURN_IF_EXCEPTION(throwScope, { });
+            if (hasProperty) {
+                ConcurrentJSLocker locker(codeBlock->m_lock);
+                metadata.m_resolveType = needsVarInjectionChecks(resolveType) ? GlobalPropertyWithVarInjectionChecks : GlobalProperty;
+                metadata.m_globalObject.set(vm, codeBlock, globalObject);
+                metadata.m_globalLexicalBindingEpoch = globalObject->globalLexicalBindingEpoch();
+            }
+        } else if (resolvedScope->isGlobalLexicalEnvironment()) {
+            JSGlobalLexicalEnvironment* globalLexicalEnvironment = jsCast<JSGlobalLexicalEnvironment*>(resolvedScope);
+            ConcurrentJSLocker locker(codeBlock->m_lock);
+            metadata.m_resolveType = needsVarInjectionChecks(resolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar;
+            metadata.m_globalLexicalEnvironment.set(vm, codeBlock, globalLexicalEnvironment);
+        }
+        break;
+    }
+    default:
+        break;
+    }
+
+    return JSValue::encode(resolvedScope);
+}
+#endif
+
 JSC_DEFINE_JIT_OPERATION(operationGetFromScope, EncodedJSValue, (JSGlobalObject* globalObject, const Instruction* pc))
 {

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -286 +286 @@
 JSC_DECLARE_JIT_OPERATION(operationSwitchImmWithUnknownKeyType, char*, (VM*, EncodedJSValue key, size_t tableIndex, int32_t min));
 JSC_DECLARE_JIT_OPERATION(operationSwitchStringWithUnknownKeyType, char*, (JSGlobalObject*, EncodedJSValue key, size_t tableIndex));
+#if ENABLE(EXTRA_CTI_THUNKS)
+JSC_DECLARE_JIT_OPERATION(operationResolveScopeForBaseline, EncodedJSValue, (JSGlobalObject*, const Instruction* bytecodePC));
+#endif
 JSC_DECLARE_JIT_OPERATION(operationGetFromScope, EncodedJSValue, (JSGlobalObject*, const Instruction* bytecodePC));
 JSC_DECLARE_JIT_OPERATION(operationPutToScope, void, (JSGlobalObject*, const Instruction* bytecodePC));

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1590 +1590 @@
 }
 
+#if !ENABLE(EXTRA_CTI_THUNKS)
 void JIT::emit_op_resolve_scope(const Instruction* currentInstruction)
 {
@@ -1693 +1694 @@
     }
 }
+#else // ENABLE(EXTRA_CTI_THUNKS)
+
+void JIT::emit_op_resolve_scope(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpResolveScope>();
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    VirtualRegister dst = bytecode.m_dst;
+    VirtualRegister scope = bytecode.m_scope;
+    ResolveType resolveType = metadata.m_resolveType;
+
+    VM& vm = this->vm();
+    uint32_t bytecodeOffset = m_bytecodeIndex.offset();
+    ASSERT(BytecodeIndex(bytecodeOffset) == m_bytecodeIndex);
+    ASSERT(m_codeBlock->instructionAt(m_bytecodeIndex) == currentInstruction);
+
+    constexpr GPRReg metadataGPR = regT7;
+    constexpr GPRReg scopeGPR = regT6;
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
+
+    if (resolveType == ModuleVar)
+        move(TrustedImmPtr(metadata.m_lexicalEnvironment.get()), regT0);
+    else {
+        ptrdiff_t metadataOffset = m_codeBlock->offsetInMetadataTable(&metadata);
+
+#define RESOLVE_SCOPE_GENERATOR(resolveType) op_resolve_scope_##resolveType##Generator,
+        static const ThunkGenerator generators[] = {
+            FOR_EACH_RESOLVE_TYPE(RESOLVE_SCOPE_GENERATOR)
+        };
+#undef RESOLVE_SCOPE_GENERATOR
+
+        emitGetVirtualRegister(scope, scopeGPR);
+        move(TrustedImmPtr(metadataOffset), metadataGPR);
+        move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
+        emitNakedNearCall(vm.getCTIStub(generators[resolveType]).retaggedCode<NoPtrTag>());
+    }
+
+    emitPutVirtualRegister(dst);
+}
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::generateOpResolveScopeThunk(ResolveType resolveType, const char* thunkName)
+{
+    // The thunk generated by this function can only work with the LLInt / Baseline JIT because
+    // it makes assumptions about the right globalObject being available from CallFrame::codeBlock().
+    // DFG/FTL may inline functions belonging to other globalObjects, which may not match
+    // CallFrame::codeBlock().
+    using Metadata = OpResolveScope::Metadata;
+    constexpr GPRReg metadataGPR = regT7; // incoming
+    constexpr GPRReg scopeGPR = regT6; // incoming
+    constexpr GPRReg bytecodeOffsetGPR = regT5; // incoming - pass thru to slow path.
+    constexpr GPRReg globalObjectGPR = regT4;
+    UNUSED_PARAM(bytecodeOffsetGPR);
+    RELEASE_ASSERT(thunkIsUsedForOpResolveScope(resolveType));
+
+    tagReturnAddress();
+
+    loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+    loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3);
+    addPtr(regT3, metadataGPR);
+
+    JumpList slowCase;
+
+    auto emitVarInjectionCheck = [&] (bool needsVarInjectionChecks, GPRReg globalObjectGPR = InvalidGPRReg) {
+        if (!needsVarInjectionChecks)
+            return;
+        if (globalObjectGPR == InvalidGPRReg) {
+            globalObjectGPR = regT4;
+            loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+            loadPtr(Address(regT3, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
+        }
+        loadPtr(Address(globalObjectGPR, OBJECT_OFFSETOF(JSGlobalObject, m_varInjectionWatchpoint)), regT3);
+        slowCase.append(branch8(Equal, Address(regT3, WatchpointSet::offsetOfState()), TrustedImm32(IsInvalidated)));
+    };
+
+    auto emitResolveClosure = [&] (bool needsVarInjectionChecks) {
+        emitVarInjectionCheck(needsVarInjectionChecks);
+        move(scopeGPR, regT0);
+        load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_localScopeDepth)), regT1);
+
+        Label loop = label();
+        Jump done = branchTest32(Zero, regT1);
+        {
+            loadPtr(Address(regT0, JSScope::offsetOfNext()), regT0);
+            sub32(TrustedImm32(1), regT1);
+            jump().linkTo(loop, this);
+        }
+        done.link(this);
+    };
+
+    auto emitCode = [&] (ResolveType resolveType) {
+        switch (resolveType) {
+        case GlobalProperty:
+        case GlobalPropertyWithVarInjectionChecks: {
+            // JSScope::constantScopeForCodeBlock() loads codeBlock->globalObject().
+            loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+            loadPtr(Address(regT3, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
+            emitVarInjectionCheck(needsVarInjectionChecks(resolveType), globalObjectGPR);
+            load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_globalLexicalBindingEpoch)), regT1);
+            slowCase.append(branch32(NotEqual, Address(globalObjectGPR, JSGlobalObject::offsetOfGlobalLexicalBindingEpoch()), regT1));
+            move(globalObjectGPR, regT0);
+            break;
+        }
+
+        case GlobalVar:
+        case GlobalVarWithVarInjectionChecks:
+        case GlobalLexicalVar:
+        case GlobalLexicalVarWithVarInjectionChecks: {
+            // JSScope::constantScopeForCodeBlock() loads codeBlock->globalObject() for GlobalVar*,
+            // and codeBlock->globalObject()->globalLexicalEnvironment() for GlobalLexicalVar*.
+            loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+            loadPtr(Address(regT3, CodeBlock::offsetOfGlobalObject()), regT0);
+            emitVarInjectionCheck(needsVarInjectionChecks(resolveType), regT0);
+            if (resolveType == GlobalLexicalVar || resolveType == GlobalLexicalVarWithVarInjectionChecks)
+                loadPtr(Address(regT0, JSGlobalObject::offsetOfGlobalLexicalEnvironment()), regT0);
+            break;
+        }
+        case ClosureVar:
+        case ClosureVarWithVarInjectionChecks:
+            emitResolveClosure(needsVarInjectionChecks(resolveType));
+            break;
+        case Dynamic:
+            slowCase.append(jump());
+            break;
+        case LocalClosureVar:
+        case ModuleVar:
+        case UnresolvedProperty:
+        case UnresolvedPropertyWithVarInjectionChecks:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+    };
+
+    switch (resolveType) {
+    case GlobalProperty:
+    case GlobalPropertyWithVarInjectionChecks: {
+        JumpList skipToEnd;
+        load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_resolveType)), regT0);
+
+        Jump notGlobalProperty = branch32(NotEqual, regT0, TrustedImm32(resolveType));
+        emitCode(resolveType);
+        skipToEnd.append(jump());
+
+        notGlobalProperty.link(this);
+        emitCode(needsVarInjectionChecks(resolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar);
+
+        skipToEnd.link(this);
+        break;
+    }
+    case UnresolvedProperty:
+    case UnresolvedPropertyWithVarInjectionChecks: {
+        JumpList skipToEnd;
+        load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_resolveType)), regT0);
+
+        Jump notGlobalProperty = branch32(NotEqual, regT0, TrustedImm32(GlobalProperty));
+        emitCode(GlobalProperty);
+        skipToEnd.append(jump());
+        notGlobalProperty.link(this);
+
+        Jump notGlobalPropertyWithVarInjections = branch32(NotEqual, regT0, TrustedImm32(GlobalPropertyWithVarInjectionChecks));
+        emitCode(GlobalPropertyWithVarInjectionChecks);
+        skipToEnd.append(jump());
+        notGlobalPropertyWithVarInjections.link(this);
+
+        Jump notGlobalLexicalVar = branch32(NotEqual, regT0, TrustedImm32(GlobalLexicalVar));
+        emitCode(GlobalLexicalVar);
+        skipToEnd.append(jump());
+        notGlobalLexicalVar.link(this);
+
+        Jump notGlobalLexicalVarWithVarInjections = branch32(NotEqual, regT0, TrustedImm32(GlobalLexicalVarWithVarInjectionChecks));
+        emitCode(GlobalLexicalVarWithVarInjectionChecks);
+        skipToEnd.append(jump());
+        notGlobalLexicalVarWithVarInjections.link(this);
+
+        slowCase.append(jump());
+        skipToEnd.link(this);
+        break;
+    }
+
+    default:
+        emitCode(resolveType);
+        break;
+    }
+
+    ret();
+
+    LinkBuffer patchBuffer(*this, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    auto slowCaseHandler = vm().getCTIStub(slow_op_resolve_scopeGenerator);
+    patchBuffer.link(slowCase, CodeLocationLabel(slowCaseHandler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, thunkName);
+}
+
+#define DEFINE_RESOLVE_SCOPE_GENERATOR(resolveType) \
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::op_resolve_scope_##resolveType##Generator(VM& vm) \
+    { \
+        if constexpr (!thunkIsUsedForOpResolveScope(resolveType)) \
+            return { }; \
+        JIT jit(vm); \
+        return jit.generateOpResolveScopeThunk(resolveType, "Baseline: op_resolve_scope_" #resolveType); \
+    }
+FOR_EACH_RESOLVE_TYPE(DEFINE_RESOLVE_SCOPE_GENERATOR)
+#undef DEFINE_RESOLVE_SCOPE_GENERATOR
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::slow_op_resolve_scopeGenerator(VM& vm)
+{
+    // The thunk generated by this function can only work with the LLInt / Baseline JIT because
+    // it makes assumptions about the right globalObject being available from CallFrame::codeBlock().
+    // DFG/FTL may inline functions belonging to other globalObjects, which may not match
+    // CallFrame::codeBlock().
+    JIT jit(vm);
+
+    // The fast path already pushed the return address.
+#if CPU(X86_64)
+    jit.push(X86Registers::ebp);
+#elif CPU(ARM64)
+    jit.pushPair(framePointerRegister, linkRegister);
+#endif
+
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
+    jit.store32(bytecodeOffsetGPR, tagFor(CallFrameSlot::argumentCountIncludingThis));
+
+    constexpr GPRReg codeBlockGPR = argumentGPR3;
+    constexpr GPRReg globalObjectGPR = argumentGPR0;
+    constexpr GPRReg instructionGPR = argumentGPR1;
+
+    jit.loadPtr(addressFor(CallFrameSlot::codeBlock), codeBlockGPR);
+    jit.loadPtr(Address(codeBlockGPR, CodeBlock::offsetOfGlobalObject()), globalObjectGPR);
+    jit.loadPtr(Address(codeBlockGPR, CodeBlock::offsetOfInstructionsRawPointer()), instructionGPR);
+    jit.addPtr(bytecodeOffsetGPR, instructionGPR);
+
+    jit.setupArguments<decltype(operationResolveScopeForBaseline)>(globalObjectGPR, instructionGPR);
+    jit.prepareCallOperation(vm);
+    Call operation = jit.call(OperationPtrTag);
+    Jump exceptionCheck = jit.emitNonPatchableExceptionCheck(vm);
+
+#if CPU(X86_64)
+    jit.pop(X86Registers::ebp);
+#elif CPU(ARM64)
+    jit.popPair(CCallHelpers::framePointerRegister, CCallHelpers::linkRegister);
+#endif
+    jit.ret();
+
+    LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    patchBuffer.link(operation, FunctionPtr<OperationPtrTag>(operationResolveScopeForBaseline));
+    auto handler = vm.getCTIStub(popThunkStackPreservesAndHandleExceptionGenerator);
+    patchBuffer.link(exceptionCheck, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "Baseline: slow_op_resolve_scope");
+}
+#endif // ENABLE(EXTRA_CTI_THUNKS)
 
 void JIT::emitLoadWithStructureCheck(VirtualRegister scope, Structure** structureSlot)
@@ -1720 +1967 @@
 }
 
+#if !ENABLE(EXTRA_CTI_THUNKS)
 void JIT::emit_op_get_from_scope(const Instruction* currentInstruction)
 {
@@ -1845 +2093 @@
     auto& metadata = bytecode.metadata(m_codeBlock);
     VirtualRegister dst = bytecode.m_dst;
-
-#if !ENABLE(EXTRA_CTI_THUNKS)
     callOperationWithProfile(metadata, operationGetFromScope, dst, TrustedImmPtr(m_codeBlock->globalObject()), currentInstruction);
-#else
+}
+
+#else // ENABLE(EXTRA_CTI_THUNKS)
+
+void JIT::emit_op_get_from_scope(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpGetFromScope>();
+    auto& metadata = bytecode.metadata(m_codeBlock);
+    VirtualRegister dst = bytecode.m_dst;
+    VirtualRegister scope = bytecode.m_scope;
+    ResolveType resolveType = metadata.m_getPutInfo.resolveType();
+
     VM& vm = this->vm();
     uint32_t bytecodeOffset = m_bytecodeIndex.offset();
@@ -1854 +2111 @@
     ASSERT(m_codeBlock->instructionAt(m_bytecodeIndex) == currentInstruction);
 
-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR2;
-    move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
-
-    emitNakedNearCall(vm.getCTIStub(slow_op_get_from_scopeGenerator).retaggedCode<NoPtrTag>());
-
-    emitValueProfilingSite(metadata, returnValueGPR);
-    emitPutVirtualRegister(dst, returnValueGPR);
-#endif // ENABLE(EXTRA_CTI_THUNKS)
-}
-
-#if ENABLE(EXTRA_CTI_THUNKS)
+    constexpr GPRReg metadataGPR = regT7;
+    constexpr GPRReg scopeGPR = regT6;
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
+
+    if (resolveType == GlobalVar) {
+        uintptr_t* operandSlot = reinterpret_cast<uintptr_t*>(&metadata.m_operand);
+        emitGetVarFromPointer(bitwise_cast<JSValue*>(*operandSlot), regT0);
+    } else {
+        ptrdiff_t metadataOffset = m_codeBlock->offsetInMetadataTable(&metadata);
+
+#define GET_FROM_SCOPE_GENERATOR(resolveType) op_get_from_scope_##resolveType##Generator,
+        static const ThunkGenerator generators[] = {
+            FOR_EACH_RESOLVE_TYPE(GET_FROM_SCOPE_GENERATOR)
+        };
+#undef GET_FROM_SCOPE_GENERATOR
+
+        emitGetVirtualRegister(scope, scopeGPR);
+        move(TrustedImmPtr(metadataOffset), metadataGPR);
+        move(TrustedImm32(bytecodeOffset), bytecodeOffsetGPR);
+        emitNakedNearCall(vm.getCTIStub(generators[resolveType]).retaggedCode<NoPtrTag>());
+    }
+    emitPutVirtualRegister(dst);
+}
+
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::generateOpGetFromScopeThunk(ResolveType resolveType, const char* thunkName)
+{
+    // The thunk generated by this function can only work with the LLInt / Baseline JIT because
+    // it makes assumptions about the right globalObject being available from CallFrame::codeBlock().
+    // DFG/FTL may inline functions belonging to other globalObjects, which may not match
+    // CallFrame::codeBlock().
+    using Metadata = OpGetFromScope::Metadata;
+    constexpr GPRReg metadataGPR = regT7;
+    constexpr GPRReg scopeGPR = regT6;
+    RELEASE_ASSERT(thunkIsUsedForOpGetFromScope(resolveType));
+
+    tagReturnAddress();
+
+    loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+    loadPtr(Address(regT3, CodeBlock::offsetOfMetadataTable()), regT3);
+    addPtr(regT3, metadataGPR);
+
+    JumpList slowCase;
+
+    auto emitLoadWithStructureCheck = [&] (GPRReg scopeGPR, int32_t metadataStructureOffset) {
+        loadPtr(Address(metadataGPR, metadataStructureOffset), regT1);
+        move(scopeGPR, regT0);
+        slowCase.append(branchTestPtr(Zero, regT1));
+        load32(Address(regT1, Structure::structureIDOffset()), regT1);
+        slowCase.append(branch32(NotEqual, Address(regT0, JSCell::structureIDOffset()), regT1));
+    };
+
+    auto emitVarInjectionCheck = [&] (bool needsVarInjectionChecks) {
+        if (!needsVarInjectionChecks)
+            return;
+        loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+        loadPtr(Address(regT3, CodeBlock::offsetOfGlobalObject()), regT3);
+        loadPtr(Address(regT3, OBJECT_OFFSETOF(JSGlobalObject, m_varInjectionWatchpoint)), regT3);
+        slowCase.append(branch8(Equal, Address(regT3, WatchpointSet::offsetOfState()), TrustedImm32(IsInvalidated)));
+    };
+    
+    auto emitGetVarFromPointer = [&] (int32_t operand, GPRReg reg) {
+        loadPtr(Address(metadataGPR, operand), reg);
+        loadPtr(reg, reg);
+    };
+
+    auto emitGetVarFromIndirectPointer = [&] (int32_t operand, GPRReg reg) {
+        loadPtr(Address(metadataGPR, operand), reg);
+        loadPtr(reg, reg);
+    };
+
+    auto emitGetClosureVar = [&] (GPRReg scopeGPR, GPRReg operandGPR) {
+        static_assert(1 << 3 == sizeof(Register));
+        lshift64(TrustedImm32(3), operandGPR);
+        addPtr(scopeGPR, operandGPR);
+        loadPtr(Address(operandGPR, JSLexicalEnvironment::offsetOfVariables()), regT0);
+    };
+
+    auto emitCode = [&] (ResolveType resolveType, bool indirectLoadForOperand) {
+        switch (resolveType) {
+        case GlobalProperty:
+        case GlobalPropertyWithVarInjectionChecks: {
+            emitLoadWithStructureCheck(scopeGPR, OBJECT_OFFSETOF(Metadata, m_structure)); // Structure check covers var injection since we don't cache structures for anything but the GlobalObject. Additionally, resolve_scope handles checking for the var injection.
+
+            constexpr GPRReg base = regT0;
+            constexpr GPRReg result = regT0;
+            constexpr GPRReg offset = regT1;
+            constexpr GPRReg scratch = regT2;
+
+            jitAssert(scopedLambda<Jump(void)>([&] () -> Jump {
+                loadPtr(addressFor(CallFrameSlot::codeBlock), regT3);
+                loadPtr(Address(regT3, CodeBlock::offsetOfGlobalObject()), regT3);
+                return branchPtr(Equal, base, regT3);
+            }));
+
+            loadPtr(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_operand)), offset);
+            if (ASSERT_ENABLED) {
+                Jump isOutOfLine = branch32(GreaterThanOrEqual, offset, TrustedImm32(firstOutOfLineOffset));
+                abortWithReason(JITOffsetIsNotOutOfLine);
+                isOutOfLine.link(this);
+            }
+            loadPtr(Address(base, JSObject::butterflyOffset()), scratch);
+            neg32(offset);
+            signExtend32ToPtr(offset, offset);
+            load64(BaseIndex(scratch, offset, TimesEight, (firstOutOfLineOffset - 2) * sizeof(EncodedJSValue)), result);
+            break;
+        }
+        case GlobalVar:
+        case GlobalVarWithVarInjectionChecks:
+        case GlobalLexicalVar:
+        case GlobalLexicalVarWithVarInjectionChecks:
+            emitVarInjectionCheck(needsVarInjectionChecks(resolveType));
+            if (indirectLoadForOperand)
+                emitGetVarFromIndirectPointer(OBJECT_OFFSETOF(Metadata, m_operand), regT0);
+            else
+                emitGetVarFromPointer(OBJECT_OFFSETOF(Metadata, m_operand), regT0);
+            if (resolveType == GlobalLexicalVar || resolveType == GlobalLexicalVarWithVarInjectionChecks) // TDZ check.
+                slowCase.append(branchIfEmpty(regT0));
+            break;
+        case ClosureVar:
+        case ClosureVarWithVarInjectionChecks:
+            emitVarInjectionCheck(needsVarInjectionChecks(resolveType));
+            loadPtr(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_operand)), regT3);
+            emitGetClosureVar(scopeGPR, regT3);
+            break;
+        case Dynamic:
+            slowCase.append(jump());
+            break;
+        case LocalClosureVar:
+        case ModuleVar:
+        case UnresolvedProperty:
+        case UnresolvedPropertyWithVarInjectionChecks:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
+    };
+
+    switch (resolveType) {
+    case GlobalProperty:
+    case GlobalPropertyWithVarInjectionChecks: {
+        JumpList skipToEnd;
+        load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_getPutInfo)), regT0);
+        and32(TrustedImm32(GetPutInfo::typeBits), regT0); // Load ResolveType into T0
+
+        Jump isNotGlobalProperty = branch32(NotEqual, regT0, TrustedImm32(resolveType));
+        emitCode(resolveType, false);
+        skipToEnd.append(jump());
+
+        isNotGlobalProperty.link(this);
+        emitCode(needsVarInjectionChecks(resolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar, true);
+
+        skipToEnd.link(this);
+        break;
+    }
+    case UnresolvedProperty:
+    case UnresolvedPropertyWithVarInjectionChecks: {
+        JumpList skipToEnd;
+        load32(Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_getPutInfo)), regT0);
+        and32(TrustedImm32(GetPutInfo::typeBits), regT0); // Load ResolveType into T0
+
+        Jump isGlobalProperty = branch32(Equal, regT0, TrustedImm32(GlobalProperty));
+        Jump notGlobalPropertyWithVarInjections = branch32(NotEqual, regT0, TrustedImm32(GlobalPropertyWithVarInjectionChecks));
+        isGlobalProperty.link(this);
+        emitCode(GlobalProperty, false);
+        skipToEnd.append(jump());
+        notGlobalPropertyWithVarInjections.link(this);
+
+        Jump notGlobalLexicalVar = branch32(NotEqual, regT0, TrustedImm32(GlobalLexicalVar));
+        emitCode(GlobalLexicalVar, true);
+        skipToEnd.append(jump());
+        notGlobalLexicalVar.link(this);
+
+        Jump notGlobalLexicalVarWithVarInjections = branch32(NotEqual, regT0, TrustedImm32(GlobalLexicalVarWithVarInjectionChecks));
+        emitCode(GlobalLexicalVarWithVarInjectionChecks, true);
+        skipToEnd.append(jump());
+        notGlobalLexicalVarWithVarInjections.link(this);
+
+        slowCase.append(jump());
+
+        skipToEnd.link(this);
+        break;
+    }
+
+    default:
+        emitCode(resolveType, false);
+        break;
+    }
+
+    static_assert(ValueProfile::numberOfBuckets == 1);
+    store64(regT0, Address(metadataGPR, OBJECT_OFFSETOF(Metadata, m_profile)));
+
+    ret();
+
+    LinkBuffer patchBuffer(*this, GLOBAL_THUNK_ID, LinkBuffer::Profile::Thunk);
+    auto slowCaseHandler = vm().getCTIStub(slow_op_get_from_scopeGenerator);
+    patchBuffer.link(slowCase, CodeLocationLabel(slowCaseHandler.retaggedCode<NoPtrTag>()));
+    return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, thunkName);
+}
+
+#define DEFINE_GET_FROM_SCOPE_GENERATOR(resolveType) \
+MacroAssemblerCodeRef<JITThunkPtrTag> JIT::op_get_from_scope_##resolveType##Generator(VM& vm) \
+    { \
+        if constexpr (!thunkIsUsedForOpGetFromScope(resolveType)) \
+            return { }; \
+        JIT jit(vm); \
+        return jit.generateOpGetFromScopeThunk(resolveType, "Baseline: op_get_from_scope_" #resolveType); \
+    }
+FOR_EACH_RESOLVE_TYPE(DEFINE_GET_FROM_SCOPE_GENERATOR)
+#undef DEFINE_GET_FROM_SCOPE_GENERATOR
+
 MacroAssemblerCodeRef<JITThunkPtrTag> JIT::slow_op_get_from_scopeGenerator(VM& vm)
 {
@@ -1876 +2330 @@
     jit.push(X86Registers::ebp);
 #elif CPU(ARM64)
-    jit.tagReturnAddress();
     jit.pushPair(framePointerRegister, linkRegister);
 #endif
 
-    constexpr GPRReg bytecodeOffsetGPR = argumentGPR2;
+    using Metadata = OpGetFromScope::Metadata;
+    constexpr GPRReg metadataGPR = regT7;
+    constexpr GPRReg bytecodeOffsetGPR = regT5;
     jit.store32(bytecodeOffsetGPR, tagFor(CallFrameSlot::argumentCountIncludingThis));
 
@@ -1892 +2347 @@
     jit.addPtr(bytecodeOffsetGPR, instructionGPR);
 
+    ASSERT(RegisterSet::calleeSaveRegisters().contains(GPRInfo::numberTagRegister));
+    jit.move(metadataGPR, GPRInfo::numberTagRegister); // Preserve metadata in a callee saved register.
     jit.setupArguments<decltype(operationGetFromScope)>(globalObjectGPR, instructionGPR);
     jit.prepareCallOperation(vm);
-    CCallHelpers::Call operation = jit.call(OperationPtrTag);
-    CCallHelpers::Jump exceptionCheck = jit.emitNonPatchableExceptionCheck(vm);
+    Call operation = jit.call(OperationPtrTag);
+    Jump exceptionCheck = jit.emitNonPatchableExceptionCheck(vm);
+
+    jit.store64(regT0, Address(GPRInfo::numberTagRegister, OBJECT_OFFSETOF(Metadata, m_profile)));
+    jit.move(TrustedImm64(JSValue::NumberTag), GPRInfo::numberTagRegister);
 
 #if CPU(X86_64)
@@ -1904 +2364 @@
     jit.ret();
 
+    exceptionCheck.link(&jit);
+    jit.move(TrustedImm64(JSValue::NumberTag), GPRInfo::numberTagRegister);
+    Jump jumpToHandler = jit.jump();
+
     LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::ExtraCTIThunk);
     patchBuffer.link(operation, FunctionPtr<OperationPtrTag>(operationGetFromScope));
     auto handler = vm.getCTIStub(popThunkStackPreservesAndHandleExceptionGenerator);
-    patchBuffer.link(exceptionCheck, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
+    patchBuffer.link(jumpToHandler, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
     return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "Baseline: slow_op_get_from_scope");
 }

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -92 +92 @@
     LinkBuffer patchBuffer(jit, GLOBAL_THUNK_ID, LinkBuffer::Profile::ExtraCTIThunk);
     auto handler = vm.getCTIStub(handleExceptionGenerator);
-    RELEASE_ASSERT(handler);
     patchBuffer.link(continuation, CodeLocationLabel(handler.retaggedCode<NoPtrTag>()));
     return FINALIZE_CODE(patchBuffer, JITThunkPtrTag, "popThunkStackPreservesAndHandleException");

trunk/Source/JavaScriptCore/runtime/GetPutInfo.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2015-2020 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2015-2021 Apple Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -40 +40 @@
 };
 
+#define FOR_EACH_RESOLVE_TYPE(v) \
+    v(GlobalProperty) \
+    v(GlobalVar) \
+    v(GlobalLexicalVar) \
+    v(ClosureVar) \
+    v(LocalClosureVar) \
+    v(ModuleVar) \
+    v(GlobalPropertyWithVarInjectionChecks) \
+    v(GlobalVarWithVarInjectionChecks) \
+    v(GlobalLexicalVarWithVarInjectionChecks) \
+    v(ClosureVarWithVarInjectionChecks) \
+    v(UnresolvedProperty) \
+    v(UnresolvedPropertyWithVarInjectionChecks) \
+    v(Dynamic)
+
 enum ResolveType : unsigned {
     // Lexical scope guaranteed a certain type of variable access.

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -884 +884 @@
 
     static ptrdiff_t offsetOfVM() { return OBJECT_OFFSETOF(JSGlobalObject, m_vm); }
+    static ptrdiff_t offsetOfGlobalLexicalEnvironment() { return OBJECT_OFFSETOF(JSGlobalObject, m_globalLexicalEnvironment); }
+    static ptrdiff_t offsetOfGlobalLexicalBindingEpoch() { return OBJECT_OFFSETOF(JSGlobalObject, m_globalLexicalBindingEpoch); }
 
 #if ENABLE(REMOTE_INSPECTOR)