<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[278945] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/278945">278945</a></dd>
<dt>Author</dt> <dd>rmorisset@apple.com</dd>
<dt>Date</dt> <dd>2021-06-16 11:34:23 -0700 (Wed, 16 Jun 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Drop the FTL(DFG) graph after lowering to B3
https://bugs.webkit.org/show_bug.cgi?id=226556

Reviewed by Phil Pizlo.

This patch originally landed as <a href="http://trac.webkit.org/projects/webkit/changeset/278463">r278463</a>, was reverted in <a href="http://trac.webkit.org/projects/webkit/changeset/278463">r278463</a>.
I believe that the bug for which it was reverted actually comes from <a href="http://trac.webkit.org/projects/webkit/changeset/278371">r278371</a>, which was also reverted at the same time. So I am now relanding this.

The challenge in this patch was dealing with all of the Patchpoints created by FTLLowerDFGToB3: they get a lambda at that time, which they execute at the end of Air, and many of these lambdas were capturing a pointer to some parts of the DFG graph and reading through it when being executed.
In all cases but one it was easily fixed: they were only reading a few bits from a given node, so I just read these bits in FTLLowerDFGToB3, and captured them (by value) instead of the pointer to the node.
The exception was compileCallOrConstructVarargsSpread(): its patchpoint generator was walking through the graph, flattening a tree of PhantomSpread/PhantomNewArrayWithSpread/PhantomNewArrayBuffer/PhantomCreateRest, emitting some code along the way.
We now do this flattening of the tree in FTLLowerDFGToB3, store just enough information to later emit the required code in a vector, and capture that vector in the lambda (through a move capture, which is allowed since C++14). See `struct VarargsSpreadArgumentToEmit` for the information that we need to store in that vector.

I tested this change by completing a full run of JetStream2 with ASAN.
I also ran the stress tests with "spread" in their name in Debug mode.

* b3/B3SparseCollection.h:
(JSC::B3::SparseCollection::clearAll):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::freeDFGIRAfterLowering):
* dfg/DFGGraph.h:
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
(JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
(JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
(JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
(JSC::FTL::DFG::LowerDFGToB3::VarargsSpreadArgumentToEmit::VarargsSpreadArgumentToEmit):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
(JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
(JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
(JSC::FTL::DFG::LowerDFGToB3::compileInById):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
(JSC::FTL::DFG::LowerDFGToB3::getById):
(JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
(JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
(JSC::FTL::DFG::LowerDFGToB3::crash):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCompilecpp">trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLSnippetParamscpp">trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLSnippetParamsh">trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/ChangeLog       2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -1,3 +1,52 @@
</span><ins>+2021-06-16  Robin Morisset  <rmorisset@apple.com>
+
+        Drop the FTL(DFG) graph after lowering to B3
+        https://bugs.webkit.org/show_bug.cgi?id=226556
+
+        Reviewed by Phil Pizlo.
+
+        This patch originally landed as r278463, was reverted in r278463.
+        I believe that the bug for which it was reverted actually comes from r278371, which was also reverted at the same time. So I am now relanding this.
+
+        The challenge in this patch was dealing with all of the Patchpoints created by FTLLowerDFGToB3: they get a lambda at that time, which they execute at the end of Air, and many of these lambdas were capturing a pointer to some parts of the DFG graph and reading through it when being executed.
+        In all cases but one it was easily fixed: they were only reading a few bits from a given node, so I just read these bits in FTLLowerDFGToB3, and captured them (by value) instead of the pointer to the node.
+        The exception was compileCallOrConstructVarargsSpread(): its patchpoint generator was walking through the graph, flattening a tree of PhantomSpread/PhantomNewArrayWithSpread/PhantomNewArrayBuffer/PhantomCreateRest, emitting some code along the way.
+        We now do this flattening of the tree in FTLLowerDFGToB3, store just enough information to later emit the required code in a vector, and capture that vector in the lambda (through a move capture, which is allowed since C++14). See `struct VarargsSpreadArgumentToEmit` for the information that we need to store in that vector.
+
+        I tested this change by completing a full run of JetStream2 with ASAN.
+        I also ran the stress tests with "spread" in their name in Debug mode.
+
+        * b3/B3SparseCollection.h:
+        (JSC::B3::SparseCollection::clearAll):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::freeDFGIRAfterLowering):
+        * dfg/DFGGraph.h:
+        * ftl/FTLCompile.cpp:
+        (JSC::FTL::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileUnaryMathIC):
+        (JSC::FTL::DFG::LowerDFGToB3::compileBinaryMathIC):
+        (JSC::FTL::DFG::LowerDFGToB3::getPrivateName):
+        (JSC::FTL::DFG::LowerDFGToB3::compilePrivateBrandAccess):
+        (JSC::FTL::DFG::LowerDFGToB3::cachedPutById):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
+        (JSC::FTL::DFG::LowerDFGToB3::compileDirectCallOrConstruct):
+        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
+        (JSC::FTL::DFG::LowerDFGToB3::VarargsSpreadArgumentToEmit::VarargsSpreadArgumentToEmit):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallEval):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInById):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+        (JSC::FTL::DFG::LowerDFGToB3::getById):
+        (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
+        (JSC::FTL::DFG::LowerDFGToB3::emitBinarySnippet):
+        (JSC::FTL::DFG::LowerDFGToB3::emitBinaryBitOpSnippet):
+        (JSC::FTL::DFG::LowerDFGToB3::emitRightShiftSnippet):
+        (JSC::FTL::DFG::LowerDFGToB3::crash):
+
</ins><span class="cx"> 2021-06-16  Filip Pizlo  <fpizlo@apple.com>
</span><span class="cx"> 
</span><span class="cx">         RegisterSet should be smaller
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp     2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp        2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -1861,6 +1861,26 @@
</span><span class="cx">     m_cpsCFG = nullptr;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void Graph::freeDFGIRAfterLowering()
+{
+    m_blocks.clear();
+    m_roots.clear();
+    m_varArgChildren.clear();
+    m_nodes.clearAll();
+
+    m_bytecodeLiveness.clear();
+    m_safeToLoad.clear();
+    m_cpsDominators = nullptr;
+    m_ssaDominators = nullptr;
+    m_cpsNaturalLoops = nullptr;
+    m_ssaNaturalLoops = nullptr;
+    m_ssaCFG = nullptr;
+    m_cpsCFG = nullptr;
+    m_backwardsCFG = nullptr;
+    m_backwardsDominators = nullptr;
+    m_controlEquivalenceAnalysis = nullptr;
+}
+
</ins><span class="cx"> void Prefix::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx">     if (!m_enabled)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h       2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h  2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -1074,6 +1074,8 @@
</span><span class="cx">         m_catchEntrypoints.append(CatchEntrypointData { machineCode, FixedVector<FlushFormat>(WTFMove(argumentFormats)), bytecodeIndex });
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    void freeDFGIRAfterLowering();
+
</ins><span class="cx">     StackCheck m_stackChecker;
</span><span class="cx">     VM& m_vm;
</span><span class="cx">     Plan& m_plan;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCompilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp   2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp      2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -58,6 +58,9 @@
</span><span class="cx">     if (shouldDumpDisassembly())
</span><span class="cx">         state.proc->code().setDisassembler(makeUnique<B3::Air::Disassembler>());
</span><span class="cx"> 
</span><ins>+    if (!shouldDumpDisassembly() && !Options::asyncDisassembly() && !graph.compilation() && !state.proc->needsPCToOriginMap())
+        graph.freeDFGIRAfterLowering();
+
</ins><span class="cx">     {
</span><span class="cx">         GraphSafepoint safepoint(state.graph, safepointResult);
</span><span class="cx"> 
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -2384,6 +2384,7 @@
</span><span class="cx">         patchpoint->numGPScratchRegisters = 1;
</span><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -2414,12 +2415,12 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">                         if (mathICGenerationState->shouldSlowPathRepatch) {
</span><del>-                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
-                                repatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
</del><ins>+                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, semanticNodeOrigin, exceptions.get(),
+                                repatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
</ins><span class="cx">                             mathICGenerationState->slowPathCall = call.call();
</span><span class="cx">                         } else {
</span><del>-                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
-                                exceptions.get(), nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr());
</del><ins>+                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, semanticNodeOrigin,
+                                exceptions.get(), nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr());
</ins><span class="cx">                             mathICGenerationState->slowPathCall = call.call();
</span><span class="cx">                         }
</span><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="lines">@@ -2438,8 +2439,8 @@
</span><span class="cx">                     });
</span><span class="cx">                 } else {
</span><span class="cx">                     callOperation(
</span><del>-                        *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
-                        nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr());
</del><ins>+                        *state, params.unavailableRegisters(), jit, semanticNodeOrigin, exceptions.get(),
+                        nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr());
</ins><span class="cx">                 }
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(MATH_IC_STATS)
</span><span class="lines">@@ -2491,6 +2492,7 @@
</span><span class="cx">         patchpoint->numFPScratchRegisters = 2;
</span><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -2524,12 +2526,12 @@
</span><span class="cx"> #endif
</span><span class="cx"> 
</span><span class="cx">                         if (mathICGenerationState->shouldSlowPathRepatch) {
</span><del>-                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
-                                repatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
</del><ins>+                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, semanticNodeOrigin, exceptions.get(),
+                                repatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr(), params[2].gpr(), CCallHelpers::TrustedImmPtr(mathIC));
</ins><span class="cx">                             mathICGenerationState->slowPathCall = call.call();
</span><span class="cx">                         } else {
</span><del>-                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, node->origin.semantic,
-                                exceptions.get(), nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr(), params[2].gpr());
</del><ins>+                            SlowPathCall call = callOperation(*state, params.unavailableRegisters(), jit, semanticNodeOrigin,
+                                exceptions.get(), nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr(), params[2].gpr());
</ins><span class="cx">                             mathICGenerationState->slowPathCall = call.call();
</span><span class="cx">                         }
</span><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="lines">@@ -2548,8 +2550,8 @@
</span><span class="cx">                     });
</span><span class="cx">                 } else {
</span><span class="cx">                     callOperation(
</span><del>-                        *state, params.unavailableRegisters(), jit, node->origin.semantic, exceptions.get(),
-                        nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr(), params[2].gpr());
</del><ins>+                        *state, params.unavailableRegisters(), jit, semanticNodeOrigin, exceptions.get(),
+                        nonRepatchingFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr(), params[2].gpr());
</ins><span class="cx">                 }
</span><span class="cx"> 
</span><span class="cx"> #if ENABLE(MATH_IC_STATS)
</span><span class="lines">@@ -3994,10 +3996,11 @@
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         bool baseIsCell = abstractValue(node->child1()).isType(SpecCell);
</span><ins>+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><del>-                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -4013,7 +4016,7 @@
</span><span class="cx">                 GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">                 auto generator = Box<JITGetByValGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex, AccessType::GetPrivateName,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex, AccessType::GetPrivateName,
</ins><span class="cx">                     params.unavailableRegisters(), JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(resultGPR), stubInfoGPR);
</span><span class="cx"> 
</span><span class="cx">                 CCallHelpers::Jump notCell;
</span><span class="lines">@@ -4036,15 +4039,15 @@
</span><span class="cx">                         jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                         generator->stubInfo()->m_slowOperation = operationGetPrivateNameOptimize;
</span><span class="cx">                         slowPathCall = callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                             exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), resultGPR,
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                             stubInfoGPR, baseGPR, propertyGPR).call();
</span><span class="cx">                     } else {
</span><span class="cx">                         slowPathCall = callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                             exceptions.get(), operationGetPrivateNameOptimize, resultGPR,
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                             CCallHelpers::TrustedImmPtr(generator->stubInfo()), baseGPR, propertyGPR).call();
</span><span class="cx">                     }
</span><span class="cx">                     jit.jump().linkTo(done, &jit);
</span><span class="lines">@@ -4140,10 +4143,11 @@
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         bool baseIsCell = abstractValue(m_node->child1()).isType(SpecCell);
</span><ins>+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">             AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><del>-            CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+            CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
</ins><span class="cx"> 
</span><span class="cx">             // This is the direct exit target for operation calls.
</span><span class="cx">             Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -4158,7 +4162,7 @@
</span><span class="cx">             GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">             auto generator = Box<JITPrivateBrandAccessGenerator>::create(
</span><del>-                jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex, accessType,
</del><ins>+                jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex, accessType,
</ins><span class="cx">                 params.unavailableRegisters(), JSValueRegs(baseGPR), JSValueRegs(brandGPR), stubInfoGPR);
</span><span class="cx"> 
</span><span class="cx">             CCallHelpers::Jump notCell;
</span><span class="lines">@@ -4193,15 +4197,15 @@
</span><span class="cx">                     jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                     generator->stubInfo()->m_slowOperation = appropriatePrivateAccessFunction(accessType);
</span><span class="cx">                     slowPathCall = callOperation(
</span><del>-                        *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                        *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                         exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), InvalidGPRReg,
</span><del>-                        jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                        jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                         stubInfoGPR, baseGPR, brandGPR).call();
</span><span class="cx">                 } else {
</span><span class="cx">                     slowPathCall = callOperation(
</span><del>-                        *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                        *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                         exceptions.get(), appropriatePrivateAccessFunction(accessType), InvalidGPRReg,
</span><del>-                        jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                        jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                         CCallHelpers::TrustedImmPtr(generator->stubInfo()), baseGPR, brandGPR).call();
</span><span class="cx">                 }
</span><span class="cx">                 jit.jump().linkTo(done, &jit);
</span><span class="lines">@@ -4563,13 +4567,14 @@
</span><span class="cx">             preparePatchpointForExceptions(patchpoint);
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><del>-        
</del><ins>+
+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><del>-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions =
</span><span class="cx">                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -4580,7 +4585,7 @@
</span><span class="cx">                 GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">                 auto generator = Box<JITPutByIdGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex,
</ins><span class="cx">                     params.unavailableRegisters(), identifier, JSValueRegs(params[0].gpr()),
</span><span class="cx">                     JSValueRegs(params[1].gpr()), stubInfoGPR, GPRInfo::patchpointScratchRegister, ecmaMode,
</span><span class="cx">                     putKind);
</span><span class="lines">@@ -4599,16 +4604,16 @@
</span><span class="cx">                             jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                             generator->stubInfo()->m_slowOperation = generator->slowPathFunction();
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                                 exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), InvalidGPRReg,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                                 stubInfoGPR, params[1].gpr(),
</span><span class="cx">                                 params[0].gpr(), identifier.rawBits()).call();
</span><span class="cx">                         } else {
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                                 exceptions.get(), generator->slowPathFunction(), InvalidGPRReg,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                                 CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
</span><span class="cx">                                 params[0].gpr(), identifier.rawBits()).call();
</span><span class="cx">                         }
</span><span class="lines">@@ -5297,10 +5302,11 @@
</span><span class="cx">             RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
</span><span class="cx"> 
</span><span class="cx">             State* state = &m_ftlState;
</span><ins>+            CodeOrigin nodeSemanticOrigin = node->origin.semantic;
</ins><span class="cx">             patchpoint->setGenerator([=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><del>-                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -5316,7 +5322,7 @@
</span><span class="cx">                 GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">                 auto generator = Box<JITGetByValGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex, AccessType::GetByVal,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex, AccessType::GetByVal,
</ins><span class="cx">                     params.unavailableRegisters(), JSValueRegs(baseGPR), JSValueRegs(propertyGPR), JSValueRegs(resultGPR), stubInfoGPR);
</span><span class="cx"> 
</span><span class="cx">                 generator->stubInfo()->propertyIsString = propertyIsString;
</span><span class="lines">@@ -5343,15 +5349,15 @@
</span><span class="cx">                         jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                         generator->stubInfo()->m_slowOperation = operationGetByValOptimize;
</span><span class="cx">                         slowPathCall = callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                             exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), resultGPR,
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                             stubInfoGPR, CCallHelpers::TrustedImmPtr(nullptr), baseGPR, propertyGPR).call();
</span><span class="cx">                     } else {
</span><span class="cx">                         slowPathCall = callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                             exceptions.get(), operationGetByValOptimize, resultGPR,
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                             CCallHelpers::TrustedImmPtr(generator->stubInfo()), CCallHelpers::TrustedImmPtr(nullptr), baseGPR, propertyGPR).call();
</span><span class="cx">                     }
</span><span class="cx">                     jit.jump().linkTo(done, &jit);
</span><span class="lines">@@ -5910,12 +5916,16 @@
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         Node* node = m_node;
</span><ins>+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
+        auto child1UseKind = node->child1().useKind();
+        auto child2UseKind = node->child2().useKind();
+        auto ecmaMode = node->ecmaMode().value();
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><del>-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(nodeSemanticOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions =
</span><span class="cx">                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -5929,7 +5939,7 @@
</span><span class="cx">                 ASSERT(base.gpr() != scratchGPR);
</span><span class="cx">                 ASSERT(returnGPR != scratchGPR);
</span><span class="cx"> 
</span><del>-                if (node->child1().useKind() == UntypedUse)
</del><ins>+                if (child1UseKind)
</ins><span class="cx">                     slowCases.append(jit.branchIfNotCell(base));
</span><span class="cx"> 
</span><span class="cx">                 constexpr auto optimizationFunction = [&] () {
</span><span class="lines">@@ -5944,7 +5954,7 @@
</span><span class="cx">                         return CCallHelpers::TrustedImmPtr(subscriptValue.rawBits());
</span><span class="cx">                     else {
</span><span class="cx">                         ASSERT(scratchGPR != params[2].gpr());
</span><del>-                        if (node->child2().useKind() == UntypedUse)
</del><ins>+                        if (child2UseKind == UntypedUse)
</ins><span class="cx">                             slowCases.append(jit.branchIfNotCell(JSValueRegs(params[2].gpr())));
</span><span class="cx">                         return JSValueRegs(params[2].gpr());
</span><span class="cx">                     }
</span><span class="lines">@@ -5953,12 +5963,12 @@
</span><span class="cx">                 const auto generator = [&] {
</span><span class="cx">                     if constexpr (kind == DelByKind::ById) {
</span><span class="cx">                         return Box<JITDelByIdGenerator>::create(
</span><del>-                            jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                            jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex,
</ins><span class="cx">                             params.unavailableRegisters(), subscriptValue, base,
</span><span class="cx">                             JSValueRegs(returnGPR), stubInfoGPR, scratchGPR);
</span><span class="cx">                     } else {
</span><span class="cx">                         return Box<JITDelByValGenerator>::create(
</span><del>-                            jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                            jit.codeBlock(), JITType::FTLJIT, nodeSemanticOrigin, callSiteIndex,
</ins><span class="cx">                             params.unavailableRegisters(), base,
</span><span class="cx">                             subscript, JSValueRegs(returnGPR), stubInfoGPR, scratchGPR);
</span><span class="cx">                     }
</span><span class="lines">@@ -5980,18 +5990,18 @@
</span><span class="cx">                             jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                             generator->stubInfo()->m_slowOperation = optimizationFunction;
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                                 exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), returnGPR,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                                 stubInfoGPR, base,
</span><del>-                                subscript, CCallHelpers::TrustedImm32(node->ecmaMode().value())).call();
</del><ins>+                                subscript, CCallHelpers::TrustedImm32(ecmaMode)).call();
</ins><span class="cx">                         } else {
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, nodeSemanticOrigin,
</ins><span class="cx">                                 exceptions.get(), optimizationFunction, returnGPR,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(nodeSemanticOrigin),
</ins><span class="cx">                                 CCallHelpers::TrustedImmPtr(generator->stubInfo()), base,
</span><del>-                                subscript, CCallHelpers::TrustedImm32(node->ecmaMode().value())).call();
</del><ins>+                                subscript, CCallHelpers::TrustedImm32(ecmaMode)).call();
</ins><span class="cx">                         }
</span><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="cx"> 
</span><span class="lines">@@ -9837,6 +9847,8 @@
</span><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         VM* vm = &this->vm();
</span><ins>+        CodeOrigin nodeSemanticOrigin = node->origin.semantic;
+        auto nodeOp = node->op();
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -9848,9 +9860,9 @@
</span><span class="cx">                     CCallHelpers::TrustedImm32(callSiteIndex.bits()),
</span><span class="cx">                     CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCountIncludingThis)));
</span><span class="cx"> 
</span><del>-                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
</del><ins>+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(nodeSemanticOrigin);
</ins><span class="cx">                 callLinkInfo->setUpCall(
</span><del>-                    node->op() == Construct ? CallLinkInfo::Construct : CallLinkInfo::Call, GPRInfo::regT0);
</del><ins>+                    nodeOp == Construct ? CallLinkInfo::Construct : CallLinkInfo::Call, GPRInfo::regT0);
</ins><span class="cx"> 
</span><span class="cx">                 auto slowPath = callLinkInfo->emitFastPath(jit, GPRInfo::regT0, InvalidGPRReg, CallLinkInfo::UseDataIC::No);
</span><span class="cx">                 CCallHelpers::Jump done = jit.jump();
</span><span class="lines">@@ -9857,7 +9869,7 @@
</span><span class="cx"> 
</span><span class="cx">                 slowPath.link(&jit);
</span><span class="cx">                 auto slowPathStart = jit.label();
</span><del>-                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(node->origin.semantic)), GPRInfo::regT3);
</del><ins>+                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(nodeSemanticOrigin)), GPRInfo::regT3);
</ins><span class="cx">                 callLinkInfo->emitSlowPath(*vm, jit);
</span><span class="cx"> 
</span><span class="cx">                 done.link(&jit);
</span><span class="lines">@@ -9947,6 +9959,7 @@
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="lines">@@ -9980,7 +9993,7 @@
</span><span class="cx">                     shuffleData.numPassedArgs = numPassedArgs;
</span><span class="cx">                     shuffleData.setupCalleeSaveRegisters(jit.codeBlock());
</span><span class="cx">                     
</span><del>-                    CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
</del><ins>+                    CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(semanticNodeOrigin);
</ins><span class="cx">                     callLinkInfo->setUpCall(CallLinkInfo::DirectTailCall, InvalidGPRReg);
</span><span class="cx">                     
</span><span class="cx">                     CCallHelpers::Label mainPath = jit.label();
</span><span class="lines">@@ -9997,7 +10010,7 @@
</span><span class="cx">                     CCallHelpers::Label slowPath = jit.label();
</span><span class="cx">                     callOperation(
</span><span class="cx">                         *state, toSave, jit,
</span><del>-                        node->origin.semantic, exceptions.get(), operationLinkDirectCall,
</del><ins>+                        semanticNodeOrigin, exceptions.get(), operationLinkDirectCall,
</ins><span class="cx">                         InvalidGPRReg, CCallHelpers::TrustedImmPtr(callLinkInfo), calleeGPR).call();
</span><span class="cx">                     jit.jump().linkTo(mainPath, &jit);
</span><span class="cx">                     callLinkInfo->setExecutableDuringCompilation(executable);
</span><span class="lines">@@ -10012,7 +10025,7 @@
</span><span class="cx">                     return;
</span><span class="cx">                 }
</span><span class="cx">                 
</span><del>-                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
</del><ins>+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(semanticNodeOrigin);
</ins><span class="cx">                 callLinkInfo->setUpCall(
</span><span class="cx">                     isConstruct ? CallLinkInfo::DirectConstruct : CallLinkInfo::DirectCall, InvalidGPRReg);
</span><span class="cx"> 
</span><span class="lines">@@ -10039,7 +10052,7 @@
</span><span class="cx">                         
</span><span class="cx">                         callOperation(
</span><span class="cx">                             *state, params.unavailableRegisters(), jit,
</span><del>-                            node->origin.semantic, exceptions.get(), operationLinkDirectCall,
</del><ins>+                            semanticNodeOrigin, exceptions.get(), operationLinkDirectCall,
</ins><span class="cx">                             InvalidGPRReg, CCallHelpers::TrustedImmPtr(callLinkInfo),
</span><span class="cx">                             calleeGPR).call();
</span><span class="cx">                         jit.jump().linkTo(mainPath, &jit);
</span><span class="lines">@@ -10115,6 +10128,7 @@
</span><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         VM* vm = &this->vm();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -10152,7 +10166,7 @@
</span><span class="cx">                 slowPathShuffler.setCalleeJSValueRegs(JSValueRegs(GPRInfo::regT0));
</span><span class="cx">                 slowPathShuffler.prepareForSlowPath();
</span><span class="cx"> 
</span><del>-                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(node->origin.semantic)), GPRInfo::regT3);
</del><ins>+                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(semanticNodeOrigin)), GPRInfo::regT3);
</ins><span class="cx">                 callLinkInfo->emitSlowPath(*vm, jit);
</span><span class="cx"> 
</span><span class="cx">                 auto doneLocation = jit.label();
</span><span class="lines">@@ -10166,7 +10180,60 @@
</span><span class="cx">                     });
</span><span class="cx">             });
</span><span class="cx">     }
</span><del>-    
</del><ins>+
+    struct CapturedForPhantomNewArrayWithSpreadCase {
+        unsigned parameterOffset;
+    };
+    struct CapturedForPhantomNewArrayBufferCase {
+        int64_t value;
+        int32_t currentStoreOffset;
+    };
+    struct CapturedForPhantomNewArrayBufferEnd {
+        unsigned arrayLength;
+    };
+    struct CapturedForPhantomCreateRest {
+        InlineCallFrame* inlineCallFrame;
+        unsigned numberOfArgumentsToSkip;
+        unsigned parameterOffset;
+    };
+    struct VarargsSpreadArgumentToEmit {
+        enum Type {
+            PhantomNewArrayWithSpreadCase,
+            PhantomNewArrayBufferCase,
+            PhantomNewArrayBufferEnd,
+            PhantomCreateRest
+        } m_type;
+        union {
+            CapturedForPhantomNewArrayWithSpreadCase m_phantomNewArrayWithSpreadCase;
+            CapturedForPhantomNewArrayBufferCase m_phantomNewArrayBufferCase;
+            CapturedForPhantomNewArrayBufferEnd m_phantomNewArrayBufferEnd;
+            CapturedForPhantomCreateRest m_phantomCreateRest;
+        };
+
+        VarargsSpreadArgumentToEmit(VarargsSpreadArgumentToEmit::Type t, unsigned arg)
+            : m_type(t)
+        {
+            if (m_type == PhantomNewArrayWithSpreadCase)
+                m_phantomNewArrayWithSpreadCase = { arg };
+            else {
+                ASSERT(t == PhantomNewArrayBufferEnd);
+                m_phantomNewArrayBufferEnd = { arg };
+            }
+        }
+        VarargsSpreadArgumentToEmit(VarargsSpreadArgumentToEmit::Type t, int64_t value, int32_t currentStoreOffset)
+            : m_type(t)
+            , m_phantomNewArrayBufferCase({ value, currentStoreOffset })
+        {
+            ASSERT(t == PhantomNewArrayBufferCase);
+        }
+        VarargsSpreadArgumentToEmit(VarargsSpreadArgumentToEmit::Type t, InlineCallFrame* inlineCallFrame, unsigned numberOfArgumentsToSkip, unsigned parameterOffset)
+            : m_type(t)
+            , m_phantomCreateRest({ inlineCallFrame, numberOfArgumentsToSkip, parameterOffset })
+        {
+            ASSERT(t == PhantomCreateRest);
+        }
+    };
+
</ins><span class="cx">     void compileCallOrConstructVarargsSpread()
</span><span class="cx">     {
</span><span class="cx">         Node* node = m_node;
</span><span class="lines">@@ -10181,13 +10248,20 @@
</span><span class="cx">         Vector<LValue, 2> spreadLengths;
</span><span class="cx">         Vector<LValue, 8> patchpointArguments;
</span><span class="cx">         HashMap<InlineCallFrame*, LValue, WTF::DefaultHash<InlineCallFrame*>, WTF::NullableHashTraits<InlineCallFrame*>> cachedSpreadLengths;
</span><ins>+        // Because the patchpoint generator runs late in Air, the dfg graph will be long gone.
+        // So we must load everything relevant right now, and make sure that they are captured by value by the lambda that acts as the generator
+        // One particularly tricky point is that the generator would like to walk over the tree rooted at this node, exploring through PhantomNewArrayWithSpread and PhantomNewArrayBuffer, emitting code along the way.
+        // Instead, we do that walk here, and record just enough information in the following vector to emit the right code at the end of Air.
+        Vector<VarargsSpreadArgumentToEmit> argumentsToEmitFromRightToLeft;
+        int storeOffset = CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register));
+        unsigned paramsOffset = 4;
+        unsigned index = 0;
</ins><span class="cx">         auto pushAndCountArgumentsFromRightToLeft = recursableLambda([&](auto self, Node* target) -> void {
</span><del>-            if (target->op() == PhantomSpread) {
</del><ins>+            switch (target->op()) {
+            case PhantomSpread:
</ins><span class="cx">                 self(target->child1().node());
</span><span class="cx">                 return;
</span><del>-            }
-
-            if (target->op() == PhantomNewArrayWithSpread) {
</del><ins>+            case PhantomNewArrayWithSpread: {
</ins><span class="cx">                 BitVector* bitVector = target->bitVector();
</span><span class="cx">                 for (unsigned i = target->numChildren(); i--; ) {
</span><span class="cx">                     if (bitVector->get(i))
</span><span class="lines">@@ -10196,27 +10270,45 @@
</span><span class="cx">                         ++staticArgumentCount;
</span><span class="cx">                         LValue argument = this->lowJSValue(m_graph.varArgChild(target, i));
</span><span class="cx">                         patchpointArguments.append(argument);
</span><ins>+                        argumentsToEmitFromRightToLeft.append({ VarargsSpreadArgumentToEmit::Type::PhantomNewArrayWithSpreadCase, paramsOffset + (index++)});
</ins><span class="cx">                     }
</span><span class="cx">                 }
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><del>-
-            if (target->op() == PhantomNewArrayBuffer) {
-                staticArgumentCount += target->castOperand<JSImmutableButterfly*>()->length();
</del><ins>+            case PhantomNewArrayBuffer: {
+                auto* array = target->castOperand<JSImmutableButterfly*>();
+                unsigned arrayLength = array->length();
+                staticArgumentCount += arrayLength;
+                Checked<int32_t> offsetCount { 1 };
+                for (unsigned i = arrayLength; i--; ++offsetCount) {
+                    Checked<int32_t> currentStoreOffset { storeOffset };
+                    currentStoreOffset -= (offsetCount * static_cast<int32_t>(sizeof(Register)));
+                    // Because varargs values are drained as JSValue, we should not generate value
+                    // in Double form even if PhantomNewArrayBuffer's indexingType is ArrayWithDouble.
+                    int64_t value = JSValue::encode(array->get(i));
+                    argumentsToEmitFromRightToLeft.append({ VarargsSpreadArgumentToEmit::Type::PhantomNewArrayBufferCase, value, currentStoreOffset.value() });
+                }
+                argumentsToEmitFromRightToLeft.append({ VarargsSpreadArgumentToEmit::Type::PhantomNewArrayBufferEnd, arrayLength });
</ins><span class="cx">                 return;
</span><span class="cx">             }
</span><del>-
-            RELEASE_ASSERT(target->op() == PhantomCreateRest);
-            InlineCallFrame* inlineCallFrame = target->origin.semantic.inlineCallFrame();
-            unsigned numberOfArgumentsToSkip = target->numberOfArgumentsToSkip();
-            LValue length = cachedSpreadLengths.ensure(inlineCallFrame, [&] () {
-                return m_out.zeroExtPtr(this->getSpreadLengthFromInlineCallFrame(inlineCallFrame, numberOfArgumentsToSkip));
-            }).iterator->value;
-            patchpointArguments.append(length);
-            spreadLengths.append(length);
</del><ins>+            case PhantomCreateRest: {
+                InlineCallFrame* inlineCallFrame = target->origin.semantic.inlineCallFrame();
+                unsigned numberOfArgumentsToSkip = target->numberOfArgumentsToSkip();
+                unsigned parameterOffset = paramsOffset + (index++);
+                LValue length = cachedSpreadLengths.ensure(inlineCallFrame, [&] () {
+                    return m_out.zeroExtPtr(this->getSpreadLengthFromInlineCallFrame(inlineCallFrame, numberOfArgumentsToSkip));
+                }).iterator->value;
+                patchpointArguments.append(length);
+                spreadLengths.append(length);
+                argumentsToEmitFromRightToLeft.append({ VarargsSpreadArgumentToEmit::Type::PhantomCreateRest, inlineCallFrame, numberOfArgumentsToSkip, parameterOffset });
+                return;
+            }
+            default:
+                RELEASE_ASSERT_NOT_REACHED();
+            }
</ins><span class="cx">         });
</span><ins>+        pushAndCountArgumentsFromRightToLeft(arguments);
</ins><span class="cx"> 
</span><del>-        pushAndCountArgumentsFromRightToLeft(arguments);
</del><span class="cx">         LValue argumentCountIncludingThis = m_out.constIntPtr(staticArgumentCount + 1);
</span><span class="cx">         for (LValue length : spreadLengths)
</span><span class="cx">             argumentCountIncludingThis = m_out.add(length, argumentCountIncludingThis);
</span><span class="lines">@@ -10244,12 +10336,14 @@
</span><span class="cx">             WTF::roundUpToMultipleOf(stackAlignmentBytes(), 5 * sizeof(EncodedJSValue));
</span><span class="cx"> 
</span><span class="cx">         m_proc.requestCallArgAreaSizeInBytes(minimumJSCallAreaSize);
</span><del>-        
</del><ins>+
</ins><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         VM* vm = &this->vm();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
+        auto nodeOp = node->op();
</ins><span class="cx">         patchpoint->setGenerator(
</span><del>-            [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</del><ins>+            [=, argumentsToEmit = WTFMove(argumentsToEmitFromRightToLeft)] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</ins><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><span class="cx">                     state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(codeOrigin);
</span><span class="lines">@@ -10263,7 +10357,7 @@
</span><span class="cx">                     CCallHelpers::TrustedImm32(callSiteIndex.bits()),
</span><span class="cx">                     CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCountIncludingThis)));
</span><span class="cx"> 
</span><del>-                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
</del><ins>+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(semanticNodeOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 RegisterSet usedRegisters = RegisterSet::allRegisters();
</span><span class="cx">                 usedRegisters.exclude(RegisterSet::volatileRegistersForJSCall());
</span><span class="lines">@@ -10327,74 +10421,54 @@
</span><span class="cx"> 
</span><span class="cx">                     jit.store32(scratchGPR2, CCallHelpers::Address(scratchGPR1, CallFrameSlot::argumentCountIncludingThis * static_cast<int>(sizeof(Register)) + PayloadOffset));
</span><span class="cx"> 
</span><del>-                    int storeOffset = CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register));
-
-                    unsigned paramsOffset = 4;
-                    unsigned index = 0;
-                    auto emitArgumentsFromRightToLeft = recursableLambda([&](auto self, Node* target) -> void {
-                        if (target->op() == PhantomSpread) {
-                            self(target->child1().node());
-                            return;
</del><ins>+                    for (const auto& argumentToEmit : argumentsToEmit) {
+                        switch (argumentToEmit.m_type) {
+                        case VarargsSpreadArgumentToEmit::PhantomNewArrayWithSpreadCase: {
+                            unsigned parameterOffset = argumentToEmit.m_phantomNewArrayWithSpreadCase.parameterOffset;
+                            jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR2);
+                            getValueFromRep(params[parameterOffset], scratchGPR3);
+                            jit.store64(scratchGPR3, CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, storeOffset));
+                            continue;
</ins><span class="cx">                         }
</span><del>-
-                        if (target->op() == PhantomNewArrayWithSpread) {
-                            BitVector* bitVector = target->bitVector();
-                            for (unsigned i = target->numChildren(); i--; ) {
-                                if (bitVector->get(i))
-                                    self(state->graph.varArgChild(target, i).node());
-                                else {
-                                    jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR2);
-                                    getValueFromRep(params[paramsOffset + (index++)], scratchGPR3);
-                                    jit.store64(scratchGPR3,
-                                        CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, storeOffset));
-                                }
-                            }
-                            return;
</del><ins>+                        case VarargsSpreadArgumentToEmit::PhantomNewArrayBufferCase: {
+                            int64_t value = argumentToEmit.m_phantomNewArrayBufferCase.value;
+                            int32_t currentStoreOffset = argumentToEmit.m_phantomNewArrayBufferCase.currentStoreOffset;
+                            jit.move(CCallHelpers::TrustedImm64(value), scratchGPR3);
+                            jit.store64(scratchGPR3, CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, currentStoreOffset));
+                            continue;
</ins><span class="cx">                         }
</span><del>-
-                        if (target->op() == PhantomNewArrayBuffer) {
-                            auto* array = target->castOperand<JSImmutableButterfly*>();
-                            Checked<int32_t> offsetCount { 1 };
-                            for (unsigned i = array->length(); i--; ++offsetCount) {
-                                // Because varargs values are drained as JSValue, we should not generate value
-                                // in Double form even if PhantomNewArrayBuffer's indexingType is ArrayWithDouble.
-                                int64_t value = JSValue::encode(array->get(i));
-                                jit.move(CCallHelpers::TrustedImm64(value), scratchGPR3);
-                                Checked<int32_t> currentStoreOffset { storeOffset };
-                                currentStoreOffset -= (offsetCount * static_cast<int32_t>(sizeof(Register)));
-                                jit.store64(scratchGPR3,
-                                    CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, currentStoreOffset));
-                            }
-                            jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(array->length())), scratchGPR2);
-                            return;
</del><ins>+                        case VarargsSpreadArgumentToEmit::PhantomNewArrayBufferEnd: {
+                            size_t arrayLength = static_cast<size_t>(argumentToEmit.m_phantomNewArrayBufferEnd.arrayLength);
+                            jit.subPtr(CCallHelpers::TrustedImmPtr(arrayLength), scratchGPR2);
+                            continue;
</ins><span class="cx">                         }
</span><ins>+                        case VarargsSpreadArgumentToEmit::PhantomCreateRest: {
+                            InlineCallFrame* inlineCallFrame = argumentToEmit.m_phantomCreateRest.inlineCallFrame;
+                            unsigned numberOfArgumentsToSkip = argumentToEmit.m_phantomCreateRest.numberOfArgumentsToSkip;
+                            unsigned parameterOffset = argumentToEmit.m_phantomCreateRest.parameterOffset;
</ins><span class="cx"> 
</span><del>-                        RELEASE_ASSERT(target->op() == PhantomCreateRest);
-                        InlineCallFrame* inlineCallFrame = target->origin.semantic.inlineCallFrame();
</del><ins>+                            B3::ValueRep numArgumentsToCopy = params[parameterOffset];
+                            getValueFromRep(numArgumentsToCopy, scratchGPR3);
+                            int loadOffset = (AssemblyHelpers::argumentsStart(inlineCallFrame).offset() + numberOfArgumentsToSkip) * static_cast<int>(sizeof(Register));
</ins><span class="cx"> 
</span><del>-                        unsigned numberOfArgumentsToSkip = target->numberOfArgumentsToSkip();
-
-                        B3::ValueRep numArgumentsToCopy = params[paramsOffset + (index++)];
-                        getValueFromRep(numArgumentsToCopy, scratchGPR3);
-                        int loadOffset = (AssemblyHelpers::argumentsStart(inlineCallFrame).offset() + numberOfArgumentsToSkip) * static_cast<int>(sizeof(Register));
-
-                        auto done = jit.branchTestPtr(MacroAssembler::Zero, scratchGPR3);
-                        auto loopStart = jit.label();
-                        jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR3);
-                        jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR2);
-                        jit.load64(CCallHelpers::BaseIndex(GPRInfo::callFrameRegister, scratchGPR3, CCallHelpers::TimesEight, loadOffset), scratchGPR4);
-                        jit.store64(scratchGPR4,
-                            CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, storeOffset));
-                        jit.branchTestPtr(CCallHelpers::NonZero, scratchGPR3).linkTo(loopStart, &jit);
-                        done.link(&jit);
-                    });
-                    emitArgumentsFromRightToLeft(arguments);
</del><ins>+                            auto done = jit.branchTestPtr(MacroAssembler::Zero, scratchGPR3);
+                            auto loopStart = jit.label();
+                            jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR3);
+                            jit.subPtr(CCallHelpers::TrustedImmPtr(static_cast<size_t>(1)), scratchGPR2);
+                            jit.load64(CCallHelpers::BaseIndex(GPRInfo::callFrameRegister, scratchGPR3, CCallHelpers::TimesEight, loadOffset), scratchGPR4);
+                            jit.store64(scratchGPR4,
+                                CCallHelpers::BaseIndex(scratchGPR1, scratchGPR2, CCallHelpers::TimesEight, storeOffset));
+                            jit.branchTestPtr(CCallHelpers::NonZero, scratchGPR3).linkTo(loopStart, &jit);
+                            done.link(&jit);
+                        }
+                        }
+                    }
</ins><span class="cx">                 }
</span><span class="cx"> 
</span><span class="cx">                 {
</span><span class="cx">                     CCallHelpers::Jump dontThrow = jit.jump();
</span><span class="cx">                     slowCase.link(&jit);
</span><del>-                    jit.setupArguments<decltype(operationThrowStackOverflowForVarargs)>(jit.codeBlock()->globalObjectFor(node->origin.semantic));
</del><ins>+                    jit.setupArguments<decltype(operationThrowStackOverflowForVarargs)>(jit.codeBlock()->globalObjectFor(semanticNodeOrigin));
</ins><span class="cx">                     jit.prepareCallOperation(jit.vm());
</span><span class="cx">                     callWithExceptionCheck(operationThrowStackOverflowForVarargs);
</span><span class="cx">                     jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
</span><span class="lines">@@ -10408,9 +10482,9 @@
</span><span class="cx">                 jit.store64(scratchGPR3, CCallHelpers::calleeArgumentSlot(0));
</span><span class="cx">                 
</span><span class="cx">                 CallLinkInfo::CallType callType;
</span><del>-                if (node->op() == ConstructVarargs || node->op() == ConstructForwardVarargs)
</del><ins>+                if (nodeOp == ConstructVarargs || nodeOp == ConstructForwardVarargs)
</ins><span class="cx">                     callType = CallLinkInfo::ConstructVarargs;
</span><del>-                else if (node->op() == TailCallVarargs || node->op() == TailCallForwardVarargs)
</del><ins>+                else if (nodeOp == TailCallVarargs || nodeOp == TailCallForwardVarargs)
</ins><span class="cx">                     callType = CallLinkInfo::TailCallVarargs;
</span><span class="cx">                 else
</span><span class="cx">                     callType = CallLinkInfo::CallVarargs;
</span><span class="lines">@@ -10438,7 +10512,7 @@
</span><span class="cx"> 
</span><span class="cx">                 if (isTailCall)
</span><span class="cx">                     jit.emitRestoreCalleeSaves();
</span><del>-                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(node->origin.semantic)), GPRInfo::regT3);
</del><ins>+                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(semanticNodeOrigin)), GPRInfo::regT3);
</ins><span class="cx">                 callLinkInfo->emitSlowPath(*vm, jit);
</span><span class="cx">                 
</span><span class="cx">                 if (isTailCall)
</span><span class="lines">@@ -10544,6 +10618,14 @@
</span><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         VM* vm = &this->vm();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
+        InlineCallFrame* inlineCallFrame;
+        if (node->child3())
+            inlineCallFrame = node->child3()->origin.semantic.inlineCallFrame();
+        else
+            inlineCallFrame = semanticNodeOrigin.inlineCallFrame();
+        CallVarargsData* data = node->callVarargsData();
+        auto nodeOp = node->op();
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -10559,8 +10641,7 @@
</span><span class="cx">                     CCallHelpers::TrustedImm32(callSiteIndex.bits()),
</span><span class="cx">                     CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCountIncludingThis)));
</span><span class="cx"> 
</span><del>-                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
-                CallVarargsData* data = node->callVarargsData();
</del><ins>+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(semanticNodeOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 unsigned argIndex = 1;
</span><span class="cx">                 GPRReg calleeGPR = params[argIndex++].gpr();
</span><span class="lines">@@ -10644,11 +10725,6 @@
</span><span class="cx">                     jit.move(CCallHelpers::TrustedImm32(originalStackHeight / sizeof(EncodedJSValue)), scratchGPR2);
</span><span class="cx">                     
</span><span class="cx">                     CCallHelpers::JumpList slowCase;
</span><del>-                    InlineCallFrame* inlineCallFrame;
-                    if (node->child3())
-                        inlineCallFrame = node->child3()->origin.semantic.inlineCallFrame();
-                    else
-                        inlineCallFrame = node->origin.semantic.inlineCallFrame();
</del><span class="cx"> 
</span><span class="cx">                     // emitSetupVarargsFrameFastCase modifies the stack pointer if it succeeds.
</span><span class="cx">                     emitSetupVarargsFrameFastCase(*vm, jit, scratchGPR2, scratchGPR1, scratchGPR2, scratchGPR3, inlineCallFrame, data->firstVarArgOffset, slowCase);
</span><span class="lines">@@ -10655,7 +10731,7 @@
</span><span class="cx"> 
</span><span class="cx">                     CCallHelpers::Jump done = jit.jump();
</span><span class="cx">                     slowCase.link(&jit);
</span><del>-                    jit.setupArguments<decltype(operationThrowStackOverflowForVarargs)>(jit.codeBlock()->globalObjectFor(node->origin.semantic));
</del><ins>+                    jit.setupArguments<decltype(operationThrowStackOverflowForVarargs)>(jit.codeBlock()->globalObjectFor(semanticNodeOrigin));
</ins><span class="cx">                     jit.prepareCallOperation(jit.vm());
</span><span class="cx">                     callWithExceptionCheck(bitwise_cast<void(*)()>(operationThrowStackOverflowForVarargs));
</span><span class="cx">                     jit.abortWithReason(DFGVarargsThrowingPathDidNotThrow);
</span><span class="lines">@@ -10663,7 +10739,7 @@
</span><span class="cx">                     done.link(&jit);
</span><span class="cx">                 } else {
</span><span class="cx">                     jit.move(CCallHelpers::TrustedImm32(originalStackHeight / sizeof(EncodedJSValue)), scratchGPR1);
</span><del>-                    jit.setupArguments<decltype(operationSizeFrameForVarargs)>(jit.codeBlock()->globalObjectFor(node->origin.semantic), argumentsGPR, scratchGPR1, CCallHelpers::TrustedImm32(data->firstVarArgOffset));
</del><ins>+                    jit.setupArguments<decltype(operationSizeFrameForVarargs)>(jit.codeBlock()->globalObjectFor(semanticNodeOrigin), argumentsGPR, scratchGPR1, CCallHelpers::TrustedImm32(data->firstVarArgOffset));
</ins><span class="cx">                     jit.prepareCallOperation(jit.vm());
</span><span class="cx">                     callWithExceptionCheck(bitwise_cast<void(*)()>(operationSizeFrameForVarargs));
</span><span class="cx"> 
</span><span class="lines">@@ -10672,7 +10748,7 @@
</span><span class="cx">                     argumentsLateRep.emitRestore(jit, argumentsGPR);
</span><span class="cx">                     emitSetVarargsFrame(jit, scratchGPR1, false, scratchGPR2, scratchGPR2);
</span><span class="cx">                     jit.addPtr(CCallHelpers::TrustedImm32(-minimumJSCallAreaSize), scratchGPR2, CCallHelpers::stackPointerRegister);
</span><del>-                    jit.setupArguments<decltype(operationSetupVarargsFrame)>(jit.codeBlock()->globalObjectFor(node->origin.semantic), scratchGPR2, argumentsGPR, CCallHelpers::TrustedImm32(data->firstVarArgOffset), scratchGPR1);
</del><ins>+                    jit.setupArguments<decltype(operationSetupVarargsFrame)>(jit.codeBlock()->globalObjectFor(semanticNodeOrigin), scratchGPR2, argumentsGPR, CCallHelpers::TrustedImm32(data->firstVarArgOffset), scratchGPR1);
</ins><span class="cx">                     jit.prepareCallOperation(jit.vm());
</span><span class="cx">                     callWithExceptionCheck(bitwise_cast<void(*)()>(operationSetupVarargsFrame));
</span><span class="cx">                     
</span><span class="lines">@@ -10689,9 +10765,9 @@
</span><span class="cx">                 jit.store64(thisGPR, CCallHelpers::calleeArgumentSlot(0));
</span><span class="cx">                 
</span><span class="cx">                 CallLinkInfo::CallType callType;
</span><del>-                if (node->op() == ConstructVarargs || node->op() == ConstructForwardVarargs)
</del><ins>+                if (nodeOp == ConstructVarargs || nodeOp == ConstructForwardVarargs)
</ins><span class="cx">                     callType = CallLinkInfo::ConstructVarargs;
</span><del>-                else if (node->op() == TailCallVarargs || node->op() == TailCallForwardVarargs)
</del><ins>+                else if (nodeOp == TailCallVarargs || nodeOp == TailCallForwardVarargs)
</ins><span class="cx">                     callType = CallLinkInfo::TailCallVarargs;
</span><span class="cx">                 else
</span><span class="cx">                     callType = CallLinkInfo::CallVarargs;
</span><span class="lines">@@ -10717,7 +10793,7 @@
</span><span class="cx"> 
</span><span class="cx">                 if (isTailCall)
</span><span class="cx">                     jit.emitRestoreCalleeSaves();
</span><del>-                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(node->origin.semantic)), GPRInfo::regT3);
</del><ins>+                jit.move(CCallHelpers::TrustedImmPtr(jit.codeBlock()->globalObjectFor(semanticNodeOrigin)), GPRInfo::regT3);
</ins><span class="cx">                 callLinkInfo->emitSlowPath(*vm, jit);
</span><span class="cx">                 
</span><span class="cx">                 if (isTailCall)
</span><span class="lines">@@ -10791,6 +10867,8 @@
</span><span class="cx">         CodeOrigin codeOrigin = codeOriginDescriptionOfCallSite();
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         VM& vm = this->vm();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
+        auto ecmaMode = node->ecmaMode().value();
</ins><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
</span><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=, &vm] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="lines">@@ -10805,7 +10883,7 @@
</span><span class="cx">                     CCallHelpers::TrustedImm32(callSiteIndex.bits()),
</span><span class="cx">                     CCallHelpers::tagFor(VirtualRegister(CallFrameSlot::argumentCountIncludingThis)));
</span><span class="cx">                 
</span><del>-                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(node->origin.semantic);
</del><ins>+                CallLinkInfo* callLinkInfo = jit.codeBlock()->addCallLinkInfo(semanticNodeOrigin);
</ins><span class="cx">                 callLinkInfo->setUpCall(CallLinkInfo::Call, GPRInfo::regT0);
</span><span class="cx">                 
</span><span class="cx">                 jit.addPtr(CCallHelpers::TrustedImm32(-static_cast<ptrdiff_t>(sizeof(CallerFrameAndPC))), CCallHelpers::stackPointerRegister, GPRInfo::regT1);
</span><span class="lines">@@ -10817,7 +10895,7 @@
</span><span class="cx">                 unsigned requiredBytes = sizeof(CallerFrameAndPC) + sizeof(CallFrame*) * 2;
</span><span class="cx">                 requiredBytes = WTF::roundUpToMultipleOf(stackAlignmentBytes(), requiredBytes);
</span><span class="cx">                 jit.subPtr(CCallHelpers::TrustedImm32(requiredBytes), CCallHelpers::stackPointerRegister);
</span><del>-                jit.move(CCallHelpers::TrustedImm32(node->ecmaMode().value()), GPRInfo::regT2);
</del><ins>+                jit.move(CCallHelpers::TrustedImm32(ecmaMode), GPRInfo::regT2);
</ins><span class="cx">                 jit.setupArguments<decltype(operationCallEval)>(globalObject, GPRInfo::regT1, GPRInfo::regT2);
</span><span class="cx">                 jit.prepareCallOperation(vm);
</span><span class="cx">                 jit.move(CCallHelpers::TrustedImmPtr(tagCFunction<OperationPtrTag>(operationCallEval)), GPRInfo::nonPreservedNonArgumentGPR0);
</span><span class="lines">@@ -12368,11 +12446,12 @@
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         Node* node = m_node;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><del>-                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                CallSiteIndex callSiteIndex = state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(semanticNodeOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="lines">@@ -12391,12 +12470,12 @@
</span><span class="cx">                 const auto generator = [&] {
</span><span class="cx">                     if constexpr (kind == InByKind::ById) {
</span><span class="cx">                         return Box<JITInByIdGenerator>::create(
</span><del>-                            jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                            jit.codeBlock(), JITType::FTLJIT, semanticNodeOrigin, callSiteIndex,
</ins><span class="cx">                             params.unavailableRegisters(), subscriptValue, base,
</span><span class="cx">                             JSValueRegs(returnGPR), stubInfoGPR);
</span><span class="cx">                     } else {
</span><span class="cx">                         return Box<JITInByValGenerator>::create(
</span><del>-                            jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                            jit.codeBlock(), JITType::FTLJIT, semanticNodeOrigin, callSiteIndex,
</ins><span class="cx">                             params.unavailableRegisters(), base, subscript,
</span><span class="cx">                             JSValueRegs(returnGPR), stubInfoGPR);
</span><span class="cx">                     }
</span><span class="lines">@@ -12424,15 +12503,15 @@
</span><span class="cx">                                 jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                                 generator->stubInfo()->m_slowOperation = operationInByIdOptimize;
</span><span class="cx">                                 slowPathCall = callOperation(
</span><del>-                                    *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                    *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                     exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), returnGPR,
</span><del>-                                    jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                    jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                     stubInfoGPR, base, subscript).call();
</span><span class="cx">                             } else {
</span><span class="cx">                                 slowPathCall = callOperation(
</span><del>-                                    *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                    *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                     exceptions.get(), operationInByIdOptimize, returnGPR,
</span><del>-                                    jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                    jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                     CCallHelpers::TrustedImmPtr(generator->stubInfo()), base, subscript).call();
</span><span class="cx">                             }
</span><span class="cx">                         } else {
</span><span class="lines">@@ -12440,16 +12519,16 @@
</span><span class="cx">                                 jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                                 generator->stubInfo()->m_slowOperation = operationInByValOptimize;
</span><span class="cx">                                 slowPathCall = callOperation(
</span><del>-                                    *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                    *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                     exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), returnGPR,
</span><del>-                                    jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                    jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                     stubInfoGPR,
</span><span class="cx">                                     CCallHelpers::TrustedImmPtr(nullptr), base, subscript).call();
</span><span class="cx">                             } else {
</span><span class="cx">                                 slowPathCall = callOperation(
</span><del>-                                    *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                    *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                     exceptions.get(), operationInByValOptimize, returnGPR,
</span><del>-                                    jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                    jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                     CCallHelpers::TrustedImmPtr(generator->stubInfo()),
</span><span class="cx">                                     CCallHelpers::TrustedImmPtr(nullptr), base, subscript).call();
</span><span class="cx">                             }
</span><span class="lines">@@ -12677,6 +12756,7 @@
</span><span class="cx">         RefPtr<PatchpointExceptionHandle> exceptionHandle =
</span><span class="cx">             preparePatchpointForExceptions(patchpoint);
</span><span class="cx"> 
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -12701,7 +12781,7 @@
</span><span class="cx">                     slowCases.append(jit.branchIfNotCell(prototypeGPR));
</span><span class="cx">                 
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><del>-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(semanticNodeOrigin);
</ins><span class="cx">                 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions =
</span><span class="lines">@@ -12708,7 +12788,7 @@
</span><span class="cx">                     exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="cx">                 
</span><span class="cx">                 auto generator = Box<JITInstanceOfGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, semanticNodeOrigin, callSiteIndex,
</ins><span class="cx">                     params.unavailableRegisters(), resultGPR, valueGPR, prototypeGPR, stubInfoGPR, scratchGPR,
</span><span class="cx">                     scratch2GPR, prototypeIsObject);
</span><span class="cx">                 generator->generateFastPath(jit);
</span><span class="lines">@@ -12729,16 +12809,16 @@
</span><span class="cx">                             jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                             generator->stubInfo()->m_slowOperation = optimizationFunction;
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), resultGPR,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 stubInfoGPR, valueGPR,
</span><span class="cx">                                 prototypeGPR).call();
</span><span class="cx">                         } else {
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), optimizationFunction, resultGPR,
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 CCallHelpers::TrustedImmPtr(generator->stubInfo()), valueGPR,
</span><span class="cx">                                 prototypeGPR).call();
</span><span class="cx">                         }
</span><span class="lines">@@ -14198,12 +14278,13 @@
</span><span class="cx">             preparePatchpointForExceptions(patchpoint);
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><del>-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(semanticNodeOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions =
</span><span class="lines">@@ -14217,7 +14298,7 @@
</span><span class="cx">                 GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">                 auto generator = Box<JITGetByIdGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, semanticNodeOrigin, callSiteIndex,
</ins><span class="cx">                     params.unavailableRegisters(), identifier, JSValueRegs(params[1].gpr()),
</span><span class="cx">                     JSValueRegs(params[0].gpr()), stubInfoGPR, type);
</span><span class="cx"> 
</span><span class="lines">@@ -14237,16 +14318,16 @@
</span><span class="cx">                             jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                             generator->stubInfo()->m_slowOperation = optimizationFunction;
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), params[0].gpr(),
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 stubInfoGPR, params[1].gpr(),
</span><span class="cx">                                 CCallHelpers::TrustedImmPtr(identifier.rawBits())).call();
</span><span class="cx">                         } else {
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), optimizationFunction, params[0].gpr(),
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
</span><span class="cx">                                 CCallHelpers::TrustedImmPtr(identifier.rawBits())).call();
</span><span class="cx">                         }
</span><span class="lines">@@ -14281,12 +14362,13 @@
</span><span class="cx">             preparePatchpointForExceptions(patchpoint);
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="cx"> 
</span><span class="cx">                 CallSiteIndex callSiteIndex =
</span><del>-                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(node->origin.semantic);
</del><ins>+                    state->jitCode->common.codeOrigins->addUniqueCallSiteIndex(semanticNodeOrigin);
</ins><span class="cx"> 
</span><span class="cx">                 // This is the direct exit target for operation calls.
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions =
</span><span class="lines">@@ -14300,7 +14382,7 @@
</span><span class="cx">                 GPRReg stubInfoGPR = JITCode::useDataIC(JITType::FTLJIT) ? params.gpScratch(0) : InvalidGPRReg;
</span><span class="cx"> 
</span><span class="cx">                 auto generator = Box<JITGetByIdWithThisGenerator>::create(
</span><del>-                    jit.codeBlock(), JITType::FTLJIT, node->origin.semantic, callSiteIndex,
</del><ins>+                    jit.codeBlock(), JITType::FTLJIT, semanticNodeOrigin, callSiteIndex,
</ins><span class="cx">                     params.unavailableRegisters(), identifier, JSValueRegs(params[0].gpr()),
</span><span class="cx">                     JSValueRegs(params[1].gpr()), JSValueRegs(params[2].gpr()), stubInfoGPR);
</span><span class="cx"> 
</span><span class="lines">@@ -14320,16 +14402,16 @@
</span><span class="cx">                             jit.move(CCallHelpers::TrustedImmPtr(generator->stubInfo()), stubInfoGPR);
</span><span class="cx">                             generator->stubInfo()->m_slowOperation = optimizationFunction;
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), CCallHelpers::Address(stubInfoGPR, StructureStubInfo::offsetOfSlowOperation()), params[0].gpr(),
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 stubInfoGPR, params[1].gpr(),
</span><span class="cx">                                 params[2].gpr(), CCallHelpers::TrustedImmPtr(identifier.rawBits())).call();
</span><span class="cx">                         } else {
</span><span class="cx">                             slowPathCall = callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), optimizationFunction, params[0].gpr(),
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
</span><span class="cx">                                 params[2].gpr(), CCallHelpers::TrustedImmPtr(identifier.rawBits())).call();
</span><span class="cx">                         }
</span><span class="lines">@@ -14725,6 +14807,7 @@
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         Node* node = m_node;
</span><span class="cx">         NodeType op = m_node->op();
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         JSValue child1Constant = m_state.forNode(m_node->child1()).value();
</span><span class="cx"> 
</span><span class="cx">         auto nodeIndex = m_nodeIndexInGraph;
</span><span class="lines">@@ -14746,7 +14829,7 @@
</span><span class="cx"> 
</span><span class="cx">                 RefPtr<OSRExitHandle> handle = exitDescriptor->emitOSRExitLater(*state, BadType, origin, params, nodeIndex, osrExitArgumentOffset);
</span><span class="cx"> 
</span><del>-                SnippetParams domJITParams(*state, params, node, nullptr, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));
</del><ins>+                SnippetParams domJITParams(*state, params, semanticNodeOrigin, nullptr, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));
</ins><span class="cx">                 CCallHelpers::JumpList failureCases = domJIT->generator()->run(jit, domJITParams);
</span><span class="cx">                 CCallHelpers::JumpList notJSCastFailureCases;
</span><span class="cx">                 if (op == CheckNotJSCast) {
</span><span class="lines">@@ -14866,6 +14949,7 @@
</span><span class="cx"> 
</span><span class="cx">         State* state = &m_ftlState;
</span><span class="cx">         Node* node = m_node;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -14887,7 +14971,7 @@
</span><span class="cx"> 
</span><span class="cx">                 Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
</span><span class="cx"> 
</span><del>-                SnippetParams domJITParams(*state, params, node, exceptions, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));
</del><ins>+                SnippetParams domJITParams(*state, params, semanticNodeOrigin, exceptions, WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch));
</ins><span class="cx">                 domJIT->generator()->run(jit, domJITParams);
</span><span class="cx">             });
</span><span class="cx">         patchpoint->effects = Effects::forCall();
</span><span class="lines">@@ -15644,6 +15728,7 @@
</span><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx">         patchpoint->resultConstraints = { ValueRep::SomeEarlyRegister };
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -15669,16 +15754,16 @@
</span><span class="cx">                             
</span><span class="cx">                             generator->slowPathJumpList().link(&jit);
</span><span class="cx">                             callOperation(
</span><del>-                                *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                                *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                                 exceptions.get(), slowPathFunction, params[0].gpr(),
</span><del>-                                jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                                jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                                 params[1].gpr(), params[2].gpr());
</span><span class="cx">                             jit.jump().linkTo(done, &jit);
</span><span class="cx">                         });
</span><span class="cx">                 } else {
</span><span class="cx">                     callOperation(
</span><del>-                        *state, params.unavailableRegisters(), jit, node->origin.semantic,
-                        exceptions.get(), slowPathFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(node->origin.semantic), params[1].gpr(),
</del><ins>+                        *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
+                        exceptions.get(), slowPathFunction, params[0].gpr(), jit.codeBlock()->globalObjectFor(semanticNodeOrigin), params[1].gpr(),
</ins><span class="cx">                         params[2].gpr());
</span><span class="cx">                 }
</span><span class="cx">             });
</span><span class="lines">@@ -15711,6 +15796,7 @@
</span><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx">         patchpoint->resultConstraints = { ValueRep::SomeEarlyRegister };
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -15732,9 +15818,9 @@
</span><span class="cx">                             
</span><span class="cx">                         generator->slowPathJumpList().link(&jit);
</span><span class="cx">                         callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                             exceptions.get(), slowPathFunction, params[0].gpr(),
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                             params[1].gpr(), params[2].gpr());
</span><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="cx">                     });
</span><span class="lines">@@ -15768,6 +15854,7 @@
</span><span class="cx">         patchpoint->clobber(RegisterSet::macroScratchRegisters());
</span><span class="cx">         patchpoint->resultConstraints = { ValueRep::SomeEarlyRegister };
</span><span class="cx">         State* state = &m_ftlState;
</span><ins>+        CodeOrigin semanticNodeOrigin = node->origin.semantic;
</ins><span class="cx">         patchpoint->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -15795,9 +15882,9 @@
</span><span class="cx">                             ? operationValueBitRShift : operationValueBitURShift;
</span><span class="cx">                         
</span><span class="cx">                         callOperation(
</span><del>-                            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+                            *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">                             exceptions.get(), slowPathFunction, params[0].gpr(),
</span><del>-                            jit.codeBlock()->globalObjectFor(node->origin.semantic),
</del><ins>+                            jit.codeBlock()->globalObjectFor(semanticNodeOrigin),
</ins><span class="cx">                             params[1].gpr(), params[2].gpr());
</span><span class="cx">                         jit.jump().linkTo(done, &jit);
</span><span class="cx">                     });
</span><span class="lines">@@ -20140,6 +20227,7 @@
</span><span class="cx">         BlockIndex blockIndex = block->index;
</span><span class="cx">         unsigned nodeIndex = node ? node->index() : UINT_MAX;
</span><span class="cx"> #if !ASSERT_ENABLED
</span><ins>+        auto nodeOp = node ? node->op() : LastNodeType;
</ins><span class="cx">         m_out.patchpoint(Void)->setGenerator(
</span><span class="cx">             [=] (CCallHelpers& jit, const StackmapGenerationParams&) {
</span><span class="cx">                 AllowMacroScratchRegisterUsage allowScratch(jit);
</span><span class="lines">@@ -20147,7 +20235,7 @@
</span><span class="cx">                 jit.move(CCallHelpers::TrustedImm32(blockIndex), GPRInfo::regT0);
</span><span class="cx">                 jit.move(CCallHelpers::TrustedImm32(nodeIndex), GPRInfo::regT1);
</span><span class="cx">                 if (node)
</span><del>-                    jit.move(CCallHelpers::TrustedImm32(node->op()), GPRInfo::regT2);
</del><ins>+                    jit.move(CCallHelpers::TrustedImm32(nodeOp), GPRInfo::regT2);
</ins><span class="cx">                 jit.abortWithReason(FTLCrash);
</span><span class="cx">             });
</span><span class="cx"> #else // ASSERT_ENABLED
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLSnippetParamscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.cpp (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.cpp     2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.cpp        2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -34,7 +34,7 @@
</span><span class="cx"> namespace JSC { namespace FTL {
</span><span class="cx"> 
</span><span class="cx"> template<typename OperationType, typename ResultType, typename Arguments, size_t... ArgumentsIndex>
</span><del>-static void dispatch(CCallHelpers& jit, FTL::State* state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, CCallHelpers::JumpList from, OperationType operation, ResultType result, Arguments arguments, std::index_sequence<ArgumentsIndex...>)
</del><ins>+static void dispatch(CCallHelpers& jit, FTL::State* state, const B3::StackmapGenerationParams& params, CodeOrigin semanticNodeOrigin, Box<CCallHelpers::JumpList> exceptions, CCallHelpers::JumpList from, OperationType operation, ResultType result, Arguments arguments, std::index_sequence<ArgumentsIndex...>)
</ins><span class="cx"> {
</span><span class="cx">     CCallHelpers::Label done = jit.label();
</span><span class="cx">     params.addLatePath([=] (CCallHelpers& jit) {
</span><span class="lines">@@ -42,7 +42,7 @@
</span><span class="cx"> 
</span><span class="cx">         from.link(&jit);
</span><span class="cx">         callOperation(
</span><del>-            *state, params.unavailableRegisters(), jit, node->origin.semantic,
</del><ins>+            *state, params.unavailableRegisters(), jit, semanticNodeOrigin,
</ins><span class="cx">             exceptions.get(), operation, extractResult(result), std::get<ArgumentsIndex>(arguments)...);
</span><span class="cx">         jit.jump().linkTo(done, &jit);
</span><span class="cx">     });
</span><span class="lines">@@ -51,7 +51,7 @@
</span><span class="cx"> #define JSC_DEFINE_CALL_OPERATIONS(OperationType, ResultType, ...) \
</span><span class="cx">     void SnippetParams::addSlowPathCallImpl(CCallHelpers::JumpList from, CCallHelpers& jit, OperationType operation, ResultType result, std::tuple<__VA_ARGS__> args) \
</span><span class="cx">     { \
</span><del>-        dispatch(jit, &m_state, m_params, m_node, m_exceptions, from, operation, result, args, std::make_index_sequence<std::tuple_size<decltype(args)>::value>()); \
</del><ins>+        dispatch(jit, &m_state, m_params, m_semanticNodeOrigin, m_exceptions, from, operation, result, args, std::make_index_sequence<std::tuple_size<decltype(args)>::value>()); \
</ins><span class="cx">     } \
</span><span class="cx"> 
</span><span class="cx"> SNIPPET_SLOW_PATH_CALLS(JSC_DEFINE_CALL_OPERATIONS)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLSnippetParamsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.h (278944 => 278945)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.h       2021-06-16 18:26:43 UTC (rev 278944)
+++ trunk/Source/JavaScriptCore/ftl/FTLSnippetParams.h  2021-06-16 18:34:23 UTC (rev 278945)
</span><span class="lines">@@ -38,11 +38,11 @@
</span><span class="cx"> 
</span><span class="cx"> class SnippetParams final : public JSC::SnippetParams {
</span><span class="cx"> public:
</span><del>-    SnippetParams(State& state, const B3::StackmapGenerationParams& params, DFG::Node* node, Box<CCallHelpers::JumpList> exceptions, Vector<Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
</del><ins>+    SnippetParams(State& state, const B3::StackmapGenerationParams& params, CodeOrigin semanticNodeOrigin, Box<CCallHelpers::JumpList> exceptions, Vector<Value>&& regs, Vector<GPRReg>&& gpScratch, Vector<FPRReg>&& fpScratch)
</ins><span class="cx">         : JSC::SnippetParams(state.vm(), WTFMove(regs), WTFMove(gpScratch), WTFMove(fpScratch))
</span><span class="cx">         , m_state(state)
</span><span class="cx">         , m_params(params)
</span><del>-        , m_node(node)
</del><ins>+        , m_semanticNodeOrigin(semanticNodeOrigin)
</ins><span class="cx">         , m_exceptions(exceptions)
</span><span class="cx">     {
</span><span class="cx">     }
</span><span class="lines">@@ -54,7 +54,7 @@
</span><span class="cx"> 
</span><span class="cx">     State& m_state;
</span><span class="cx">     const B3::StackmapGenerationParams& m_params;
</span><del>-    DFG::Node* m_node;
</del><ins>+    CodeOrigin m_semanticNodeOrigin;
</ins><span class="cx">     Box<CCallHelpers::JumpList> m_exceptions;
</span><span class="cx"> };
</span><span class="cx"> 
</span></span></pre>
</div>
</div>

</body>
</html>