fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 Jul 2013 03:59:41 +0000 (03:59 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 25 Jul 2013 03:59:41 +0000 (03:59 +0000)
commita10d5d0280a245e810c500660590cefc2c97cca0
tree90b85745dd37e6ac859e258d0b67ef25c7785423
parent84d0ec56818027d6e7505e50e0424e1ccd2a416a
fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

    Rationalized 'this' value conversion
    https://bugs.webkit.org/show_bug.cgi?id=115542

    This fixes a bunch of Sputnik tests, and some bad pointer access.

    The new model is that the callee always performs 'this' value conversion.

    My ultimate goal is to break up resolve_with_this into single-result
    opcodes. This step avoids having to add a special form of convert_this
    that distinguishes callers vs callees.

    Only the callee knows whether it uses 'this' and/or whether 'this'
    conversion should use StrictMode, so it's most natural to perform
    convert_this in the callee.

    * API/JSCallbackFunction.cpp:
    (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
    our callee, since it may observe 'this'.

    * API/JSCallbackObjectFunctions.h:
    (JSC::::call): Ditto.

    * API/JSContextRef.cpp:
    (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
    even when we're not in the browser. This eliminates some odd cases where
    API clients used to be able to get a direct reference to an environment
    record. Now, any reference to an environment record unambiguously means
    that the VM resolved that record in the scope chain.

    (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
    participates in the proxy 'this' object scheme, the behavior is not
    WebCore-only.

    * API/JSObjectRef.cpp:
    (JSObjectSetPrototype):
    (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
    caller; the callee will do it if needed.

    * JavaScriptCore.order: Order!

    * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
    * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
    What are the chances that this will work?

    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::dumpBytecode):
    (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
    other conversion opcodes.

    * bytecode/CodeOrigin.h:
    (CodeOrigin):
    (InlineCallFrame):
    (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
    executable, so compilation can discover where we're in strict mode.

    * bytecode/Opcode.h:
    (JSC::padOpcodeName): Updated for rename.

    * bytecompiler/BytecodeGenerator.cpp:
    (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
    'this' is in use -- strict mode still needs to convert environment
    records to 'undefined'.

    * dfg/DFGAbstractState.cpp:
    (JSC::DFG::AbstractState::executeEffects):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::parseBlock):
    * dfg/DFGCapabilities.h:
    (JSC::DFG::canCompileOpcode): Updated for renames.

    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
    strict mode (a new requirement) and to consider the global object (which
    was always a requirement).

    * dfg/DFGGraph.h:
    (JSC::DFG::Graph::globalThisObjectFor):
    (JSC::DFG::Graph::executableFor):
    * dfg/DFGNodeType.h:
    * dfg/DFGOperations.cpp:
    * dfg/DFGOperations.h:
    * dfg/DFGPredictionPropagationPhase.cpp:
    (JSC::DFG::PredictionPropagationPhase::propagate):
    * dfg/DFGSpeculativeJIT32_64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile): Ditto.

    * interpreter/Interpreter.cpp:
    (JSC::eval):
    (JSC::Interpreter::execute):
    (JSC::Interpreter::executeCall):
    * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
    to fix it up if needed.

    * jit/JIT.cpp:
    (JSC::JIT::privateCompileMainPass):
    (JSC::JIT::privateCompileSlowCases):
    * jit/JIT.h:
    (JIT):
    * jit/JITOpcodes.cpp:
    (JSC::JIT::emit_op_to_this):
    (JSC::JIT::emitSlow_op_to_this):
    * jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_to_this):
    (JSC::JIT::emitSlow_op_to_this):
    * jit/JITStubs.cpp:
    (JSC::DEFINE_STUB_FUNCTION):
    * jit/JITStubs.h: Removed special-case code for various kinds of
    conversions. The baseline fast path is now final objects only. It hurt
    my brain to think through how to keep the other fast paths working, and
    our benchmarks do not object.

    * llint/LLIntData.cpp:
    (JSC::LLInt::Data::performAssertions):
    * llint/LLIntSlowPaths.cpp:
    (JSC::LLInt::LLINT_SLOW_PATH_DECL):
    * llint/LLIntSlowPaths.h:
    (LLInt):
    * llint/LowLevelInterpreter.asm:
    * llint/LowLevelInterpreter32_64.asm:
    * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
    special case code, as in the JIT above.

    * profiler/ProfileGenerator.cpp:
    (JSC::ProfileGenerator::addParentForConsoleStart):
    * runtime/CallData.cpp:
    (JSC::call):
    * runtime/ClassInfo.h:
    (MethodTable):
    * runtime/Completion.cpp:
    (JSC::evaluate):
    * runtime/DatePrototype.cpp:
    (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
    the caller.

    * runtime/GetterSetter.cpp:
    (JSC::callGetter):
    (JSC::callSetter):
    * runtime/GetterSetter.h: Added helper functions for invoking getters
    and setters from C++ code, since this was duplicated in a bunch of
    places.

    * runtime/JSActivation.cpp:
    (JSC::JSActivation::toThis):
    * runtime/JSActivation.h:
    (JSActivation):
    * runtime/JSCJSValue.cpp:
    (JSC::JSValue::toThisSlowCase):
    (JSC::JSValue::putToPrimitive):
    * runtime/JSCJSValue.h:
    (JSValue):
    * runtime/JSCJSValueInlines.h:
    (JSC::JSValue::toThis):
    * runtime/JSCell.cpp:
    (JSC::JSCell::toThis):
    * runtime/JSCell.h:
    (JSCell):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::toThis):
    * runtime/JSGlobalObject.h:
    (JSGlobalObject): Filled out runtime support for converting 'this'
    values as needed, according to the appropriate strictness, using
    helper functions where getter/setter code was duplicated.

    * runtime/JSGlobalObjectFunctions.cpp:
    (JSC::globalFuncProtoGetter):
    (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
    observe 'this'.

    * runtime/JSNameScope.cpp:
    (JSC::JSNameScope::toThis):
    * runtime/JSNameScope.h:
    (JSNameScope): Same as JSActivation.

    * runtime/JSObject.cpp:
    (JSC::JSObject::put):
    (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
    'this' value conversion in this helper function. The __proto__
    setter does this for us, since it's the function that logically observes
    'this' -- and we can ASSERT so. Also, the previous code used
    "globalExec()->thisValue()", which is a read past the beginning of a
    buffer! I don't think this ever worked on purpose.

    (JSC::JSObject::toThis):
    (JSC::JSObject::fillGetterPropertySlot):
    * runtime/JSObject.h:
    (JSC::JSObject::inlineGetOwnPropertySlot):
    * runtime/JSScope.cpp:
    (JSC::JSScope::resolveWithThis):
    * runtime/JSString.cpp:
    (JSC::JSString::toThis):
    * runtime/JSString.h:
    (JSString):
    * runtime/PropertySlot.cpp:
    (JSC::PropertySlot::functionGetter):
    * runtime/PropertySlot.h:
    (JSC):
    (JSC::PropertySlot::setGetterSlot):
    (JSC::PropertySlot::setCacheableGetterSlot):
    * runtime/SparseArrayValueMap.cpp:
    (JSC::SparseArrayEntry::get):
    (JSC::SparseArrayEntry::put):
    * runtime/StrictEvalActivation.cpp:
    (JSC::StrictEvalActivation::toThis):
    * runtime/StrictEvalActivation.h:
    (StrictEvalActivation): Ditto.

Source/WebCore:

    Rationalized 'this' value conversion
    https://bugs.webkit.org/show_bug.cgi?id=115542

Source/WebKit/mac:

    Rationalized 'this' value conversion
    https://bugs.webkit.org/show_bug.cgi?id=115542

Source/WebKit2:

    Rationalized 'this' value conversion
    https://bugs.webkit.org/show_bug.cgi?id=115542

LayoutTests:

    Rationalized 'this' value conversion
    https://bugs.webkit.org/show_bug.cgi?id=115542

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
88 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/Object-defineProperty-expected.txt
LayoutTests/sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt
LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt
Source/JavaScriptCore/API/JSCallbackFunction.cpp
Source/JavaScriptCore/API/JSCallbackObjectFunctions.h
Source/JavaScriptCore/API/JSContextRef.cpp
Source/JavaScriptCore/API/JSObjectRef.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.order
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecode/CodeOrigin.h
Source/JavaScriptCore/bytecode/Opcode.h
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/dfg/DFGAbstractState.cpp
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGCapabilities.h
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGGraph.h
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/interpreter/Interpreter.cpp
Source/JavaScriptCore/interpreter/Interpreter.h
Source/JavaScriptCore/jit/JIT.cpp
Source/JavaScriptCore/jit/JIT.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/jit/JITStubs.cpp
Source/JavaScriptCore/jit/JITStubs.h
Source/JavaScriptCore/llint/LLIntData.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.h
Source/JavaScriptCore/llint/LowLevelInterpreter.asm
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/profiler/ProfileGenerator.cpp
Source/JavaScriptCore/runtime/CallData.cpp
Source/JavaScriptCore/runtime/ClassInfo.h
Source/JavaScriptCore/runtime/Completion.cpp
Source/JavaScriptCore/runtime/DatePrototype.cpp
Source/JavaScriptCore/runtime/GetterSetter.cpp
Source/JavaScriptCore/runtime/GetterSetter.h
Source/JavaScriptCore/runtime/JSActivation.cpp
Source/JavaScriptCore/runtime/JSActivation.h
Source/JavaScriptCore/runtime/JSCJSValue.cpp
Source/JavaScriptCore/runtime/JSCJSValue.h
Source/JavaScriptCore/runtime/JSCJSValueInlines.h
Source/JavaScriptCore/runtime/JSCell.cpp
Source/JavaScriptCore/runtime/JSCell.h
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
Source/JavaScriptCore/runtime/JSNameScope.cpp
Source/JavaScriptCore/runtime/JSNameScope.h
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSScope.cpp
Source/JavaScriptCore/runtime/JSString.cpp
Source/JavaScriptCore/runtime/JSString.h
Source/JavaScriptCore/runtime/PropertySlot.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
Source/JavaScriptCore/runtime/StrictEvalActivation.cpp
Source/JavaScriptCore/runtime/StrictEvalActivation.h
Source/WebCore/ChangeLog
Source/WebCore/WebCore.order
Source/WebCore/bindings/js/JSErrorHandler.cpp
Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp
Source/WebCore/bindings/js/JSMainThreadExecState.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bridge/NP_jsobject.cpp
Source/WebCore/html/HTMLPlugInImageElement.cpp
Source/WebKit/mac/ChangeLog
Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp