<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[174821] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/174821">174821</a></dd>
<dt>Author</dt> <dd>oliver@apple.com</dd>
<dt>Date</dt> <dd>2014-10-17 09:07:08 -0700 (Fri, 17 Oct 2014)</dd>
</dl>
<h3>Log Message</h3>
<pre>Various arguments optimisations in codegen fail to account for arguments being in lexical record
https://bugs.webkit.org/show_bug.cgi?id=137617
Reviewed by Michael Saboff.
Rework the way we track |arguments| references so that we don't try
to use the |arguments| reference on the stack if it's not safe.
To do this without nuking performance it was necessary to update
the parser to track modification of the |arguments| reference
itself.
* bytecode/CodeBlock.cpp:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::willResolveToArguments):
(JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
(JSC::BytecodeGenerator::emitCall):
(JSC::BytecodeGenerator::emitConstruct):
(JSC::BytecodeGenerator::emitEnumeration):
(JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
* bytecompiler/BytecodeGenerator.h:
(JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
* bytecompiler/NodesCodegen.cpp:
(JSC::BracketAccessorNode::emitBytecode):
(JSC::DotAccessorNode::emitBytecode):
(JSC::getArgumentByVal):
(JSC::CallFunctionCallDotNode::emitBytecode):
(JSC::ApplyFunctionCallDotNode::emitBytecode):
(JSC::ArrayPatternNode::emitDirectBinding):
* interpreter/StackVisitor.cpp:
(JSC::StackVisitor::Frame::existingArguments):
* parser/Nodes.h:
(JSC::ScopeNode::modifiesArguments):
* parser/Parser.cpp:
(JSC::Parser<LexerType>::parseInner):
* parser/Parser.h:
(JSC::Scope::getCapturedVariables):
* parser/ParserModes.h:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerNodesCodegencpp">trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreinterpreterStackVisitorcpp">trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserNodesh">trunk/Source/JavaScriptCore/parser/Nodes.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParsercpp">trunk/Source/JavaScriptCore/parser/Parser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParserh">trunk/Source/JavaScriptCore/parser/Parser.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreparserParserModesh">trunk/Source/JavaScriptCore/parser/ParserModes.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -1,3 +1,45 @@
</span><ins>+2014-10-10 Oliver Hunt <oliver@apple.com>
+
+ Various arguments optimisations in codegen fail to account for arguments being in lexical record
+ https://bugs.webkit.org/show_bug.cgi?id=137617
+
+ Reviewed by Michael Saboff.
+
+ Rework the way we track |arguments| references so that we don't try
+ to use the |arguments| reference on the stack if it's not safe.
+
+ To do this without nuking performance it was necessary to update
+ the parser to track modification of the |arguments| reference
+ itself.
+
+ * bytecode/CodeBlock.cpp:
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::BytecodeGenerator):
+ (JSC::BytecodeGenerator::willResolveToArguments):
+ (JSC::BytecodeGenerator::uncheckedLocalArgumentsRegister):
+ (JSC::BytecodeGenerator::emitCall):
+ (JSC::BytecodeGenerator::emitConstruct):
+ (JSC::BytecodeGenerator::emitEnumeration):
+ (JSC::BytecodeGenerator::uncheckedRegisterForArguments): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ (JSC::BytecodeGenerator::hasSafeLocalArgumentsRegister):
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::BracketAccessorNode::emitBytecode):
+ (JSC::DotAccessorNode::emitBytecode):
+ (JSC::getArgumentByVal):
+ (JSC::CallFunctionCallDotNode::emitBytecode):
+ (JSC::ApplyFunctionCallDotNode::emitBytecode):
+ (JSC::ArrayPatternNode::emitDirectBinding):
+ * interpreter/StackVisitor.cpp:
+ (JSC::StackVisitor::Frame::existingArguments):
+ * parser/Nodes.h:
+ (JSC::ScopeNode::modifiesArguments):
+ * parser/Parser.cpp:
+ (JSC::Parser<LexerType>::parseInner):
+ * parser/Parser.h:
+ (JSC::Scope::getCapturedVariables):
+ * parser/ParserModes.h:
+
</ins><span class="cx"> 2014-10-17 Gyuyoung Kim <gyuyoung.kim@samsung.com>
</span><span class="cx">
</span><span class="cx"> Use WTF::move() instead of std::move() to help ensure move semantics in JavaScriptCore
</span></span></pre></div>
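Review bot: the ChangeLog entry lists every touched function but gives none of them a description, and the modified paths for this revision include no test file. Say per function what changed (for example that uncheckedLocalArgumentsRegister replaces uncheckedRegisterForArguments and why), and add a regression test for the case the title names, arguments living in the lexical record, covering the call, construct, enumeration and destructuring paths edited here.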
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -3888,6 +3888,8 @@
</span><span class="cx">
</span><span class="cx"> if (codeBlock->usesArguments() && virtualReg == codeBlock->argumentsRegister())
</span><span class="cx"> return;
</span><ins>+ if (codeBlock->usesArguments() && virtualReg == unmodifiedArgumentsRegister(codeBlock->argumentsRegister()))
+ return;
</ins><span class="cx">
</span><span class="cx"> if (codeBlock->captureCount() && codeBlock->symbolTable()->isCaptured(operand)) {
</span><span class="cx"> codeBlock->beginValidationDidFail();
</span></span></pre></div>
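Review bot: the added test repeats the codeBlock->usesArguments() check from the line directly above it. Fold both register comparisons into one condition under a single usesArguments() test, and add a short comment that the assignable and the unmodified arguments registers are both skipped by this validation.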
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -167,6 +167,7 @@
</span><span class="cx"> , m_lexicalEnvironmentRegister(0)
</span><span class="cx"> , m_emptyValueRegister(0)
</span><span class="cx"> , m_globalObjectRegister(0)
</span><ins>+ , m_localArgumentsRegister(0)
</ins><span class="cx"> , m_finallyDepth(0)
</span><span class="cx"> , m_localScopeDepth(0)
</span><span class="cx"> , m_codeType(GlobalCode)
</span><span class="lines">@@ -211,6 +212,7 @@
</span><span class="cx"> , m_lexicalEnvironmentRegister(0)
</span><span class="cx"> , m_emptyValueRegister(0)
</span><span class="cx"> , m_globalObjectRegister(0)
</span><ins>+ , m_localArgumentsRegister(0)
</ins><span class="cx"> , m_finallyDepth(0)
</span><span class="cx"> , m_localScopeDepth(0)
</span><span class="cx"> , m_codeType(FunctionCode)
</span><span class="lines">@@ -250,6 +252,7 @@
</span><span class="cx"> emitOpcode(op_create_lexical_environment);
</span><span class="cx"> instructions().append(m_lexicalEnvironmentRegister->index());
</span><span class="cx"> }
</span><ins>+ RegisterID* localArgumentsRegister = nullptr;
</ins><span class="cx"> RegisterID* scratch = addVar();
</span><span class="cx"> m_symbolTable->setCaptureStart(virtualRegisterForLocal(m_codeBlock->m_numVars).offset());
</span><span class="cx">
</span><span class="lines">@@ -257,6 +260,8 @@
</span><span class="cx"> RegisterID* unmodifiedArgumentsRegister = addVar(); // Anonymous, so it can't be modified by user code.
</span><span class="cx"> RegisterID* argumentsRegister = addVar(propertyNames().arguments, IsVariable, NotWatchable); // Can be changed by assigning to 'arguments'.
</span><span class="cx">
</span><ins>+ localArgumentsRegister = argumentsRegister;
+
</ins><span class="cx"> // We can save a little space by hard-coding the knowledge that the two
</span><span class="cx"> // 'arguments' values are stored in consecutive registers, and storing
</span><span class="cx"> // only the index of the assignable one.
</span><span class="lines">@@ -274,6 +279,15 @@
</span><span class="cx"> initializeCapturedVariable(argumentsRegister, propertyNames().arguments, argumentsRegister);
</span><span class="cx"> RegisterID* uncheckedArgumentsRegister = &registerFor(JSC::unmodifiedArgumentsRegister(m_codeBlock->argumentsRegister()).offset());
</span><span class="cx"> initializeCapturedVariable(uncheckedArgumentsRegister, propertyNames().arguments, uncheckedArgumentsRegister);
</span><ins>+ if (functionBody->modifiesArguments()) {
+ emitOpcode(op_mov);
+ instructions().append(argumentsRegister->index());
+ instructions().append(addConstantValue(jsUndefined())->index());
+ emitOpcode(op_mov);
+ instructions().append(uncheckedArgumentsRegister->index());
+ instructions().append(addConstantValue(jsUndefined())->index());
+ localArgumentsRegister = nullptr;
+ }
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> }
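Review bot: the modifiesArguments() block overwrites both arguments registers with undefined using two hand-written op_mov sequences, and nothing says why the stack copies are cleared right after initializeCapturedVariable ran on them. Add a comment stating that the stack slots must not be trusted once the parser has seen a write to arguments (or eval), call addConstantValue(jsUndefined()) once and reuse the result, and consider an existing emit helper instead of appending raw operands.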
</span><span class="lines">@@ -386,6 +400,7 @@
</span><span class="cx"> int nextParameterIndex = CallFrame::thisArgumentOffset();
</span><span class="cx"> m_thisRegister.setIndex(nextParameterIndex++);
</span><span class="cx"> m_codeBlock->addParameter();
</span><ins>+
</ins><span class="cx"> for (size_t i = 0; i < parameters.size(); ++i, ++nextParameterIndex) {
</span><span class="cx"> int index = nextParameterIndex;
</span><span class="cx"> auto pattern = parameters.at(i);
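Review bot: the only change in this hunk is a blank line added after m_codeBlock->addParameter(). Drop it so the diff carries no unrelated whitespace.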
</span><span class="lines">@@ -419,6 +434,7 @@
</span><span class="cx"> instructions().append(0);
</span><span class="cx"> instructions().append(0);
</span><span class="cx"> }
</span><ins>+ m_localArgumentsRegister = localArgumentsRegister;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> BytecodeGenerator::BytecodeGenerator(VM& vm, EvalNode* evalNode, UnlinkedEvalCodeBlock* codeBlock, DebuggerMode debuggerMode, ProfilerMode profilerMode)
</span><span class="lines">@@ -431,6 +447,7 @@
</span><span class="cx"> , m_lexicalEnvironmentRegister(0)
</span><span class="cx"> , m_emptyValueRegister(0)
</span><span class="cx"> , m_globalObjectRegister(0)
</span><ins>+ , m_localArgumentsRegister(0)
</ins><span class="cx"> , m_finallyDepth(0)
</span><span class="cx"> , m_localScopeDepth(0)
</span><span class="cx"> , m_codeType(EvalCode)
</span><span class="lines">@@ -545,19 +562,17 @@
</span><span class="cx"> if (entry.isNull())
</span><span class="cx"> return false;
</span><span class="cx">
</span><del>- if (m_codeBlock->usesArguments() && m_codeType == FunctionCode)
</del><ins>+ if (m_codeBlock->usesArguments() && m_codeType == FunctionCode && m_localArgumentsRegister)
</ins><span class="cx"> return true;
</span><span class="cx">
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-RegisterID* BytecodeGenerator::uncheckedRegisterForArguments()
</del><ins>+RegisterID* BytecodeGenerator::uncheckedLocalArgumentsRegister()
</ins><span class="cx"> {
</span><span class="cx"> ASSERT(willResolveToArguments(propertyNames().arguments));
</span><del>-
- SymbolTableEntry entry = symbolTable().get(propertyNames().arguments.impl());
- ASSERT(!entry.isNull());
- return &registerFor(entry.getIndex());
</del><ins>+ ASSERT(m_localArgumentsRegister);
+ return m_localArgumentsRegister;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RegisterID* BytecodeGenerator::createLazyRegisterIfNecessary(RegisterID* reg)
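Review bot: uncheckedLocalArgumentsRegister() now guarantees a non-null result only through two debug-only ASSERTs, so a caller that skips willResolveToArguments() gets a null RegisterID in a release build. The removed body at least resolved the register from the symbol table. State the precondition in a comment on the declaration, or promote ASSERT(m_localArgumentsRegister) to a release assertion. The if/return true/return false tail in willResolveToArguments() can also return the condition directly.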
</span><span class="lines">@@ -1828,7 +1843,7 @@
</span><span class="cx"> auto expression = static_cast<SpreadExpressionNode*>(n->m_expr)->expression();
</span><span class="cx"> RefPtr<RegisterID> argumentRegister;
</span><span class="cx"> if (expression->isResolveNode() && willResolveToArguments(static_cast<ResolveNode*>(expression)->identifier()) && !symbolTable().slowArguments())
</span><del>- argumentRegister = uncheckedRegisterForArguments();
</del><ins>+ argumentRegister = uncheckedLocalArgumentsRegister();
</ins><span class="cx"> else
</span><span class="cx"> argumentRegister = expression->emitBytecode(*this, callArguments.argumentRegister(0));
</span><span class="cx"> RefPtr<RegisterID> thisRegister = emitMove(newTemporary(), callArguments.thisRegister());
</span><span class="lines">@@ -1970,7 +1985,7 @@
</span><span class="cx"> auto expression = static_cast<SpreadExpressionNode*>(n->m_expr)->expression();
</span><span class="cx"> RefPtr<RegisterID> argumentRegister;
</span><span class="cx"> if (expression->isResolveNode() && willResolveToArguments(static_cast<ResolveNode*>(expression)->identifier()) && !symbolTable().slowArguments())
</span><del>- argumentRegister = uncheckedRegisterForArguments();
</del><ins>+ argumentRegister = uncheckedLocalArgumentsRegister();
</ins><span class="cx"> else
</span><span class="cx"> argumentRegister = expression->emitBytecode(*this, callArguments.argumentRegister(0));
</span><span class="cx"> return emitConstructVarargs(dst, func, argumentRegister.get(), newTemporary(), 0, callArguments.profileHookRegister(), divot, divotStart, divotEnd);
</span><span class="lines">@@ -2538,13 +2553,13 @@
</span><span class="cx"> emitJump(loopCondition.get());
</span><span class="cx"> emitLabel(loopStart.get());
</span><span class="cx"> emitLoopHint();
</span><del>- emitGetArgumentByVal(value.get(), uncheckedRegisterForArguments(), index.get());
</del><ins>+ emitGetArgumentByVal(value.get(), uncheckedLocalArgumentsRegister(), index.get());
</ins><span class="cx"> callBack(*this, value.get());
</span><span class="cx">
</span><span class="cx"> emitLabel(scope->continueTarget());
</span><span class="cx"> emitInc(index.get());
</span><span class="cx"> emitLabel(loopCondition.get());
</span><del>- RefPtr<RegisterID> length = emitGetArgumentsLength(newTemporary(), uncheckedRegisterForArguments());
</del><ins>+ RefPtr<RegisterID> length = emitGetArgumentsLength(newTemporary(), uncheckedLocalArgumentsRegister());
</ins><span class="cx"> emitJumpIfTrue(emitEqualityOp(op_less, newTemporary(), index.get(), length.get()), loopStart.get());
</span><span class="cx"> emitLabel(scope->breakTarget());
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -277,8 +277,10 @@
</span><span class="cx"> void setIsNumericCompareFunction(bool isNumericCompareFunction);
</span><span class="cx">
</span><span class="cx"> bool willResolveToArguments(const Identifier&);
</span><del>- RegisterID* uncheckedRegisterForArguments();
</del><span class="cx">
</span><ins>+ bool hasSafeLocalArgumentsRegister() { return m_localArgumentsRegister; }
+ RegisterID* uncheckedLocalArgumentsRegister();
+
</ins><span class="cx"> bool isCaptured(int operand);
</span><span class="cx"> CaptureMode captureMode(int operand) { return isCaptured(operand) ? IsCaptured : NotCaptured; }
</span><span class="cx">
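Review bot: hasSafeLocalArgumentsRegister() does not modify the generator and should be declared const, and it returns a RegisterID* through an implicit pointer-to-bool conversion. Write the comparison explicitly, and add a one-line comment on what makes the register safe (no write to arguments and no eval in the function body).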
</span><span class="lines">@@ -752,6 +754,8 @@
</span><span class="cx"> RegisterID* m_lexicalEnvironmentRegister;
</span><span class="cx"> RegisterID* m_emptyValueRegister;
</span><span class="cx"> RegisterID* m_globalObjectRegister;
</span><ins>+ RegisterID* m_localArgumentsRegister;
+
</ins><span class="cx"> Vector<Identifier, 16> m_watchableVariables;
</span><span class="cx"> SegmentedVector<RegisterID, 32> m_constantPoolRegisters;
</span><span class="cx"> SegmentedVector<RegisterID, 32> m_calleeRegisters;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerNodesCodegencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -386,7 +386,7 @@
</span><span class="cx"> && !generator.symbolTable().slowArguments()) {
</span><span class="cx"> RegisterID* property = generator.emitNode(m_subscript);
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><del>- return generator.emitGetArgumentByVal(generator.finalDestination(dst), generator.uncheckedRegisterForArguments(), property);
</del><ins>+ return generator.emitGetArgumentByVal(generator.finalDestination(dst), generator.uncheckedLocalArgumentsRegister(), property);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RefPtr<RegisterID> base = generator.emitNodeForLeftHandSide(m_base, m_subscriptHasAssignments, m_subscript->isPure(generator));
</span><span class="lines">@@ -412,7 +412,7 @@
</span><span class="cx"> if (!generator.willResolveToArguments(resolveNode->identifier()))
</span><span class="cx"> goto nonArgumentsPath;
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><del>- return generator.emitGetArgumentsLength(generator.finalDestination(dst), generator.uncheckedRegisterForArguments());
</del><ins>+ return generator.emitGetArgumentsLength(generator.finalDestination(dst), generator.uncheckedLocalArgumentsRegister());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> nonArgumentsPath:
</span><span class="lines">@@ -593,7 +593,7 @@
</span><span class="cx"> && generator.willResolveToArguments(static_cast<ResolveNode*>(base)->identifier())
</span><span class="cx"> && !generator.symbolTable().slowArguments()) {
</span><span class="cx"> generator.emitExpressionInfo(divot, divotStart, divotEnd);
</span><del>- return generator.emitGetArgumentByVal(generator.finalDestination(dst), generator.uncheckedRegisterForArguments(), property);
</del><ins>+ return generator.emitGetArgumentByVal(generator.finalDestination(dst), generator.uncheckedLocalArgumentsRegister(), property);
</ins><span class="cx"> }
</span><span class="cx"> return nullptr;
</span><span class="cx"> }
</span><span class="lines">@@ -621,7 +621,7 @@
</span><span class="cx"> RefPtr<RegisterID> thisRegister = getArgumentByVal(generator, subject, generator.emitLoad(0, jsNumber(0)), 0, spread->divot(), spread->divotStart(), spread->divotEnd());
</span><span class="cx"> RefPtr<RegisterID> argumentsRegister;
</span><span class="cx"> if (thisRegister)
</span><del>- argumentsRegister = generator.uncheckedRegisterForArguments();
</del><ins>+ argumentsRegister = generator.uncheckedLocalArgumentsRegister();
</ins><span class="cx"> else {
</span><span class="cx"> argumentsRegister = generator.emitNode(subject);
</span><span class="cx"> generator.emitExpressionInfo(spread->divot(), spread->divotStart(), spread->divotEnd());
</span><span class="lines">@@ -749,7 +749,7 @@
</span><span class="cx"> RefPtr<RegisterID> argsRegister;
</span><span class="cx"> ArgumentListNode* args = m_args->m_listNode->m_next;
</span><span class="cx"> if (args->m_expr->isResolveNode() && generator.willResolveToArguments(static_cast<ResolveNode*>(args->m_expr)->identifier()) && !generator.symbolTable().slowArguments())
</span><del>- argsRegister = generator.uncheckedRegisterForArguments();
</del><ins>+ argsRegister = generator.uncheckedLocalArgumentsRegister();
</ins><span class="cx"> else
</span><span class="cx"> argsRegister = generator.emitNode(args->m_expr);
</span><span class="cx">
</span><span class="lines">@@ -2721,7 +2721,7 @@
</span><span class="cx"> {
</span><span class="cx"> if (rhs->isResolveNode()
</span><span class="cx"> && generator.willResolveToArguments(static_cast<ResolveNode*>(rhs)->identifier())
</span><del>- && !generator.symbolTable().slowArguments()) {
</del><ins>+ && generator.hasSafeLocalArgumentsRegister()&& !generator.symbolTable().slowArguments()) {
</ins><span class="cx"> for (size_t i = 0; i < m_targetPatterns.size(); i++) {
</span><span class="cx"> auto target = m_targetPatterns[i];
</span><span class="cx"> if (!target)
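Review bot: hasSafeLocalArgumentsRegister() is tested only at this call site, while the other fast paths edited in this file rely on willResolveToArguments() alone, which after this patch already requires m_localArgumentsRegister to be set. Either drop the extra test here or explain why destructuring needs it and the other sites do not. The edited line also lost the space between hasSafeLocalArgumentsRegister() and the operator that follows it, and joins two conditions that the surrounding lines keep one per line.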
</span><span class="lines">@@ -2729,7 +2729,7 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<RegisterID> temp = generator.newTemporary();
</span><span class="cx"> generator.emitLoad(temp.get(), jsNumber(i));
</span><del>- generator.emitGetArgumentByVal(temp.get(), generator.uncheckedRegisterForArguments(), temp.get());
</del><ins>+ generator.emitGetArgumentByVal(temp.get(), generator.uncheckedLocalArgumentsRegister(), temp.get());
</ins><span class="cx"> target->bindValue(generator, temp.get());
</span><span class="cx"> }
</span><span class="cx"> if (dst == generator.ignoredResult() || !dst)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreinterpreterStackVisitorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/interpreter/StackVisitor.cpp        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -296,6 +296,9 @@
</span><span class="cx"> else
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span><span class="cx"> reg = codeBlock()->argumentsRegister();
</span><ins>+
+ if (codeBlock()->needsActivation())
+ return jsCast<Arguments*>(callFrame()->lexicalEnvironment()->registerAt(unmodifiedArgumentsRegister(reg).offset()).get());
</ins><span class="cx">
</span><span class="cx"> JSValue result = callFrame()->r(unmodifiedArgumentsRegister(reg).offset()).jsValue();
</span><span class="cx"> if (!result || !result.isCell()) // Protect against Undefined in case we throw in op_enter.
</span></span></pre></div>
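Review bot: the new needsActivation() return applies jsCast to Arguments* on the lexical-environment slot with none of the guards the stack path directly below uses (!result || !result.isCell(), commented as protecting against Undefined when op_enter throws), and it dereferences callFrame()->lexicalEnvironment() without a null check. Read the slot into a JSValue first and apply the same empty and non-cell checks before casting, and return early if the lexical environment has not been created yet.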
<a id="trunkSourceJavaScriptCoreparserNodesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Nodes.h (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Nodes.h        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/parser/Nodes.h        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -1440,6 +1440,7 @@
</span><span class="cx"> bool usesEval() const { return m_features & EvalFeature; }
</span><span class="cx"> bool usesArguments() const { return (m_features & ArgumentsFeature) && !(m_features & ShadowsArgumentsFeature); }
</span><span class="cx"> bool modifiesParameter() const { return m_features & ModifiedParameterFeature; }
</span><ins>+ bool modifiesArguments() const { return m_features & (EvalFeature | ModifiedArgumentsFeature); }
</ins><span class="cx"> bool isStrictMode() const { return m_features & StrictModeFeature; }
</span><span class="cx"> void setUsesArguments() { m_features |= ArgumentsFeature; }
</span><span class="cx"> bool usesThis() const { return m_features & ThisFeature; }
</span></span></pre></div>
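Review bot: modifiesArguments() also returns true for EvalFeature, which its name does not suggest and which modifiesParameter() on the line above does not do. Add a comment that eval is treated as a potential write to arguments, so readers do not assume the accessor mirrors ModifiedArgumentsFeature alone.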
<a id="trunkSourceJavaScriptCoreparserParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Parser.cpp (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Parser.cpp        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/parser/Parser.cpp        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -271,7 +271,8 @@
</span><span class="cx">
</span><span class="cx"> IdentifierSet capturedVariables;
</span><span class="cx"> bool modifiedParameter = false;
</span><del>- scope->getCapturedVariables(capturedVariables, modifiedParameter);
</del><ins>+ bool modifiedArguments = false;
+ scope->getCapturedVariables(capturedVariables, modifiedParameter, modifiedArguments);
</ins><span class="cx">
</span><span class="cx"> CodeFeatures features = context.features();
</span><span class="cx"> if (scope->strictMode())
</span><span class="lines">@@ -280,7 +281,8 @@
</span><span class="cx"> features |= ShadowsArgumentsFeature;
</span><span class="cx"> if (modifiedParameter)
</span><span class="cx"> features |= ModifiedParameterFeature;
</span><del>-
</del><ins>+ if (modifiedArguments)
+ features |= ModifiedArgumentsFeature;
</ins><span class="cx"> Vector<RefPtr<StringImpl>> closedVariables;
</span><span class="cx"> if (m_parsingBuiltin) {
</span><span class="cx"> RELEASE_ASSERT(!capturedVariables.size());
</span><span class="lines">@@ -292,6 +294,10 @@
</span><span class="cx">
</span><span class="cx"> if (scope->hasDeclaredParameter(Identifier(m_vm, variable.get())))
</span><span class="cx"> continue;
</span><ins>+
+ if (variable == m_vm->propertyNames->arguments.impl())
+ continue;
+
</ins><span class="cx"> closedVariables.append(variable);
</span><span class="cx"> }
</span><span class="cx"> }
</span></span></pre></div>
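Review bot: the new continue that skips arguments in the closedVariables loop has no comment, and neither the log message nor the lines around it say why arguments must never be recorded as a closed variable. Add a one-line explanation next to the check, and hoist m_vm->propertyNames->arguments.impl() out of the loop since it does not change per iteration.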
<a id="trunkSourceJavaScriptCoreparserParserh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/Parser.h (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/Parser.h        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/parser/Parser.h        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -279,7 +279,7 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void getCapturedVariables(IdentifierSet& capturedVariables, bool& modifiedParameter)
</del><ins>+ void getCapturedVariables(IdentifierSet& capturedVariables, bool& modifiedParameter, bool& modifiedArguments)
</ins><span class="cx"> {
</span><span class="cx"> if (m_needsFullActivation || m_usesEval) {
</span><span class="cx"> modifiedParameter = true;
</span><span class="lines">@@ -292,9 +292,13 @@
</span><span class="cx"> capturedVariables.add(*ptr);
</span><span class="cx"> }
</span><span class="cx"> modifiedParameter = false;
</span><ins>+ if (shadowsArguments())
+ modifiedArguments = true;
</ins><span class="cx"> if (m_declaredParameters.size()) {
</span><span class="cx"> IdentifierSet::iterator end = m_writtenVariables.end();
</span><span class="cx"> for (IdentifierSet::iterator ptr = m_writtenVariables.begin(); ptr != end; ++ptr) {
</span><ins>+ if (*ptr == m_vm->propertyNames->arguments.impl())
+ modifiedArguments = true;
</ins><span class="cx"> if (!m_declaredParameters.contains(*ptr))
</span><span class="cx"> continue;
</span><span class="cx"> modifiedParameter = true;
</span></span></pre></div>
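Review bot: the test for a write to arguments sits inside the if (m_declaredParameters.size()) block, so a function with no declared parameters that assigns to arguments never sets modifiedArguments through this loop. Move the check out of the parameter loop, for example a single m_writtenVariables.contains() lookup before the if, which also avoids comparing every written variable against the arguments identifier. modifiedArguments is only ever set to true here, unlike modifiedParameter which is reset to false, so the function depends on the caller's initialisation; assign it explicitly at the top.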
<a id="trunkSourceJavaScriptCoreparserParserModesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/parser/ParserModes.h (174820 => 174821)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/parser/ParserModes.h        2014-10-17 10:51:08 UTC (rev 174820)
+++ trunk/Source/JavaScriptCore/parser/ParserModes.h        2014-10-17 16:07:08 UTC (rev 174821)
</span><span class="lines">@@ -75,6 +75,7 @@
</span><span class="cx"> const CodeFeatures StrictModeFeature = 1 << 5;
</span><span class="cx"> const CodeFeatures ShadowsArgumentsFeature = 1 << 6;
</span><span class="cx"> const CodeFeatures ModifiedParameterFeature = 1 << 7;
</span><ins>+const CodeFeatures ModifiedArgumentsFeature = 1 << 8;
</ins><span class="cx">
</span><span class="cx"> const CodeFeatures AllFeatures = EvalFeature | ArgumentsFeature | WithFeature | CatchFeature | ThisFeature | StrictModeFeature | ShadowsArgumentsFeature | ModifiedParameterFeature;
</span><span class="cx">
</span></span></pre>
</div>
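Review bot: ModifiedArgumentsFeature is added as bit 8 but the AllFeatures mask two lines below is left unchanged, so it does not include the new flag. Add ModifiedArgumentsFeature to AllFeatures, and confirm the CodeFeatures type is wide enough for a ninth bit.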
</div>
</body>
</html>