Getter and setter on super are called with wrong "this" object
https://bugs.webkit.org/show_bug.cgi?id=147064
<rdar://problem/21885916>
Reviewed by Filip Pizlo.
This patch implements calls to 'super' getters and setters.
The problem before is we were passing the 'super' (i.e, the prototype
object) as the this value to these getters/setters, which is wrong.
We should be passing the caller's this value.
To implement this behavior, I've introduced four new opcodes and their corresponding DFG nodes:
- op_get_by_id_with_this | GetByIdWithThis
- op_put_by_id_with_this | PutByIdWithThis
- op_get_by_val_with_this | GetByValWithThis
- op_put_by_val_with_this | PutByValWithThis
These are implemented with no optimizations. The future plan is
to unite them with the *by_id and *by_val opcodes and nodes:
https://bugs.webkit.org/show_bug.cgi?id=157215
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitGetById):
(JSC::BytecodeGenerator::emitPutById):
(JSC::BytecodeGenerator::emitDirectPutById):
(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::emitPutByVal):
(JSC::BytecodeGenerator::emitDirectPutByVal):
(JSC::BytecodeGenerator::emitLoadDerivedConstructorFromArrowFunctionLexicalEnvironment):
(JSC::BytecodeGenerator::ensureThis):
(JSC::BytecodeGenerator::isThisUsedInInnerArrowFunction):
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::ThisNode::emitBytecode):
(JSC::emitHomeObjectForCallee):
(JSC::emitSuperBaseForCallee):
(JSC::emitGetSuperFunctionForConstruct):
(JSC::SuperNode::emitBytecode):
(JSC::NewTargetNode::emitBytecode):
(JSC::TaggedTemplateNode::emitBytecode):
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::FunctionCallValueNode::emitBytecode):
(JSC::FunctionCallBracketNode::emitBytecode):
(JSC::FunctionCallDotNode::emitBytecode):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::PostfixNode::emitBracket):
(JSC::PostfixNode::emitDot):
(JSC::PrefixNode::emitBracket):
(JSC::PrefixNode::emitDot):
(JSC::AssignDotNode::emitBytecode):
(JSC::ReadModifyDotNode::emitBytecode):
(JSC::AssignBracketNode::emitBytecode):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ForInNode::emitLoopHeader):
(JSC::ForOfNode::emitBytecode):
(JSC::AssignmentElementNode::bindValue):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::hasIdentifier):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
(JSC::DFG::newTypedArrayWithSize):
(JSC::DFG::putWithThis):
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileGetById):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByValWithThis):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByIdWithThis):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByValWithThis):
(JSC::FTL::DFG::LowerDFGToB3::compilePutById):
* jit/CCallHelpers.cpp:
(JSC::CCallHelpers::setupShadowChickenPacket):
(JSC::CCallHelpers::setupFourStubArgsGPR):
* jit/CCallHelpers.h:
(JSC::CCallHelpers::setupArgumentsWithExecState):
(JSC::CCallHelpers::setupThreeStubArgsGPR):
(JSC::CCallHelpers::setupTwoStubArgsFPR):
(JSC::CCallHelpers::setupStubArguments134):
* jit/GPRInfo.h:
(JSC::argumentRegisterFor): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JIT.h:
* jit/JITOperations.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):
(JSC::JIT::emit_op_put_by_val_with_this):
(JSC::JIT::emitGenericContiguousPutByVal):
(JSC::JIT::emit_op_get_by_id):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emit_op_get_by_val_with_this):
(JSC::JIT::emitSlow_op_get_by_id):
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emit_op_put_by_id_with_this):
(JSC::JIT::emitSlow_op_put_by_id):
* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_to_arguments):
(JSC::JIT::emit_op_get_by_id_with_this):
(JSC::JIT::emit_op_get_by_val_with_this):
(JSC::JIT::emit_op_put_by_id_with_this):
(JSC::JIT::emit_op_put_by_val_with_this):
* llint/LowLevelInterpreter.asm:
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
* runtime/CommonSlowPaths.h:
* tests/stress/super-property-access-exceptions.js: Added.
(assert):
(test):
(test.fooProp):
(test.A.prototype.get foo):
(test.A.prototype.get x):
(test.A):
(test.B):
(test.B.prototype.bar):
(test.B.prototype.baz):
(test.foo):
(test.func):
(test.A.prototype.set foo):
* tests/stress/super-property-access-tdz.js: Added.
(assert):
(test):
(shouldThrowTDZ):
(test.A.prototype.get foo):
(test.A.prototype.set foo):
(test.A):
(test.fooProp):
(test.B):
(test.C):
(test.D):
(test.E):
(test.F):
* tests/stress/super-property-access.js: Added.
(assert):
(test):
(func):
(test.A):
(test.A.prototype.set value):
(test.A.prototype.get value):
(test.B.prototype.set value):
(test.B.prototype.get value):
(test.B):
(test.value):
(test.A.prototype.get func):
(test.B.prototype.inc):
(test.B.prototype.dec):
(test.B.prototype.preInc):
(test.B.prototype.preDec):
(test.B.prototype.plusEq):
(test.B.prototype.minusEq):
(test.B.prototype.timesEq):
(test.B.prototype.divEq):
(test.B.prototype.funcDot):
(test.B.prototype.funcBracket):
(test.foo):
(test.B.prototype.baz):
(test.B.prototype.jaz):
(test.B.prototype.bar):
(test.B.prototype.index):
(test.):
(test.prototype.bar):
(test.A.prototype.set foo):
(test.A.prototype.get array):
(test.A.prototype.get foo):
(test.obj):
(test.A.prototype.get call):
(test.A.prototype.get apply):
(test.B.prototype.foo):
(test.A.prototype.get i):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200586 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 6c1eb96..09091ec 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -2179,6 +2179,12 @@
forNode(node).makeHeapTop();
break;
}
+
+ case GetByValWithThis:
+ case GetByIdWithThis:
+ clobberWorld(node->origin.semantic, clobberLimit);
+ forNode(node).makeHeapTop();
+ break;
case GetArrayLength: {
JSArrayBufferView* view = m_graph.tryGetFoldableView(
@@ -2678,6 +2684,11 @@
break;
}
+ case PutByValWithThis:
+ case PutByIdWithThis:
+ clobberWorld(node->origin.semantic, clobberLimit);
+ break;
+
case PutGetterById:
case PutSetterById:
case PutGetterSetterById:
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index c21afa1..0b41c06 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -4029,6 +4029,16 @@
NEXT_OPCODE(op_get_by_val);
}
+ case op_get_by_val_with_this: {
+ Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* thisValue = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* property = get(VirtualRegister(currentInstruction[4].u.operand));
+ Node* getByValWithThis = addToGraph(GetByValWithThis, base, thisValue, property);
+ set(VirtualRegister(currentInstruction[1].u.operand), getByValWithThis);
+
+ NEXT_OPCODE(op_get_by_val_with_this);
+ }
+
case op_put_by_val_direct:
case op_put_by_val: {
Node* base = get(VirtualRegister(currentInstruction[1].u.operand));
@@ -4070,6 +4080,21 @@
NEXT_OPCODE(op_put_by_val);
}
+ case op_put_by_val_with_this: {
+ Node* base = get(VirtualRegister(currentInstruction[1].u.operand));
+ Node* thisValue = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* value = get(VirtualRegister(currentInstruction[4].u.operand));
+
+ addVarArgChild(base);
+ addVarArgChild(thisValue);
+ addVarArgChild(property);
+ addVarArgChild(value);
+ addToGraph(Node::VarArg, PutByValWithThis, OpInfo(0), OpInfo(0));
+
+ NEXT_OPCODE(op_put_by_val_with_this);
+ }
+
case op_try_get_by_id: {
Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
@@ -4103,6 +4128,16 @@
NEXT_OPCODE(op_get_by_id);
}
+ case op_get_by_id_with_this: {
+ Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* thisValue = get(VirtualRegister(currentInstruction[3].u.operand));
+ unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[4].u.operand];
+
+ set(VirtualRegister(currentInstruction[1].u.operand),
+ addToGraph(GetByIdWithThis, OpInfo(identifierNumber), base, thisValue));
+
+ NEXT_OPCODE(op_get_by_id_with_this);
+ }
case op_put_by_id: {
Node* value = get(VirtualRegister(currentInstruction[3].u.operand));
Node* base = get(VirtualRegister(currentInstruction[1].u.operand));
@@ -4118,6 +4153,16 @@
NEXT_OPCODE(op_put_by_id);
}
+ case op_put_by_id_with_this: {
+ Node* base = get(VirtualRegister(currentInstruction[1].u.operand));
+ Node* thisValue = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* value = get(VirtualRegister(currentInstruction[4].u.operand));
+ unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
+
+ addToGraph(PutByIdWithThis, OpInfo(identifierNumber), base, thisValue, value);
+ NEXT_OPCODE(op_put_by_id_with_this);
+ }
+
case op_put_getter_by_id:
case op_put_setter_by_id: {
Node* base = get(VirtualRegister(currentInstruction[1].u.operand));
diff --git a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
index 198f1a8..cc2d474 100644
--- a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
@@ -156,8 +156,12 @@
case op_put_by_val_direct:
case op_try_get_by_id:
case op_get_by_id:
+ case op_get_by_id_with_this:
+ case op_get_by_val_with_this:
case op_get_array_length:
case op_put_by_id:
+ case op_put_by_id_with_this:
+ case op_put_by_val_with_this:
case op_put_getter_by_id:
case op_put_setter_by_id:
case op_put_getter_setter_by_id:
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
index 387a61d..f637549 100644
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -439,7 +439,11 @@
case GetById:
case GetByIdFlush:
+ case GetByIdWithThis:
+ case GetByValWithThis:
case PutById:
+ case PutByIdWithThis:
+ case PutByValWithThis:
case PutByIdFlush:
case PutByIdDirect:
case PutGetterById:
diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
index 997de3b..6cf0d0b 100644
--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -99,8 +99,11 @@
case TryGetById:
case GetById:
case GetByIdFlush:
+ case GetByIdWithThis:
case PutById:
case PutByIdFlush:
+ case PutByIdWithThis:
+ case PutByValWithThis:
case PutByIdDirect:
case PutGetterById:
case PutSetterById:
@@ -203,6 +206,7 @@
case GetGetter:
case GetSetter:
case GetByVal:
+ case GetByValWithThis:
case GetIndexedPropertyStorage:
case GetArrayLength:
case ArrayPush:
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index a766839..75ea3b9 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1147,7 +1147,7 @@
fixEdge<CellUse>(node->child1());
break;
}
-
+
case PutById:
case PutByIdFlush:
case PutByIdDirect: {
@@ -1575,6 +1575,12 @@
case ExitOK:
case BottomValue:
case TypeOf:
+ case GetByIdWithThis:
+ case PutByIdWithThis:
+ case PutByValWithThis:
+ case GetByValWithThis:
+ break;
+
break;
#else
default:
diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
index 4fb694c..98a7b18 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/Source/JavaScriptCore/dfg/DFGNode.h
@@ -862,9 +862,11 @@
case TryGetById:
case GetById:
case GetByIdFlush:
+ case GetByIdWithThis:
case PutById:
case PutByIdFlush:
case PutByIdDirect:
+ case PutByIdWithThis:
case PutGetterById:
case PutSetterById:
case PutGetterSetterById:
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index 1be6738..181c790 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -176,6 +176,7 @@
/* this must be the directly subsequent property put. Note that PutByVal */\
/* opcodes use VarArgs beause they may have up to 4 children. */\
macro(GetByVal, NodeResultJS | NodeMustGenerate) \
+ macro(GetByValWithThis, NodeResultJS | NodeMustGenerate) \
macro(GetMyArgumentByVal, NodeResultJS | NodeMustGenerate) \
macro(GetMyArgumentByValOutOfBounds, NodeResultJS | NodeMustGenerate) \
macro(LoadVarargs, NodeMustGenerate) \
@@ -186,9 +187,12 @@
macro(TryGetById, NodeResultJS) \
macro(GetById, NodeResultJS | NodeMustGenerate) \
macro(GetByIdFlush, NodeResultJS | NodeMustGenerate) \
+ macro(GetByIdWithThis, NodeResultJS | NodeMustGenerate) \
macro(PutById, NodeMustGenerate) \
macro(PutByIdFlush, NodeMustGenerate) \
macro(PutByIdDirect, NodeMustGenerate) \
+ macro(PutByIdWithThis, NodeMustGenerate) \
+ macro(PutByValWithThis, NodeMustGenerate | NodeHasVarArgs) \
macro(PutGetterById, NodeMustGenerate) \
macro(PutSetterById, NodeMustGenerate) \
macro(PutGetterSetterById, NodeMustGenerate) \
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index adb18bc..ce4c283 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -144,6 +144,16 @@
return bitwise_cast<char*>(ViewClass::create(exec, structure, size));
}
+template <bool strict>
+static ALWAYS_INLINE void putWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedValue, const Identifier& ident)
+{
+ JSValue baseValue = JSValue::decode(encodedBase);
+ JSValue thisVal = JSValue::decode(encodedThis);
+ JSValue putValue = JSValue::decode(encodedValue);
+ PutPropertySlot slot(thisVal, strict);
+ baseValue.putInline(exec, ident, putValue, slot);
+}
+
extern "C" {
EncodedJSValue JIT_OPERATION operationToThis(ExecState* exec, EncodedJSValue encodedOp)
@@ -773,6 +783,94 @@
return JSValue::encode(JSValue::decode(value).toPrimitive(exec));
}
+EncodedJSValue JIT_OPERATION operationGetByIdWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, UniquedStringImpl* impl)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ JSValue baseValue = JSValue::decode(encodedBase);
+ JSValue thisVal = JSValue::decode(encodedThis);
+ PropertySlot slot(thisVal, PropertySlot::PropertySlot::InternalMethodType::Get);
+ JSValue result = baseValue.get(exec, Identifier::fromUid(exec, impl), slot);
+ return JSValue::encode(result);
+}
+
+EncodedJSValue JIT_OPERATION operationGetByValWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedSubscript)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ JSValue baseValue = JSValue::decode(encodedBase);
+ JSValue thisVal = JSValue::decode(encodedThis);
+ JSValue subscript = JSValue::decode(encodedSubscript);
+
+ if (LIKELY(baseValue.isCell() && subscript.isString())) {
+ Structure& structure = *baseValue.asCell()->structure(vm);
+ if (JSCell::canUseFastGetOwnProperty(structure)) {
+ if (RefPtr<AtomicStringImpl> existingAtomicString = asString(subscript)->toExistingAtomicString(exec)) {
+ if (JSValue result = baseValue.asCell()->fastGetOwnProperty(vm, structure, existingAtomicString.get()))
+ return JSValue::encode(result);
+ }
+ }
+ }
+
+ PropertySlot slot(thisVal, PropertySlot::PropertySlot::InternalMethodType::Get);
+ if (subscript.isUInt32()) {
+ uint32_t i = subscript.asUInt32();
+ if (isJSString(baseValue) && asString(baseValue)->canGetIndex(i))
+ return JSValue::encode(asString(baseValue)->getIndex(exec, i));
+
+ return JSValue::encode(baseValue.get(exec, i, slot));
+ }
+
+ baseValue.requireObjectCoercible(exec);
+ if (vm.exception())
+ return JSValue::encode(JSValue());
+
+ auto property = subscript.toPropertyKey(exec);
+ if (vm.exception())
+ return JSValue::encode(JSValue());
+ return JSValue::encode(baseValue.get(exec, property, slot));
+}
+
+void JIT_OPERATION operationPutByIdWithThisStrict(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedValue, UniquedStringImpl* impl)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ putWithThis<true>(exec, encodedBase, encodedThis, encodedValue, Identifier::fromUid(exec, impl));
+}
+
+void JIT_OPERATION operationPutByIdWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedValue, UniquedStringImpl* impl)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ putWithThis<false>(exec, encodedBase, encodedThis, encodedValue, Identifier::fromUid(exec, impl));
+}
+
+void JIT_OPERATION operationPutByValWithThisStrict(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ Identifier property = JSValue::decode(encodedSubscript).toPropertyKey(exec);
+ if (vm.exception())
+ return;
+ putWithThis<true>(exec, encodedBase, encodedThis, encodedValue, property);
+}
+
+void JIT_OPERATION operationPutByValWithThis(ExecState* exec, EncodedJSValue encodedBase, EncodedJSValue encodedThis, EncodedJSValue encodedSubscript, EncodedJSValue encodedValue)
+{
+ VM& vm = exec->vm();
+ NativeCallFrameTracer tracer(&vm, exec);
+
+ Identifier property = JSValue::decode(encodedSubscript).toPropertyKey(exec);
+ if (vm.exception())
+ return;
+ putWithThis<false>(exec, encodedBase, encodedThis, encodedValue, property);
+}
+
char* JIT_OPERATION operationNewArray(ExecState* exec, Structure* arrayStructure, void* buffer, size_t size)
{
VM* vm = &exec->vm();
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.h b/Source/JavaScriptCore/dfg/DFGOperations.h
index 79262ff..b199dd7 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.h
+++ b/Source/JavaScriptCore/dfg/DFGOperations.h
@@ -61,6 +61,8 @@
EncodedJSValue JIT_OPERATION operationGetByValArrayInt(ExecState*, JSArray*, int32_t) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationGetByValStringInt(ExecState*, JSString*, int32_t) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationToPrimitive(ExecState*, EncodedJSValue) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationGetByIdWithThis(ExecState*, EncodedJSValue, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationGetByValWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
char* JIT_OPERATION operationNewArray(ExecState*, Structure*, void*, size_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewArrayBuffer(ExecState*, Structure*, size_t, size_t) WTF_INTERNAL;
char* JIT_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
@@ -98,6 +100,10 @@
void JIT_OPERATION operationPutByValDirectBeyondArrayBoundsNonStrict(ExecState*, JSObject*, int32_t index, EncodedJSValue encodedValue) WTF_INTERNAL;
void JIT_OPERATION operationPutDoubleByValBeyondArrayBoundsStrict(ExecState*, JSObject*, int32_t index, double value) WTF_INTERNAL;
void JIT_OPERATION operationPutDoubleByValBeyondArrayBoundsNonStrict(ExecState*, JSObject*, int32_t index, double value) WTF_INTERNAL;
+void JIT_OPERATION operationPutByIdWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
+void JIT_OPERATION operationPutByIdWithThisStrict(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
+void JIT_OPERATION operationPutByValWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
+void JIT_OPERATION operationPutByValWithThisStrict(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationArrayPush(ExecState*, EncodedJSValue encodedValue, JSArray*) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationArrayPushDouble(ExecState*, double value, JSArray*) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationArrayPop(ExecState*, JSArray*) WTF_INTERNAL;
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index b14dccb..212dc79 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -661,6 +661,11 @@
break;
}
+ case GetByValWithThis:
+ case GetByIdWithThis: {
+ setPrediction(SpecBytecodeTop);
+ break;
+ }
case TryGetById: {
setPrediction(SpecBytecodeTop);
break;
@@ -988,6 +993,8 @@
#ifndef NDEBUG
// These get ignored because they don't return anything.
case PutByValDirect:
+ case PutByValWithThis:
+ case PutByIdWithThis:
case PutByVal:
case PutClosureVar:
case PutToArguments:
diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
index a74c878..f9bdeb9 100644
--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -195,9 +195,13 @@
case DeleteById:
case DeleteByVal:
case GetById:
+ case GetByIdWithThis:
+ case GetByValWithThis:
case GetByIdFlush:
case PutById:
case PutByIdFlush:
+ case PutByIdWithThis:
+ case PutByValWithThis:
case PutByIdDirect:
case PutGetterById:
case PutSetterById:
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index 1beb199..da797d7 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -1270,6 +1270,21 @@
#if USE(JSVALUE64)
+ JITCompiler::Call callOperation(J_JITOperation_EJJI operation, GPRReg result, GPRReg arg1, GPRReg arg2, UniquedStringImpl* uid)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(uid));
+ return appendCallSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(V_JITOperation_EJJJI operation, GPRReg arg1, GPRReg arg2, GPRReg arg3, UniquedStringImpl* uid)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3, TrustedImmPtr(uid));
+ return appendCall(operation);
+ }
+ JITCompiler::Call callOperation(V_JITOperation_EJJJJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3, GPRReg arg4)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3, arg4);
+ return appendCall(operation);
+ }
JITCompiler::Call callOperation(V_JITOperation_EOJIUi operation, GPRReg arg1, GPRReg arg2, UniquedStringImpl* impl, unsigned value)
{
m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImmPtr(impl), TrustedImm32(value));
@@ -1689,6 +1704,22 @@
#define SH4_32BIT_DUMMY_ARG
#endif
+ JITCompiler::Call callOperation(J_JITOperation_EJJI operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, UniquedStringImpl* uid)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2Payload, arg2Tag, TrustedImmPtr(uid));
+ return appendCallSetResult(operation, resultPayload, resultTag);
+ }
+ JITCompiler::Call callOperation(V_JITOperation_EJJJI operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload, UniquedStringImpl* uid)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2Payload, arg2Tag, arg3Payload, arg3Tag, TrustedImmPtr(uid));
+ return appendCall(operation);
+ }
+ JITCompiler::Call callOperation(V_JITOperation_EJJJJ operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2Tag, GPRReg arg2Payload, GPRReg arg3Tag, GPRReg arg3Payload, GPRReg arg4Tag, GPRReg arg4Payload)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2Payload, arg2Tag, arg3Payload, arg3Tag, arg4Payload, arg4Tag);
+ return appendCall(operation);
+ }
+
JITCompiler::Call callOperation(V_JITOperation_EOJIUi operation, GPRReg arg1, GPRReg arg2Tag, GPRReg arg2Payload, UniquedStringImpl* impl, unsigned value)
{
m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag, TrustedImmPtr(impl), TrustedImm32(value));
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 9b07898..d740d77 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -2681,6 +2681,30 @@
break;
}
+ case GetByValWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseTag = base.tagGPR();
+ GPRReg basePayload = base.payloadGPR();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisValueTag = thisValue.tagGPR();
+ GPRReg thisValuePayload = thisValue.payloadGPR();
+ JSValueOperand subscript(this, node->child3());
+ GPRReg subscriptTag = subscript.tagGPR();
+ GPRReg subscriptPayload = subscript.payloadGPR();
+
+ GPRFlushedCallResult resultPayload(this);
+ GPRFlushedCallResult2 resultTag(this);
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ flushRegisters();
+ callOperation(operationGetByValWithThis, resultTagGPR, resultPayloadGPR, baseTag, basePayload, thisValueTag, thisValuePayload, subscriptTag, subscriptPayload);
+ m_jit.exceptionCheck();
+
+ jsValueResult(resultTagGPR, resultPayloadGPR, node);
+ break;
+ }
+
case PutByValDirect:
case PutByVal:
case PutByValAlias: {
@@ -2859,6 +2883,76 @@
break;
}
+ case PutByValWithThis: {
+#if CPU(X86)
+ // We don't have enough registers on X86 to do this
+ // without setting up the call frame incrementally.
+ unsigned index = 0;
+ m_jit.poke(GPRInfo::callFrameRegister, index++);
+
+ {
+ JSValueOperand base(this, m_jit.graph().varArgChild(node, 0));
+ GPRReg baseTag = base.tagGPR();
+ GPRReg basePayload = base.payloadGPR();
+
+ JSValueOperand thisValue(this, m_jit.graph().varArgChild(node, 1));
+ GPRReg thisValueTag = thisValue.tagGPR();
+ GPRReg thisValuePayload = thisValue.payloadGPR();
+
+ JSValueOperand property(this, m_jit.graph().varArgChild(node, 2));
+ GPRReg propertyTag = property.tagGPR();
+ GPRReg propertyPayload = property.payloadGPR();
+
+ m_jit.poke(basePayload, index++);
+ m_jit.poke(baseTag, index++);
+
+ m_jit.poke(thisValuePayload, index++);
+ m_jit.poke(thisValueTag, index++);
+
+ m_jit.poke(propertyPayload, index++);
+ m_jit.poke(propertyTag, index++);
+
+ flushRegisters();
+ }
+
+ JSValueOperand value(this, m_jit.graph().varArgChild(node, 3));
+ GPRReg valueTag = value.tagGPR();
+ GPRReg valuePayload = value.payloadGPR();
+ m_jit.poke(valuePayload, index++);
+ m_jit.poke(valueTag, index++);
+
+ flushRegisters();
+ appendCall(m_jit.isStrictModeFor(node->origin.semantic) ? operationPutByValWithThisStrict : operationPutByValWithThis);
+ m_jit.exceptionCheck();
+#else
+ static_assert(GPRInfo::numberOfRegisters >= 8, "We are assuming we have enough registers to make this call without incrementally setting up the arguments.");
+
+ JSValueOperand base(this, m_jit.graph().varArgChild(node, 0));
+ GPRReg baseTag = base.tagGPR();
+ GPRReg basePayload = base.payloadGPR();
+
+ JSValueOperand thisValue(this, m_jit.graph().varArgChild(node, 1));
+ GPRReg thisValueTag = thisValue.tagGPR();
+ GPRReg thisValuePayload = thisValue.payloadGPR();
+
+ JSValueOperand property(this, m_jit.graph().varArgChild(node, 2));
+ GPRReg propertyTag = property.tagGPR();
+ GPRReg propertyPayload = property.payloadGPR();
+
+ JSValueOperand value(this, m_jit.graph().varArgChild(node, 3));
+ GPRReg valueTag = value.tagGPR();
+ GPRReg valuePayload = value.payloadGPR();
+
+ flushRegisters();
+ callOperation(m_jit.isStrictModeFor(node->origin.semantic) ? operationPutByValWithThisStrict : operationPutByValWithThis,
+ NoResult, baseTag, basePayload, thisValueTag, thisValuePayload, propertyTag, propertyPayload, valueTag, valuePayload);
+ m_jit.exceptionCheck();
+#endif // CPU(X86)
+
+ noResult(node);
+ break;
+ }
+
case RegExpExec: {
SpeculateCellOperand globalObject(this, node->child1());
GPRReg globalObjectGPR = globalObject.gpr();
@@ -4038,6 +4132,27 @@
break;
}
+ case GetByIdWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseTag = base.tagGPR();
+ GPRReg basePayload = base.payloadGPR();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisTag = thisValue.tagGPR();
+ GPRReg thisPayload = thisValue.payloadGPR();
+
+ GPRFlushedCallResult resultPayload(this);
+ GPRFlushedCallResult2 resultTag(this);
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+ GPRReg resultTagGPR = resultTag.gpr();
+
+ flushRegisters();
+ callOperation(operationGetByIdWithThis, resultTagGPR, resultPayloadGPR, baseTag, basePayload, thisTag, thisPayload, identifierUID(node->identifierNumber()));
+ m_jit.exceptionCheck();
+
+ jsValueResult(resultTagGPR, resultPayloadGPR, node);
+ break;
+ }
+
case GetByIdFlush: {
if (!node->prediction()) {
terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
@@ -4315,6 +4430,26 @@
break;
}
+ case PutByIdWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseTag = base.tagGPR();
+ GPRReg basePayload = base.payloadGPR();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisValueTag = thisValue.tagGPR();
+ GPRReg thisValuePayload = thisValue.payloadGPR();
+ JSValueOperand value(this, node->child3());
+ GPRReg valueTag = value.tagGPR();
+ GPRReg valuePayload = value.payloadGPR();
+
+ flushRegisters();
+ callOperation(m_jit.isStrictModeFor(node->origin.semantic) ? operationPutByIdWithThisStrict : operationPutByIdWithThis,
+ NoResult, baseTag, basePayload, thisValueTag, thisValuePayload, valueTag, valuePayload, identifierUID(node->identifierNumber()));
+ m_jit.exceptionCheck();
+
+ noResult(node);
+ break;
+ }
+
case PutGetterById:
case PutSetterById: {
compilePutAccessorById(node);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index 16e1778..d3a8ba8 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -2763,6 +2763,25 @@
break;
}
+ case GetByValWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseGPR = base.gpr();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisValueGPR = thisValue.gpr();
+ JSValueOperand subscript(this, node->child3());
+ GPRReg subscriptGPR = subscript.gpr();
+
+ GPRFlushedCallResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetByValWithThis, resultGPR, baseGPR, thisValueGPR, subscriptGPR);
+ m_jit.exceptionCheck();
+
+ jsValueResult(resultGPR, node);
+ break;
+ }
+
case PutByValDirect:
case PutByVal:
case PutByValAlias: {
@@ -4135,6 +4154,23 @@
break;
}
+ case GetByIdWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseGPR = base.gpr();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisValueGPR = thisValue.gpr();
+
+ GPRFlushedCallResult result(this);
+ GPRReg resultGPR = result.gpr();
+
+ flushRegisters();
+ callOperation(operationGetByIdWithThis, resultGPR, baseGPR, thisValueGPR, identifierUID(node->identifierNumber()));
+ m_jit.exceptionCheck();
+
+ jsValueResult(resultGPR, node);
+ break;
+ }
+
case GetArrayLength:
compileGetArrayLength(node);
break;
@@ -4319,6 +4355,40 @@
break;
}
+ case PutByIdWithThis: {
+ JSValueOperand base(this, node->child1());
+ GPRReg baseGPR = base.gpr();
+ JSValueOperand thisValue(this, node->child2());
+ GPRReg thisValueGPR = thisValue.gpr();
+ JSValueOperand value(this, node->child3());
+ GPRReg valueGPR = value.gpr();
+
+ flushRegisters();
+ callOperation(m_jit.isStrictModeFor(node->origin.semantic) ? operationPutByIdWithThisStrict : operationPutByIdWithThis, NoResult, baseGPR, thisValueGPR, valueGPR, identifierUID(node->identifierNumber()));
+ m_jit.exceptionCheck();
+
+ noResult(node);
+ break;
+ }
+
+ case PutByValWithThis: {
+ JSValueOperand base(this, m_jit.graph().varArgChild(node, 0));
+ GPRReg baseGPR = base.gpr();
+ JSValueOperand thisValue(this, m_jit.graph().varArgChild(node, 1));
+ GPRReg thisValueGPR = thisValue.gpr();
+ JSValueOperand property(this, m_jit.graph().varArgChild(node, 2));
+ GPRReg propertyGPR = property.gpr();
+ JSValueOperand value(this, m_jit.graph().varArgChild(node, 3));
+ GPRReg valueGPR = value.gpr();
+
+ flushRegisters();
+ callOperation(m_jit.isStrictModeFor(node->origin.semantic) ? operationPutByValWithThisStrict : operationPutByValWithThis, NoResult, baseGPR, thisValueGPR, propertyGPR, valueGPR);
+ m_jit.exceptionCheck();
+
+ noResult(node);
+ break;
+ }
+
case PutByIdDirect: {
SpeculateCellOperand base(this, node->child1());
JSValueOperand value(this, node->child2());
