REGRESSION: Use of undefined CallFrame::ScopeChain value
https://bugs.webkit.org/show_bug.cgi?id=139533
Reviewed by Mark Lam.
Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed
all usages of these functions. In some cases the scope is passed in or determined
another way. In some cases the scope is used to calculate other values. Lastly
there were places where these functions were used that are no longer needed. For
example when making a call, the caller's ScopeChain was copied to the callee's
ScopeChain. This change no longer uses the ScopeChain call frame header slot.
That slot will be removed in a future patch.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* runtime/JSLexicalEnvironment.h:
(JSC::JSLexicalEnvironment::create):
(JSC::JSLexicalEnvironment::JSLexicalEnvironment):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_create_lexical_environment):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_lexical_environment):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::handleHostCall):
(JSC::LLInt::setUpCall):
(JSC::LLInt::llint_throw_stack_overflow_error):
Pass the current scope value to the helper operationCreateActivation() and
the call to JSLexicalEnvironment::create() instead of using the stack frame
scope chain value.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
CreateActivation now has a second child, the scope.
* interpreter/CallFrame.h:
(JSC::ExecState::init): Deleted. This is dead code.
(JSC::ExecState::scope): Deleted.
(JSC::ExecState::setScope): Deleted.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::dumpRegisters): Changed so we don't access the scope
chain slot.
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):
(JSC::Interpreter::executeConstruct):
Changed process to find JSScope values on the stack or by some other means.
* runtime/JSWithScope.h:
(JSC::JSWithScope::JSWithScope): Deleted.
Eliminated unused constructor.
* runtime/StrictEvalActivation.cpp:
(JSC::StrictEvalActivation::StrictEvalActivation):
* runtime/StrictEvalActivation.h:
(JSC::StrictEvalActivation::create):
Changed to pass in the current scope.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@177146 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 8873e82..4a9e0ce 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,75 @@
+2014-12-11 Michael Saboff <msaboff@apple.com>
+
+ REGRESSION: Use of undefined CallFrame::ScopeChain value
+ https://bugs.webkit.org/show_bug.cgi?id=139533
+
+ Reviewed by Mark Lam.
+
+ Removed CallFrame::scope() and CallFrame::setScope() and eliminated or changed
+ all usages of these funcitons. In some cases the scope is passed in or determined
+ another way. In some cases the scope is used to calculate other values. Lastly
+ were places where these functions where used that are no longer needed. For
+ example when making a call, the caller's ScopeChain was copied to the callee's
+ ScopeChain. This change no longer uses the ScopeChain call frame header slot.
+ That slot will be removed in a future patch.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * runtime/JSLexicalEnvironment.h:
+ (JSC::JSLexicalEnvironment::create):
+ (JSC::JSLexicalEnvironment::JSLexicalEnvironment):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_create_lexical_environment):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_create_lexical_environment):
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::handleHostCall):
+ (JSC::LLInt::setUpCall):
+ (JSC::LLInt::llint_throw_stack_overflow_error):
+ Pass the current scope value to the helper operationCreateActivation() and
+ the call to JSLexicalEnvironment::create() instead of using the stack frame
+ scope chain value.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ CreateActivation now has a second child, the scope.
+
+ * interpreter/CallFrame.h:
+ (JSC::ExecState::init): Deleted. This is dead code.
+ (JSC::ExecState::scope): Deleted.
+ (JSC::ExecState::setScope): Deleted.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::dumpRegisters): Changed so we didn't access the scope
+ chain slot.
+
+ (JSC::Interpreter::execute):
+ (JSC::Interpreter::executeCall):
+ (JSC::Interpreter::executeConstruct):
+ Changed process to find JSScope values on the stack or by some other means.
+
+ * runtime/JSWithScope.h:
+ (JSC::JSWithScope::JSWithScope): Deleted.
+ Eliminated unused constructor.
+
+ * runtime/StrictEvalActivation.cpp:
+ (JSC::StrictEvalActivation::StrictEvalActivation):
+ * runtime/StrictEvalActivation.h:
+ (JSC::StrictEvalActivation::create):
+ Changed to pass in the current scope.
+
2014-12-10 Gyuyoung Kim <gyuyoung.kim@samsung.com>
Use std::unique_ptr instead of OwnPtr in JSC - heap, jit, runtime, and parser directories
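Review bot: The ChangeLog entry carries two typos that should be fixed before landing: "funcitons" in the first paragraph, and "Lastly were places where these functions where used" should read "Lastly there were places where these functions were used".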
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index b91ff50..01fefae 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -3398,7 +3398,7 @@
}
case op_create_lexical_environment: {
- Node* lexicalEnvironment = addToGraph(CreateActivation, get(VirtualRegister(currentInstruction[1].u.operand)));
+ Node* lexicalEnvironment = addToGraph(CreateActivation, get(VirtualRegister(currentInstruction[1].u.operand)), get(VirtualRegister(currentInstruction[2].u.operand)));
set(VirtualRegister(currentInstruction[1].u.operand), lexicalEnvironment);
set(VirtualRegister(currentInstruction[2].u.operand), lexicalEnvironment);
NEXT_OPCODE(op_create_lexical_environment);
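Review bot: The new second child is read with get(VirtualRegister(currentInstruction[2].u.operand)) and the same register is then overwritten by set(VirtualRegister(currentInstruction[2].u.operand), lexicalEnvironment) two lines later, so the load must stay ahead of the store. A one-line comment saying that operand 2 is both the incoming scope and the destination would keep a later edit from reordering them.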
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 0e6e19d..5208b52 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1172,6 +1172,8 @@
break;
}
+
+ case CreateActivation:
case NewFunction: {
fixEdge<CellUse>(node->child2());
break;
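Review bot: CreateActivation now shares the NewFunction case only because both nodes carry their scope in child2, and nothing at the case label says so; a short comment would stop a future change to NewFunction's children from silently dropping the CellUse fixup on CreateActivation's scope edge. Also, the hunk adds a stray blank line before the new `case CreateActivation:` that the surrounding cases do not have.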
@@ -1216,7 +1218,6 @@
case IsNumber:
case IsObject:
case IsFunction:
- case CreateActivation:
case CreateArguments:
case PhantomArguments:
case TearOffArguments:
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index e8969f1..a8c44b8 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -1204,6 +1204,11 @@
m_jit.setupArgumentsWithExecState(arg1);
return appendCallWithExceptionCheckSetResult(operation, result);
}
+ JITCompiler::Call callOperation(C_JITOperation_EJscZ operation, GPRReg result, GPRReg arg1, int32_t arg2)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, TrustedImm32(arg2));
+ return appendCallWithExceptionCheckSetResult(operation, result);
+ }
JITCompiler::Call callOperation(C_JITOperation_EZ operation, GPRReg result, GPRReg arg1)
{
m_jit.setupArgumentsWithExecState(arg1);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index e19d80d..a449fab 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4180,9 +4180,11 @@
case CreateActivation: {
GPRTemporary result(this);
GPRReg resultGPR = result.gpr();
+ SpeculateCellOperand scope(this, node->child2());
+ GPRReg scopeGPR = scope.gpr();
flushRegisters();
- callOperation(operationCreateActivation, resultGPR, framePointerOffsetToGetActivationRegisters());
+ callOperation(operationCreateActivation, resultGPR, scopeGPR, framePointerOffsetToGetActivationRegisters());
cellResult(resultGPR, node);
break;
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index 62c5d71..3f1fb7d 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -4243,9 +4243,11 @@
GPRTemporary result(this);
GPRReg resultGPR = result.gpr();
-
+ SpeculateCellOperand scope(this, node->child2());
+ GPRReg scopeGPR = scope.gpr();
+
flushRegisters();
- callOperation(operationCreateActivation, resultGPR, framePointerOffsetToGetActivationRegisters());
+ callOperation(operationCreateActivation, resultGPR, scopeGPR, framePointerOffsetToGetActivationRegisters());
cellResult(resultGPR, node);
break;
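Review bot: This hunk deletes one blank line and re-adds an identical blank line two lines later, which is pure whitespace churn; drop both changes so the hunk is just the two SpeculateCellOperand lines and the callOperation change, matching the 32_64 version.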
diff --git a/Source/JavaScriptCore/interpreter/CallFrame.h b/Source/JavaScriptCore/interpreter/CallFrame.h
index 0ba4bba..755746c 100644
--- a/Source/JavaScriptCore/interpreter/CallFrame.h
+++ b/Source/JavaScriptCore/interpreter/CallFrame.h
@@ -45,12 +45,6 @@
JSValue calleeAsValue() const { return this[JSStack::Callee].jsValue(); }
JSObject* callee() const { return this[JSStack::Callee].function(); }
CodeBlock* codeBlock() const { return this[JSStack::CodeBlock].Register::codeBlock(); }
- JSScope* scope() const
- {
- ASSERT(this[JSStack::ScopeChain].Register::scope());
- return this[JSStack::ScopeChain].Register::scope();
- }
-
JSScope* scope(int scopeRegisterOffset) const
{
ASSERT(this[scopeRegisterOffset].Register::scope());
@@ -191,23 +185,9 @@
#endif
void setCallerFrame(CallFrame* frame) { callerFrameAndPC().callerFrame = frame; }
- void setScope(JSScope* scope) { static_cast<Register*>(this)[JSStack::ScopeChain] = scope; }
void setScope(int scopeRegisterOffset, JSScope* scope) { static_cast<Register*>(this)[scopeRegisterOffset] = scope; }
void setActivation(JSLexicalEnvironment*);
- ALWAYS_INLINE void init(CodeBlock* codeBlock, Instruction* vPC, JSScope* scope,
- CallFrame* callerFrame, int argc, JSObject* callee)
- {
- ASSERT(callerFrame == noCaller() || callerFrame->stack()->containsAddress(this));
-
- setCodeBlock(codeBlock);
- setScope(scope);
- setCallerFrame(callerFrame);
- setReturnPC(vPC); // This is either an Instruction* or a pointer into JIT generated code stored as an Instruction*.
- setArgumentCountIncludingThis(argc); // original argument count (for the sake of the "arguments" object)
- setCallee(callee);
- }
-
// Read a register from the codeframe (or constant from the CodeBlock).
Register& r(int);
// Read a register for a non-constant
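Review bot: setActivation(JSLexicalEnvironment*) stays declared directly beside the removed setScope(JSScope*); since the ChangeLog says this patch stops using the ScopeChain header slot ahead of removing it, please confirm its definition does not still write JSStack::ScopeChain, or list it as a follow-up for the slot-removal patch.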
diff --git a/Source/JavaScriptCore/interpreter/Interpreter.cpp b/Source/JavaScriptCore/interpreter/Interpreter.cpp
index c679309..ded6bbd 100644
--- a/Source/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/Source/JavaScriptCore/interpreter/Interpreter.cpp
@@ -381,7 +381,7 @@
--it;
dataLogF("[Callee] | %10p | %p \n", it, callFrame->callee());
--it;
- dataLogF("[ScopeChain] | %10p | %p \n", it, callFrame->scope());
+ // FIXME: Remove the next decrement when the ScopeChain slot is removed from the call header
--it;
#if ENABLE(JIT)
AbstractPC pc = callFrame->abstractReturnPC(callFrame->vm());
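Review bot: Replacing the "[ScopeChain]" dataLogF with a bare `--it;` leaves an unexplained gap in the register dump, since the slot still exists but no longer gets a row. Until the slot is removed, log it as something like "[ScopeChain] | %10p | (unused)" so the dump stays aligned with the frame layout and a reader of the output knows why a slot is skipped; the FIXME should then mention deleting that row as well as the decrement.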
@@ -767,8 +767,8 @@
JSValue Interpreter::execute(ProgramExecutable* program, CallFrame* callFrame, JSObject* thisObj)
{
SamplingScope samplingScope(this);
-
- JSScope* scope = callFrame->scope();
+
+ JSScope* scope = thisObj->globalObject();
VM& vm = *scope->vm();
ASSERT(!vm.exception());
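Review bot: Deriving the scope from thisObj->globalObject() introduces a dereference of thisObj before the existing ASSERT(!vm.exception()); the old code only dereferenced callFrame here. If every caller of Interpreter::execute(ProgramExecutable*, ...) guarantees a non-null thisObj, an ASSERT(thisObj) just above documents the new precondition; otherwise the global object needs to come from callFrame (for example callFrame->lexicalGlobalObject(), which the patch already uses in JSLexicalEnvironment).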
@@ -929,18 +929,21 @@
return jsNull();
bool isJSCall = (callType == CallTypeJS);
- JSScope* scope;
+ JSScope* scope = nullptr;
CodeBlock* newCodeBlock;
size_t argsCount = 1 + args.size(); // implicit "this" parameter
- if (isJSCall)
+ JSGlobalObject* globalObject;
+
+ if (isJSCall) {
scope = callData.js.scope;
- else {
+ globalObject = scope->globalObject();
+ } else {
ASSERT(callType == CallTypeHost);
- scope = callFrame->scope();
+ globalObject = function->globalObject();
}
- VMEntryScope entryScope(vm, scope->globalObject());
+ VMEntryScope entryScope(vm, globalObject);
if (!vm.isSafeToRecurse())
return checkedReturn(throwStackOverflowError(callFrame));
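Review bot: On the host-call branch `scope` is now left as nullptr where it previously held callFrame->scope(); the remainder of executeCall is outside this hunk, so please confirm nothing below the VMEntryScope reads `scope` on the CallTypeHost path (the stack-overflow return and the host call itself should only need `globalObject`). A comment on the `JSScope* scope = nullptr;` line saying it is only valid when isJSCall would make that contract explicit.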
@@ -997,18 +1000,21 @@
return checkedReturn(throwStackOverflowError(callFrame));
bool isJSConstruct = (constructType == ConstructTypeJS);
- JSScope* scope;
+ JSScope* scope = nullptr;
CodeBlock* newCodeBlock;
size_t argsCount = 1 + args.size(); // implicit "this" parameter
- if (isJSConstruct)
+ JSGlobalObject* globalObject;
+
+ if (isJSConstruct) {
scope = constructData.js.scope;
- else {
+ globalObject = scope->globalObject();
+ } else {
ASSERT(constructType == ConstructTypeHost);
- scope = callFrame->scope();
+ globalObject = constructor->globalObject();
}
- VMEntryScope entryScope(vm, scope->globalObject());
+ VMEntryScope entryScope(vm, globalObject);
if (!vm.isSafeToRecurse())
return checkedReturn(throwStackOverflowError(callFrame));
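Review bot: This block is now a line-for-line copy of the scope/globalObject selection in executeCall above, differing only in the names constructData/constructor and the assert on ConstructTypeHost. The same caveat applies: `scope` stays nullptr on the host path and must not be read below. Consider a small shared helper that returns the JSGlobalObject for a JS-or-host callee so the two functions cannot drift apart.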
@@ -1138,7 +1144,7 @@
JSScope* variableObject;
if ((numVariables || numFunctions) && eval->isStrictMode()) {
- scope = StrictEvalActivation::create(callFrame);
+ scope = StrictEvalActivation::create(callFrame, scope);
variableObject = scope;
} else {
for (JSScope* node = scope; ; node = node->next()) {
diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h
index 9e842c9..85149c3 100644
--- a/Source/JavaScriptCore/jit/JIT.h
+++ b/Source/JavaScriptCore/jit/JIT.h
@@ -699,6 +699,8 @@
MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, const Identifier*);
MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg);
MacroAssembler::Call callOperation(J_JITOperation_EJscC, int, GPRReg, JSCell*);
+ MacroAssembler::Call callOperation(C_JITOperation_EJscZ, GPRReg, int32_t);
+ MacroAssembler::Call callOperation(C_JITOperation_EJscZ, int, GPRReg, int32_t);
#if USE(JSVALUE64)
MacroAssembler::Call callOperation(WithProfileTag, J_JITOperation_EJJ, int, GPRReg, GPRReg);
#else
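Review bot: The second new declaration, callOperation(C_JITOperation_EJscZ, int, GPRReg, int32_t), has no matching definition anywhere in this patch; JITInlines.h only defines the (GPRReg, int32_t) form, and both JITOpcodes.cpp callers use that form. Either drop the unused declaration or add the definition in JITInlines.h next to the other one, so a later caller does not hit a link-time error.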
diff --git a/Source/JavaScriptCore/jit/JITInlines.h b/Source/JavaScriptCore/jit/JITInlines.h
index 2e4744d..494d2c2 100644
--- a/Source/JavaScriptCore/jit/JITInlines.h
+++ b/Source/JavaScriptCore/jit/JITInlines.h
@@ -210,6 +210,12 @@
return appendCallWithExceptionCheck(operation);
}
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(C_JITOperation_EJscZ operation, GPRReg arg1, int32_t arg2)
+{
+ setupArgumentsWithExecState(arg1, TrustedImm32(arg2));
+ return appendCallWithExceptionCheck(operation);
+}
+
ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(C_JITOperation_EO operation, GPRReg arg)
{
setupArgumentsWithExecState(arg);
diff --git a/Source/JavaScriptCore/jit/JITOpcodes.cpp b/Source/JavaScriptCore/jit/JITOpcodes.cpp
index 637a002..030184a 100644
--- a/Source/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -672,7 +672,8 @@
int dst = currentInstruction[1].u.operand;
int scope = currentInstruction[2].u.operand;
- callOperation(operationCreateActivation, 0);
+ emitGetVirtualRegister(scope, regT0);
+ callOperation(operationCreateActivation, regT0, 0);
emitStoreCell(dst, returnValueGPR);
emitStoreCell(scope, returnValueGPR);
}
diff --git a/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp b/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
index 886cd9c..a3dead2 100644
--- a/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
+++ b/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
@@ -901,7 +901,8 @@
int lexicalEnvironment = currentInstruction[1].u.operand;
int scope = currentInstruction[2].u.operand;
- callOperation(operationCreateActivation, 0);
+ emitLoadPayload(currentInstruction[2].u.operand, regT0);
+ callOperation(operationCreateActivation, regT0, 0);
emitStoreCell(lexicalEnvironment, returnValueGPR);
emitStoreCell(scope, returnValueGPR);
}
diff --git a/Source/JavaScriptCore/jit/JITOperations.cpp b/Source/JavaScriptCore/jit/JITOperations.cpp
index 633ec57..ce749ed 100644
--- a/Source/JavaScriptCore/jit/JITOperations.cpp
+++ b/Source/JavaScriptCore/jit/JITOperations.cpp
@@ -608,11 +608,11 @@
EncodedJSValue JIT_OPERATION operationCallEval(ExecState* exec, ExecState* execCallee)
{
- ASSERT(exec->codeBlock()->codeType() != FunctionCode
+
+ ASSERT_UNUSED(exec, exec->codeBlock()->codeType() != FunctionCode
|| !exec->codeBlock()->needsActivation()
|| exec->hasActivation());
- execCallee->setScope(exec->scope());
execCallee->setCodeBlock(0);
if (!isHostFunction(execCallee->calleeAsValue(), globalFuncEval))
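Review bot: The hunk adds an empty line immediately after the opening brace of operationCallEval, ahead of the ASSERT_UNUSED; the rest of the file does not start function bodies with a blank line, so drop it. The switch to ASSERT_UNUSED(exec, ...) itself is right, since removing execCallee->setScope(exec->scope()) left the ASSERT as the only use of `exec` in release builds.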
@@ -631,7 +631,6 @@
ExecState* exec = execCallee->callerFrame();
VM* vm = &exec->vm();
- execCallee->setScope(exec->scope());
execCallee->setCodeBlock(0);
if (kind == CodeForCall) {
@@ -692,7 +691,6 @@
JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
JSScope* scope = callee->scopeUnchecked();
- execCallee->setScope(scope);
ExecutableBase* executable = callee->executable();
MacroAssemblerCodePtr codePtr;
@@ -702,7 +700,6 @@
else {
FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, &scope, kind);
- execCallee->setScope(scope);
if (error) {
throwStackOverflowError(exec);
return reinterpret_cast<char*>(vm->getCTIStub(throwExceptionFromCallSlowPathGenerator).code().executableAddress());
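Review bot: With execCallee->setScope(scope) gone, nothing in this hunk reads `scope` after functionExecutable->prepareForExecution(execCallee, callee, &scope, kind), so whatever that call writes back through the out-parameter is now discarded; the same pattern appears in the next hunk of this file and in the two LLIntSlowPaths.cpp hunks. If prepareForExecution only needs the scope as input, pass it by value (or pass the out-parameter as a separate follow-up cleanup); if it can legitimately change the scope, that new value is being lost and the callee frame will run with the stale one.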
@@ -757,12 +754,10 @@
JSFunction* function = jsCast<JSFunction*>(calleeAsFunctionCell);
JSScope* scope = function->scopeUnchecked();
- execCallee->setScope(scope);
ExecutableBase* executable = function->executable();
if (UNLIKELY(!executable->hasJITCodeFor(kind))) {
FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
JSObject* error = functionExecutable->prepareForExecution(execCallee, function, &scope, kind);
- execCallee->setScope(scope);
if (error) {
exec->vm().throwException(exec, error);
return reinterpret_cast<char*>(vm->getCTIStub(throwExceptionFromCallSlowPathGenerator).code().executableAddress());
@@ -1401,12 +1396,11 @@
return JSValue::encode(JSValue());
}
-JSCell* JIT_OPERATION operationCreateActivation(ExecState* exec, int32_t offset)
+JSCell* JIT_OPERATION operationCreateActivation(ExecState* exec, JSScope* currentScope, int32_t offset)
{
VM& vm = exec->vm();
NativeCallFrameTracer tracer(&vm, exec);
- JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, exec, exec->registers() + offset, exec->codeBlock());
- exec->setScope(lexicalEnvironment);
+ JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, exec, exec->registers() + offset, currentScope, exec->codeBlock());
return lexicalEnvironment;
}
diff --git a/Source/JavaScriptCore/jit/JITOperations.h b/Source/JavaScriptCore/jit/JITOperations.h
index ffbc846..ae20147 100644
--- a/Source/JavaScriptCore/jit/JITOperations.h
+++ b/Source/JavaScriptCore/jit/JITOperations.h
@@ -132,6 +132,7 @@
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJZC)(ExecState*, EncodedJSValue, int32_t, JSCell*);
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJJC)(ExecState*, EncodedJSValue, EncodedJSValue, JSCell*);
+typedef JSCell* JIT_OPERATION (*C_JITOperation_EJscZ)(ExecState*, JSScope*, int32_t);
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssSt)(ExecState*, JSString*, Structure*);
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssJss)(ExecState*, JSString*, JSString*);
typedef JSCell* JIT_OPERATION (*C_JITOperation_EJssJssJss)(ExecState*, JSString*, JSString*, JSString*);
@@ -292,7 +293,7 @@
void JIT_OPERATION operationProfileDidCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
void JIT_OPERATION operationProfileWillCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState*, EncodedJSValue, EncodedJSValue baseVal) WTF_INTERNAL;
-JSCell* JIT_OPERATION operationCreateActivation(ExecState*, int32_t offset) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationCreateActivation(ExecState*, JSScope* currentScope, int32_t offset) WTF_INTERNAL;
JSCell* JIT_OPERATION operationCreateArguments(ExecState*) WTF_INTERNAL;
JSCell* JIT_OPERATION operationCreateArgumentsDuringOSRExit(ExecState*) WTF_INTERNAL;
EncodedJSValue JIT_OPERATION operationGetArgumentsLength(ExecState*, int32_t) WTF_INTERNAL;
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
index 9d019d3..c75253c 100644
--- a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -259,7 +259,7 @@
exec,
static_cast<intptr_t>(pc - exec->codeBlock()->instructions().begin()),
opcodeNames[exec->vm().interpreter->getOpcodeID(pc[0].u.opcode)],
- exec->scope(), pc);
+ exec->uncheckedR(exec->codeBlock()->scopeRegister().offset()).Register::scope(), pc);
if (exec->vm().interpreter->getOpcodeID(pc[0].u.opcode) == op_enter) {
dataLogF("Frame will eventually return to %p\n", exec->returnPC().value());
*bitwise_cast<volatile char*>(exec->returnPC().value());
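Review bot: The replacement expression exec->uncheckedR(exec->codeBlock()->scopeRegister().offset()).Register::scope() is long, and the obvious simplification to the CallFrame::scope(int scopeRegisterOffset) accessor kept in CallFrame.h would ASSERT the value is non-null. Since this trace runs for every slow path, including op_enter (the very next line checks for it), and the scope register may not be populated yet at that point, the unchecked form looks deliberate; a brief comment saying so would keep someone from "cleaning it up" into an assertion failure.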
@@ -503,7 +503,9 @@
#if LLINT_SLOW_PATH_TRACING
dataLogF("Creating an lexicalEnvironment, exec = %p!\n", exec);
#endif
- JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, exec, exec->codeBlock());
+ int scopeReg = pc[2].u.operand;
+ JSScope* scope = exec->uncheckedR(scopeReg).Register::scope();
+ JSLexicalEnvironment* lexicalEnvironment = JSLexicalEnvironment::create(vm, exec, scope, exec->codeBlock());
exec->uncheckedR(pc[2].u.operand) = lexicalEnvironment;
LLINT_RETURN(JSValue(lexicalEnvironment));
}
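Review bot: The hunk introduces `int scopeReg = pc[2].u.operand;` but the store two lines later still reads pc[2].u.operand directly (`exec->uncheckedR(pc[2].u.operand) = lexicalEnvironment;`); use `scopeReg` in both places so the register is named once, in line with how the JIT versions use their `scope` local.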
@@ -1030,7 +1032,6 @@
ExecState* exec = execCallee->callerFrame();
VM& vm = exec->vm();
- execCallee->setScope(exec->scope());
execCallee->setCodeBlock(0);
execCallee->clearReturnPC();
@@ -1094,7 +1095,6 @@
JSFunction* callee = jsCast<JSFunction*>(calleeAsFunctionCell);
JSScope* scope = callee->scopeUnchecked();
VM& vm = *scope->vm();
- execCallee->setScope(scope);
ExecutableBase* executable = callee->executable();
MacroAssemblerCodePtr codePtr;
@@ -1104,7 +1104,6 @@
else {
FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, &scope, kind);
- execCallee->setScope(scope);
if (error)
LLINT_CALL_THROW(exec, error);
codeBlock = functionExecutable->codeBlockFor(kind);
@@ -1235,8 +1234,6 @@
execCallee->setArgumentCountIncludingThis(pc[3].u.operand);
execCallee->setCallerFrame(exec);
execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
- JSScope* callerScope = exec->uncheckedR(exec->codeBlock()->scopeRegister().offset()).Register::scope();
- execCallee->setScope(callerScope);
execCallee->setReturnPC(LLInt::getCodePtr(llint_generic_return_point));
execCallee->setCodeBlock(0);
exec->setCurrentVPC(pc);
@@ -1433,7 +1430,7 @@
{
ExecState* exec = vm->topCallFrame;
if (!exec)
- exec = protoFrame->scope()->globalObject()->globalExec();
+ exec = protoFrame->callee()->globalObject()->globalExec();
throwStackOverflowError(exec);
return encodeResult(0, 0);
}
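Review bot: protoFrame->callee()->globalObject() replaces a read of the scope slot with a read of the Callee slot; CallFrame::callee() is this[JSStack::Callee].function() with no null check, so this path now depends on the proto frame's callee having been stored before the stack check fails. An ASSERT(protoFrame->callee()) in front of the dereference would make that ordering requirement visible to whoever next changes the LLInt entry sequence.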
diff --git a/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h b/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h
index cbe0076..9fb03c5 100644
--- a/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h
+++ b/Source/JavaScriptCore/runtime/JSLexicalEnvironment.h
@@ -41,12 +41,12 @@
class JSLexicalEnvironment : public JSEnvironmentRecord {
private:
- JSLexicalEnvironment(VM&, CallFrame*, Register*, CodeBlock*);
+ JSLexicalEnvironment(VM&, CallFrame*, Register*, JSScope*, CodeBlock*);
public:
typedef JSEnvironmentRecord Base;
- static JSLexicalEnvironment* create(VM& vm, CallFrame* callFrame, Register* registers, CodeBlock* codeBlock)
+ static JSLexicalEnvironment* create(VM& vm, CallFrame* callFrame, Register* registers, JSScope* currentScope, CodeBlock* codeBlock)
{
SymbolTable* symbolTable = codeBlock->symbolTable();
ASSERT(codeBlock->codeType() == FunctionCode);
@@ -56,14 +56,14 @@
vm.heap,
allocationSize(symbolTable)
)
- ) JSLexicalEnvironment(vm, callFrame, registers, codeBlock);
+ ) JSLexicalEnvironment(vm, callFrame, registers, currentScope, codeBlock);
lexicalEnvironment->finishCreation(vm);
return lexicalEnvironment;
}
- static JSLexicalEnvironment* create(VM& vm, CallFrame* callFrame, CodeBlock* codeBlock)
+ static JSLexicalEnvironment* create(VM& vm, CallFrame* callFrame, JSScope* currentScope, CodeBlock* codeBlock)
{
- return create(vm, callFrame, callFrame->registers() + codeBlock->framePointerOffsetToGetActivationRegisters(), codeBlock);
+ return create(vm, callFrame, callFrame->registers() + codeBlock->framePointerOffsetToGetActivationRegisters(), currentScope, codeBlock);
}
static void visitChildren(JSCell*, SlotVisitor&);
@@ -108,12 +108,12 @@
extern int activationCount;
extern int allTheThingsCount;
-inline JSLexicalEnvironment::JSLexicalEnvironment(VM& vm, CallFrame* callFrame, Register* registers, CodeBlock* codeBlock)
+inline JSLexicalEnvironment::JSLexicalEnvironment(VM& vm, CallFrame* callFrame, Register* registers, JSScope* currentScope, CodeBlock* codeBlock)
: Base(
vm,
callFrame->lexicalGlobalObject()->activationStructure(),
registers,
- callFrame->scope(),
+ currentScope,
codeBlock->symbolTable())
{
SymbolTable* symbolTable = codeBlock->symbolTable();
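Review bot: The constructor now stores the caller-supplied `currentScope` as the environment's next scope where it previously used callFrame->scope(), which asserted non-null before returning. The new value arrives from a JIT register or an interpreter register (operationCreateActivation and the LLInt slow path), so an ASSERT(currentScope) here would restore the check the removed CallFrame::scope() used to give for free.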
diff --git a/Source/JavaScriptCore/runtime/JSWithScope.h b/Source/JavaScriptCore/runtime/JSWithScope.h
index fc3962d..8e5d09f 100644
--- a/Source/JavaScriptCore/runtime/JSWithScope.h
+++ b/Source/JavaScriptCore/runtime/JSWithScope.h
@@ -53,16 +53,6 @@
DECLARE_EXPORT_INFO;
private:
- JSWithScope(ExecState* exec, JSObject* object)
- : Base(
- exec->vm(),
- exec->lexicalGlobalObject()->withScopeStructure(),
- exec->scope()
- )
- , m_object(exec->vm(), this, object)
- {
- }
-
JSWithScope(ExecState* exec, JSObject* object, JSScope* next)
: Base(
exec->vm(),
diff --git a/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp b/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp
index 426d29d..4260e10 100644
--- a/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp
+++ b/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp
@@ -35,11 +35,11 @@
const ClassInfo StrictEvalActivation::s_info = { "Object", &Base::s_info, 0, CREATE_METHOD_TABLE(StrictEvalActivation) };
-StrictEvalActivation::StrictEvalActivation(ExecState* exec)
+StrictEvalActivation::StrictEvalActivation(ExecState* exec, JSScope* currentScope)
: Base(
exec->vm(),
exec->lexicalGlobalObject()->strictEvalActivationStructure(),
- exec->scope()
+ currentScope
)
{
}
diff --git a/Source/JavaScriptCore/runtime/StrictEvalActivation.h b/Source/JavaScriptCore/runtime/StrictEvalActivation.h
index fc88100..816a1a4 100644
--- a/Source/JavaScriptCore/runtime/StrictEvalActivation.h
+++ b/Source/JavaScriptCore/runtime/StrictEvalActivation.h
@@ -34,9 +34,9 @@
public:
typedef JSScope Base;
- static StrictEvalActivation* create(ExecState* exec)
+ static StrictEvalActivation* create(ExecState* exec, JSScope* currentScope)
{
- StrictEvalActivation* lexicalEnvironment = new (NotNull, allocateCell<StrictEvalActivation>(*exec->heap())) StrictEvalActivation(exec);
+ StrictEvalActivation* lexicalEnvironment = new (NotNull, allocateCell<StrictEvalActivation>(*exec->heap())) StrictEvalActivation(exec, currentScope);
lexicalEnvironment->finishCreation(exec->vm());
return lexicalEnvironment;
}
@@ -55,7 +55,7 @@
static const unsigned StructureFlags = IsEnvironmentRecord | Base::StructureFlags;
private:
- StrictEvalActivation(ExecState*);
+ StrictEvalActivation(ExecState*, JSScope*);
};
} // namespace JSC