Disable function.arguments
https://bugs.webkit.org/show_bug.cgi?id=137167
Source/JavaScriptCore:
Rubber stamped by Geoffrey Garen.
Add an option to disable function.arguments. Add a test for disabling it.
Disabling function.arguments means that it returns an Arguments object that claims that
there were zero arguments. All other Arguments functionality still works, so any code
that tries to inspect this object will still think that it is looking at a perfectly
valid Arguments object.
This also makes function.arguments disabled by default. Note that the RJST harness will
enable them by default, to continue to get test coverage for the code that implements
the feature.
We will rip out that code once we're confident that it's really safe to remove this
feature. Only once we rip out that support will we be able to do optimizations to
leverage the lack of this feature. It's important to keep the support code, and the test
infrastructure, in place before we are confident. The logic to keep this working touches
the entire compiler and a large chunk of the runtime, so reimplementing it - or even
merging it back in - would be a nightmare. That's also basically the reason why we want
to rip it out if at all possible. It's a lot of terrible code.
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::createArguments):
* runtime/Arguments.h:
(JSC::Arguments::create):
(JSC::Arguments::finishCreation):
* runtime/Options.h:
* tests/stress/disable-function-dot-arguments.js: Added.
(foo):
(bar):
Tools:
Rubber stamped by Geoffrey Garen
Enable the feature by default during tests.
* Scripts/run-jsc-stress-tests:
LayoutTests:
Rubber stamped by Geoffrey Garen.
Don't remove the tests for this, yet - but mark them as failing. We will rebase these,
or remove them entirely, once we know that it's safe to rip out this feature entirely.
* TestExpectations:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@174036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index d90b6ea..a715868 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,39 @@
+2014-09-26 Filip Pizlo <fpizlo@apple.com>
+
+ Disable function.arguments
+ https://bugs.webkit.org/show_bug.cgi?id=137167
+
+ Rubber stamped by Geoffrey Garen.
+
+ Add an option to disable function.arguments. Add a test for disabling it.
+
+ Disabling function.arguments means that it returns an Arguments object that claims that
+ there were zero arguments. All other Arguments functionality still works, so any code
+ that tries to inspect this object will still think that it is looking at a perfectly
+ valid Arguments object.
+
+ This also makes function.arguments disabled by default. Note that the RJST harness will
+ enable them by default, to continue to get test coverage for the code that implements
+ the feature.
+
+ We will rip out that code once we're confident that it's really safe to remove this
+ feature. Only once we rip out that support will we be able to do optimizations to
+ leverage the lack of this feature. It's important to keep the support code, and the test
+ infrastructure, in place before we are confident. The logic to keep this working touches
+ the entire compiler and a large chunk of the runtime, so reimplementing it - or even
+ merging it back in - would be a nightmare. That's also basically the reason why we want
+ to rip it out if at all possible. It's a lot of terrible code.
+
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::createArguments):
+ * runtime/Arguments.h:
+ (JSC::Arguments::create):
+ (JSC::Arguments::finishCreation):
+ * runtime/Options.h:
+ * tests/stress/disable-function-dot-arguments.js: Added.
+ (foo):
+ (bar):
+
2014-09-26 Joseph Pecoraro <pecoraro@apple.com>
Web Inspector: Automatic Inspection should continue once all breakpoints are loaded
diff --git a/Source/JavaScriptCore/interpreter/StackVisitor.cpp b/Source/JavaScriptCore/interpreter/StackVisitor.cpp
index 995ab6b..29dc967 100644
--- a/Source/JavaScriptCore/interpreter/StackVisitor.cpp
+++ b/Source/JavaScriptCore/interpreter/StackVisitor.cpp
@@ -261,15 +261,20 @@
CallFrame* physicalFrame = m_callFrame;
VM& vm = physicalFrame->vm();
Arguments* arguments;
+ ArgumentsMode mode;
+ if (Options::enableFunctionDotArguments())
+ mode = NormalArgumentsCreationMode;
+ else
+ mode = FakeArgumentValuesCreationMode;
#if ENABLE(DFG_JIT)
if (isInlinedFrame()) {
ASSERT(m_inlineCallFrame);
- arguments = Arguments::create(vm, physicalFrame, m_inlineCallFrame);
+ arguments = Arguments::create(vm, physicalFrame, m_inlineCallFrame, mode);
arguments->tearOff(physicalFrame, m_inlineCallFrame);
} else
#endif
{
- arguments = Arguments::create(vm, physicalFrame);
+ arguments = Arguments::create(vm, physicalFrame, mode);
arguments->tearOff(physicalFrame);
}
return arguments;
diff --git a/Source/JavaScriptCore/runtime/Arguments.h b/Source/JavaScriptCore/runtime/Arguments.h
index 2d4ada5..7c8e857 100644
--- a/Source/JavaScriptCore/runtime/Arguments.h
+++ b/Source/JavaScriptCore/runtime/Arguments.h
@@ -35,23 +35,28 @@
namespace JSC {
+enum ArgumentsMode {
+ NormalArgumentsCreationMode,
+ FakeArgumentValuesCreationMode
+};
+
class Arguments : public JSNonFinalObject {
friend class JIT;
friend class JSArgumentsIterator;
public:
typedef JSNonFinalObject Base;
- static Arguments* create(VM& vm, CallFrame* callFrame)
+ static Arguments* create(VM& vm, CallFrame* callFrame, ArgumentsMode mode = NormalArgumentsCreationMode)
{
Arguments* arguments = new (NotNull, allocateCell<Arguments>(vm.heap)) Arguments(callFrame);
- arguments->finishCreation(callFrame);
+ arguments->finishCreation(callFrame, mode);
return arguments;
}
- static Arguments* create(VM& vm, CallFrame* callFrame, InlineCallFrame* inlineCallFrame)
+ static Arguments* create(VM& vm, CallFrame* callFrame, InlineCallFrame* inlineCallFrame, ArgumentsMode mode = NormalArgumentsCreationMode)
{
Arguments* arguments = new (NotNull, allocateCell<Arguments>(vm.heap)) Arguments(callFrame);
- arguments->finishCreation(callFrame, inlineCallFrame);
+ arguments->finishCreation(callFrame, inlineCallFrame, mode);
return arguments;
}
@@ -107,8 +112,8 @@
protected:
static const unsigned StructureFlags = OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | OverridesGetPropertyNames | JSObject::StructureFlags;
- void finishCreation(CallFrame*);
- void finishCreation(CallFrame*, InlineCallFrame*);
+ void finishCreation(CallFrame*, ArgumentsMode);
+ void finishCreation(CallFrame*, InlineCallFrame*, ArgumentsMode);
private:
static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
@@ -271,62 +276,88 @@
return m_lexicalEnvironment->registerAt(index - m_slowArgumentData->bytecodeToMachineCaptureOffset());
}
-inline void Arguments::finishCreation(CallFrame* callFrame)
+inline void Arguments::finishCreation(CallFrame* callFrame, ArgumentsMode mode)
{
Base::finishCreation(callFrame->vm());
ASSERT(inherits(info()));
JSFunction* callee = jsCast<JSFunction*>(callFrame->callee());
- m_numArguments = callFrame->argumentCount();
- m_registers = reinterpret_cast<WriteBarrierBase<Unknown>*>(callFrame->registers());
m_callee.set(callFrame->vm(), this, callee);
m_overrodeLength = false;
m_overrodeCallee = false;
m_overrodeCaller = false;
m_isStrictMode = callFrame->codeBlock()->isStrictMode();
- CodeBlock* codeBlock = callFrame->codeBlock();
- if (codeBlock->hasSlowArguments()) {
- SymbolTable* symbolTable = codeBlock->symbolTable();
- const SlowArgument* slowArguments = codeBlock->machineSlowArguments();
- allocateSlowArguments(callFrame->vm());
- size_t count = std::min<unsigned>(m_numArguments, symbolTable->parameterCount());
- for (size_t i = 0; i < count; ++i)
- m_slowArgumentData->slowArguments()[i] = slowArguments[i];
- m_slowArgumentData->setBytecodeToMachineCaptureOffset(
- codeBlock->framePointerOffsetToGetActivationRegisters());
- }
+ switch (mode) {
+ case NormalArgumentsCreationMode: {
+ m_numArguments = callFrame->argumentCount();
+ m_registers = reinterpret_cast<WriteBarrierBase<Unknown>*>(callFrame->registers());
- // The bytecode generator omits op_tear_off_lexical_environment in cases of no
- // declared parameters, so we need to tear off immediately.
- if (m_isStrictMode || !callee->jsExecutable()->parameterCount())
+ CodeBlock* codeBlock = callFrame->codeBlock();
+ if (codeBlock->hasSlowArguments()) {
+ SymbolTable* symbolTable = codeBlock->symbolTable();
+ const SlowArgument* slowArguments = codeBlock->machineSlowArguments();
+ allocateSlowArguments(callFrame->vm());
+ size_t count = std::min<unsigned>(m_numArguments, symbolTable->parameterCount());
+ for (size_t i = 0; i < count; ++i)
+ m_slowArgumentData->slowArguments()[i] = slowArguments[i];
+ m_slowArgumentData->setBytecodeToMachineCaptureOffset(
+ codeBlock->framePointerOffsetToGetActivationRegisters());
+ }
+
+ // The bytecode generator omits op_tear_off_lexical_environment in cases of no
+ // declared parameters, so we need to tear off immediately.
+ if (m_isStrictMode || !callee->jsExecutable()->parameterCount())
+ tearOff(callFrame);
+ break;
+ }
+
+ case FakeArgumentValuesCreationMode: {
+ m_numArguments = 0;
+ m_registers = nullptr;
tearOff(callFrame);
+ break;
+ } }
+
}
-inline void Arguments::finishCreation(CallFrame* callFrame, InlineCallFrame* inlineCallFrame)
+inline void Arguments::finishCreation(CallFrame* callFrame, InlineCallFrame* inlineCallFrame, ArgumentsMode mode)
{
Base::finishCreation(callFrame->vm());
ASSERT(inherits(info()));
JSFunction* callee = inlineCallFrame->calleeForCallFrame(callFrame);
- m_numArguments = inlineCallFrame->arguments.size() - 1;
-
- if (m_numArguments) {
- int offsetForArgumentOne = inlineCallFrame->arguments[1].virtualRegister().offset();
- m_registers = reinterpret_cast<WriteBarrierBase<Unknown>*>(callFrame->registers()) + offsetForArgumentOne - virtualRegisterForArgument(1).offset();
- } else
- m_registers = 0;
m_callee.set(callFrame->vm(), this, callee);
m_overrodeLength = false;
m_overrodeCallee = false;
m_overrodeCaller = false;
m_isStrictMode = jsCast<FunctionExecutable*>(inlineCallFrame->executable.get())->isStrictMode();
- ASSERT(!jsCast<FunctionExecutable*>(inlineCallFrame->executable.get())->symbolTable(inlineCallFrame->specializationKind())->slowArguments());
- // The bytecode generator omits op_tear_off_lexical_environment in cases of no
- // declared parameters, so we need to tear off immediately.
- if (m_isStrictMode || !callee->jsExecutable()->parameterCount())
- tearOff(callFrame, inlineCallFrame);
+ switch (mode) {
+ case NormalArgumentsCreationMode: {
+ m_numArguments = inlineCallFrame->arguments.size() - 1;
+
+ if (m_numArguments) {
+ int offsetForArgumentOne = inlineCallFrame->arguments[1].virtualRegister().offset();
+ m_registers = reinterpret_cast<WriteBarrierBase<Unknown>*>(callFrame->registers()) + offsetForArgumentOne - virtualRegisterForArgument(1).offset();
+ } else
+ m_registers = 0;
+
+ ASSERT(!jsCast<FunctionExecutable*>(inlineCallFrame->executable.get())->symbolTable(inlineCallFrame->specializationKind())->slowArguments());
+
+ // The bytecode generator omits op_tear_off_lexical_environment in cases of no
+ // declared parameters, so we need to tear off immediately.
+ if (m_isStrictMode || !callee->jsExecutable()->parameterCount())
+ tearOff(callFrame, inlineCallFrame);
+ break;
+ }
+
+ case FakeArgumentValuesCreationMode: {
+ m_numArguments = 0;
+ m_registers = nullptr;
+ tearOff(callFrame);
+ break;
+ } }
}
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 020795d..9e7eb52 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -112,6 +112,8 @@
v(bool, forceDebuggerBytecodeGeneration, false) \
v(bool, forceProfilerBytecodeGeneration, false) \
\
+ v(bool, enableFunctionDotArguments, false) \
+ \
/* showDisassembly implies showDFGDisassembly. */ \
v(bool, showDisassembly, false) \
v(bool, showDFGDisassembly, false) \
diff --git a/Source/JavaScriptCore/tests/stress/disable-function-dot-arguments.js b/Source/JavaScriptCore/tests/stress/disable-function-dot-arguments.js
new file mode 100644
index 0000000..ba94fc3
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/disable-function-dot-arguments.js
@@ -0,0 +1,20 @@
+//@ run("function-dot-arguments", "--enableFunctionDotArguments=false")
+
+function foo() {
+ var a = bar.arguments;
+ if (a.length != 0)
+ throw "Error: arguments have non-zero length";
+ for (var i = 0; i < 100; ++i) {
+ if (a[i] !== void 0)
+ throw "Error: argument " + i + " has non-undefined value";
+ }
+}
+
+function bar() {
+ foo();
+}
+
+bar();
+bar(1);
+bar(1, 2, 3, 4, 5, 6, 7, 8, 9, 10);
+
