| blob | 344ce16a59e0c9b4c8740a800bcb67fa1c0b703c |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode generation.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <new>
48 #include <string.h>
72 /* Allocation chunk counts, must be powers of two in general. */
77 /* Macros to compute byte sizes from typed element counts. */
78 #define BYTECODE_SIZE(n) ((n) * sizeof(jsbytecode))
79 #define SRCNOTE_SIZE(n) ((n) * sizeof(jssrcnote))
80 #define TRYNOTE_SIZE(n) ((n) * sizeof(JSTryNote))
84 static JSBool
90 uintN lineno)
101 {
109 }
112 {
114 }
117 {
121 /* NB: non-null only after OOM. */
127 }
129 static ptrdiff_t
131 {
143 ? BYTECODE_CHUNK
152 }
156 }
160 }
162 }
164 static void
166 {
168 JSOp op;
171 intN ndefs;
176 #ifdef JS_TRACER
179 #else
181 #endif
185 extra;
188 }
201 JSMSG_STACK_UNDERFLOW,
203 numBuf);
204 }
209 /* We just executed IndexParsedObject */
218 }
222 }
224 ptrdiff_t
226 {
232 }
234 }
236 ptrdiff_t
238 {
247 }
249 }
251 ptrdiff_t
253 jsbytecode op2)
254 {
264 }
266 }
268 ptrdiff_t
270 {
280 /*
281 * Don't UpdateDepth if op's use-count comes from the immediate
282 * operand yet to be stored in the extra bytes after op.
283 */
286 }
288 }
290 /* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
311 };
317 {
321 }
323 static void
325 {
328 }
330 /**
331 Span-dependent instructions in JS bytecode consist of the jump (JOF_JUMP)
332 and switch (JOF_LOOKUPSWITCH, JOF_TABLESWITCH) format opcodes, subdivided
333 into unconditional (gotos and gosubs), and conditional jumps or branches
334 (which pop a value, test it, and jump depending on its value). Most jumps
335 have just one immediate operand, a signed offset from the jump opcode's pc
336 to the target bytecode. The lookup and table switch opcodes may contain
337 many jump offsets.
339 Mozilla bug #80981 (http://bugzilla.mozilla.org/show_bug.cgi?id=80981) was
340 fixed by adding extended "X" counterparts to the opcodes/formats (NB: X is
341 suffixed to prefer JSOP_ORX thereby avoiding a JSOP_XOR name collision for
342 the extended form of the JSOP_OR branch opcode). The unextended or short
343 formats have 16-bit signed immediate offset operands, the extended or long
344 formats have 32-bit signed immediates. The span-dependency problem consists
345 of selecting as few long instructions as possible, or about as few -- since
346 jumps can span other jumps, extending one jump may cause another to need to
347 be extended.
349 Most JS scripts are short, so need no extended jumps. We optimize for this
350 case by generating short jumps until we know a long jump is needed. After
351 that point, we keep generating short jumps, but each jump's 16-bit immediate
352 offset operand is actually an unsigned index into cg->spanDeps, an array of
353 JSSpanDep structs. Each struct tells the top offset in the script of the
354 opcode, the "before" offset of the jump (which will be the same as top for
355 simplex jumps, but which will index further into the bytecode array for a
356 non-initial jump offset in a lookup or table switch), the after "offset"
357 adjusted during span-dependent instruction selection (initially the same
358 value as the "before" offset), and the jump target (more below).
360 Since we generate cg->spanDeps lazily, from within js_SetJumpOffset, we must
361 ensure that all bytecode generated so far can be inspected to discover where
362 the jump offset immediate operands lie within CG_CODE(cg). But the bonus is
363 that we generate span-dependency records sorted by their offsets, so we can
364 binary-search when trying to find a JSSpanDep for a given bytecode offset,
365 or the nearest JSSpanDep at or above a given pc.
367 To avoid limiting scripts to 64K jumps, if the cg->spanDeps index overflows
368 65534, we store SPANDEP_INDEX_HUGE in the jump's immediate operand. This
369 tells us that we need to binary-search for the cg->spanDeps entry by the
370 jump opcode's bytecode offset (sd->before).
372 Jump targets need to be maintained in a data structure that lets us look
373 up an already-known target by its address (jumps may have a common target),
374 and that also lets us update the addresses (script-relative, a.k.a. absolute
375 offsets) of targets that come after a jump target (for when a jump below
376 that target needs to be extended). We use an AVL tree, implemented using
377 recursion, but with some tricky optimizations to its height-balancing code
378 (see http://www.cmcrossroads.com/bradapp/ftp/src/libs/C++/AvlTrees.html).
380 A final wrinkle: backpatch chains are linked by jump-to-jump offsets with
381 positive sign, even though they link "backward" (i.e., toward lower bytecode
382 address). We don't want to waste space and search time in the AVL tree for
383 such temporary backpatch deltas, so we use a single-bit wildcard scheme to
384 tag true JSJumpTarget pointers and encode untagged, signed (positive) deltas
385 in JSSpanDep.target pointers, depending on whether the JSSpanDep has a known
386 target, or is still awaiting backpatching.
388 Note that backpatch chains would present a problem for BuildSpanDepTable,
389 which inspects bytecode to build cg->spanDeps on demand, when the first
390 short jump offset overflows. To solve this temporary problem, we emit a
391 proxy bytecode (JSOP_BACKPATCH; JSOP_BACKPATCH_POP for branch ops) whose
392 nuses/ndefs counts help keep the stack balanced, but whose opcode format
393 distinguishes its backpatch delta immediate operand from a normal jump
394 offset.
395 */
396 static int
398 {
401 JSBool doubleRotate;
414 }
438 }
441 }
450 static int
452 {
468 }
469 }
477 }
482 }
486 else
495 }
497 #ifdef DEBUG_brendan
499 {
508 }
509 #endif
511 static JSBool
514 {
515 AddJumpTargetArgs args;
520 }
530 #ifdef DEBUG_brendan
532 #endif
536 }
538 #define SPANDEPS_MIN 256
539 #define SPANDEPS_SIZE(n) ((n) * sizeof(JSSpanDep))
540 #define SPANDEPS_SIZE_MIN SPANDEPS_SIZE(SPANDEPS_MIN)
542 static JSBool
545 {
546 uintN index;
554 }
563 }
571 /* Jump offset will be backpatched if off is a non-zero "bpdelta". */
577 }
578 }
581 /* Jump offset will be patched directly, without backpatch chaining. */
584 /* The jump offset in off is non-zero, therefore it's already known. */
587 }
593 }
597 {
598 JSOp op;
622 }
630 }
632 }
634 static JSBool
636 {
638 JSOp op;
661 /* FALL THROUGH */
665 }
666 }
669 }
673 {
674 uintN index;
693 else
695 }
699 }
701 static JSBool
704 {
711 }
716 }
725 }
727 static void
729 {
734 }
737 }
742 {
757 else
759 }
765 }
767 static void
769 {
776 }
778 static JSBool
780 {
784 JSBool done;
785 JSOp op;
786 uint32 type;
792 #ifdef DEBUG_brendan
794 #endif
810 #ifdef DEBUG_brendan
811 passes++;
812 #endif
827 /*
828 * We already extended all the jump offset operands for
829 * the opcode at sd->top. Jumps and branches have only
830 * one jump offset operand, but switches have many, all
831 * of which are adjacent in cg->spanDeps.
832 */
834 }
839 }
862 }
867 /*
868 * sd2->offset already includes delta as it stood
869 * before we entered this loop, but it must also
870 * include the delta relative to top due to all the
871 * extended jump offset immediates for the opcode
872 * starting at top, which we extend in this loop.
873 *
874 * If there is only one extended jump offset, then
875 * sd2->offset won't change and this for loop will
876 * iterate once only.
877 */
881 /*
882 * sd2 comes after sd, and won't be revisited by
883 * the outer for loop, so we have to increase its
884 * offset by delta, not merely by deltaFromTop.
885 */
887 }
892 }
894 }
895 }
896 }
902 #ifdef DEBUG_brendan
909 #endif
911 /*
912 * Ensure that we have room for the extended jumps, but don't round up
913 * to a power of two -- we're done generating code, so we cut to fit.
914 */
926 }
929 }
932 /*
933 * Set up a fake span dependency record to guard the end of the code
934 * being generated. This guard record is returned as a fencepost by
935 * FindNearestSpanDep if there is no real spandep at or above a given
936 * unextended code offset.
937 */
942 }
944 /*
945 * Now work backwards through the span dependencies, copying chunks of
946 * bytecode between each extended jump toward the end of the grown code
947 * space, and restoring immediate offset operands for all jump bytecodes.
948 * The first chunk of bytecodes, starting at base and ending at the first
949 * extended jump offset (NB: this chunk includes the operation bytecode
950 * just before that immediate jump offset), doesn't need to be copied.
951 */
962 sd2++;
965 }
970 /*
971 * If this jump didn't need to be extended, restore its span immediate
972 * offset operand now, overwriting the index of sd within cg->spanDeps
973 * that was stored temporarily after *pc when BuildSpanDepTable ran.
974 *
975 * Note that span might fit in 16 bits even for an extended jump op,
976 * if the op has multiple span operands, not all of which overflowed
977 * (e.g. JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH where some cases are in
978 * range for a short jump, but others are not).
979 */
984 }
986 /*
987 * Set up parameters needed to copy the next run of bytecode starting
988 * at offset (which is a cursor into the unextended, original bytecode
989 * vector), down to sd->before (a cursor of the same scale as offset,
990 * it's the index of the original jump pc). Reuse delta to count the
991 * nominal number of bytes to copy.
992 */
997 /*
998 * Don't bother copying the jump offset we're about to reset, but do
999 * copy the bytecode at oldpc (which comes just before its immediate
1000 * jump offset operand), on the next iteration through the loop, by
1001 * including it in offset's new value.
1002 */
1008 size);
1009 }
1012 }
1015 /*
1016 * Fix source note deltas. Don't hardwire the delta fixup adjustment,
1017 * even though currently it must be JUMPX_OFFSET_LEN - JUMP_OFFSET_LEN
1018 * at each sd that moved. The future may bring different offset sizes
1019 * for span-dependent instruction operands. However, we fix only main
1020 * notes here, not prolog notes -- we know that prolog opcodes are not
1021 * span-dependent, and aren't likely ever to be.
1022 */
1028 /*
1029 * Recall that the offset of a given note includes its delta, and
1030 * tells the offset of the annotated bytecode from the main entry
1031 * point of the script.
1032 */
1035 /*
1036 * To compute the delta to add to sn, we need to look at the
1037 * spandep after sd, whose offset - (before + growth) tells by
1038 * how many bytes sd's instruction grew.
1039 */
1051 }
1052 sd++;
1053 }
1055 /*
1056 * If sn has span-dependent offset operands, check whether each
1057 * covers further span-dependencies, and increase those operands
1058 * accordingly. Some source notes measure offset not from the
1059 * annotated pc, but from that pc plus some small bias. NB: we
1060 * assume that spec->offsetBias can't itself span span-dependent
1061 * instructions!
1062 */
1078 /*
1079 * Increase target by sd2's before-vs-after offset delta,
1080 * which is absolute (i.e., relative to start of script,
1081 * as is target). Recompute the span by subtracting its
1082 * adjusted pivot from target.
1083 */
1092 }
1093 }
1094 }
1097 /*
1098 * Fix try/catch notes (O(numTryNotes * log2(numSpanDeps)), but it's
1099 * not clear how we can beat that).
1100 */
1102 /*
1103 * First, look for the nearest span dependency at/above tn->start.
1104 * There may not be any such spandep, in which case the guard will
1105 * be returned.
1106 */
1112 /*
1113 * Next, find the nearest spandep at/above tn->start + tn->length.
1114 * Use its delta minus tn->start's delta to increase tn->length.
1115 */
1121 }
1122 }
1123 }
1125 #ifdef DEBUG_brendan
1126 {
1132 /* NB: sd->top cursors into the original, unextended bytecode vector. */
1149 }
1155 bigspans++;
1159 }
1162 }
1164 }
1166 }
1167 #endif
1169 /*
1170 * Reset so we optimize at most once -- cg may be used for further code
1171 * generation of successive, independent, top-level statements. No jump
1172 * can span top-level statements, because JS lacks goto.
1173 */
1182 }
1184 static ptrdiff_t
1186 {
1187 JSBool extend;
1200 }
1202 }
1204 static ptrdiff_t
1206 {
1222 sd++;
1224 }
1226 JSBool
1229 {
1234 }
1238 }
1241 }
1243 bool
1245 {
1249 }
1251 }
1253 bool
1255 {
1256 #if JS_HAS_SHARP_VARS
1262 }
1278 /*
1279 * Compiler::compileScript will rebase immediate operands indexing
1280 * the sharp slots to come at the end of the global script's |nfixed|
1281 * slots storage, after gvars and regexps.
1282 */
1284 }
1286 #endif
1288 }
1290 bool
1292 {
1299 }
1301 }
1303 void
1306 {
1320 }
1321 }
1323 void
1326 {
1334 }
1336 /*
1337 * Emit a backpatch op with offset pointing to the previous jump of this type,
1338 * so that we can walk back up the chain fixing up the op and jump offset.
1339 */
1340 static ptrdiff_t
1342 {
1350 }
1352 /*
1353 * Macro to emit a bytecode followed by a uint16 immediate operand stored in
1354 * big-endian order, used for arg and var numbers as well as for atomIndexes.
1355 * NB: We use cx and cg from our caller's lexical environment, and return
1356 * false on error.
1357 */
1358 #define EMIT_UINT16_IMM_OP(op, i) \
1359 JS_BEGIN_MACRO \
1360 if (js_Emit3(cx, cg, op, UINT16_HI(i), UINT16_LO(i)) < 0) \
1361 return JS_FALSE; \
1362 JS_END_MACRO
1364 #define EMIT_UINT16PAIR_IMM_OP(op, i, j) \
1365 JS_BEGIN_MACRO \
1366 ptrdiff_t off_ = js_EmitN(cx, cg, op, 2 * UINT16_LEN); \
1367 if (off_ < 0) \
1368 return JS_FALSE; \
1369 jsbytecode *pc_ = CG_CODE(cg, off_); \
1370 SET_UINT16(pc_, i); \
1371 pc_ += UINT16_LEN; \
1372 SET_UINT16(pc_, j); \
1373 JS_END_MACRO
1375 static JSBool
1377 {
1384 }
1386 /*
1387 * Emit additional bytecode(s) for non-local jumps.
1388 */
1389 static JSBool
1391 {
1395 /*
1396 * The non-local jump fixup we emit will unbalance cg->stackDepth, because
1397 * the fixup replicates balanced code such as JSOP_LEAVEWITH emitted at the
1398 * end of a with statement, so we save cg->stackDepth here and restore it
1399 * just before a successful return.
1400 */
1404 #define FLUSH_POPS() if (npops && !FlushPops(cx, cg, &npops)) return JS_FALSE
1417 /* There's a With object on the stack that we need to pop. */
1426 /*
1427 * The iterator and the object being iterated need to be popped.
1428 */
1437 /*
1438 * There's a [exception or hole, retsub pc-index] pair on the
1439 * stack that we need to pop.
1440 */
1445 }
1448 uintN i;
1450 /* There is a Block object with locals on the stack to pop. */
1456 }
1457 }
1463 #undef FLUSH_POPS
1464 }
1466 static ptrdiff_t
1469 {
1470 intN index;
1479 else
1485 }
1487 static JSBool
1490 {
1501 /*
1502 * Set *pc after jump offset in case bpdelta didn't overflow, but span
1503 * does (if so, CHECK_AND_SET_JUMP_OFFSET might call BuildSpanDepTable
1504 * and need to see the JSOP_BACKPATCH* op at *pc).
1505 */
1508 }
1510 }
1512 void
1514 {
1524 }
1525 }
1526 }
1528 JSBool
1530 {
1537 JSOP_GOTO))) {
1539 }
1542 }
1544 JSBool
1547 {
1548 jsdouble dval;
1549 jsint ival;
1551 jsval v;
1553 /* XXX just do numbers for now */
1559 /*
1560 * We atomize double to root a jsdouble instance that we wrap as
1561 * jsval and store in cg->constList. This works because atoms are
1562 * protected from GC during compilation.
1563 */
1568 }
1571 }
1573 }
1575 JSStmtInfo *
1577 {
1588 /* Skip "maybe scope" statements that don't contain let bindings. */
1603 }
1605 }
1606 }
1611 }
1613 /*
1614 * Check if the attributes describe a property holding a compile-time constant
1615 * or a permanent, read-only property without a getter.
1616 */
1617 #define IS_CONSTANT_PROPERTY(attrs) \
1618 (((attrs) & (JSPROP_READONLY | JSPROP_PERMANENT | JSPROP_GETTER)) == \
1619 (JSPROP_READONLY | JSPROP_PERMANENT))
1621 /*
1622 * The function sets vp to JSVAL_HOLE when the atom does not corresponds to a
1623 * name defining a constant.
1624 */
1625 static JSBool
1628 {
1629 JSBool ok;
1633 uintN attrs;
1635 /*
1636 * Chase down the cg stack, but only until we reach the outermost cg.
1637 * This enables propagating consts from top-level into switch cases in a
1638 * function compiled along with the top-level script.
1639 */
1643 /* XXX this will need revising if 'const' becomes block-scoped. */
1652 }
1654 /*
1655 * Try looking in the variable object for a direct property that
1656 * is readonly and permanent. We know such a property can't be
1657 * shadowed by another property on obj's prototype chain, or a
1658 * with object or catch variable; nor can prop's value be changed,
1659 * nor can prop be deleted.
1660 */
1671 /*
1672 * We're compiling code that will be executed immediately,
1673 * not re-executed against a different scope chain and/or
1674 * variable object. Therefore we can get constant values
1675 * from our variable object here.
1676 */
1681 }
1682 }
1689 }
1690 }
1693 }
1695 /*
1696 * Return JSOP_NOP to indicate that index fits 2 bytes and no index segment
1697 * reset instruction is necessary, JSOP_FALSE to indicate an error or either
1698 * JSOP_RESETBASE0 or JSOP_RESETBASE1 to indicate the reset bytecode to issue
1699 * after the main bytecode sequence.
1700 */
1701 static JSOp
1703 {
1704 uintN indexBase;
1706 /*
1707 * We have max 3 bytes for indexes and check for INDEX_LIMIT overflow only
1708 * for big indexes.
1709 */
1721 }
1725 JSMSG_TOO_MANY_LITERALS);
1727 }
1732 }
1734 /*
1735 * Emit a bytecode and its 2-byte constant index immediate operand. If the
1736 * index requires more than 2 bytes, emit a prefix op whose 8-bit immediate
1737 * operand effectively extends the 16-bit immediate of the prefixed opcode,
1738 * by changing index "segment" (see jsinterp.c). We optimize segments 1-3
1739 * with single-byte JSOP_INDEXBASE[123] codes.
1740 *
1741 * Such prefixing currently requires a suffix to restore the "zero segment"
1742 * register setting, but this could be optimized further.
1743 */
1744 static JSBool
1746 {
1747 JSOp bigSuffix;
1754 }
1756 /*
1757 * Slight sugar for EmitIndexOp, again accessing cx and cg from the macro
1758 * caller's lexical environment, and embedding a false return on error.
1759 */
1760 #define EMIT_INDEX_OP(op, index) \
1761 JS_BEGIN_MACRO \
1762 if (!EmitIndexOp(cx, op, index, cg)) \
1763 return JS_FALSE; \
1764 JS_END_MACRO
1766 static JSBool
1768 {
1775 }
1780 }
1782 static JSBool
1785 {
1788 }
1790 /*
1791 * What good are ARGNO_LEN and SLOTNO_LEN, you ask? The answer is that, apart
1792 * from EmitSlotIndexOp, they abstract out the detail that both are 2, and in
1793 * other parts of the code there's no necessary relationship between the two.
1794 * The abstraction cracks here in order to share EmitSlotIndexOp code among
1795 * the JSOP_DEFLOCALFUN and JSOP_GET{ARG,VAR,LOCAL}PROP cases.
1796 */
1800 static JSBool
1803 {
1804 JSOp bigSuffix;
1814 /* Emit [op, slot, index]. */
1823 }
1825 /*
1826 * Adjust the slot for a block local to account for the number of variables
1827 * that share the same index space with locals. Due to the incremental code
1828 * generation for top-level script, we do the adjustment via code patching in
1829 * Compiler::compileScript; see comments there.
1830 *
1831 * The function returns -1 on failures.
1832 */
1833 static jsint
1835 {
1842 }
1843 }
1845 }
1847 static bool
1849 {
1864 /* Beware the empty destructuring dummy. */
1868 }
1874 #ifdef DEBUG
1879 }
1880 #endif
1881 }
1885 }
1887 /*
1888 * When eval is called from a function, the eval code or function code it
1889 * compiles may reference upvars that live in the eval-calling function. The
1890 * eval-invoked compiler does not have explicit definitions for these upvars
1891 * and we do not attempt to create them a-priori (by inspecting the function's
1892 * args and vars) -- we could, but we'd take an avoidable penalty for each
1893 * function local not referenced by any upvar. Instead, we map such upvars
1894 * lazily, growing upvarMap.vector by powers of two.
1895 *
1896 * This function knows that it is called with pn pointing to a PN_NAME-arity
1897 * node, and cg->parser->callerFrame having a non-null fun member, and the
1898 * static level of cg at least one greater than the eval-calling function's
1899 * static level.
1900 */
1901 static bool
1903 {
1910 /*
1911 * Treat top-level function definitions as escaping (i.e., as funargs),
1912 * required since we compile each such top level function or statement
1913 * and throw away the AST, so we can't yet see all funarg uses of this
1914 * function being compiled (cg->funbox->object). See bug 493177.
1915 */
1921 }
1929 }
1930 }
1934 uintN index;
1948 }
1966 }
1974 }
1980 }
1982 /*
1983 * BindNameToSlot attempts to optimize name gets and sets to stack slot loads
1984 * and stores, given the compile-time information in cg and a TOK_NAME node pn.
1985 * It returns false on error, true on success.
1986 *
1987 * The caller can inspect pn->pn_cookie for FREE_UPVAR_COOKIE to tell whether
1988 * optimization occurred, in which case BindNameToSlot also updated pn->pn_op.
1989 * If pn->pn_cookie is still FREE_UPVAR_COOKIE on return, pn->pn_op still may
1990 * have been optimized, e.g., from JSOP_NAME to JSOP_CALLEE. Whether or not
1991 * pn->pn_op was modified, if this function finds an argument or local variable
1992 * name, PND_CONST will be set in pn_dflags for read-only properties after a
1993 * successful return.
1994 *
1995 * NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
1996 * to update the TOK_FOR (for-in) and TOK_ASSIGN (op=, e.g. +=) special cases
1997 * in js_EmitTree.
1998 */
1999 static JSBool
2001 {
2003 JSOp op;
2005 uint32 cookie;
2008 uintN index;
2012 /* Idempotency tests come first, since we may be called more than once. */
2016 /* No cookie initialized for these two, they're pre-bound by definition. */
2019 /*
2020 * The parser linked all uses (including forward references) to their
2021 * definitions, unless a with statement or direct eval intervened.
2022 */
2034 }
2045 /*
2046 * Turn attempts to mutate const-declared bindings into get ops (for
2047 * pre-increment and pre-decrement ops, our caller will have to emit
2048 * JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
2049 *
2050 * Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
2051 * bindings visible to the compiler are permanent in JS unless the
2052 * declaration originates in eval code. We detect eval code by testing
2053 * cg->parser->callerFrame, which is set only by eval or a debugger
2054 * equivalent.
2055 *
2056 * Note that this callerFrame non-null test must be qualified by testing
2057 * !cg->funbox to exclude function code nested in eval code, which is not
2058 * subject to the deletable binding exception.
2059 */
2068 else
2072 }
2077 }
2084 /*
2085 * Don't generate upvars on the left side of a for loop. See
2086 * bug 470758.
2087 */
2095 /*
2096 * Make sure the variable object used by the compiler to initialize
2097 * parent links matches the caller's varobj. Compile-n-go compiler-
2098 * created function objects have the top-level cg's scopeChain set
2099 * as their parent by Parser::newFunction.
2100 */
2107 /*
2108 * We are compiling eval or debug script inside a function frame
2109 * and the scope chain matches the function's variable object.
2110 * Optimize access to function's arguments and variable and the
2111 * arguments object.
2112 */
2116 /*
2117 * Generator functions may be resumed from any call stack, which
2118 * defeats the display optimization to static link searching used
2119 * by JSOP_{GET,CALL}UPVAR.
2120 */
2128 }
2130 }
2133 /*
2134 * If this is a global reference from within a function, leave pn_op as
2135 * JSOP_NAME, etc. We could emit JSOP_*GVAR ops within function code if
2136 * only we could depend on the global frame's slots being valid for all
2137 * calls to the function, and if we could equate the atom index in the
2138 * function's atom map for every global name with its frame slot.
2139 */
2143 /*
2144 * We are optimizing global variables and there may be no pre-existing
2145 * global property named atom when this global script runs. If atom was
2146 * declared via const or var, optimize pn to access fp->vars using the
2147 * appropriate JSOP_*GVAR op.
2148 *
2149 * FIXME: should be able to optimize global function access too.
2150 */
2164 }
2169 }
2174 /*
2175 * A JSDefinition witnessed as a declaration by the parser cannot be an
2176 * upvar, unless it is the degenerate kind of upvar selected above (in the
2177 * code before the PND_GVAR test) for the special case of compile-and-go
2178 * code generated from eval called from a function, where the eval code
2179 * uses local vars defined in the function. We detect this upvar-for-eval
2180 * case by checking dn's op.
2181 */
2187 #ifdef DEBUG
2189 #endif
2202 /*
2203 * Don't generate upvars on the left side of a for loop. See
2204 * bug 470758 and bug 520513.
2205 */
2214 }
2217 }
2227 /*
2228 * If op is a mutating opcode, this upvar's static level is too big to
2229 * index into the display, or the function is heavyweight, we fall back
2230 * on JSOP_*NAME*.
2231 */
2242 /*
2243 * The function we're compiling may not be heavyweight, but if it
2244 * escapes as a funarg, we can't use JSOP_GETUPVAR/JSOP_CALLUPVAR.
2245 * Parser::analyzeFunctions has arranged for this function's
2246 * enclosing functions to be heavyweight, so we can safely stick
2247 * with JSOP_NAME/JSOP_CALLNAME.
2248 */
2252 /*
2253 * Generator functions may be resumed from any call stack, which
2254 * defeats the display optimization to static link searching used
2255 * by JSOP_{GET,CALL}UPVAR.
2256 */
2261 }
2284 }
2287 }
2297 }
2300 }
2306 }
2308 /*
2309 * We are compiling a function body and may be able to optimize name
2310 * to stack slot. Look for an argument or variable in the function and
2311 * rewrite pn_op and update pn accordingly.
2312 */
2327 }
2340 }
2349 /*
2350 * Leave pn->pn_op == JSOP_NAME if cg->fun is heavyweight, as we
2351 * cannot be sure cg->fun is not something of the form:
2352 *
2353 * var ff = (function f(s) { eval(s); return f; });
2354 *
2355 * where a caller invokes ff("var f = 42"). The result returned for
2356 * such an invocation must be 42, since the callee name is
2357 * lexically bound in an outer declarative environment from the
2358 * function's activation. See jsfun.cpp:call_resolve.
2359 */
2364 }
2369 }
2370 /* FALL THROUGH */
2386 }
2389 }
2396 }
2398 /*
2399 * If pn contains a useful expression, return true with *answer set to true.
2400 * If pn contains a useless expression, return true with *answer set to false.
2401 * Return false on error.
2402 *
2403 * The caller should initialize *answer to false and invoke this function on
2404 * an expression statement or similar subtree to decide whether the tree could
2405 * produce code that has any side effects. For an expression statement, we
2406 * define useless code as code with no side effects, because the main effect,
2407 * the value left on the stack after the code executes, will be discarded by a
2408 * pop bytecode.
2409 */
2410 static JSBool
2413 {
2414 JSBool ok;
2423 /*
2424 * A named function, contrary to ES3, is no longer useful, because we
2425 * bind its name lexically (using JSOP_CALLEE) instead of creating an
2426 * Object instance and binding a readonly, permanent property in it
2427 * (the object and binding can be detected and hijacked or captured).
2428 * This is a bug fix to ES3; it is fixed in ES3.1 drafts.
2429 */
2437 /*
2438 * Non-operators along with ||, &&, ===, and !== never invoke
2439 * toString or valueOf.
2440 */
2444 /*
2445 * All invocation operations (construct: TOK_NEW, call: TOK_LP)
2446 * are presumed to be useful, because they may have side effects
2447 * even if their main effect (their return value) is discarded.
2448 *
2449 * TOK_LB binary trees of 3 or more nodes are flattened into lists
2450 * to avoid too much recursion. All such lists must be presumed
2451 * to be useful because each index operation could invoke a getter
2452 * (the JSOP_ARGUMENTS special case below, in the PN_BINARY case,
2453 * does not apply here: arguments[i][j] might invoke a getter).
2454 *
2455 * Likewise, array and object initialisers may call prototype
2456 * setters (the __defineSetter__ built-in, and writable __proto__
2457 * on Array.prototype create this hazard). Initialiser list nodes
2458 * have JSOP_NEWINIT in their pn_op.
2459 */
2461 }
2472 /*
2473 * Assignment is presumed to be useful, even if the next operation
2474 * is another assignment overwriting this one's ostensible effect,
2475 * because the left operand may be a property with a setter that
2476 * has side effects.
2477 *
2478 * The only exception is assignment of a useless value to a const
2479 * declared in the function currently being compiled.
2480 */
2491 }
2495 /*
2496 * ||, &&, ===, and !== do not convert their operands via
2497 * toString or valueOf method calls.
2498 */
2502 /*
2503 * We can't easily prove that neither operand ever denotes an
2504 * object with a toString or valueOf method.
2505 */
2507 }
2508 }
2522 }
2523 /* FALL THROUGH */
2525 #if JS_HAS_XML_SUPPORT
2527 #endif
2530 /* All these delete addressing modes have effects too. */
2536 }
2541 /* ! does not convert its operand via toString or valueOf. */
2544 }
2545 /* FALL THROUGH */
2548 /*
2549 * All of TOK_INC, TOK_DEC, TOK_THROW, TOK_YIELD, and TOK_DEFSHARP
2550 * have direct effects. Of the remaining unary-arity node types,
2551 * we can't easily prove that the operand never denotes an object
2552 * with a toString or valueOf method.
2553 */
2556 }
2560 /*
2561 * Take care to avoid trying to bind a label name (labels, both for
2562 * statements and property values in object initialisers, have pn_op
2563 * defaulted to JSOP_NOP).
2564 */
2570 /*
2571 * Not an argument or local variable use, and not a use of a
2572 * unshadowed named function expression's given name, so this
2573 * expression could invoke a getter that has side effects.
2574 */
2576 }
2577 }
2584 /*
2585 * Any dotted property reference could call a getter, except
2586 * for arguments.length where arguments is unambiguous.
2587 */
2589 }
2590 }
2602 }
2604 }
2606 static JSBool
2608 JSBool callContext)
2609 {
2610 JSOp op;
2640 }
2641 }
2654 }
2655 }
2658 }
2660 #if JS_HAS_XML_SUPPORT
2661 static JSBool
2663 {
2665 uintN oldflags;
2680 }
2683 }
2684 #endif
2686 static JSBool
2688 {
2689 /*
2690 * Special case for obj.__proto__ to deoptimize away from fast paths in the
2691 * interpreter and trace recorder, which skip dense array instances by
2692 * going up to Array.prototype before looking up the property name.
2693 */
2702 }
2704 static JSBool
2706 JSBool callContext)
2707 {
2714 /* Special case deoptimization for __proto__. */
2720 }
2729 /* Fast path for gets of |this.foo|. */
2731 }
2733 /*
2734 * Try to optimize:
2735 * - arguments.length into JSOP_ARGCNT
2736 * - argname.prop into JSOP_GETARGPROP
2737 * - localname.prop into JSOP_GETLOCALPROP
2738 * but don't do this if the property is 'length' -- prefer to emit
2739 * JSOP_GETARG, etc., and then JSOP_LENGTH.
2740 */
2753 do_indexconst: {
2755 jsatomid atomIndex;
2762 }
2765 }
2766 }
2767 }
2768 }
2770 /*
2771 * If the object operand is also a dotted property reference, reverse the
2772 * list linked via pn_expr temporarily so we can iterate over it from the
2773 * bottom up (reversing again as we go), to avoid excessive recursion.
2774 */
2780 /* Reverse pndot->pn_expr to point up, not down. */
2789 }
2791 /* pndown is a primary expression, not a dotted property reference. */
2796 /* Walk back up the list, emitting annotated name ops. */
2800 }
2802 /* Special case deoptimization on __proto__, as above. */
2808 }
2810 /* Reverse the pn_expr link again. */
2818 }
2823 }
2826 }
2828 static JSBool
2830 {
2833 jsint slot;
2837 /* Left-associative operator chain to avoid too much recursion. */
2845 /*
2846 * Try to optimize arguments[0][j]... into JSOP_ARGSUB<0> followed by
2847 * one or more index expression and JSOP_GETELEM op pairs.
2848 */
2855 /*
2856 * arguments[i]() requires arguments object as "this".
2857 * Check that we never generates list for that usage.
2858 */
2864 }
2865 }
2867 /*
2868 * Check whether we generated JSOP_ARGSUB, just above, and have only
2869 * one more index expression to emit. Given arguments[0][j], we must
2870 * skip the while loop altogether, falling through to emit code for j
2871 * (in the subtree referenced by right), followed by the annotated op,
2872 * at the bottom of this function.
2873 */
2878 }
2887 }
2890 /*
2891 * Set left and right so pn appears to be a TOK_LB node, instead
2892 * of a TOK_DOT node. See the TOK_FOR/IN case in js_EmitTree, and
2893 * EmitDestructuringOps nearer below. In the destructuring case,
2894 * the base expression (pn_expr) of the name may be null, which
2895 * means we have to emit a JSOP_BINDNAME.
2896 */
2905 }
2910 ? JSOP_QNAMEPART
2919 }
2921 /* Try to optimize arguments[0] (e.g.) into JSOP_ARGSUB<0>. */
2933 }
2934 }
2938 }
2940 /* The right side of the descendant operator is implicitly quoted. */
2948 }
2950 static JSBool
2952 {
2953 jsint ival;
2954 uint32 u;
2983 }
2985 }
2995 }
2997 static JSBool
3000 {
3001 JSOp switchOp;
3007 jsdouble d;
3009 jsval v;
3012 intN noteIndex;
3015 #if JS_HAS_BLOCK_SCOPE
3016 jsint count;
3017 #endif
3019 /* Try for most optimal, fall back if not dense ints, and per ECMAv2. */
3025 /*
3026 * If the switch contains let variables scoped by its body, model the
3027 * resulting block on the stack first, before emitting the discriminant's
3028 * bytecode (in case the discriminant contains a stack-model dependency
3029 * such as a let expression).
3030 */
3032 #if JS_HAS_BLOCK_SCOPE
3034 /*
3035 * Push the body's block scope before discriminant code-gen for proper
3036 * static block scope linkage in case the discriminant contains a let
3037 * expression. The block's locals must lie under the discriminant on
3038 * the stack so that case-dispatch bytecodes can find the discriminant
3039 * on top of stack.
3040 */
3045 /* Emit JSOP_ENTERBLOCK before code to evaluate the discriminant. */
3049 /*
3050 * Pop the switch's statement info around discriminant code-gen. Note
3051 * how this leaves cg->blockChain referencing the switch's
3052 * block scope object, which is necessary for correct block parenting
3053 * in the case where the discriminant contains a let expression.
3054 */
3057 }
3058 #ifdef __GNUC__
3061 }
3062 #endif
3063 #endif
3065 /*
3066 * Emit code for the discriminant first (or nearly first, in the case of a
3067 * switch whose body is a block scope).
3068 */
3072 /* Switch bytecodes run from here till end of final case. */
3074 #if !JS_HAS_BLOCK_SCOPE
3076 #else
3080 /* Re-push the switch's statement info record. */
3083 /* Set the statement info record's idea of top. */
3086 /* Advance pn2 to refer to the switch case list. */
3088 }
3089 #endif
3102 #define INTMAP_LENGTH 256
3115 }
3134 }
3136 }
3148 /*
3149 * XXX JSOP_LOOKUPSWITCH does not support const-
3150 * propagated object values, see bug 407186.
3151 */
3154 }
3158 }
3159 }
3160 /* FALL THROUGH */
3165 }
3169 }
3173 }
3174 /* FALL THROUGH */
3178 }
3187 }
3192 }
3198 /*
3199 * Check for duplicates, which require a JSOP_LOOKUPSWITCH.
3200 * We bias i by 65536 if it's negative, and hope that's a rare
3201 * case (because it requires a malloc'd bitmap).
3202 */
3211 /* Just grab 8K for the worst-case bitmap. */
3219 }
3220 }
3222 }
3226 }
3228 }
3230 release:
3236 /*
3237 * Compute table length and select lookup instead if overlarge or
3238 * more than half-sparse.
3239 */
3245 /*
3246 * Lookup switch supports only atom indexes below 64K limit.
3247 * Conservatively estimate the maximum possible index during
3248 * switch generation and use conditional switch if it exceeds
3249 * the limit.
3250 */
3253 }
3254 }
3256 /*
3257 * Emit a note with two offsets: first tells total switch code length,
3258 * second tells offset to first JSOP_CASE if condswitch.
3259 */
3265 /*
3266 * 0 bytes of immediate for unoptimized ECMAv2 switch.
3267 */
3270 /*
3271 * 3 offsets (len, low, high) before the table, 1 per entry.
3272 */
3275 /*
3276 * JSOP_LOOKUPSWITCH:
3277 * 1 offset (len) and 1 atom index (npairs) before the table,
3278 * 1 atom index and 1 jump offset per entry.
3279 */
3282 }
3284 /*
3285 * Emit switchOp followed by switchSize bytes of jump or lookup table.
3286 *
3287 * If switchOp is JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH, it is crucial
3288 * to emit the immediate operand(s) by which bytecode readers such as
3289 * BuildSpanDepTable discover the length of the switch opcode *before*
3290 * calling js_SetJumpOffset (which may call BuildSpanDepTable). It's
3291 * also important to zero all unknown jump offset immediate operands,
3292 * so they can be converted to span dependencies with null targets to
3293 * be computed later (js_EmitN zeros switchSize bytes after switchOp).
3294 */
3303 /* Emit code for evaluating cases and jumping to case statements. */
3309 /* off is the previous JSOP_CASE's bytecode offset. */
3313 }
3314 }
3318 }
3329 /* Switch note's second offset is to first JSOP_CASE. */
3334 }
3339 }
3340 }
3342 /*
3343 * If we didn't have an explicit default (which could fall in between
3344 * cases, preventing us from fusing this js_SetSrcNoteOffset with the
3345 * call in the loop above), link the last case to the implicit default
3346 * for the decompiler.
3347 */
3353 }
3355 /* Emit default even if no explicit default statement. */
3363 /* Fill in switch bounds, which we know fit in 16-bit offsets. */
3369 /*
3370 * Use malloc to avoid arena bloat for programs with many switches.
3371 * We free table if non-null at label out, so all control flow must
3372 * exit this function through goto out or goto bad.
3373 */
3387 }
3388 }
3392 /* Fill in the number of cases. */
3395 }
3397 /*
3398 * After this point, all control flow involving JSOP_TABLESWITCH
3399 * must set ok and goto out to exit this function. To keep things
3400 * simple, all switchOp cases exit that way.
3401 */
3404 /*
3405 * We have already generated at least one big jump so we must
3406 * explicitly add span dependencies for the switch jumps. When
3407 * called below, js_SetJumpOffset can only do it when patching
3408 * the first big jump or when cg->spanDeps is null.
3409 */
3412 }
3415 /*
3416 * Skip switchOp, as we are not setting jump offsets in the two
3417 * for loops below. We'll restore CG_NEXT(cg) from savepc after,
3418 * unless there was an error.
3419 */
3428 /* Note a propagated constant with the const's name. */
3437 }
3438 }
3440 }
3445 /* Note a propagated constant with the const's name. */
3454 }
3455 }
3457 }
3458 }
3460 }
3461 }
3463 /* Emit code for each case's statements, copying pn_offset up to pn3. */
3474 }
3477 /* If no default case, offset for default is to end of switch. */
3479 }
3481 /* We better have set "off" by now. */
3484 /* Set the default offset (to end of switch if no default). */
3498 }
3500 /* Set the SRC_SWITCH note's offset operand to tell end of switch. */
3507 /* Skip over the already-initialized switch bounds. */
3510 /* Fill in the jump table, if there is one. */
3518 }
3520 /* Skip over the already-initialized number of cases. */
3539 }
3540 }
3542 out:
3548 #if JS_HAS_BLOCK_SCOPE
3551 #endif
3552 }
3555 bad:
3558 }
3560 JSBool
3562 {
3564 /* JSOP_GENERATOR must be the first instruction. */
3571 /*
3572 * Emit a trace hint opcode only if not in a generator, since generators
3573 * are not yet traced and both want to be the first instruction.
3574 */
3577 }
3582 }
3587 }
3589 /* A macro for inlining at the top of js_EmitTree (whence it came). */
3590 #define UPDATE_LINE_NUMBER_NOTES(cx, cg, line) \
3591 JS_BEGIN_MACRO \
3592 uintN line_ = (line); \
3593 uintN delta_ = line_ - CG_CURRENT_LINE(cg); \
3594 if (delta_ != 0) { \
3595 /* \
3596 * Encode any change in the current source line number by using \
3597 * either several SRC_NEWLINE notes or just one SRC_SETLINE note, \
3598 * whichever consumes less space. \
3599 * \
3600 * NB: We handle backward line number deltas (possible with for \
3601 * loops where the update part is emitted after the body, but its \
3602 * line number is <= any line number in the body) here by letting \
3603 * unsigned delta_ wrap to a very large number, which triggers a \
3604 * SRC_SETLINE. \
3606 CG_CURRENT_LINE(cg) = line_; \
3607 if (delta_ >= (uintN)(2 + ((line_ > SN_3BYTE_OFFSET_MASK)<<1))) { \
3608 if (js_NewSrcNote2(cx, cg, SRC_SETLINE, (ptrdiff_t)line_) < 0)\
3609 return JS_FALSE; \
3610 } else { \
3611 do { \
3612 if (js_NewSrcNote(cx, cg, SRC_NEWLINE) < 0) \
3613 return JS_FALSE; \
3614 } while (--delta_ != 0); \
3615 } \
3616 } \
3617 JS_END_MACRO
3619 /* A function, so that we avoid macro-bloating all the other callsites. */
3620 static JSBool
3622 {
3625 }
3627 static JSBool
3630 {
3631 jsatomid atomIndex;
3641 }
3650 }
3655 }
3657 #if JS_HAS_DESTRUCTURING
3659 typedef JSBool
3663 static JSBool
3666 {
3673 }
3675 static JSBool
3678 {
3680 DestructuringDeclEmitter emitter;
3687 ? EmitDestructuringDecl
3691 }
3697 ? EmitDestructuringDecl
3701 }
3702 }
3704 }
3706 static JSBool
3709 static JSBool
3711 {
3712 jsuint slot;
3714 /*
3715 * Now emit the lvalue opcode sequence. If the lvalue is a nested
3716 * destructuring initialiser-form, call ourselves to handle it, then
3717 * pop the matched value. Otherwise emit an lvalue bytecode sequence
3718 * ending with a JSOP_ENUMELEM or equivalent op.
3719 */
3731 }
3735 /*
3736 * NB: pn is a PN_NAME node, not a PN_BINARY. Nevertheless,
3737 * we want to emit JSOP_ENUMELEM, which has format JOF_ELEM.
3738 * So here and for JSOP_ENUMCONSTELEM, we use EmitElemOp.
3739 */
3763 {
3774 }
3778 }
3779 }
3782 }
3784 /*
3785 * Recursive helper for EmitDestructuringOps.
3786 *
3787 * Given a value to destructure on the stack, walk over an object or array
3788 * initialiser at pn, emitting bytecodes to match property values and store
3789 * them in the lvalues identified by the matched property names.
3790 */
3791 static JSBool
3793 {
3794 jsuint index;
3796 JSBool doElemOp;
3798 #ifdef DEBUG
3803 #endif
3806 /* Emit a DUP;POP sequence for the decompiler. */
3809 }
3813 /*
3814 * Duplicate the value being destructured to use as a reference base.
3815 * If dup is not the first one, annotate it for the decompiler.
3816 */
3822 /*
3823 * Now push the property name currently being matched, which is either
3824 * the array initialiser's current index, or the current property name
3825 * "label" on the left of a colon in the object initialiser. Set pn3
3826 * to the lvalue node, which is in the value-initializing position.
3827 */
3838 /*
3839 * If we are emitting an object destructuring initialiser,
3840 * annotate the index op with SRC_INITPROP so we know we are
3841 * not decompiling an array initialiser.
3842 */
3853 }
3855 }
3858 /*
3859 * Ok, get the value of the matching property name. This leaves
3860 * that value on top of the value being destructured, so the stack
3861 * is one deeper than when we started.
3862 */
3866 }
3868 /* Nullary comma node makes a hole in the array destructurer. */
3877 }
3881 }
3884 }
3886 static ptrdiff_t
3888 {
3898 }
3899 }
3901 static JSBool
3904 {
3905 /*
3906 * If we're called from a variable declaration, help the decompiler by
3907 * annotating the first JSOP_DUP that EmitDestructuringOpsHelper emits.
3908 * If the destructuring initialiser is empty, our helper will emit a
3909 * JSOP_DUP followed by a JSOP_POP for the decompiler.
3910 */
3914 /*
3915 * Call our recursive helper to emit the destructuring assignments and
3916 * related stack manipulations.
3917 */
3919 }
3921 static JSBool
3924 {
3933 }
3935 /* MaybeEmitGroupAssignment won't call us if rhs is holey. */
3940 }
3947 /* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
3960 }
3961 }
3967 }
3969 /*
3970 * Helper called with pop out param initialized to a JSOP_POP* opcode. If we
3971 * can emit a group assignment sequence, which results in 0 stack depth delta,
3972 * we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
3973 */
3974 static JSBool
3977 {
3990 }
3992 }
3996 static JSBool
3999 {
4001 #if JS_HAS_BLOCK_SCOPE
4004 #endif
4007 JSOp op;
4008 jsatomid atomIndex;
4009 uintN oldflags;
4011 /* Default in case of JS_HAS_BLOCK_SCOPE early return, below. */
4014 /*
4015 * Let blocks and expressions have a parenthesized head in which the new
4016 * scope is not yet open. Initializer evaluation uses the parent node's
4017 * lexical scope. If popScope is true below, then we hide the top lexical
4018 * block from any calls to BindNameToSlot hiding in pn2->pn_expr so that
4019 * it won't find any names in the new let block.
4020 *
4021 * The same goes for let declarations in the head of any kind of for loop.
4022 * Unlike a let declaration 'let x = i' within a block, where x is hoisted
4023 * to the start of the block, a 'for (let x = i...) ...' loop evaluates i
4024 * in the containing scope, and puts x in the loop body's scope.
4025 */
4028 #if JS_HAS_BLOCK_SCOPE
4034 }
4035 # ifdef __GNUC__
4037 # endif
4039 #endif
4047 #if JS_HAS_DESTRUCTURING
4049 /*
4050 * Emit variable binding ops, but not destructuring ops.
4051 * The parser (see Variables, jsparse.c) has ensured that
4052 * our caller will be the TOK_FOR/TOK_IN case in js_EmitTree,
4053 * and that case will emit the destructuring code only after
4054 * emitting an enumerating opcode and a branch that tests
4055 * whether the enumeration ended.
4056 */
4062 }
4063 #endif
4065 /*
4066 * A destructuring initialiser assignment preceded by var will
4067 * never occur to the left of 'in' in a for-in loop. As with 'for
4068 * (var x = i in o)...', this will cause the entire 'var [a, b] =
4069 * i' to be hoisted out of the loop.
4070 */
4074 /*
4075 * To allow the front end to rewrite var f = x; as f = x; when a
4076 * function f(){} precedes the var, detect simple name assignment
4077 * here and initialize the name.
4078 */
4079 #if !JS_HAS_DESTRUCTURING
4081 #else
4083 #endif
4084 {
4088 }
4090 #if JS_HAS_DESTRUCTURING
4092 /*
4093 * If this is the only destructuring assignment in the list,
4094 * try to optimize to a group assignment. If we're in a let
4095 * head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
4096 * in pn->pn_op, to suppress a second (and misplaced) 'let'.
4097 */
4104 }
4108 }
4109 }
4118 /*
4119 * Veto pn->pn_op if inLetHead to avoid emitting a SRC_DESTRUCT
4120 * that's redundant with respect to the SRC_DECL/SRC_DECL_LET that
4121 * we will emit at the bottom of this function.
4122 */
4125 pn3)) {
4127 }
4129 #endif
4130 }
4132 /*
4133 * Load initializer early to share code above that jumps to do_name.
4134 * NB: if this var redeclares an existing binding, then pn2 is linked
4135 * on its definition's use-chain and pn_expr has been overlayed with
4136 * pn_lexdef.
4137 */
4140 do_name:
4146 /* JSOP_ARGUMENTS => no initializer */
4149 #ifdef __GNUC__
4151 #endif
4163 }
4167 }
4169 #if JS_HAS_BLOCK_SCOPE
4170 /* Evaluate expr in the outer lexical scope if requested. */
4174 }
4175 #endif
4183 #if JS_HAS_BLOCK_SCOPE
4187 }
4188 #endif
4189 }
4190 }
4192 /*
4193 * The parser rewrites 'for (var x = i in o)' to hoist 'var x = i' --
4194 * likewise 'for (let x = i in o)' becomes 'i; for (let x in o)' using
4195 * a TOK_SEQ node to make the two statements appear as one. Therefore
4196 * if this declaration is part of a for-in loop head, we do not need to
4197 * emit op or any source note. Our caller, the TOK_FOR/TOK_IN case in
4198 * js_EmitTree, will annotate appropriately.
4199 */
4205 }
4211 ? SRC_DECL_CONST
4213 ? SRC_DECL_VAR
4216 }
4224 }
4226 #if JS_HAS_DESTRUCTURING
4227 emit_note_pop:
4228 #endif
4233 }
4240 }
4242 /* If this is a let head, emit and return a srcnote on the pop. */
4249 }
4252 }
4254 #if defined DEBUG_brendan || defined DEBUG_mrbkap
4255 static JSBool
4257 {
4268 }
4270 }
4271 #endif
4273 /* Top-level named functions need a nop for decompilation. */
4274 static JSBool
4276 {
4279 }
4281 static bool
4283 {
4286 #if JS_HAS_SHARP_VARS
4294 }
4295 #endif
4297 }
4299 static bool
4301 {
4302 #if JS_HAS_SHARP_VARS
4303 /* Emit an op for sharp array cleanup and decompilation. */
4306 #endif
4308 }
4310 /* See the SRC_FOR source note offsetBias comments later in this file. */
4314 JSBool
4316 {
4323 jsatomid atomIndex;
4324 uintN index;
4326 JSSrcNoteType noteType;
4328 JSOp op;
4329 TokenKind type;
4330 uint32 argc;
4331 #if JS_HAS_SHARP_VARS
4332 jsint sharpnum;
4333 #endif
4341 /* Emit notes to tell the current bytecode's source line number. */
4346 {
4348 uintN slot;
4350 #if JS_HAS_XML_SUPPORT
4355 }
4356 #endif
4361 /*
4362 * This second pass is needed to emit JSOP_NOP with a source note
4363 * for the already-emitted function definition prolog opcode. See
4364 * comments in the TOK_LC case.
4365 */
4371 }
4381 /* Generate code for the function's body. */
4388 }
4398 #if JS_HAS_SHARP_VARS
4403 }
4404 #endif
4409 /*
4410 * jsparse.cpp:SetStaticLevel limited static nesting depth to fit in 16
4411 * bits and to reserve the all-ones value, thereby reserving the magic
4412 * FREE_UPVAR_COOKIE value. Note the cg2->staticLevel assignment below.
4413 */
4417 /* We measured the max scope depth when we parsed the function. */
4428 /* Make the function object a literal in the outer script's pool. */
4431 /* Emit a bytecode pointing to the closure object in its immediate. */
4437 }
4440 }
4442 /*
4443 * For a script we emit the code as we parse. Thus the bytecode for
4444 * top-level functions should go in the prolog to predefine their
4445 * names in the variable object before the already-generated main code
4446 * is executed. This extra work for top-level scripts is not necessary
4447 * when we emit the code for a function. It is fully parsed prior to
4448 * invocation of the emitter and calls to js_EmitTree for function
4449 * definitions can be scheduled before generating the rest of code.
4450 */
4458 /* Emit NOP for the decompiler. */
4462 #ifdef DEBUG
4463 JSLocalKind localKind =
4464 #endif
4472 }
4474 }
4488 /* Initialize so we can detect else-if chains and avoid recursion. */
4493 if_again:
4494 /* Emit code for the condition before pushing stmtInfo. */
4501 /*
4502 * We came here from the goto further below that detects else-if
4503 * chains, so we must mutate stmtInfo back into a STMT_IF record.
4504 * Also (see below for why) we need a note offset for SRC_IF_ELSE
4505 * to help the decompiler. Actually, we need two offsets, one for
4506 * decompiling any else clause and the second for decompiling an
4507 * else-if chain without bracing, overindenting, or incorrectly
4508 * scoping let declarations.
4509 */
4517 }
4519 /* Emit an annotated branch-if-false around the then part. */
4528 /* Emit code for the then and optional else parts. */
4532 /* Modify stmtInfo so we know we're in the else part. */
4535 /*
4536 * Emit a JSOP_BACKPATCH op to jump from the end of our then part
4537 * around the else part. The js_PopStatementCG call at the bottom
4538 * of this switch case will fix up the backpatch chain linked from
4539 * stmtInfo.breaks.
4540 */
4545 /* Ensure the branch-if-false comes here, then emit the else. */
4550 }
4555 /*
4556 * Annotate SRC_IF_ELSE with the offset from branch to jump, for
4557 * the decompiler's benefit. We can't just "back up" from the pc
4558 * of the else clause, because we don't know whether an extended
4559 * jump was required to leap from the end of the then clause over
4560 * the else clause.
4561 */
4565 /* No else part, fixup the branch-if-false to come here. */
4567 }
4572 /* Out of line to avoid bloating js_EmitTree's stack frame size. */
4577 /*
4578 * Minimize bytecodes issued for one or more iterations by jumping to
4579 * the condition below the body and closing the loop if the condition
4580 * is true with a backward branch. For iteration count i:
4581 *
4582 * i test at the top test at the bottom
4583 * = =============== ==================
4584 * 0 ifeq-pass goto; ifne-fail
4585 * 1 ifeq-fail; goto; ifne-pass goto; ifne-pass; ifne-fail
4586 * 2 2*(ifeq-fail; goto); ifeq-pass goto; 2*ifne-pass; ifne-fail
4587 * . . .
4588 * N N*(ifeq-fail; goto); ifeq-pass goto; N*ifne-pass; ifne-fail
4589 *
4590 * SpiderMonkey, pre-mozilla.org, emitted while parsing and so used
4591 * test at the top. When JSParseNode trees were added during the ES3
4592 * work (1998-9), the code generation scheme was not optimized, and
4593 * the decompiler continued to take advantage of the branch and jump
4594 * that bracketed the body. But given the SRC_WHILE note, it is easy
4595 * to support the more efficient scheme.
4596 */
4621 /* Emit an annotated nop so we know to decompile a 'do' keyword. */
4626 /* Compile the loop body. */
4634 /* Set loop and enclosing label update offsets, for continue. */
4640 /* Compile the loop condition, now that continues know where to go. */
4644 /*
4645 * Since we use JSOP_IFNE for other purposes as well as for do-while
4646 * loops, we must store 1 + (beq - top) in the SRC_WHILE note offset,
4647 * and the decompiler must get that delta and decompile recursively.
4648 */
4664 /* Set stmtInfo type for later testing. */
4667 /*
4668 * If the left part is 'var x', emit code to define x if necessary
4669 * using a prolog opcode, but do not emit a pop. If the left part
4670 * is 'var x = i', emit prolog code to define x if necessary; then
4671 * emit code to evaluate i, assign the result to x, and pop the
4672 * result off the stack.
4673 *
4674 * All the logic to do this is implemented in the outer switch's
4675 * TOK_VAR case, conditioned on pn_xflags flags set by the parser.
4676 *
4677 * In the 'for (var x = i in o) ...' case, the js_EmitTree(...pn3)
4678 * called here will generate the proper note for the assignment
4679 * op that sets x = i, hoisting the initialized var declaration
4680 * out of the loop: 'var x = i; for (x in o) ...'.
4681 *
4682 * In the 'for (var x in o) ...' case, nothing but the prolog op
4683 * (if needed) should be generated here, we must emit the note
4684 * just before the JSOP_FOR* opcode in the switch on pn3->pn_type
4685 * a bit below, so nothing is hoisted: 'for (var x in o) ...'.
4686 *
4687 * A 'for (let x = i in o)' loop must not be hoisted, since in
4688 * this form the let variable is scoped by the loop body (but not
4689 * the head). The initializer expression i must be evaluated for
4690 * any side effects. So we hoist only i in the let case.
4691 */
4699 /* Compile the object expression to the right of 'in'. */
4703 /*
4704 * Emit a bytecode to convert top of stack value to the iterator
4705 * object depending on the loop variant (for-in, for-each-in, or
4706 * destructuring for-in).
4707 */
4712 /* Annotate so the decompiler can find the loop-closing jump. */
4717 /*
4718 * Jump down to the loop condition to minimize overhead assuming at
4719 * least one iteration, as the other loop forms do.
4720 */
4730 #ifdef DEBUG
4732 #endif
4734 /*
4735 * Compile a JSOP_FOR* bytecode based on the left hand side.
4736 *
4737 * Initialize op to JSOP_SETNAME in case of |for ([a, b] in o)...|
4738 * or similar, to signify assignment, rather than declaration, to
4739 * the decompiler. EmitDestructuringOps takes a prolog bytecode
4740 * parameter and emits the appropriate source note, defaulting to
4741 * assignment, so JSOP_SETNAME is not critical here; many similar
4742 * ops could be used -- just not JSOP_NOP (which means 'let').
4743 */
4746 #if JS_HAS_BLOCK_SCOPE
4748 #endif
4752 #if JS_HAS_DESTRUCTURING
4756 }
4760 }
4761 #else
4763 #endif
4764 /* FALL THROUGH */
4767 /*
4768 * Always annotate JSOP_FORLOCAL if given input of the form
4769 * 'for (let x in * o)' -- the decompiler must not hoist the
4770 * 'let x' out of the loop head, or x will be bound in the
4771 * wrong scope. Likewise, but in this case only for the sake
4772 * of higher decompilation fidelity only, do not hoist 'var x'
4773 * when given 'for (var x in o)'.
4774 */
4776 #if JS_HAS_BLOCK_SCOPE
4778 #endif
4782 ? SRC_DECL_VAR
4785 }
4796 }
4802 }
4805 JSMSG_BAD_FOR_LEFTSIDE);
4807 }
4814 }
4818 /*
4819 * 'for (o.p in q)' can use JSOP_FORPROP only if evaluating 'o'
4820 * has no side effects.
4821 */
4829 }
4830 /* FALL THROUGH */
4832 #if JS_HAS_DESTRUCTURING
4833 destructuring_for:
4834 #endif
4840 #if JS_HAS_DESTRUCTURING
4847 #endif
4855 #if JS_HAS_XML_SUPPORT
4863 #endif
4867 }
4869 /* The stack should be balanced around the JSOP_FOR* opcode sequence. */
4872 /* Set the first srcnote offset so we can find the start of the loop body. */
4876 /* Emit code for the loop body. */
4880 /* Set loop and enclosing "update" offsets, for continue. */
4886 /*
4887 * Fixup the goto that starts the loop to jump down to JSOP_MOREITER.
4888 */
4896 /* Set the second srcnote offset so we can find the closing jump. */
4900 /* C-style for (init; cond; update) ... loop. */
4904 /* No initializer: emit an annotated nop for the decompiler. */
4908 #if JS_HAS_DESTRUCTURING
4912 }
4913 #endif
4918 /*
4919 * Check whether a destructuring-initialized var decl
4920 * was optimized to a group assignment. If so, we do
4921 * not need to emit a pop below, so switch to a nop,
4922 * just for the decompiler.
4923 */
4927 }
4928 }
4930 }
4932 /*
4933 * NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
4934 * Use tmp to hold the biased srcnote "top" offset, which differs
4935 * from the top local variable by the length of the JSOP_GOTO{,X}
4936 * emitted in between tmp and top if this loop has a condition.
4937 */
4944 /* Goto the loop condition, which branches back to iterate. */
4948 }
4953 /* Emit code for the loop body. */
4959 /* Set the second note offset so we can find the update part. */
4964 }
4966 /* Set loop and enclosing "update" offsets, for continue. */
4972 /* Check for update code to do before the condition (if any). */
4976 #if JS_HAS_DESTRUCTURING
4980 }
4981 #endif
4985 /* Always emit the POP or NOP, to help the decompiler. */
4989 /* Restore the absolute line number for source note readers. */
4995 }
4996 }
4998 /* Set the first note offset so we can find the loop condition. */
5002 }
5005 /* Fix up the goto from top to target the loop condition. */
5011 }
5013 /* The third note offset helps us find the loop-closing jump. */
5017 }
5024 /* No loop condition -- emit the loop-closing jump. */
5028 }
5029 }
5031 /* Now fixup all breaks and continues (before for/in's JSOP_ENDITER). */
5039 }
5040 }
5058 }
5068 /* Find the loop statement enclosed by the matching label. */
5077 }
5085 }
5105 {
5107 intN depth;
5112 /*
5113 * Push stmtInfo to track jumps-over-catches and gosubs-to-finally
5114 * for later fixup.
5115 *
5116 * When a finally block is active (STMT_FINALLY in our tree context),
5117 * non-local jumps (including jumps-over-catches) result in a GOSUB
5118 * being written into the bytecode stream and fixed-up later (c.f.
5119 * EmitBackPatchOp and BackPatch).
5120 */
5125 /*
5126 * Since an exception can be thrown at any place inside the try block,
5127 * we need to restore the stack and the scope chain before we transfer
5128 * the control to the exception handler.
5129 *
5130 * For that we store in a try note associated with the catch or
5131 * finally block the stack depth upon the try entry. The interpreter
5132 * uses this depth to properly unwind the stack and the scope chain.
5133 */
5136 /* Mark try location for decompilation, then emit try block. */
5144 /* GOSUB to finally, if present. */
5151 }
5153 /* Emit (hidden) jump over catch and/or finally. */
5162 /* If this try has a catch block, emit it. */
5168 /*
5169 * The emitted code for a catch block looks like:
5170 *
5171 * [throwing] only if 2nd+ catch block
5172 * [leaveblock] only if 2nd+ catch block
5173 * enterblock with SRC_CATCH
5174 * exception
5175 * [dup] only if catchguard
5176 * setlocalpop <slot> or destructuring code
5177 * [< catchguard code >] if there's a catchguard
5178 * [ifeq <offset to next catch block>] " "
5179 * [pop] only if catchguard
5180 * < catch block contents >
5181 * leaveblock
5182 * goto <end of catch blocks> non-local; finally applies
5183 *
5184 * If there's no catch block without a catchguard, the last
5185 * <offset to next catch block> points to rethrow code. This
5186 * code will [gosub] to the finally code if appropriate, and is
5187 * also used for the catch-all trynote for capturing exceptions
5188 * thrown from catch{} blocks.
5189 */
5196 /* Fix up and clean up previous catch block. */
5199 /*
5200 * Account for JSOP_ENTERBLOCK (whose block object count
5201 * is saved below) and pushed exception object that we
5202 * still have after the jumping from the previous guard.
5203 */
5206 /*
5207 * Move exception back to cx->exception to prepare for
5208 * the next catch. We hide [throwing] from the decompiler
5209 * since it compensates for the hidden JSOP_DUP at the
5210 * start of the previous guarded catch.
5211 */
5215 }
5220 }
5222 /*
5223 * Annotate the JSOP_ENTERBLOCK that's about to be generated
5224 * by the call to js_EmitTree immediately below. Save this
5225 * source note's index in stmtInfo for use by the TOK_CATCH:
5226 * case, where the length of the catch guard is set as the
5227 * note's offset.
5228 */
5234 /*
5235 * Emit the lexical scope and catch body. Save the catch's
5236 * block object population via count, for use when targeting
5237 * guardJump at the next catch (the guard mismatch case).
5238 */
5244 /* gosub <finally>, if required */
5251 }
5253 /*
5254 * Jump over the remaining catch blocks. This will get fixed
5255 * up to jump to after catch/finally.
5256 */
5263 /*
5264 * Save a pointer to the last catch node to handle try-finally
5265 * and try-catch(guard)-finally special cases.
5266 */
5268 }
5269 }
5271 /*
5272 * Last catch guard jumps to the rethrow code sequence if none of the
5273 * guards match. Target guardJump at the beginning of the rethrow
5274 * sequence, just in case a guard expression throws and leaves the
5275 * stack unbalanced.
5276 */
5280 /* Sync the stack to take into account pushed exception. */
5284 /*
5285 * Rethrow the exception, delegating executing of finally if any
5286 * to the exception handler.
5287 */
5291 }
5292 }
5296 /* Emit finally handler if any. */
5299 /*
5300 * Fix up the gosubs that might have been emitted before non-local
5301 * jumps to the finally code.
5302 */
5308 /* Indicate that we're emitting a subroutine body. */
5316 }
5318 }
5325 }
5327 /* Fix up the end-of-try/catch jumps to come here. */
5331 /*
5332 * Add the try note last, to let post-order give us the right ordering
5333 * (first to last for a given nesting level, inner to outer by level).
5334 */
5338 }
5340 /*
5341 * If we've got a finally, mark try+catch region with additional
5342 * trynote to catch exceptions (re)thrown from a catch block or
5343 * for the try{}finally{} case.
5344 */
5348 }
5350 }
5353 {
5357 /*
5358 * Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
5359 * and save the block object atom.
5360 */
5367 /* Go up one statement info record to the TRY or FINALLY record. */
5371 /* Pick up the pending exception and bind it to the catch variable. */
5375 /*
5376 * Dup the exception object if there is a guard for rethrowing to use
5377 * it later when rethrowing or in other catches.
5378 */
5384 #if JS_HAS_DESTRUCTURING
5392 #endif
5395 /* Inline and specialize BindNameToSlot for pn2. */
5402 }
5404 /* Emit the guard expression, if there is one. */
5411 }
5412 /* ifeq <next block> */
5418 /* Pop duplicated exception object as we no longer need it. */
5421 }
5423 /* Emit the catch body. */
5427 /*
5428 * Annotate the JSOP_LEAVEBLOCK that will be emitted as we unwind via
5429 * our TOK_LEXICALSCOPE parent, so the decompiler knows to pop.
5430 */
5435 }
5443 /* Push a return value */
5451 }
5453 /*
5454 * EmitNonLocalJumpFixup may add fixup bytecode to close open try
5455 * blocks having finally clauses and to exit intermingled let blocks.
5456 * We can't simply transfer control flow to our caller in that case,
5457 * because we must gosub to those finally clauses from inner to outer,
5458 * with the correct stack pointer (i.e., after popping any with,
5459 * for/in, etc., slots nested inside the finally's try).
5460 *
5461 * In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
5462 * extra JSOP_RETRVAL after the fixups.
5463 */
5473 }
5476 #if JS_HAS_GENERATORS
5480 JSMSG_BAD_RETURN_OR_YIELD,
5481 js_yield_str);
5483 }
5490 }
5496 #endif
5499 {
5500 #if JS_HAS_XML_SUPPORT
5507 }
5508 #endif
5518 }
5524 /*
5525 * This block contains top-level function definitions. To ensure
5526 * that we emit the bytecode defining them before the rest of code
5527 * in the block we use a separate pass over functions. During the
5528 * main pass later the emitter will add JSOP_NOP with source notes
5529 * for the function to preserve the original functions position
5530 * when decompiling.
5531 *
5532 * Currently this is used only for functions, as compile-as-we go
5533 * mode for scripts does not allow separate emitter passes.
5534 */
5537 /*
5538 * Assign the destructuring arguments before defining any
5539 * functions, see bug 419662.
5540 */
5546 }
5554 /*
5555 * JSOP_DEFFUN in a top-level block with function
5556 * definitions appears, for example, when "if (true)"
5557 * is optimized away from "if (true) function x() {}".
5558 * See bug 428424.
5559 */
5561 }
5562 }
5563 }
5564 }
5568 }
5574 }
5578 }
5586 }
5593 /*
5594 * Top-level or called-from-a-native JS_Execute/EvaluateScript,
5595 * debugger, and eval frames may need the value of the ultimate
5596 * expression statement as the script's result, despite the fact
5597 * that it appears useless to the compiler.
5598 *
5599 * API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
5600 * calling JS_Compile* to suppress JSOP_POPV.
5601 */
5606 }
5608 /*
5609 * Don't eliminate apparently useless expressions if they are
5610 * labeled expression statements. The tc->topStmt->update test
5611 * catches the case where we are nesting in js_EmitTree for a
5612 * labeled compound statement.
5613 */
5621 JSMSG_USELESS_EXPR)) {
5623 }
5626 #if JS_HAS_DESTRUCTURING
5631 }
5632 #endif
5634 /*
5635 * Specialize JSOP_SETPROP to JSOP_SETMETHOD to defer or
5636 * avoid null closure cloning. Do this only for assignment
5637 * statements that are not completion values wanted by a
5638 * script evaluator, to ensure that the joined function
5639 * can't escape directly.
5640 */
5648 }
5653 }
5654 }
5655 }
5659 /* Emit an annotated nop so we know to decompile a label. */
5668 ? SRC_LABELBRACE
5675 }
5677 /* Emit code for the labeled statement. */
5685 /* If the statement was compound, emit a note for the end brace. */
5690 }
5691 }
5695 /*
5696 * Emit SRC_PCDELTA notes on each JSOP_POP between comma operands.
5697 * These notes help the decompiler bracket the bytecodes generated
5698 * from each sub-expression that follows a comma.
5699 */
5708 }
5716 }
5717 }
5721 /*
5722 * Check left operand type and generate specialized code for it.
5723 * Specialize to avoid ECMA "reference type" values on the operand
5724 * stack, which impose pervasive runtime "GetValue" costs.
5725 */
5741 }
5758 #if JS_HAS_DESTRUCTURING
5762 #endif
5767 #if JS_HAS_XML_SUPPORT
5775 #endif
5778 }
5790 }
5798 ? JSOP_GETGVAR
5800 ? JSOP_GETARG
5802 atomIndex);
5803 }
5818 }
5822 #if JS_HAS_XML_SUPPORT
5824 #endif
5831 }
5832 }
5834 /* Now emit the right operand (it may affect the namespace). */
5838 /* If += etc., emit the binary operator with a decompiler note. */
5840 /*
5841 * Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
5842 * declared in the current compilation unit, as in this case (just
5843 * a bit further below) we will avoid emitting the assignment op.
5844 */
5848 }
5851 }
5853 /* Left parts such as a.b.c and a[b].c need a decompiler note. */
5855 #if JS_HAS_DESTRUCTURING
5858 #endif
5861 }
5863 /* Finally, emit the specialized assignment bytecode. */
5868 /* FALL THROUGH */
5877 #if JS_HAS_DESTRUCTURING
5883 #endif
5884 #if JS_HAS_XML_SUPPORT
5889 #endif
5892 }
5896 /* Emit the condition, then branch if false to the else part. */
5906 /* Jump around else, fixup the branch, emit else, fixup jump. */
5912 /*
5913 * Because each branch pushes a single value, but our stack budgeting
5914 * analysis ignores branches, we now have to adjust cg->stackDepth to
5915 * ignore the value pushed by the first branch. Execution will follow
5916 * only one path, so we must decrement cg->stackDepth.
5917 *
5918 * Failing to do this will foil code, such as the try/catch/finally
5919 * exception handling code generator, that samples cg->stackDepth for
5920 * use at runtime (JSOP_SETSP), or in let expression and block code
5921 * generation, which must use the stack depth to compute local stack
5922 * indexes correctly.
5923 */
5935 /*
5936 * JSOP_OR converts the operand on the stack to boolean, and if true,
5937 * leaves the original operand value on the stack and jumps; otherwise
5938 * it pops and falls into the next bytecode, which evaluates the right
5939 * operand. The jump goes around the right operand evaluation.
5940 *
5941 * JSOP_AND converts the operand on the stack to boolean, and if false,
5942 * leaves the original operand value on the stack and jumps; otherwise
5943 * it pops and falls into the right operand's bytecode.
5944 */
5961 /* Left-associative operator chain: avoid too much recursion. */
5969 /* Emit nodes between the head and the tail. */
5981 }
5994 }
5998 /* For TCF_IN_FUNCTION test, see TOK_RB concerning JSOP_NEWARRAY. */
6001 /* Emit up to the first string literal conventionally. */
6009 }
6014 /*
6015 * Having seen a string literal, we know statically that the rest
6016 * of the additions are string concatenation, so we emit them as a
6017 * single concatn. First, do string conversion on the result of the
6018 * preceding zero or more additions so that any side effects of
6019 * string conversion occur before the next operand begins.
6020 */
6027 }
6034 }
6038 }
6051 /* Left-associative operator chain: avoid too much recursion. */
6061 }
6063 #if JS_HAS_XML_SUPPORT
6064 uintN oldflags;
6073 }
6075 /*
6076 * Binary :: has a right operand that brackets arbitrary code,
6077 * possibly including a let (a = b) ... expression. We must clear
6078 * TCF_IN_FOR_INIT to avoid mis-compiling such beasts.
6079 */
6082 #endif
6084 /* Binary operators that evaluate both operands unconditionally. */
6089 #if JS_HAS_XML_SUPPORT
6091 #endif
6094 }
6098 #if JS_HAS_XML_SUPPORT
6102 /* FALL THROUGH */
6103 #endif
6105 {
6106 uintN oldflags;
6108 /* Unary op, including unary +/-. */
6110 #if JS_HAS_XML_SUPPORT
6115 }
6116 #endif
6130 }
6134 /* Emit lvalue-specialized code for ++/-- operators. */
6156 }
6167 }
6168 }
6184 }
6188 #if JS_HAS_XML_SUPPORT
6198 #endif
6199 }
6203 /*
6204 * Under ECMA 3, deleting a non-reference returns true -- but alas we
6205 * must evaluate the operand if it appears it might have side effects.
6206 */
6219 }
6225 #if JS_HAS_XML_SUPPORT
6230 #endif
6236 /*
6237 * If useless, just emit JSOP_TRUE; otherwise convert delete foo()
6238 * to foo(), true (a comma expression, requiring SRC_PCDELTA).
6239 */
6254 }
6261 }
6262 }
6265 #if JS_HAS_XML_SUPPORT
6281 #endif
6284 /*
6285 * Pop a stack operand, convert it to object, get a property named by
6286 * this bytecode's immediate-indexed atom operand, and push its value
6287 * (not a reference to it).
6288 */
6293 #if JS_HAS_XML_SUPPORT
6295 #endif
6296 /*
6297 * Pop two operands, convert the left one to object and the right one
6298 * to property name (atom or tagged int), get the named property, and
6299 * push its value. Set the "obj" register to the result of ToObject
6300 * on the left operand.
6301 */
6307 {
6310 /*
6311 * Emit callable invocation or operator new (constructor call) code.
6312 * First, emit code for the left operand to evaluate the callable or
6313 * constructable object expression.
6314 *
6315 * For operator new applied to other expressions than E4X ones, we emit
6316 * JSOP_GETPROP instead of JSOP_CALLPROP, etc. This is necessary to
6317 * interpose the lambda-initialized method read barrier -- see the code
6318 * in jsops.cpp for JSOP_LAMBDA followed by JSOP_{SET,INIT}PROP.
6319 *
6320 * Then (or in a call case that has no explicit reference-base object)
6321 * we emit JSOP_NULL as a placeholder local GC root to hold the |this|
6322 * parameter: in the operator new case, the newborn instance; in the
6323 * base-less call case, a cookie meaning "use the global object as the
6324 * |this| value" (or in ES5 strict mode, "use undefined", so we should
6325 * use JSOP_PUSH instead of JSOP_NULL -- see bug 514570).
6326 */
6343 #if JS_HAS_XML_SUPPORT
6349 }
6350 #endif
6351 /* FALL THROUGH */
6353 /*
6354 * Push null as a placeholder for the global object, per ECMA-262
6355 * 11.2.3 step 6.
6356 */
6361 }
6365 /* Remember start of callable-object bytecode for decompilation hint. */
6368 /*
6369 * Emit code for each argument in order, then emit the JSOP_*CALL or
6370 * JSOP_NEW bytecode with a two-byte immediate telling how many args
6371 * were pushed on the operand stack.
6372 */
6378 }
6387 /* Add a trace hint opcode for recursion. */
6390 }
6394 }
6397 {
6399 uintN count;
6404 /*
6405 * If this lexical scope is not for a catch block, let block or let
6406 * expression, or any kind of for loop (where the scope starts in the
6407 * head after the first part if for (;;), else in the body if for-in);
6408 * and if our container is top-level but not a function body, or else
6409 * a block statement; then emit a SRC_BRACE note. All other container
6410 * statements get braces by default from the decompiler.
6411 */
6418 #if defined DEBUG_brendan || defined DEBUG_mrbkap
6419 /* There must be no source note already output for the next op. */
6423 #endif
6427 }
6445 }
6446 }
6448 /* Emit the JSOP_LEAVEBLOCK or JSOP_LEAVEBLOCKEXPR opcode. */
6454 }
6456 #if JS_HAS_BLOCK_SCOPE
6458 /* Let statements have their variable declarations on the left. */
6464 }
6466 /* Non-null pn2 means that pn is the variable list from a let head. */
6471 /* Thus non-null pn2 is the body of the let block or expression. */
6480 }
6484 #if JS_HAS_GENERATORS
6486 jsint slot;
6488 /*
6489 * The array object's stack index is in cg->arrayCompDepth. See below
6490 * under the array initialiser code generator for array comprehension
6491 * special casing.
6492 */
6500 }
6501 #endif
6504 #if JS_HAS_GENERATORS
6506 #endif
6507 /*
6508 * Emit code for [a, b, c] that is equivalent to constructing a new
6509 * array and in source order evaluating each element value and adding
6510 * it to the array, without invoking latent setters. We use the
6511 * JSOP_NEWINIT and JSOP_INITELEM bytecodes to ignore setters and to
6512 * avoid dup'ing and popping the array as each element is added, as
6513 * JSOP_SETELEM/JSOP_SETPROP would do.
6514 *
6515 * If no sharp variable is defined, the initializer is not for an array
6516 * comprehension, the initializer is not overlarge, and the initializer
6517 * is not in global code (whose stack growth cannot be precisely modeled
6518 * due to the need to reserve space for global variables and regular
6519 * expressions), use JSOP_NEWARRAY to minimize opcodes and to create the
6520 * array using a fast, all-at-once process rather than a slow, element-
6521 * by-element process.
6522 */
6523 #if JS_HAS_SHARP_VARS
6525 do_emit_array:
6526 #endif
6529 ? JSOP_NEWARRAY
6532 #if JS_HAS_GENERATORS
6535 #endif
6536 #if JS_HAS_SHARP_VARS
6540 #endif
6545 #if JS_HAS_GENERATORS
6547 uintN saveDepth;
6549 /*
6550 * Pass the new array's stack index to the TOK_ARRAYPUSH case via
6551 * cg->arrayCompDepth, then simply traverse the TOK_FOR node and
6552 * its kids under pn2 to generate this comprehension.
6553 */
6561 /* Emit the usual op needed for decompilation. */
6565 }
6578 }
6581 }
6585 /* Emit a source note so we know to decompile an extra comma. */
6588 }
6591 /*
6592 * Emit an op to finish the array and, secondarily, to aid in sharp
6593 * array cleanup (if JS_HAS_SHARP_VARS) and decompilation.
6594 */
6598 }
6605 #if JS_HAS_SHARP_VARS
6607 do_emit_object:
6608 #endif
6609 #if JS_HAS_DESTRUCTURING_SHORTHAND
6613 }
6614 #endif
6615 /*
6616 * Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
6617 * a new object and in source order evaluating each property value and
6618 * adding the property to the object, without invoking latent setters.
6619 * We use the JSOP_NEWINIT and JSOP_INITELEM/JSOP_INITPROP bytecodes to
6620 * ignore setters and to avoid dup'ing and popping the object as each
6621 * property is added, as JSOP_SETELEM/JSOP_SETPROP would do.
6622 */
6628 /* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
6633 }
6635 /* Emit code for the property initializer. */
6643 }
6645 /* Annotate JSOP_INITELEM so we decompile 2:c and not just c. */
6658 /* Check whether we can optimize to JSOP_INITMETHOD. */
6664 {
6671 }
6674 }
6675 }
6680 }
6684 }
6686 #if JS_HAS_SHARP_VARS
6693 # if JS_HAS_GENERATORS
6696 # endif
6712 /*
6713 * Cope with a left-over function definition that was replaced by a use
6714 * of a later function definition of the same name. See FunctionDef and
6715 * MakeDefIntoUse in jsparse.cpp.
6716 */
6723 #if JS_HAS_XML_SUPPORT
6729 #endif
6739 /*
6740 * If the regexp's script is one-shot and the regexp is not used in a
6741 * loop, we can avoid the extra fork-on-exec costs of JSOP_REGEXP by
6742 * selecting JSOP_OBJECT. Otherwise, to avoid incorrect proto, parent,
6743 * and lastIndex sharing, select JSOP_REGEXP.
6744 */
6752 }
6753 }
6754 }
6760 cg);
6761 }
6763 }
6765 #if JS_HAS_XML_SUPPORT
6767 #endif
6773 #if JS_HAS_DEBUGGER_KEYWORD
6780 #if JS_HAS_XML_SUPPORT
6786 }
6792 /* FALL THROUGH */
6799 }
6805 }
6810 }
6820 }
6823 }
6824 #ifdef DEBUG
6825 else
6827 #endif
6834 }
6835 /* FALL THROUGH */
6839 {
6840 uint32 i;
6866 }
6872 }
6876 }
6877 }
6892 }
6901 }
6906 }
6912 }
6928 }
6935 }
6938 }
6940 /*
6941 * We should try to get rid of offsetBias (always 0 or 1, where 1 is
6942 * JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR and SRC_DECL.
6943 */
6970 };
6972 static intN
6974 {
6975 intN index;
6984 /* Allocate the first note array lazily; leave noteMask alone. */
6987 /* Grow by doubling note array size; update noteMask on success. */
6991 }
6995 }
6996 }
7000 }
7002 intN
7004 {
7009 /*
7010 * Claim a note slot in CG_NOTES(cg) by growing it if necessary and then
7011 * incrementing CG_NOTE_COUNT(cg).
7012 */
7018 /*
7019 * Compute delta from the last annotated bytecode's offset. If it's too
7020 * big to fit in sn, allocate one or more xdelta notes and reset sn.
7021 */
7035 }
7037 /*
7038 * Initialize type and delta, then allocate the minimum number of notes
7039 * needed for type's arity. Usually, we won't need more, but if an offset
7040 * does take two bytes, js_SetSrcNoteOffset will grow CG_NOTES(cg).
7041 */
7046 }
7048 }
7050 intN
7053 {
7054 intN index;
7060 }
7062 }
7064 intN
7067 {
7068 intN index;
7076 }
7078 }
7080 static JSBool
7082 {
7086 /* Grow by doubling note array size; update noteMask on success. */
7093 }
7096 }
7098 jssrcnote *
7101 {
7103 intN index;
7105 /*
7106 * Called only from OptimizeSpanDeps and js_FinishTakingSrcNotes to add to
7107 * main script note deltas, and only by a small positive amount.
7108 */
7123 }
7128 sn++;
7129 }
7131 }
7135 {
7136 uintN arity;
7143 }
7145 }
7149 {
7150 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7156 }
7161 }
7163 }
7165 JSBool
7168 {
7175 }
7177 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7184 }
7186 /* See if the new offset requires three bytes. */
7188 /* Maybe this offset was already set to a three-byte value. */
7190 /* Losing, need to insert another two bytes for this offset. */
7193 /*
7194 * Simultaneously test to see if the source note array must grow to
7195 * accommodate either the first or second byte of additional storage
7196 * required by this 3-byte offset.
7197 */
7202 }
7209 }
7212 }
7215 }
7217 #ifdef DEBUG_notme
7218 #define DEBUG_srcnotesize
7219 #endif
7221 #ifdef DEBUG_srcnotesize
7222 #define NBINS 10
7226 {
7235 }
7242 }
7244 }
7245 #endif
7247 /*
7248 * Fill in the storage at notes with prolog and main srcnotes; the space at
7249 * notes was allocated using the CG_COUNT_FINAL_SRCNOTES macro from jsemit.h.
7250 * SO DON'T CHANGE THIS FUNCTION WITHOUT AT LEAST CHECKING WHETHER jsemit.h's
7251 * CG_COUNT_FINAL_SRCNOTES MACRO NEEDS CORRESPONDING CHANGES!
7252 */
7253 JSBool
7255 {
7270 /*
7271 * Either no prolog srcnotes, or no line number change over prolog.
7272 * We don't need a SRC_SETLINE, but we may need to adjust the offset
7273 * of the first main note, by adding to its delta and possibly even
7274 * prepending SRC_XDELTA notes to it to account for prolog bytecodes
7275 * that came at and after the last annotated bytecode.
7276 */
7280 /* NB: Use as much of the first main note's delta as we can. */
7295 }
7296 }
7297 }
7306 #ifdef DEBUG_notme
7311 }
7312 #endif
7314 }
7316 static JSBool
7319 {
7331 }
7341 }
7343 void
7345 {
7356 }
7358 /*
7359 * Find the index of the given object for code generator.
7360 *
7361 * Since the emitter refers to each parsed object only once, for the index we
7362 * use the number of already indexes objects. We also add the object to a list
7363 * to convert the list to a fixed-size array when we complete code generation,
7364 * see JSCGObjectList::finish below.
7365 *
7366 * Most of the objects go to JSCodeGenerator.objectList but for regexp we use a
7367 * separated JSCodeGenerator.regexpList. In this way the emitted index can be
7368 * directly used to store and fetch a reference to a cloned RegExp object that
7369 * shares the same JSRegExp private data created for the object literal in
7370 * objbox. We need a cloned object to hold lastIndex and other direct properties
7371 * that should not be shared among threads sharing a precompiled function or
7372 * script.
7373 *
7374 * If the code being compiled is function code, allocate a reserved slot in
7375 * the cloned function object that shares its precompiled script with other
7376 * cloned function objects and with the compiler-created clone-parent. There
7377 * are nregexps = script->regexps()->length such reserved slots in each
7378 * function object cloned from fun->object. NB: during compilation, a funobj
7379 * slots element must never be allocated, because js_AllocSlot could hand out
7380 * one of the slots that should be given to a regexp clone.
7381 *
7382 * If the code being compiled is global code, the cloned regexp are stored in
7383 * fp->vars slot after cg->ngvars and to protect regexp slots from GC we set
7384 * fp->nvars to ngvars + nregexps.
7385 *
7386 * The slots initially contain undefined or null. We populate them lazily when
7387 * JSOP_REGEXP is executed for the first time.
7388 *
7389 * Why clone regexp objects? ECMA specifies that when a regular expression
7390 * literal is scanned, a RegExp object is created. In the spec, compilation
7391 * and execution happen indivisibly, but in this implementation and many of
7392 * its embeddings, code is precompiled early and re-executed in multiple
7393 * threads, or using multiple global objects, or both, for efficiency.
7394 *
7395 * In such cases, naively following ECMA leads to wrongful sharing of RegExp
7396 * objects, which makes for collisions on the lastIndex property (especially
7397 * for global regexps) and on any ad-hoc properties. Also, __proto__ refers to
7398 * the pre-compilation prototype, a pigeon-hole problem for instanceof tests.
7399 */
7400 uintN
7402 {
7407 }
7409 void
7411 {
7426 }