commit 71684cbdcc19f1adfd06f86d9c72a245fe145691
author oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 17 16:07:08 2014 +0000
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Oct 17 16:07:08 2014 +0000
tree 3cf6965c31feb04e725dbef2fb6b3542396129a0
parent 086c098c8ceed6b6bc5f4a9ed704f2f3495a3020

Various arguments optimisations in codegen fail to account for arguments being in lexical record
https://bugs.webkit.org/show_bug.cgi?id=137617

Reviewed by Michael Saboff.

Rework the way we track |arguments| references so that we don't try
to use the |arguments| reference on the stack if it's not safe.

To do this without nuking performance it was necessary to update
the parser to track modification of the |arguments| reference
itself.

* bytecode/CodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::willResolveToArguments):
(JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::existingArguments):
* parser/Nodes.h:
(JSC::ScopeNode::modifiesArguments):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::Scope::getCapturedVariables):
* parser/ParserModes.h:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@174821 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
index f7b1481..46d590d 100644
--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
@@ -277,7 +277,9 @@
         void setIsNumericCompareFunction(bool isNumericCompareFunction);
 
         bool willResolveToArguments(const Identifier&);
-        RegisterID* uncheckedRegisterForArguments();
+
+        bool hasSafeLocalArgumentsRegister() { return m_localArgumentsRegister; }
+        RegisterID* uncheckedLocalArgumentsRegister();
 
         bool isCaptured(int operand);
         CaptureMode captureMode(int operand) { return isCaptured(operand) ? IsCaptured : NotCaptured; }
@@ -752,6 +754,8 @@
         RegisterID* m_lexicalEnvironmentRegister;
         RegisterID* m_emptyValueRegister;
         RegisterID* m_globalObjectRegister;
+        RegisterID* m_localArgumentsRegister;
+
         Vector<Identifier, 16> m_watchableVariables;
         SegmentedVector<RegisterID, 32> m_constantPoolRegisters;
         SegmentedVector<RegisterID, 32> m_calleeRegisters;