• oliver@apple.com's avatar
    fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes · e2fe4ceb
    oliver@apple.com authored
    Reviewed by Oliver Hunt.
    
    Source/JavaScriptCore:
    
        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542
    
        This fixes a bunch of Sputnik tests, and some bad pointer access.
    
        The new model is that the callee always performs 'this' value conversion.
    
        My ultimate goal is to break up resolve_with_this into single-result
        opcodes. This step avoids having to add a special form of convert_this
        that distinguishes callers vs callees.
    
        Only the callee knows whether it uses 'this' and/or whether 'this'
        conversion should use StrictMode, so it's most natural to perform
        convert_this in the callee.
    
        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
        our callee, since it may observe 'this'.
    
        * API/JSCallbackObjectFunctions.h:
        (JSC::::call): Ditto.
    
        * API/JSContextRef.cpp:
        (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
        even when we're not in the browser. This eliminates some odd cases where
        API clients used to be able to get a direct reference to an environment
        record. Now, any reference to an environment record unambiguously means
        that the VM resolved that record in the scope chain.
    
        (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
        participates in the proxy 'this' object scheme, the behavior is not
        WebCore-only.
    
        * API/JSObjectRef.cpp:
        (JSObjectSetPrototype):
        (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
        caller; the callee will do it if needed.
    
        * JavaScriptCore.order: Order!
    
        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
        What are the chances that this will work?
    
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
        other conversion opcodes.
    
        * bytecode/CodeOrigin.h:
        (CodeOrigin):
        (InlineCallFrame):
        (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
        executable, so compilation can discover where we're in strict mode.
    
        * bytecode/Opcode.h:
        (JSC::padOpcodeName): Updated for rename.
    
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
        'this' is in use -- strict mode still needs to convert environment
        records to 'undefined'.
    
        * dfg/DFGAbstractState.cpp:
        (JSC::DFG::AbstractState::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.h:
        (JSC::DFG::canCompileOpcode): Updated for renames.
    
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
        strict mode (a new requirement) and to consider the global object (which
        was always a requirement).
    
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::globalThisObjectFor):
        (JSC::DFG::Graph::executableFor):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        (JSC::DFG::PredictionPropagationPhase::propagate):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile): Ditto.
    
        * interpreter/Interpreter.cpp:
        (JSC::eval):
        (JSC::Interpreter::execute):
        (JSC::Interpreter::executeCall):
        * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
        to fix it up if needed.
    
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        (JIT):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_to_this):
        (JSC::JIT::emitSlow_op_to_this):
        * jit/JITStubs.cpp:
        (JSC::DEFINE_STUB_FUNCTION):
        * jit/JITStubs.h: Removed special-case code for various kinds of
        conversions. The baseline fast path is now final objects only. It hurt
        my brain to think through how to keep the other fast paths working, and
        our benchmarks do not object.
    
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        (LLInt):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
        special case code, as in the JIT above.
    
        * profiler/ProfileGenerator.cpp:
        (JSC::ProfileGenerator::addParentForConsoleStart):
        * runtime/CallData.cpp:
        (JSC::call):
        * runtime/ClassInfo.h:
        (MethodTable):
        * runtime/Completion.cpp:
        (JSC::evaluate):
        * runtime/DatePrototype.cpp:
        (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
        the caller.
    
        * runtime/GetterSetter.cpp:
        (JSC::callGetter):
        (JSC::callSetter):
        * runtime/GetterSetter.h: Added helper functions for invoking getters
        and setters from C++ code, since this was duplicated in a bunch of
        places.
    
        * runtime/JSActivation.cpp:
        (JSC::JSActivation::toThis):
        * runtime/JSActivation.h:
        (JSActivation):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toThisSlowCase):
        (JSC::JSValue::putToPrimitive):
        * runtime/JSCJSValue.h:
        (JSValue):
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::toThis):
        * runtime/JSCell.cpp:
        (JSC::JSCell::toThis):
        * runtime/JSCell.h:
        (JSCell):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::toThis):
        * runtime/JSGlobalObject.h:
        (JSGlobalObject): Filled out runtime support for converting 'this'
        values as needed, according to the appropriate strictness, using
        helper functions where getter/setter code was duplicated.
    
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncProtoGetter):
        (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
        observe 'this'.
    
        * runtime/JSNameScope.cpp:
        (JSC::JSNameScope::toThis):
        * runtime/JSNameScope.h:
        (JSNameScope): Same as JSActivation.
    
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
        'this' value conversion in this helper function. The __proto__
        setter does this for us, since it's the function that logically observes
        'this' -- and we can ASSERT so. Also, the previous code used
        "globalExec()->thisValue()", which is a read past the beginning of a
        buffer! I don't think this ever worked on purpose.
    
        (JSC::JSObject::toThis):
        (JSC::JSObject::fillGetterPropertySlot):
        * runtime/JSObject.h:
        (JSC::JSObject::inlineGetOwnPropertySlot):
        * runtime/JSScope.cpp:
        (JSC::JSScope::resolveWithThis):
        * runtime/JSString.cpp:
        (JSC::JSString::toThis):
        * runtime/JSString.h:
        (JSString):
        * runtime/PropertySlot.cpp:
        (JSC::PropertySlot::functionGetter):
        * runtime/PropertySlot.h:
        (JSC):
        (JSC::PropertySlot::setGetterSlot):
        (JSC::PropertySlot::setCacheableGetterSlot):
        * runtime/SparseArrayValueMap.cpp:
        (JSC::SparseArrayEntry::get):
        (JSC::SparseArrayEntry::put):
        * runtime/StrictEvalActivation.cpp:
        (JSC::StrictEvalActivation::toThis):
        * runtime/StrictEvalActivation.h:
        (StrictEvalActivation): Ditto.
    
    Source/WebCore:
    
        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542
    
    Source/WebKit/mac:
    
        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542
    
    Source/WebKit2:
    
        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542
    
    LayoutTests:
    
        Rationalized 'this' value conversion
        https://bugs.webkit.org/show_bug.cgi?id=115542
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153145 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    e2fe4ceb