| blob | 334417f46dc1e00eeab40af7c3e2ea9f350352ef |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode generation.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <new>
48 #include <string.h>
72 /* Allocation chunk counts, must be powers of two in general. */
77 /* Macros to compute byte sizes from typed element counts. */
78 #define BYTECODE_SIZE(n) ((n) * sizeof(jsbytecode))
79 #define SRCNOTE_SIZE(n) ((n) * sizeof(jssrcnote))
80 #define TRYNOTE_SIZE(n) ((n) * sizeof(JSTryNote))
84 static JSBool
90 uintN lineno)
101 {
109 }
112 {
114 }
117 {
121 /* NB: non-null only after OOM. */
127 }
129 static ptrdiff_t
131 {
143 ? BYTECODE_CHUNK
152 }
156 }
160 }
162 }
164 static void
166 {
168 JSOp op;
171 intN ndefs;
176 #ifdef JS_TRACER
179 #else
181 #endif
185 extra;
188 }
201 JSMSG_STACK_UNDERFLOW,
203 numBuf);
204 }
209 /* We just executed IndexParsedObject */
218 }
222 }
224 ptrdiff_t
226 {
232 }
234 }
236 ptrdiff_t
238 {
247 }
249 }
251 ptrdiff_t
253 jsbytecode op2)
254 {
264 }
266 }
268 ptrdiff_t
270 {
280 /*
281 * Don't UpdateDepth if op's use-count comes from the immediate
282 * operand yet to be stored in the extra bytes after op.
283 */
286 }
288 }
290 /* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
311 };
317 {
321 }
323 static void
325 {
328 }
330 /**
331 Span-dependent instructions in JS bytecode consist of the jump (JOF_JUMP)
332 and switch (JOF_LOOKUPSWITCH, JOF_TABLESWITCH) format opcodes, subdivided
333 into unconditional (gotos and gosubs), and conditional jumps or branches
334 (which pop a value, test it, and jump depending on its value). Most jumps
335 have just one immediate operand, a signed offset from the jump opcode's pc
336 to the target bytecode. The lookup and table switch opcodes may contain
337 many jump offsets.
339 Mozilla bug #80981 (http://bugzilla.mozilla.org/show_bug.cgi?id=80981) was
340 fixed by adding extended "X" counterparts to the opcodes/formats (NB: X is
341 suffixed to prefer JSOP_ORX thereby avoiding a JSOP_XOR name collision for
342 the extended form of the JSOP_OR branch opcode). The unextended or short
343 formats have 16-bit signed immediate offset operands, the extended or long
344 formats have 32-bit signed immediates. The span-dependency problem consists
345 of selecting as few long instructions as possible, or about as few -- since
346 jumps can span other jumps, extending one jump may cause another to need to
347 be extended.
349 Most JS scripts are short, so need no extended jumps. We optimize for this
350 case by generating short jumps until we know a long jump is needed. After
351 that point, we keep generating short jumps, but each jump's 16-bit immediate
352 offset operand is actually an unsigned index into cg->spanDeps, an array of
353 JSSpanDep structs. Each struct tells the top offset in the script of the
354 opcode, the "before" offset of the jump (which will be the same as top for
355 simplex jumps, but which will index further into the bytecode array for a
356 non-initial jump offset in a lookup or table switch), the after "offset"
357 adjusted during span-dependent instruction selection (initially the same
358 value as the "before" offset), and the jump target (more below).
360 Since we generate cg->spanDeps lazily, from within js_SetJumpOffset, we must
361 ensure that all bytecode generated so far can be inspected to discover where
362 the jump offset immediate operands lie within CG_CODE(cg). But the bonus is
363 that we generate span-dependency records sorted by their offsets, so we can
364 binary-search when trying to find a JSSpanDep for a given bytecode offset,
365 or the nearest JSSpanDep at or above a given pc.
367 To avoid limiting scripts to 64K jumps, if the cg->spanDeps index overflows
368 65534, we store SPANDEP_INDEX_HUGE in the jump's immediate operand. This
369 tells us that we need to binary-search for the cg->spanDeps entry by the
370 jump opcode's bytecode offset (sd->before).
372 Jump targets need to be maintained in a data structure that lets us look
373 up an already-known target by its address (jumps may have a common target),
374 and that also lets us update the addresses (script-relative, a.k.a. absolute
375 offsets) of targets that come after a jump target (for when a jump below
376 that target needs to be extended). We use an AVL tree, implemented using
377 recursion, but with some tricky optimizations to its height-balancing code
378 (see http://www.cmcrossroads.com/bradapp/ftp/src/libs/C++/AvlTrees.html).
380 A final wrinkle: backpatch chains are linked by jump-to-jump offsets with
381 positive sign, even though they link "backward" (i.e., toward lower bytecode
382 address). We don't want to waste space and search time in the AVL tree for
383 such temporary backpatch deltas, so we use a single-bit wildcard scheme to
384 tag true JSJumpTarget pointers and encode untagged, signed (positive) deltas
385 in JSSpanDep.target pointers, depending on whether the JSSpanDep has a known
386 target, or is still awaiting backpatching.
388 Note that backpatch chains would present a problem for BuildSpanDepTable,
389 which inspects bytecode to build cg->spanDeps on demand, when the first
390 short jump offset overflows. To solve this temporary problem, we emit a
391 proxy bytecode (JSOP_BACKPATCH; JSOP_BACKPATCH_POP for branch ops) whose
392 nuses/ndefs counts help keep the stack balanced, but whose opcode format
393 distinguishes its backpatch delta immediate operand from a normal jump
394 offset.
395 */
396 static int
398 {
401 JSBool doubleRotate;
414 }
438 }
441 }
450 static int
452 {
469 }
470 }
478 }
483 }
487 else
496 }
498 #ifdef DEBUG_brendan
500 {
509 }
510 #endif
512 static JSBool
515 {
516 AddJumpTargetArgs args;
521 }
531 #ifdef DEBUG_brendan
533 #endif
537 }
539 #define SPANDEPS_MIN 256
540 #define SPANDEPS_SIZE(n) ((n) * sizeof(JSSpanDep))
541 #define SPANDEPS_SIZE_MIN SPANDEPS_SIZE(SPANDEPS_MIN)
543 static JSBool
546 {
547 uintN index;
555 }
564 }
572 /* Jump offset will be backpatched if off is a non-zero "bpdelta". */
578 }
579 }
582 /* Jump offset will be patched directly, without backpatch chaining. */
585 /* The jump offset in off is non-zero, therefore it's already known. */
588 }
594 }
598 {
599 JSOp op;
623 }
631 }
633 }
635 static JSBool
637 {
639 JSOp op;
662 /* FALL THROUGH */
666 }
667 }
670 }
674 {
675 uintN index;
694 else
696 }
700 }
702 static JSBool
705 {
712 }
717 }
726 }
728 static void
730 {
735 }
738 }
743 {
758 else
760 }
766 }
768 static void
770 {
777 }
779 static JSBool
781 {
785 JSBool done;
786 JSOp op;
787 uint32 type;
793 #ifdef DEBUG_brendan
795 #endif
811 #ifdef DEBUG_brendan
812 passes++;
813 #endif
828 /*
829 * We already extended all the jump offset operands for
830 * the opcode at sd->top. Jumps and branches have only
831 * one jump offset operand, but switches have many, all
832 * of which are adjacent in cg->spanDeps.
833 */
835 }
840 }
863 }
868 /*
869 * sd2->offset already includes delta as it stood
870 * before we entered this loop, but it must also
871 * include the delta relative to top due to all the
872 * extended jump offset immediates for the opcode
873 * starting at top, which we extend in this loop.
874 *
875 * If there is only one extended jump offset, then
876 * sd2->offset won't change and this for loop will
877 * iterate once only.
878 */
882 /*
883 * sd2 comes after sd, and won't be revisited by
884 * the outer for loop, so we have to increase its
885 * offset by delta, not merely by deltaFromTop.
886 */
888 }
893 }
895 }
896 }
897 }
903 #ifdef DEBUG_brendan
910 #endif
912 /*
913 * Ensure that we have room for the extended jumps, but don't round up
914 * to a power of two -- we're done generating code, so we cut to fit.
915 */
927 }
930 }
933 /*
934 * Set up a fake span dependency record to guard the end of the code
935 * being generated. This guard record is returned as a fencepost by
936 * FindNearestSpanDep if there is no real spandep at or above a given
937 * unextended code offset.
938 */
943 }
945 /*
946 * Now work backwards through the span dependencies, copying chunks of
947 * bytecode between each extended jump toward the end of the grown code
948 * space, and restoring immediate offset operands for all jump bytecodes.
949 * The first chunk of bytecodes, starting at base and ending at the first
950 * extended jump offset (NB: this chunk includes the operation bytecode
951 * just before that immediate jump offset), doesn't need to be copied.
952 */
963 sd2++;
966 }
971 /*
972 * If this jump didn't need to be extended, restore its span immediate
973 * offset operand now, overwriting the index of sd within cg->spanDeps
974 * that was stored temporarily after *pc when BuildSpanDepTable ran.
975 *
976 * Note that span might fit in 16 bits even for an extended jump op,
977 * if the op has multiple span operands, not all of which overflowed
978 * (e.g. JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH where some cases are in
979 * range for a short jump, but others are not).
980 */
985 }
987 /*
988 * Set up parameters needed to copy the next run of bytecode starting
989 * at offset (which is a cursor into the unextended, original bytecode
990 * vector), down to sd->before (a cursor of the same scale as offset,
991 * it's the index of the original jump pc). Reuse delta to count the
992 * nominal number of bytes to copy.
993 */
998 /*
999 * Don't bother copying the jump offset we're about to reset, but do
1000 * copy the bytecode at oldpc (which comes just before its immediate
1001 * jump offset operand), on the next iteration through the loop, by
1002 * including it in offset's new value.
1003 */
1009 size);
1010 }
1013 }
1016 /*
1017 * Fix source note deltas. Don't hardwire the delta fixup adjustment,
1018 * even though currently it must be JUMPX_OFFSET_LEN - JUMP_OFFSET_LEN
1019 * at each sd that moved. The future may bring different offset sizes
1020 * for span-dependent instruction operands. However, we fix only main
1021 * notes here, not prolog notes -- we know that prolog opcodes are not
1022 * span-dependent, and aren't likely ever to be.
1023 */
1029 /*
1030 * Recall that the offset of a given note includes its delta, and
1031 * tells the offset of the annotated bytecode from the main entry
1032 * point of the script.
1033 */
1036 /*
1037 * To compute the delta to add to sn, we need to look at the
1038 * spandep after sd, whose offset - (before + growth) tells by
1039 * how many bytes sd's instruction grew.
1040 */
1052 }
1053 sd++;
1054 }
1056 /*
1057 * If sn has span-dependent offset operands, check whether each
1058 * covers further span-dependencies, and increase those operands
1059 * accordingly. Some source notes measure offset not from the
1060 * annotated pc, but from that pc plus some small bias. NB: we
1061 * assume that spec->offsetBias can't itself span span-dependent
1062 * instructions!
1063 */
1079 /*
1080 * Increase target by sd2's before-vs-after offset delta,
1081 * which is absolute (i.e., relative to start of script,
1082 * as is target). Recompute the span by subtracting its
1083 * adjusted pivot from target.
1084 */
1093 }
1094 }
1095 }
1098 /*
1099 * Fix try/catch notes (O(numTryNotes * log2(numSpanDeps)), but it's
1100 * not clear how we can beat that).
1101 */
1103 /*
1104 * First, look for the nearest span dependency at/above tn->start.
1105 * There may not be any such spandep, in which case the guard will
1106 * be returned.
1107 */
1113 /*
1114 * Next, find the nearest spandep at/above tn->start + tn->length.
1115 * Use its delta minus tn->start's delta to increase tn->length.
1116 */
1122 }
1123 }
1124 }
1126 #ifdef DEBUG_brendan
1127 {
1133 /* NB: sd->top cursors into the original, unextended bytecode vector. */
1150 }
1156 bigspans++;
1160 }
1163 }
1165 }
1167 }
1168 #endif
1170 /*
1171 * Reset so we optimize at most once -- cg may be used for further code
1172 * generation of successive, independent, top-level statements. No jump
1173 * can span top-level statements, because JS lacks goto.
1174 */
1183 }
1185 static ptrdiff_t
1187 {
1188 JSBool extend;
1201 }
1203 }
1205 static ptrdiff_t
1207 {
1223 sd++;
1225 }
1227 JSBool
1230 {
1235 }
1239 }
1242 }
1244 bool
1246 {
1250 }
1252 }
1254 bool
1256 {
1257 #if JS_HAS_SHARP_VARS
1263 }
1279 /*
1280 * Compiler::compileScript will rebase immediate operands indexing
1281 * the sharp slots to come at the end of the global script's |nfixed|
1282 * slots storage, after gvars and regexps.
1283 */
1285 }
1287 #endif
1289 }
1291 bool
1293 {
1300 }
1302 }
1304 void
1307 {
1321 }
1322 }
1324 void
1327 {
1335 }
1337 /*
1338 * Emit a backpatch op with offset pointing to the previous jump of this type,
1339 * so that we can walk back up the chain fixing up the op and jump offset.
1340 */
1341 static ptrdiff_t
1343 {
1351 }
1353 /*
1354 * Macro to emit a bytecode followed by a uint16 immediate operand stored in
1355 * big-endian order, used for arg and var numbers as well as for atomIndexes.
1356 * NB: We use cx and cg from our caller's lexical environment, and return
1357 * false on error.
1358 */
1359 #define EMIT_UINT16_IMM_OP(op, i) \
1360 JS_BEGIN_MACRO \
1361 if (js_Emit3(cx, cg, op, UINT16_HI(i), UINT16_LO(i)) < 0) \
1362 return JS_FALSE; \
1363 JS_END_MACRO
1365 #define EMIT_UINT16PAIR_IMM_OP(op, i, j) \
1366 JS_BEGIN_MACRO \
1367 ptrdiff_t off_ = js_EmitN(cx, cg, op, 2 * UINT16_LEN); \
1368 if (off_ < 0) \
1369 return JS_FALSE; \
1370 jsbytecode *pc_ = CG_CODE(cg, off_); \
1371 SET_UINT16(pc_, i); \
1372 pc_ += UINT16_LEN; \
1373 SET_UINT16(pc_, j); \
1374 JS_END_MACRO
1376 static JSBool
1378 {
1385 }
1387 /*
1388 * Emit additional bytecode(s) for non-local jumps.
1389 */
1390 static JSBool
1392 {
1396 /*
1397 * The non-local jump fixup we emit will unbalance cg->stackDepth, because
1398 * the fixup replicates balanced code such as JSOP_LEAVEWITH emitted at the
1399 * end of a with statement, so we save cg->stackDepth here and restore it
1400 * just before a successful return.
1401 */
1405 #define FLUSH_POPS() if (npops && !FlushPops(cx, cg, &npops)) return JS_FALSE
1418 /* There's a With object on the stack that we need to pop. */
1427 /*
1428 * The iterator and the object being iterated need to be popped.
1429 */
1438 /*
1439 * There's a [exception or hole, retsub pc-index] pair on the
1440 * stack that we need to pop.
1441 */
1446 }
1449 uintN i;
1451 /* There is a Block object with locals on the stack to pop. */
1457 }
1458 }
1464 #undef FLUSH_POPS
1465 }
1467 static ptrdiff_t
1470 {
1471 intN index;
1480 else
1486 }
1488 static JSBool
1491 {
1502 /*
1503 * Set *pc after jump offset in case bpdelta didn't overflow, but span
1504 * does (if so, CHECK_AND_SET_JUMP_OFFSET might call BuildSpanDepTable
1505 * and need to see the JSOP_BACKPATCH* op at *pc).
1506 */
1509 }
1511 }
1513 void
1515 {
1525 }
1526 }
1527 }
1529 JSBool
1531 {
1538 JSOP_GOTO))) {
1540 }
1543 }
1545 JSBool
1548 {
1549 jsdouble dval;
1550 jsint ival;
1552 jsval v;
1554 /* XXX just do numbers for now */
1560 /*
1561 * We atomize double to root a jsdouble instance that we wrap as
1562 * jsval and store in cg->constList. This works because atoms are
1563 * protected from GC during compilation.
1564 */
1569 }
1572 }
1574 }
1576 JSStmtInfo *
1578 {
1589 /* Skip "maybe scope" statements that don't contain let bindings. */
1604 }
1606 }
1607 }
1612 }
1614 /*
1615 * Check if the attributes describe a property holding a compile-time constant
1616 * or a permanent, read-only property without a getter.
1617 */
1618 #define IS_CONSTANT_PROPERTY(attrs) \
1619 (((attrs) & (JSPROP_READONLY | JSPROP_PERMANENT | JSPROP_GETTER)) == \
1620 (JSPROP_READONLY | JSPROP_PERMANENT))
1622 /*
1623 * The function sets vp to JSVAL_HOLE when the atom does not corresponds to a
1624 * name defining a constant.
1625 */
1626 static JSBool
1629 {
1630 JSBool ok;
1634 uintN attrs;
1636 /*
1637 * Chase down the cg stack, but only until we reach the outermost cg.
1638 * This enables propagating consts from top-level into switch cases in a
1639 * function compiled along with the top-level script.
1640 */
1644 /* XXX this will need revising if 'const' becomes block-scoped. */
1653 }
1655 /*
1656 * Try looking in the variable object for a direct property that
1657 * is readonly and permanent. We know such a property can't be
1658 * shadowed by another property on obj's prototype chain, or a
1659 * with object or catch variable; nor can prop's value be changed,
1660 * nor can prop be deleted.
1661 */
1672 /*
1673 * We're compiling code that will be executed immediately,
1674 * not re-executed against a different scope chain and/or
1675 * variable object. Therefore we can get constant values
1676 * from our variable object here.
1677 */
1682 }
1683 }
1690 }
1691 }
1694 }
1696 /*
1697 * Return JSOP_NOP to indicate that index fits 2 bytes and no index segment
1698 * reset instruction is necessary, JSOP_FALSE to indicate an error or either
1699 * JSOP_RESETBASE0 or JSOP_RESETBASE1 to indicate the reset bytecode to issue
1700 * after the main bytecode sequence.
1701 */
1702 static JSOp
1704 {
1705 uintN indexBase;
1707 /*
1708 * We have max 3 bytes for indexes and check for INDEX_LIMIT overflow only
1709 * for big indexes.
1710 */
1722 }
1726 JSMSG_TOO_MANY_LITERALS);
1728 }
1733 }
1735 /*
1736 * Emit a bytecode and its 2-byte constant index immediate operand. If the
1737 * index requires more than 2 bytes, emit a prefix op whose 8-bit immediate
1738 * operand effectively extends the 16-bit immediate of the prefixed opcode,
1739 * by changing index "segment" (see jsinterp.c). We optimize segments 1-3
1740 * with single-byte JSOP_INDEXBASE[123] codes.
1741 *
1742 * Such prefixing currently requires a suffix to restore the "zero segment"
1743 * register setting, but this could be optimized further.
1744 */
1745 static JSBool
1747 {
1748 JSOp bigSuffix;
1755 }
1757 /*
1758 * Slight sugar for EmitIndexOp, again accessing cx and cg from the macro
1759 * caller's lexical environment, and embedding a false return on error.
1760 */
1761 #define EMIT_INDEX_OP(op, index) \
1762 JS_BEGIN_MACRO \
1763 if (!EmitIndexOp(cx, op, index, cg)) \
1764 return JS_FALSE; \
1765 JS_END_MACRO
1767 static JSBool
1769 {
1776 }
1781 }
1783 static JSBool
1786 {
1789 }
1791 /*
1792 * What good are ARGNO_LEN and SLOTNO_LEN, you ask? The answer is that, apart
1793 * from EmitSlotIndexOp, they abstract out the detail that both are 2, and in
1794 * other parts of the code there's no necessary relationship between the two.
1795 * The abstraction cracks here in order to share EmitSlotIndexOp code among
1796 * the JSOP_DEFLOCALFUN and JSOP_GET{ARG,VAR,LOCAL}PROP cases.
1797 */
1801 static JSBool
1804 {
1805 JSOp bigSuffix;
1815 /* Emit [op, slot, index]. */
1824 }
1826 /*
1827 * Adjust the slot for a block local to account for the number of variables
1828 * that share the same index space with locals. Due to the incremental code
1829 * generation for top-level script, we do the adjustment via code patching in
1830 * Compiler::compileScript; see comments there.
1831 *
1832 * The function returns -1 on failures.
1833 */
1834 static jsint
1836 {
1843 }
1844 }
1846 }
1848 static bool
1850 {
1865 /* Beware the empty destructuring dummy. */
1869 }
1875 #ifdef DEBUG
1880 }
1881 #endif
1882 }
1886 }
1888 /*
1889 * When eval is called from a function, the eval code or function code it
1890 * compiles may reference upvars that live in the eval-calling function. The
1891 * eval-invoked compiler does not have explicit definitions for these upvars
1892 * and we do not attempt to create them a-priori (by inspecting the function's
1893 * args and vars) -- we could, but we'd take an avoidable penalty for each
1894 * function local not referenced by any upvar. Instead, we map such upvars
1895 * lazily, growing upvarMap.vector by powers of two.
1896 *
1897 * This function knows that it is called with pn pointing to a PN_NAME-arity
1898 * node, and cg->parser->callerFrame having a non-null fun member, and the
1899 * static level of cg at least one greater than the eval-calling function's
1900 * static level.
1901 */
1902 static bool
1904 {
1911 /*
1912 * Treat top-level function definitions as escaping (i.e., as funargs),
1913 * required since we compile each such top level function or statement
1914 * and throw away the AST, so we can't yet see all funarg uses of this
1915 * function being compiled (cg->funbox->object). See bug 493177.
1916 */
1922 }
1930 }
1931 }
1935 uintN index;
1949 }
1967 }
1975 }
1981 }
1983 /*
1984 * BindNameToSlot attempts to optimize name gets and sets to stack slot loads
1985 * and stores, given the compile-time information in cg and a TOK_NAME node pn.
1986 * It returns false on error, true on success.
1987 *
1988 * The caller can inspect pn->pn_cookie for FREE_UPVAR_COOKIE to tell whether
1989 * optimization occurred, in which case BindNameToSlot also updated pn->pn_op.
1990 * If pn->pn_cookie is still FREE_UPVAR_COOKIE on return, pn->pn_op still may
1991 * have been optimized, e.g., from JSOP_NAME to JSOP_CALLEE. Whether or not
1992 * pn->pn_op was modified, if this function finds an argument or local variable
1993 * name, PND_CONST will be set in pn_dflags for read-only properties after a
1994 * successful return.
1995 *
1996 * NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
1997 * to update the TOK_FOR (for-in) and TOK_ASSIGN (op=, e.g. +=) special cases
1998 * in js_EmitTree.
1999 */
2000 static JSBool
2002 {
2004 JSOp op;
2006 uint32 cookie;
2009 uintN index;
2013 /* Idempotency tests come first, since we may be called more than once. */
2017 /* No cookie initialized for these two, they're pre-bound by definition. */
2020 /*
2021 * The parser linked all uses (including forward references) to their
2022 * definitions, unless a with statement or direct eval intervened.
2023 */
2035 }
2046 /*
2047 * Turn attempts to mutate const-declared bindings into get ops (for
2048 * pre-increment and pre-decrement ops, our caller will have to emit
2049 * JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
2050 *
2051 * Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
2052 * bindings visible to the compiler are permanent in JS unless the
2053 * declaration originates in eval code. We detect eval code by testing
2054 * cg->parser->callerFrame, which is set only by eval or a debugger
2055 * equivalent.
2056 *
2057 * Note that this callerFrame non-null test must be qualified by testing
2058 * !cg->funbox to exclude function code nested in eval code, which is not
2059 * subject to the deletable binding exception.
2060 */
2069 else
2073 }
2078 }
2085 /*
2086 * Don't generate upvars on the left side of a for loop. See
2087 * bug 470758.
2088 */
2096 /*
2097 * Make sure the variable object used by the compiler to initialize
2098 * parent links matches the caller's varobj. Compile-n-go compiler-
2099 * created function objects have the top-level cg's scopeChain set
2100 * as their parent by Parser::newFunction.
2101 */
2108 /*
2109 * We are compiling eval or debug script inside a function frame
2110 * and the scope chain matches the function's variable object.
2111 * Optimize access to function's arguments and variable and the
2112 * arguments object.
2113 */
2117 /*
2118 * Generator functions may be resumed from any call stack, which
2119 * defeats the display optimization to static link searching used
2120 * by JSOP_{GET,CALL}UPVAR.
2121 */
2129 }
2131 }
2134 /*
2135 * If this is a global reference from within a function, leave pn_op as
2136 * JSOP_NAME, etc. We could emit JSOP_*GVAR ops within function code if
2137 * only we could depend on the global frame's slots being valid for all
2138 * calls to the function, and if we could equate the atom index in the
2139 * function's atom map for every global name with its frame slot.
2140 */
2144 /*
2145 * We are optimizing global variables and there may be no pre-existing
2146 * global property named atom when this global script runs. If atom was
2147 * declared via const or var, optimize pn to access fp->vars using the
2148 * appropriate JSOP_*GVAR op.
2149 *
2150 * FIXME: should be able to optimize global function access too.
2151 */
2165 }
2170 }
2175 /*
2176 * A JSDefinition witnessed as a declaration by the parser cannot be an
2177 * upvar, unless it is the degenerate kind of upvar selected above (in the
2178 * code before the PND_GVAR test) for the special case of compile-and-go
2179 * code generated from eval called from a function, where the eval code
2180 * uses local vars defined in the function. We detect this upvar-for-eval
2181 * case by checking dn's op.
2182 */
2188 #ifdef DEBUG
2190 #endif
2203 /*
2204 * Don't generate upvars on the left side of a for loop. See
2205 * bug 470758 and bug 520513.
2206 */
2215 }
2218 }
2228 /*
2229 * If op is a mutating opcode, this upvar's static level is too big to
2230 * index into the display, or the function is heavyweight, we fall back
2231 * on JSOP_*NAME*.
2232 */
2243 /*
2244 * The function we're compiling may not be heavyweight, but if it
2245 * escapes as a funarg, we can't use JSOP_GETUPVAR/JSOP_CALLUPVAR.
2246 * Parser::analyzeFunctions has arranged for this function's
2247 * enclosing functions to be heavyweight, so we can safely stick
2248 * with JSOP_NAME/JSOP_CALLNAME.
2249 */
2253 /*
2254 * Generator functions may be resumed from any call stack, which
2255 * defeats the display optimization to static link searching used
2256 * by JSOP_{GET,CALL}UPVAR.
2257 */
2262 }
2285 }
2288 }
2298 }
2301 }
2307 }
2309 /*
2310 * We are compiling a function body and may be able to optimize name
2311 * to stack slot. Look for an argument or variable in the function and
2312 * rewrite pn_op and update pn accordingly.
2313 */
2328 }
2341 }
2350 /*
2351 * Leave pn->pn_op == JSOP_NAME if cg->fun is heavyweight, as we
2352 * cannot be sure cg->fun is not something of the form:
2353 *
2354 * var ff = (function f(s) { eval(s); return f; });
2355 *
2356 * where a caller invokes ff("var f = 42"). The result returned for
2357 * such an invocation must be 42, since the callee name is
2358 * lexically bound in an outer declarative environment from the
2359 * function's activation. See jsfun.cpp:call_resolve.
2360 */
2365 }
2370 }
2371 /* FALL THROUGH */
2387 }
2390 }
2397 }
2399 /*
2400 * If pn contains a useful expression, return true with *answer set to true.
2401 * If pn contains a useless expression, return true with *answer set to false.
2402 * Return false on error.
2403 *
2404 * The caller should initialize *answer to false and invoke this function on
2405 * an expression statement or similar subtree to decide whether the tree could
2406 * produce code that has any side effects. For an expression statement, we
2407 * define useless code as code with no side effects, because the main effect,
2408 * the value left on the stack after the code executes, will be discarded by a
2409 * pop bytecode.
2410 */
2411 static JSBool
2414 {
2415 JSBool ok;
2424 /*
2425 * A named function, contrary to ES3, is no longer useful, because we
2426 * bind its name lexically (using JSOP_CALLEE) instead of creating an
2427 * Object instance and binding a readonly, permanent property in it
2428 * (the object and binding can be detected and hijacked or captured).
2429 * This is a bug fix to ES3; it is fixed in ES3.1 drafts.
2430 */
2438 /*
2439 * Non-operators along with ||, &&, ===, and !== never invoke
2440 * toString or valueOf.
2441 */
2445 /*
2446 * All invocation operations (construct: TOK_NEW, call: TOK_LP)
2447 * are presumed to be useful, because they may have side effects
2448 * even if their main effect (their return value) is discarded.
2449 *
2450 * TOK_LB binary trees of 3 or more nodes are flattened into lists
2451 * to avoid too much recursion. All such lists must be presumed
2452 * to be useful because each index operation could invoke a getter
2453 * (the JSOP_ARGUMENTS special case below, in the PN_BINARY case,
2454 * does not apply here: arguments[i][j] might invoke a getter).
2455 *
2456 * Likewise, array and object initialisers may call prototype
2457 * setters (the __defineSetter__ built-in, and writable __proto__
2458 * on Array.prototype create this hazard). Initialiser list nodes
2459 * have JSOP_NEWINIT in their pn_op.
2460 */
2462 }
2473 /*
2474 * Assignment is presumed to be useful, even if the next operation
2475 * is another assignment overwriting this one's ostensible effect,
2476 * because the left operand may be a property with a setter that
2477 * has side effects.
2478 *
2479 * The only exception is assignment of a useless value to a const
2480 * declared in the function currently being compiled.
2481 */
2492 }
2496 /*
2497 * ||, &&, ===, and !== do not convert their operands via
2498 * toString or valueOf method calls.
2499 */
2503 /*
2504 * We can't easily prove that neither operand ever denotes an
2505 * object with a toString or valueOf method.
2506 */
2508 }
2509 }
2523 }
2524 /* FALL THROUGH */
2526 #if JS_HAS_XML_SUPPORT
2528 #endif
2531 /* All these delete addressing modes have effects too. */
2537 }
2542 /* ! does not convert its operand via toString or valueOf. */
2545 }
2546 /* FALL THROUGH */
2549 /*
2550 * All of TOK_INC, TOK_DEC, TOK_THROW, TOK_YIELD, and TOK_DEFSHARP
2551 * have direct effects. Of the remaining unary-arity node types,
2552 * we can't easily prove that the operand never denotes an object
2553 * with a toString or valueOf method.
2554 */
2557 }
2561 /*
2562 * Take care to avoid trying to bind a label name (labels, both for
2563 * statements and property values in object initialisers, have pn_op
2564 * defaulted to JSOP_NOP).
2565 */
2571 /*
2572 * Not an argument or local variable use, and not a use of a
2573 * unshadowed named function expression's given name, so this
2574 * expression could invoke a getter that has side effects.
2575 */
2577 }
2578 }
2585 /*
2586 * Any dotted property reference could call a getter, except
2587 * for arguments.length where arguments is unambiguous.
2588 */
2590 }
2591 }
2603 }
2605 }
2607 static JSBool
2609 JSBool callContext)
2610 {
2611 JSOp op;
2641 }
2642 }
2655 }
2656 }
2659 }
2661 #if JS_HAS_XML_SUPPORT
2662 static JSBool
2664 {
2666 uintN oldflags;
2681 }
2684 }
2685 #endif
2687 static JSBool
2689 {
2690 /*
2691 * Special case for obj.__proto__ to deoptimize away from fast paths in the
2692 * interpreter and trace recorder, which skip dense array instances by
2693 * going up to Array.prototype before looking up the property name.
2694 */
2703 }
2705 static JSBool
2707 JSBool callContext)
2708 {
2715 /* Special case deoptimization for __proto__. */
2721 }
2730 /* Fast path for gets of |this.foo|. */
2732 }
2734 /*
2735 * Try to optimize:
2736 * - arguments.length into JSOP_ARGCNT
2737 * - argname.prop into JSOP_GETARGPROP
2738 * - localname.prop into JSOP_GETLOCALPROP
2739 * but don't do this if the property is 'length' -- prefer to emit
2740 * JSOP_GETARG, etc., and then JSOP_LENGTH.
2741 */
2754 do_indexconst: {
2756 jsatomid atomIndex;
2763 }
2766 }
2767 }
2768 }
2769 }
2771 /*
2772 * If the object operand is also a dotted property reference, reverse the
2773 * list linked via pn_expr temporarily so we can iterate over it from the
2774 * bottom up (reversing again as we go), to avoid excessive recursion.
2775 */
2781 /* Reverse pndot->pn_expr to point up, not down. */
2790 }
2792 /* pndown is a primary expression, not a dotted property reference. */
2797 /* Walk back up the list, emitting annotated name ops. */
2801 }
2803 /* Special case deoptimization on __proto__, as above. */
2809 }
2811 /* Reverse the pn_expr link again. */
2819 }
2824 }
2827 }
2829 static JSBool
2831 {
2834 jsint slot;
2838 /* Left-associative operator chain to avoid too much recursion. */
2846 /*
2847 * Try to optimize arguments[0][j]... into JSOP_ARGSUB<0> followed by
2848 * one or more index expression and JSOP_GETELEM op pairs.
2849 */
2856 /*
2857 * arguments[i]() requires arguments object as "this".
2858 * Check that we never generates list for that usage.
2859 */
2865 }
2866 }
2868 /*
2869 * Check whether we generated JSOP_ARGSUB, just above, and have only
2870 * one more index expression to emit. Given arguments[0][j], we must
2871 * skip the while loop altogether, falling through to emit code for j
2872 * (in the subtree referenced by right), followed by the annotated op,
2873 * at the bottom of this function.
2874 */
2879 }
2888 }
2891 /*
2892 * Set left and right so pn appears to be a TOK_LB node, instead
2893 * of a TOK_DOT node. See the TOK_FOR/IN case in js_EmitTree, and
2894 * EmitDestructuringOps nearer below. In the destructuring case,
2895 * the base expression (pn_expr) of the name may be null, which
2896 * means we have to emit a JSOP_BINDNAME.
2897 */
2906 }
2911 ? JSOP_QNAMEPART
2920 }
2922 /* Try to optimize arguments[0] (e.g.) into JSOP_ARGSUB<0>. */
2934 }
2935 }
2939 }
2941 /* The right side of the descendant operator is implicitly quoted. */
2949 }
2951 static JSBool
2953 {
2954 jsint ival;
2955 uint32 u;
2984 }
2986 }
2996 }
2998 static JSBool
3001 {
3002 JSOp switchOp;
3008 jsdouble d;
3010 jsval v;
3013 intN noteIndex;
3016 #if JS_HAS_BLOCK_SCOPE
3017 jsint count;
3018 #endif
3020 /* Try for most optimal, fall back if not dense ints, and per ECMAv2. */
3026 /*
3027 * If the switch contains let variables scoped by its body, model the
3028 * resulting block on the stack first, before emitting the discriminant's
3029 * bytecode (in case the discriminant contains a stack-model dependency
3030 * such as a let expression).
3031 */
3033 #if JS_HAS_BLOCK_SCOPE
3035 /*
3036 * Push the body's block scope before discriminant code-gen for proper
3037 * static block scope linkage in case the discriminant contains a let
3038 * expression. The block's locals must lie under the discriminant on
3039 * the stack so that case-dispatch bytecodes can find the discriminant
3040 * on top of stack.
3041 */
3046 /* Emit JSOP_ENTERBLOCK before code to evaluate the discriminant. */
3050 /*
3051 * Pop the switch's statement info around discriminant code-gen. Note
3052 * how this leaves cg->blockChain referencing the switch's
3053 * block scope object, which is necessary for correct block parenting
3054 * in the case where the discriminant contains a let expression.
3055 */
3058 }
3059 #ifdef __GNUC__
3062 }
3063 #endif
3064 #endif
3066 /*
3067 * Emit code for the discriminant first (or nearly first, in the case of a
3068 * switch whose body is a block scope).
3069 */
3073 /* Switch bytecodes run from here till end of final case. */
3075 #if !JS_HAS_BLOCK_SCOPE
3077 #else
3081 /* Re-push the switch's statement info record. */
3084 /* Set the statement info record's idea of top. */
3087 /* Advance pn2 to refer to the switch case list. */
3089 }
3090 #endif
3103 #define INTMAP_LENGTH 256
3116 }
3135 }
3137 }
3149 /*
3150 * XXX JSOP_LOOKUPSWITCH does not support const-
3151 * propagated object values, see bug 407186.
3152 */
3155 }
3159 }
3160 }
3161 /* FALL THROUGH */
3166 }
3170 }
3174 }
3175 /* FALL THROUGH */
3179 }
3188 }
3193 }
3199 /*
3200 * Check for duplicates, which require a JSOP_LOOKUPSWITCH.
3201 * We bias i by 65536 if it's negative, and hope that's a rare
3202 * case (because it requires a malloc'd bitmap).
3203 */
3212 /* Just grab 8K for the worst-case bitmap. */
3220 }
3221 }
3223 }
3227 }
3229 }
3231 release:
3237 /*
3238 * Compute table length and select lookup instead if overlarge or
3239 * more than half-sparse.
3240 */
3246 /*
3247 * Lookup switch supports only atom indexes below 64K limit.
3248 * Conservatively estimate the maximum possible index during
3249 * switch generation and use conditional switch if it exceeds
3250 * the limit.
3251 */
3254 }
3255 }
3257 /*
3258 * Emit a note with two offsets: first tells total switch code length,
3259 * second tells offset to first JSOP_CASE if condswitch.
3260 */
3266 /*
3267 * 0 bytes of immediate for unoptimized ECMAv2 switch.
3268 */
3271 /*
3272 * 3 offsets (len, low, high) before the table, 1 per entry.
3273 */
3276 /*
3277 * JSOP_LOOKUPSWITCH:
3278 * 1 offset (len) and 1 atom index (npairs) before the table,
3279 * 1 atom index and 1 jump offset per entry.
3280 */
3283 }
3285 /*
3286 * Emit switchOp followed by switchSize bytes of jump or lookup table.
3287 *
3288 * If switchOp is JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH, it is crucial
3289 * to emit the immediate operand(s) by which bytecode readers such as
3290 * BuildSpanDepTable discover the length of the switch opcode *before*
3291 * calling js_SetJumpOffset (which may call BuildSpanDepTable). It's
3292 * also important to zero all unknown jump offset immediate operands,
3293 * so they can be converted to span dependencies with null targets to
3294 * be computed later (js_EmitN zeros switchSize bytes after switchOp).
3295 */
3304 /* Emit code for evaluating cases and jumping to case statements. */
3310 /* off is the previous JSOP_CASE's bytecode offset. */
3314 }
3315 }
3319 }
3330 /* Switch note's second offset is to first JSOP_CASE. */
3335 }
3340 }
3341 }
3343 /*
3344 * If we didn't have an explicit default (which could fall in between
3345 * cases, preventing us from fusing this js_SetSrcNoteOffset with the
3346 * call in the loop above), link the last case to the implicit default
3347 * for the decompiler.
3348 */
3354 }
3356 /* Emit default even if no explicit default statement. */
3364 /* Fill in switch bounds, which we know fit in 16-bit offsets. */
3370 /*
3371 * Use malloc to avoid arena bloat for programs with many switches.
3372 * We free table if non-null at label out, so all control flow must
3373 * exit this function through goto out or goto bad.
3374 */
3388 }
3389 }
3393 /* Fill in the number of cases. */
3396 }
3398 /*
3399 * After this point, all control flow involving JSOP_TABLESWITCH
3400 * must set ok and goto out to exit this function. To keep things
3401 * simple, all switchOp cases exit that way.
3402 */
3405 /*
3406 * We have already generated at least one big jump so we must
3407 * explicitly add span dependencies for the switch jumps. When
3408 * called below, js_SetJumpOffset can only do it when patching
3409 * the first big jump or when cg->spanDeps is null.
3410 */
3413 }
3416 /*
3417 * Skip switchOp, as we are not setting jump offsets in the two
3418 * for loops below. We'll restore CG_NEXT(cg) from savepc after,
3419 * unless there was an error.
3420 */
3429 /* Note a propagated constant with the const's name. */
3438 }
3439 }
3441 }
3446 /* Note a propagated constant with the const's name. */
3455 }
3456 }
3458 }
3459 }
3461 }
3462 }
3464 /* Emit code for each case's statements, copying pn_offset up to pn3. */
3475 }
3478 /* If no default case, offset for default is to end of switch. */
3480 }
3482 /* We better have set "off" by now. */
3485 /* Set the default offset (to end of switch if no default). */
3499 }
3501 /* Set the SRC_SWITCH note's offset operand to tell end of switch. */
3508 /* Skip over the already-initialized switch bounds. */
3511 /* Fill in the jump table, if there is one. */
3519 }
3521 /* Skip over the already-initialized number of cases. */
3540 }
3541 }
3543 out:
3549 #if JS_HAS_BLOCK_SCOPE
3552 #endif
3553 }
3556 bad:
3559 }
3561 JSBool
3563 {
3565 /* JSOP_GENERATOR must be the first instruction. */
3572 /*
3573 * Emit a trace hint opcode only if not in a generator, since generators
3574 * are not yet traced and both want to be the first instruction.
3575 */
3578 }
3583 }
3588 }
3590 /* A macro for inlining at the top of js_EmitTree (whence it came). */
3591 #define UPDATE_LINE_NUMBER_NOTES(cx, cg, line) \
3592 JS_BEGIN_MACRO \
3593 uintN line_ = (line); \
3594 uintN delta_ = line_ - CG_CURRENT_LINE(cg); \
3595 if (delta_ != 0) { \
3596 /* \
3597 * Encode any change in the current source line number by using \
3598 * either several SRC_NEWLINE notes or just one SRC_SETLINE note, \
3599 * whichever consumes less space. \
3600 * \
3601 * NB: We handle backward line number deltas (possible with for \
3602 * loops where the update part is emitted after the body, but its \
3603 * line number is <= any line number in the body) here by letting \
3604 * unsigned delta_ wrap to a very large number, which triggers a \
3605 * SRC_SETLINE. \
3607 CG_CURRENT_LINE(cg) = line_; \
3608 if (delta_ >= (uintN)(2 + ((line_ > SN_3BYTE_OFFSET_MASK)<<1))) { \
3609 if (js_NewSrcNote2(cx, cg, SRC_SETLINE, (ptrdiff_t)line_) < 0)\
3610 return JS_FALSE; \
3611 } else { \
3612 do { \
3613 if (js_NewSrcNote(cx, cg, SRC_NEWLINE) < 0) \
3614 return JS_FALSE; \
3615 } while (--delta_ != 0); \
3616 } \
3617 } \
3618 JS_END_MACRO
3620 /* A function, so that we avoid macro-bloating all the other callsites. */
3621 static JSBool
3623 {
3626 }
3628 static JSBool
3631 {
3632 jsatomid atomIndex;
3642 }
3651 }
3656 }
3658 #if JS_HAS_DESTRUCTURING
3660 typedef JSBool
3664 static JSBool
3667 {
3674 }
3676 static JSBool
3679 {
3681 DestructuringDeclEmitter emitter;
3688 ? EmitDestructuringDecl
3692 }
3698 ? EmitDestructuringDecl
3702 }
3703 }
3705 }
3707 static JSBool
3710 static JSBool
3712 {
3713 jsuint slot;
3715 /*
3716 * Now emit the lvalue opcode sequence. If the lvalue is a nested
3717 * destructuring initialiser-form, call ourselves to handle it, then
3718 * pop the matched value. Otherwise emit an lvalue bytecode sequence
3719 * ending with a JSOP_ENUMELEM or equivalent op.
3720 */
3732 }
3736 /*
3737 * NB: pn is a PN_NAME node, not a PN_BINARY. Nevertheless,
3738 * we want to emit JSOP_ENUMELEM, which has format JOF_ELEM.
3739 * So here and for JSOP_ENUMCONSTELEM, we use EmitElemOp.
3740 */
3764 {
3775 }
3779 }
3780 }
3783 }
3785 /*
3786 * Recursive helper for EmitDestructuringOps.
3787 *
3788 * Given a value to destructure on the stack, walk over an object or array
3789 * initialiser at pn, emitting bytecodes to match property values and store
3790 * them in the lvalues identified by the matched property names.
3791 */
3792 static JSBool
3794 {
3795 jsuint index;
3797 JSBool doElemOp;
3799 #ifdef DEBUG
3804 #endif
3807 /* Emit a DUP;POP sequence for the decompiler. */
3810 }
3814 /*
3815 * Duplicate the value being destructured to use as a reference base.
3816 * If dup is not the first one, annotate it for the decompiler.
3817 */
3823 /*
3824 * Now push the property name currently being matched, which is either
3825 * the array initialiser's current index, or the current property name
3826 * "label" on the left of a colon in the object initialiser. Set pn3
3827 * to the lvalue node, which is in the value-initializing position.
3828 */
3839 /*
3840 * If we are emitting an object destructuring initialiser,
3841 * annotate the index op with SRC_INITPROP so we know we are
3842 * not decompiling an array initialiser.
3843 */
3854 }
3856 }
3859 /*
3860 * Ok, get the value of the matching property name. This leaves
3861 * that value on top of the value being destructured, so the stack
3862 * is one deeper than when we started.
3863 */
3867 }
3869 /* Nullary comma node makes a hole in the array destructurer. */
3878 }
3882 }
3885 }
3887 static ptrdiff_t
3889 {
3899 }
3900 }
3902 static JSBool
3905 {
3906 /*
3907 * If we're called from a variable declaration, help the decompiler by
3908 * annotating the first JSOP_DUP that EmitDestructuringOpsHelper emits.
3909 * If the destructuring initialiser is empty, our helper will emit a
3910 * JSOP_DUP followed by a JSOP_POP for the decompiler.
3911 */
3915 /*
3916 * Call our recursive helper to emit the destructuring assignments and
3917 * related stack manipulations.
3918 */
3920 }
3922 static JSBool
3925 {
3934 }
3936 /* MaybeEmitGroupAssignment won't call us if rhs is holey. */
3941 }
3948 /* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
3961 }
3962 }
3968 }
3970 /*
3971 * Helper called with pop out param initialized to a JSOP_POP* opcode. If we
3972 * can emit a group assignment sequence, which results in 0 stack depth delta,
3973 * we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
3974 */
3975 static JSBool
3978 {
3991 }
3993 }
3997 static JSBool
4000 {
4002 #if JS_HAS_BLOCK_SCOPE
4005 #endif
4008 JSOp op;
4009 jsatomid atomIndex;
4010 uintN oldflags;
4012 /* Default in case of JS_HAS_BLOCK_SCOPE early return, below. */
4015 /*
4016 * Let blocks and expressions have a parenthesized head in which the new
4017 * scope is not yet open. Initializer evaluation uses the parent node's
4018 * lexical scope. If popScope is true below, then we hide the top lexical
4019 * block from any calls to BindNameToSlot hiding in pn2->pn_expr so that
4020 * it won't find any names in the new let block.
4021 *
4022 * The same goes for let declarations in the head of any kind of for loop.
4023 * Unlike a let declaration 'let x = i' within a block, where x is hoisted
4024 * to the start of the block, a 'for (let x = i...) ...' loop evaluates i
4025 * in the containing scope, and puts x in the loop body's scope.
4026 */
4029 #if JS_HAS_BLOCK_SCOPE
4035 }
4036 # ifdef __GNUC__
4038 # endif
4040 #endif
4048 #if JS_HAS_DESTRUCTURING
4050 /*
4051 * Emit variable binding ops, but not destructuring ops.
4052 * The parser (see Variables, jsparse.c) has ensured that
4053 * our caller will be the TOK_FOR/TOK_IN case in js_EmitTree,
4054 * and that case will emit the destructuring code only after
4055 * emitting an enumerating opcode and a branch that tests
4056 * whether the enumeration ended.
4057 */
4063 }
4064 #endif
4066 /*
4067 * A destructuring initialiser assignment preceded by var will
4068 * never occur to the left of 'in' in a for-in loop. As with 'for
4069 * (var x = i in o)...', this will cause the entire 'var [a, b] =
4070 * i' to be hoisted out of the loop.
4071 */
4075 /*
4076 * To allow the front end to rewrite var f = x; as f = x; when a
4077 * function f(){} precedes the var, detect simple name assignment
4078 * here and initialize the name.
4079 */
4080 #if !JS_HAS_DESTRUCTURING
4082 #else
4084 #endif
4085 {
4089 }
4091 #if JS_HAS_DESTRUCTURING
4093 /*
4094 * If this is the only destructuring assignment in the list,
4095 * try to optimize to a group assignment. If we're in a let
4096 * head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
4097 * in pn->pn_op, to suppress a second (and misplaced) 'let'.
4098 */
4105 }
4109 }
4110 }
4119 /*
4120 * Veto pn->pn_op if inLetHead to avoid emitting a SRC_DESTRUCT
4121 * that's redundant with respect to the SRC_DECL/SRC_DECL_LET that
4122 * we will emit at the bottom of this function.
4123 */
4126 pn3)) {
4128 }
4130 #endif
4131 }
4133 /*
4134 * Load initializer early to share code above that jumps to do_name.
4135 * NB: if this var redeclares an existing binding, then pn2 is linked
4136 * on its definition's use-chain and pn_expr has been overlayed with
4137 * pn_lexdef.
4138 */
4141 do_name:
4147 /* JSOP_ARGUMENTS => no initializer */
4150 #ifdef __GNUC__
4152 #endif
4164 }
4168 }
4170 #if JS_HAS_BLOCK_SCOPE
4171 /* Evaluate expr in the outer lexical scope if requested. */
4175 }
4176 #endif
4184 #if JS_HAS_BLOCK_SCOPE
4188 }
4189 #endif
4190 }
4191 }
4193 /*
4194 * The parser rewrites 'for (var x = i in o)' to hoist 'var x = i' --
4195 * likewise 'for (let x = i in o)' becomes 'i; for (let x in o)' using
4196 * a TOK_SEQ node to make the two statements appear as one. Therefore
4197 * if this declaration is part of a for-in loop head, we do not need to
4198 * emit op or any source note. Our caller, the TOK_FOR/TOK_IN case in
4199 * js_EmitTree, will annotate appropriately.
4200 */
4206 }
4212 ? SRC_DECL_CONST
4214 ? SRC_DECL_VAR
4217 }
4225 }
4227 #if JS_HAS_DESTRUCTURING
4228 emit_note_pop:
4229 #endif
4234 }
4241 }
4243 /* If this is a let head, emit and return a srcnote on the pop. */
4250 }
4253 }
4255 #if defined DEBUG_brendan || defined DEBUG_mrbkap
4256 static JSBool
4258 {
4269 }
4271 }
4272 #endif
4274 /* Top-level named functions need a nop for decompilation. */
4275 static JSBool
4277 {
4280 }
4282 static bool
4284 {
4287 #if JS_HAS_SHARP_VARS
4295 }
4296 #endif
4298 }
4300 static bool
4302 {
4303 #if JS_HAS_SHARP_VARS
4304 /* Emit an op for sharp array cleanup and decompilation. */
4307 #endif
4309 }
4311 /* See the SRC_FOR source note offsetBias comments later in this file. */
4315 JSBool
4317 {
4324 jsatomid atomIndex;
4325 uintN index;
4327 JSSrcNoteType noteType;
4329 JSOp op;
4330 TokenKind type;
4331 uint32 argc;
4332 #if JS_HAS_SHARP_VARS
4333 jsint sharpnum;
4334 #endif
4342 /* Emit notes to tell the current bytecode's source line number. */
4347 {
4349 uintN slot;
4351 #if JS_HAS_XML_SUPPORT
4356 }
4357 #endif
4362 /*
4363 * This second pass is needed to emit JSOP_NOP with a source note
4364 * for the already-emitted function definition prolog opcode. See
4365 * comments in the TOK_LC case.
4366 */
4372 }
4382 /* Generate code for the function's body. */
4389 }
4399 #if JS_HAS_SHARP_VARS
4404 }
4405 #endif
4410 /*
4411 * jsparse.cpp:SetStaticLevel limited static nesting depth to fit in 16
4412 * bits and to reserve the all-ones value, thereby reserving the magic
4413 * FREE_UPVAR_COOKIE value. Note the cg2->staticLevel assignment below.
4414 */
4418 /* We measured the max scope depth when we parsed the function. */
4429 /* Make the function object a literal in the outer script's pool. */
4432 /* Emit a bytecode pointing to the closure object in its immediate. */
4438 }
4441 }
4443 /*
4444 * For a script we emit the code as we parse. Thus the bytecode for
4445 * top-level functions should go in the prolog to predefine their
4446 * names in the variable object before the already-generated main code
4447 * is executed. This extra work for top-level scripts is not necessary
4448 * when we emit the code for a function. It is fully parsed prior to
4449 * invocation of the emitter and calls to js_EmitTree for function
4450 * definitions can be scheduled before generating the rest of code.
4451 */
4459 /* Emit NOP for the decompiler. */
4463 #ifdef DEBUG
4464 JSLocalKind localKind =
4465 #endif
4473 }
4475 }
4489 /* Initialize so we can detect else-if chains and avoid recursion. */
4494 if_again:
4495 /* Emit code for the condition before pushing stmtInfo. */
4502 /*
4503 * We came here from the goto further below that detects else-if
4504 * chains, so we must mutate stmtInfo back into a STMT_IF record.
4505 * Also (see below for why) we need a note offset for SRC_IF_ELSE
4506 * to help the decompiler. Actually, we need two offsets, one for
4507 * decompiling any else clause and the second for decompiling an
4508 * else-if chain without bracing, overindenting, or incorrectly
4509 * scoping let declarations.
4510 */
4518 }
4520 /* Emit an annotated branch-if-false around the then part. */
4529 /* Emit code for the then and optional else parts. */
4533 /* Modify stmtInfo so we know we're in the else part. */
4536 /*
4537 * Emit a JSOP_BACKPATCH op to jump from the end of our then part
4538 * around the else part. The js_PopStatementCG call at the bottom
4539 * of this switch case will fix up the backpatch chain linked from
4540 * stmtInfo.breaks.
4541 */
4546 /* Ensure the branch-if-false comes here, then emit the else. */
4551 }
4556 /*
4557 * Annotate SRC_IF_ELSE with the offset from branch to jump, for
4558 * the decompiler's benefit. We can't just "back up" from the pc
4559 * of the else clause, because we don't know whether an extended
4560 * jump was required to leap from the end of the then clause over
4561 * the else clause.
4562 */
4566 /* No else part, fixup the branch-if-false to come here. */
4568 }
4573 /* Out of line to avoid bloating js_EmitTree's stack frame size. */
4578 /*
4579 * Minimize bytecodes issued for one or more iterations by jumping to
4580 * the condition below the body and closing the loop if the condition
4581 * is true with a backward branch. For iteration count i:
4582 *
4583 * i test at the top test at the bottom
4584 * = =============== ==================
4585 * 0 ifeq-pass goto; ifne-fail
4586 * 1 ifeq-fail; goto; ifne-pass goto; ifne-pass; ifne-fail
4587 * 2 2*(ifeq-fail; goto); ifeq-pass goto; 2*ifne-pass; ifne-fail
4588 * . . .
4589 * N N*(ifeq-fail; goto); ifeq-pass goto; N*ifne-pass; ifne-fail
4590 *
4591 * SpiderMonkey, pre-mozilla.org, emitted while parsing and so used
4592 * test at the top. When JSParseNode trees were added during the ES3
4593 * work (1998-9), the code generation scheme was not optimized, and
4594 * the decompiler continued to take advantage of the branch and jump
4595 * that bracketed the body. But given the SRC_WHILE note, it is easy
4596 * to support the more efficient scheme.
4597 */
4622 /* Emit an annotated nop so we know to decompile a 'do' keyword. */
4627 /* Compile the loop body. */
4635 /* Set loop and enclosing label update offsets, for continue. */
4641 /* Compile the loop condition, now that continues know where to go. */
4645 /*
4646 * Since we use JSOP_IFNE for other purposes as well as for do-while
4647 * loops, we must store 1 + (beq - top) in the SRC_WHILE note offset,
4648 * and the decompiler must get that delta and decompile recursively.
4649 */
4665 /* Set stmtInfo type for later testing. */
4668 /*
4669 * If the left part is 'var x', emit code to define x if necessary
4670 * using a prolog opcode, but do not emit a pop. If the left part
4671 * is 'var x = i', emit prolog code to define x if necessary; then
4672 * emit code to evaluate i, assign the result to x, and pop the
4673 * result off the stack.
4674 *
4675 * All the logic to do this is implemented in the outer switch's
4676 * TOK_VAR case, conditioned on pn_xflags flags set by the parser.
4677 *
4678 * In the 'for (var x = i in o) ...' case, the js_EmitTree(...pn3)
4679 * called here will generate the proper note for the assignment
4680 * op that sets x = i, hoisting the initialized var declaration
4681 * out of the loop: 'var x = i; for (x in o) ...'.
4682 *
4683 * In the 'for (var x in o) ...' case, nothing but the prolog op
4684 * (if needed) should be generated here, we must emit the note
4685 * just before the JSOP_FOR* opcode in the switch on pn3->pn_type
4686 * a bit below, so nothing is hoisted: 'for (var x in o) ...'.
4687 *
4688 * A 'for (let x = i in o)' loop must not be hoisted, since in
4689 * this form the let variable is scoped by the loop body (but not
4690 * the head). The initializer expression i must be evaluated for
4691 * any side effects. So we hoist only i in the let case.
4692 */
4700 /* Compile the object expression to the right of 'in'. */
4704 /*
4705 * Emit a bytecode to convert top of stack value to the iterator
4706 * object depending on the loop variant (for-in, for-each-in, or
4707 * destructuring for-in).
4708 */
4713 /* Annotate so the decompiler can find the loop-closing jump. */
4718 /*
4719 * Jump down to the loop condition to minimize overhead assuming at
4720 * least one iteration, as the other loop forms do.
4721 */
4731 #ifdef DEBUG
4733 #endif
4735 /*
4736 * Compile a JSOP_FOR* bytecode based on the left hand side.
4737 *
4738 * Initialize op to JSOP_SETNAME in case of |for ([a, b] in o)...|
4739 * or similar, to signify assignment, rather than declaration, to
4740 * the decompiler. EmitDestructuringOps takes a prolog bytecode
4741 * parameter and emits the appropriate source note, defaulting to
4742 * assignment, so JSOP_SETNAME is not critical here; many similar
4743 * ops could be used -- just not JSOP_NOP (which means 'let').
4744 */
4747 #if JS_HAS_BLOCK_SCOPE
4749 #endif
4753 #if JS_HAS_DESTRUCTURING
4757 }
4761 }
4762 #else
4764 #endif
4765 /* FALL THROUGH */
4768 /*
4769 * Always annotate JSOP_FORLOCAL if given input of the form
4770 * 'for (let x in * o)' -- the decompiler must not hoist the
4771 * 'let x' out of the loop head, or x will be bound in the
4772 * wrong scope. Likewise, but in this case only for the sake
4773 * of higher decompilation fidelity only, do not hoist 'var x'
4774 * when given 'for (var x in o)'.
4775 */
4777 #if JS_HAS_BLOCK_SCOPE
4779 #endif
4783 ? SRC_DECL_VAR
4786 }
4797 }
4803 }
4806 JSMSG_BAD_FOR_LEFTSIDE);
4808 }
4815 }
4819 /*
4820 * 'for (o.p in q)' can use JSOP_FORPROP only if evaluating 'o'
4821 * has no side effects.
4822 */
4830 }
4831 /* FALL THROUGH */
4833 #if JS_HAS_DESTRUCTURING
4834 destructuring_for:
4835 #endif
4841 #if JS_HAS_DESTRUCTURING
4848 #endif
4856 #if JS_HAS_XML_SUPPORT
4864 #endif
4868 }
4870 /* The stack should be balanced around the JSOP_FOR* opcode sequence. */
4873 /* Set the first srcnote offset so we can find the start of the loop body. */
4877 /* Emit code for the loop body. */
4881 /* Set loop and enclosing "update" offsets, for continue. */
4887 /*
4888 * Fixup the goto that starts the loop to jump down to JSOP_NEXTITER.
4889 */
4897 /* Set the second srcnote offset so we can find the closing jump. */
4901 /* C-style for (init; cond; update) ... loop. */
4905 /* No initializer: emit an annotated nop for the decompiler. */
4909 #if JS_HAS_DESTRUCTURING
4913 }
4914 #endif
4919 /*
4920 * Check whether a destructuring-initialized var decl
4921 * was optimized to a group assignment. If so, we do
4922 * not need to emit a pop below, so switch to a nop,
4923 * just for the decompiler.
4924 */
4928 }
4929 }
4931 }
4933 /*
4934 * NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
4935 * Use tmp to hold the biased srcnote "top" offset, which differs
4936 * from the top local variable by the length of the JSOP_GOTO{,X}
4937 * emitted in between tmp and top if this loop has a condition.
4938 */
4945 /* Goto the loop condition, which branches back to iterate. */
4949 }
4954 /* Emit code for the loop body. */
4960 /* Set the second note offset so we can find the update part. */
4965 }
4967 /* Set loop and enclosing "update" offsets, for continue. */
4973 /* Check for update code to do before the condition (if any). */
4977 #if JS_HAS_DESTRUCTURING
4981 }
4982 #endif
4986 /* Always emit the POP or NOP, to help the decompiler. */
4990 /* Restore the absolute line number for source note readers. */
4996 }
4997 }
4999 /* Set the first note offset so we can find the loop condition. */
5003 }
5006 /* Fix up the goto from top to target the loop condition. */
5012 }
5014 /* The third note offset helps us find the loop-closing jump. */
5018 }
5025 /* No loop condition -- emit the loop-closing jump. */
5029 }
5030 }
5032 /* Now fixup all breaks and continues (before for/in's JSOP_ENDITER). */
5037 /*
5038 * JSOP_ENDITER must have a slot to save an exception thrown from
5039 * the body of for-in loop when closing the iterator object, and
5040 * fortunately it does: the slot that was set by JSOP_NEXTITER to
5041 * the return value of iterator.next().
5042 */
5047 }
5048 }
5066 }
5076 /* Find the loop statement enclosed by the matching label. */
5085 }
5093 }
5113 {
5115 intN depth;
5120 /*
5121 * Push stmtInfo to track jumps-over-catches and gosubs-to-finally
5122 * for later fixup.
5123 *
5124 * When a finally block is active (STMT_FINALLY in our tree context),
5125 * non-local jumps (including jumps-over-catches) result in a GOSUB
5126 * being written into the bytecode stream and fixed-up later (c.f.
5127 * EmitBackPatchOp and BackPatch).
5128 */
5133 /*
5134 * Since an exception can be thrown at any place inside the try block,
5135 * we need to restore the stack and the scope chain before we transfer
5136 * the control to the exception handler.
5137 *
5138 * For that we store in a try note associated with the catch or
5139 * finally block the stack depth upon the try entry. The interpreter
5140 * uses this depth to properly unwind the stack and the scope chain.
5141 */
5144 /* Mark try location for decompilation, then emit try block. */
5152 /* GOSUB to finally, if present. */
5159 }
5161 /* Emit (hidden) jump over catch and/or finally. */
5170 /* If this try has a catch block, emit it. */
5176 /*
5177 * The emitted code for a catch block looks like:
5178 *
5179 * [throwing] only if 2nd+ catch block
5180 * [leaveblock] only if 2nd+ catch block
5181 * enterblock with SRC_CATCH
5182 * exception
5183 * [dup] only if catchguard
5184 * setlocalpop <slot> or destructuring code
5185 * [< catchguard code >] if there's a catchguard
5186 * [ifeq <offset to next catch block>] " "
5187 * [pop] only if catchguard
5188 * < catch block contents >
5189 * leaveblock
5190 * goto <end of catch blocks> non-local; finally applies
5191 *
5192 * If there's no catch block without a catchguard, the last
5193 * <offset to next catch block> points to rethrow code. This
5194 * code will [gosub] to the finally code if appropriate, and is
5195 * also used for the catch-all trynote for capturing exceptions
5196 * thrown from catch{} blocks.
5197 */
5204 /* Fix up and clean up previous catch block. */
5207 /*
5208 * Account for JSOP_ENTERBLOCK (whose block object count
5209 * is saved below) and pushed exception object that we
5210 * still have after the jumping from the previous guard.
5211 */
5214 /*
5215 * Move exception back to cx->exception to prepare for
5216 * the next catch. We hide [throwing] from the decompiler
5217 * since it compensates for the hidden JSOP_DUP at the
5218 * start of the previous guarded catch.
5219 */
5223 }
5228 }
5230 /*
5231 * Annotate the JSOP_ENTERBLOCK that's about to be generated
5232 * by the call to js_EmitTree immediately below. Save this
5233 * source note's index in stmtInfo for use by the TOK_CATCH:
5234 * case, where the length of the catch guard is set as the
5235 * note's offset.
5236 */
5242 /*
5243 * Emit the lexical scope and catch body. Save the catch's
5244 * block object population via count, for use when targeting
5245 * guardJump at the next catch (the guard mismatch case).
5246 */
5252 /* gosub <finally>, if required */
5259 }
5261 /*
5262 * Jump over the remaining catch blocks. This will get fixed
5263 * up to jump to after catch/finally.
5264 */
5271 /*
5272 * Save a pointer to the last catch node to handle try-finally
5273 * and try-catch(guard)-finally special cases.
5274 */
5276 }
5277 }
5279 /*
5280 * Last catch guard jumps to the rethrow code sequence if none of the
5281 * guards match. Target guardJump at the beginning of the rethrow
5282 * sequence, just in case a guard expression throws and leaves the
5283 * stack unbalanced.
5284 */
5288 /* Sync the stack to take into account pushed exception. */
5292 /*
5293 * Rethrow the exception, delegating executing of finally if any
5294 * to the exception handler.
5295 */
5299 }
5300 }
5304 /* Emit finally handler if any. */
5307 /*
5308 * Fix up the gosubs that might have been emitted before non-local
5309 * jumps to the finally code.
5310 */
5316 /* Indicate that we're emitting a subroutine body. */
5324 }
5326 }
5333 }
5335 /* Fix up the end-of-try/catch jumps to come here. */
5339 /*
5340 * Add the try note last, to let post-order give us the right ordering
5341 * (first to last for a given nesting level, inner to outer by level).
5342 */
5346 }
5348 /*
5349 * If we've got a finally, mark try+catch region with additional
5350 * trynote to catch exceptions (re)thrown from a catch block or
5351 * for the try{}finally{} case.
5352 */
5356 }
5358 }
5361 {
5365 /*
5366 * Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
5367 * and save the block object atom.
5368 */
5375 /* Go up one statement info record to the TRY or FINALLY record. */
5379 /* Pick up the pending exception and bind it to the catch variable. */
5383 /*
5384 * Dup the exception object if there is a guard for rethrowing to use
5385 * it later when rethrowing or in other catches.
5386 */
5392 #if JS_HAS_DESTRUCTURING
5400 #endif
5403 /* Inline and specialize BindNameToSlot for pn2. */
5410 }
5412 /* Emit the guard expression, if there is one. */
5419 }
5420 /* ifeq <next block> */
5426 /* Pop duplicated exception object as we no longer need it. */
5429 }
5431 /* Emit the catch body. */
5435 /*
5436 * Annotate the JSOP_LEAVEBLOCK that will be emitted as we unwind via
5437 * our TOK_LEXICALSCOPE parent, so the decompiler knows to pop.
5438 */
5443 }
5451 /* Push a return value */
5459 }
5461 /*
5462 * EmitNonLocalJumpFixup may add fixup bytecode to close open try
5463 * blocks having finally clauses and to exit intermingled let blocks.
5464 * We can't simply transfer control flow to our caller in that case,
5465 * because we must gosub to those finally clauses from inner to outer,
5466 * with the correct stack pointer (i.e., after popping any with,
5467 * for/in, etc., slots nested inside the finally's try).
5468 *
5469 * In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
5470 * extra JSOP_RETRVAL after the fixups.
5471 */
5481 }
5484 #if JS_HAS_GENERATORS
5488 JSMSG_BAD_RETURN_OR_YIELD,
5489 js_yield_str);
5491 }
5498 }
5504 #endif
5507 {
5508 #if JS_HAS_XML_SUPPORT
5515 }
5516 #endif
5526 }
5532 /*
5533 * This block contains top-level function definitions. To ensure
5534 * that we emit the bytecode defining them before the rest of code
5535 * in the block we use a separate pass over functions. During the
5536 * main pass later the emitter will add JSOP_NOP with source notes
5537 * for the function to preserve the original functions position
5538 * when decompiling.
5539 *
5540 * Currently this is used only for functions, as compile-as-we go
5541 * mode for scripts does not allow separate emitter passes.
5542 */
5545 /*
5546 * Assign the destructuring arguments before defining any
5547 * functions, see bug 419662.
5548 */
5554 }
5562 /*
5563 * JSOP_DEFFUN in a top-level block with function
5564 * definitions appears, for example, when "if (true)"
5565 * is optimized away from "if (true) function x() {}".
5566 * See bug 428424.
5567 */
5569 }
5570 }
5571 }
5572 }
5576 }
5582 }
5586 }
5594 }
5601 /*
5602 * Top-level or called-from-a-native JS_Execute/EvaluateScript,
5603 * debugger, and eval frames may need the value of the ultimate
5604 * expression statement as the script's result, despite the fact
5605 * that it appears useless to the compiler.
5606 *
5607 * API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
5608 * calling JS_Compile* to suppress JSOP_POPV.
5609 */
5614 }
5616 /*
5617 * Don't eliminate apparently useless expressions if they are
5618 * labeled expression statements. The tc->topStmt->update test
5619 * catches the case where we are nesting in js_EmitTree for a
5620 * labeled compound statement.
5621 */
5629 JSMSG_USELESS_EXPR)) {
5631 }
5634 #if JS_HAS_DESTRUCTURING
5639 }
5640 #endif
5642 /*
5643 * Specialize JSOP_SETPROP to JSOP_SETMETHOD to defer or
5644 * avoid null closure cloning. Do this only for assignment
5645 * statements that are not completion values wanted by a
5646 * script evaluator, to ensure that the joined function
5647 * can't escape directly.
5648 */
5656 }
5661 }
5662 }
5663 }
5667 /* Emit an annotated nop so we know to decompile a label. */
5676 ? SRC_LABELBRACE
5683 }
5685 /* Emit code for the labeled statement. */
5693 /* If the statement was compound, emit a note for the end brace. */
5698 }
5699 }
5703 /*
5704 * Emit SRC_PCDELTA notes on each JSOP_POP between comma operands.
5705 * These notes help the decompiler bracket the bytecodes generated
5706 * from each sub-expression that follows a comma.
5707 */
5716 }
5724 }
5725 }
5729 /*
5730 * Check left operand type and generate specialized code for it.
5731 * Specialize to avoid ECMA "reference type" values on the operand
5732 * stack, which impose pervasive runtime "GetValue" costs.
5733 */
5749 }
5766 #if JS_HAS_DESTRUCTURING
5770 #endif
5775 #if JS_HAS_XML_SUPPORT
5783 #endif
5786 }
5798 }
5806 ? JSOP_GETGVAR
5808 ? JSOP_GETARG
5810 atomIndex);
5811 }
5826 }
5830 #if JS_HAS_XML_SUPPORT
5832 #endif
5839 }
5840 }
5842 /* Now emit the right operand (it may affect the namespace). */
5846 /* If += etc., emit the binary operator with a decompiler note. */
5848 /*
5849 * Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
5850 * declared in the current compilation unit, as in this case (just
5851 * a bit further below) we will avoid emitting the assignment op.
5852 */
5856 }
5859 }
5861 /* Left parts such as a.b.c and a[b].c need a decompiler note. */
5863 #if JS_HAS_DESTRUCTURING
5866 #endif
5869 }
5871 /* Finally, emit the specialized assignment bytecode. */
5876 /* FALL THROUGH */
5885 #if JS_HAS_DESTRUCTURING
5891 #endif
5892 #if JS_HAS_XML_SUPPORT
5897 #endif
5900 }
5904 /* Emit the condition, then branch if false to the else part. */
5914 /* Jump around else, fixup the branch, emit else, fixup jump. */
5920 /*
5921 * Because each branch pushes a single value, but our stack budgeting
5922 * analysis ignores branches, we now have to adjust cg->stackDepth to
5923 * ignore the value pushed by the first branch. Execution will follow
5924 * only one path, so we must decrement cg->stackDepth.
5925 *
5926 * Failing to do this will foil code, such as the try/catch/finally
5927 * exception handling code generator, that samples cg->stackDepth for
5928 * use at runtime (JSOP_SETSP), or in let expression and block code
5929 * generation, which must use the stack depth to compute local stack
5930 * indexes correctly.
5931 */
5943 /*
5944 * JSOP_OR converts the operand on the stack to boolean, and if true,
5945 * leaves the original operand value on the stack and jumps; otherwise
5946 * it pops and falls into the next bytecode, which evaluates the right
5947 * operand. The jump goes around the right operand evaluation.
5948 *
5949 * JSOP_AND converts the operand on the stack to boolean, and if false,
5950 * leaves the original operand value on the stack and jumps; otherwise
5951 * it pops and falls into the right operand's bytecode.
5952 */
5969 /* Left-associative operator chain: avoid too much recursion. */
5977 /* Emit nodes between the head and the tail. */
5989 }
6002 }
6006 /* For TCF_IN_FUNCTION test, see TOK_RB concerning JSOP_NEWARRAY. */
6009 /* Emit up to the first string literal conventionally. */
6017 }
6022 /*
6023 * Having seen a string literal, we know statically that the rest
6024 * of the additions are string concatenation, so we emit them as a
6025 * single concatn. First, do string conversion on the result of the
6026 * preceding zero or more additions so that any side effects of
6027 * string conversion occur before the next operand begins.
6028 */
6035 }
6042 }
6046 }
6059 /* Left-associative operator chain: avoid too much recursion. */
6069 }
6071 #if JS_HAS_XML_SUPPORT
6072 uintN oldflags;
6081 }
6083 /*
6084 * Binary :: has a right operand that brackets arbitrary code,
6085 * possibly including a let (a = b) ... expression. We must clear
6086 * TCF_IN_FOR_INIT to avoid mis-compiling such beasts.
6087 */
6090 #endif
6092 /* Binary operators that evaluate both operands unconditionally. */
6097 #if JS_HAS_XML_SUPPORT
6099 #endif
6102 }
6106 #if JS_HAS_XML_SUPPORT
6110 /* FALL THROUGH */
6111 #endif
6113 {
6114 uintN oldflags;
6116 /* Unary op, including unary +/-. */
6118 #if JS_HAS_XML_SUPPORT
6123 }
6124 #endif
6138 }
6142 /* Emit lvalue-specialized code for ++/-- operators. */
6164 }
6175 }
6176 }
6192 }
6196 #if JS_HAS_XML_SUPPORT
6206 #endif
6207 }
6211 /*
6212 * Under ECMA 3, deleting a non-reference returns true -- but alas we
6213 * must evaluate the operand if it appears it might have side effects.
6214 */
6227 }
6233 #if JS_HAS_XML_SUPPORT
6238 #endif
6244 /*
6245 * If useless, just emit JSOP_TRUE; otherwise convert delete foo()
6246 * to foo(), true (a comma expression, requiring SRC_PCDELTA).
6247 */
6262 }
6269 }
6270 }
6273 #if JS_HAS_XML_SUPPORT
6289 #endif
6292 /*
6293 * Pop a stack operand, convert it to object, get a property named by
6294 * this bytecode's immediate-indexed atom operand, and push its value
6295 * (not a reference to it).
6296 */
6301 #if JS_HAS_XML_SUPPORT
6303 #endif
6304 /*
6305 * Pop two operands, convert the left one to object and the right one
6306 * to property name (atom or tagged int), get the named property, and
6307 * push its value. Set the "obj" register to the result of ToObject
6308 * on the left operand.
6309 */
6315 {
6318 /*
6319 * Emit callable invocation or operator new (constructor call) code.
6320 * First, emit code for the left operand to evaluate the callable or
6321 * constructable object expression.
6322 *
6323 * For operator new applied to other expressions than E4X ones, we emit
6324 * JSOP_GETPROP instead of JSOP_CALLPROP, etc. This is necessary to
6325 * interpose the lambda-initialized method read barrier -- see the code
6326 * in jsops.cpp for JSOP_LAMBDA followed by JSOP_{SET,INIT}PROP.
6327 *
6328 * Then (or in a call case that has no explicit reference-base object)
6329 * we emit JSOP_NULL as a placeholder local GC root to hold the |this|
6330 * parameter: in the operator new case, the newborn instance; in the
6331 * base-less call case, a cookie meaning "use the global object as the
6332 * |this| value" (or in ES5 strict mode, "use undefined", so we should
6333 * use JSOP_PUSH instead of JSOP_NULL -- see bug 514570).
6334 */
6351 #if JS_HAS_XML_SUPPORT
6357 }
6358 #endif
6359 /* FALL THROUGH */
6361 /*
6362 * Push null as a placeholder for the global object, per ECMA-262
6363 * 11.2.3 step 6.
6364 */
6369 }
6373 /* Remember start of callable-object bytecode for decompilation hint. */
6376 /*
6377 * Emit code for each argument in order, then emit the JSOP_*CALL or
6378 * JSOP_NEW bytecode with a two-byte immediate telling how many args
6379 * were pushed on the operand stack.
6380 */
6386 }
6395 /* Add a trace hint opcode for recursion. */
6398 }
6402 }
6405 {
6407 uintN count;
6412 /*
6413 * If this lexical scope is not for a catch block, let block or let
6414 * expression, or any kind of for loop (where the scope starts in the
6415 * head after the first part if for (;;), else in the body if for-in);
6416 * and if our container is top-level but not a function body, or else
6417 * a block statement; then emit a SRC_BRACE note. All other container
6418 * statements get braces by default from the decompiler.
6419 */
6426 #if defined DEBUG_brendan || defined DEBUG_mrbkap
6427 /* There must be no source note already output for the next op. */
6431 #endif
6435 }
6453 }
6454 }
6456 /* Emit the JSOP_LEAVEBLOCK or JSOP_LEAVEBLOCKEXPR opcode. */
6462 }
6464 #if JS_HAS_BLOCK_SCOPE
6466 /* Let statements have their variable declarations on the left. */
6472 }
6474 /* Non-null pn2 means that pn is the variable list from a let head. */
6479 /* Thus non-null pn2 is the body of the let block or expression. */
6488 }
6492 #if JS_HAS_GENERATORS
6494 jsint slot;
6496 /*
6497 * The array object's stack index is in cg->arrayCompDepth. See below
6498 * under the array initialiser code generator for array comprehension
6499 * special casing.
6500 */
6508 }
6509 #endif
6512 #if JS_HAS_GENERATORS
6514 #endif
6515 /*
6516 * Emit code for [a, b, c] that is equivalent to constructing a new
6517 * array and in source order evaluating each element value and adding
6518 * it to the array, without invoking latent setters. We use the
6519 * JSOP_NEWINIT and JSOP_INITELEM bytecodes to ignore setters and to
6520 * avoid dup'ing and popping the array as each element is added, as
6521 * JSOP_SETELEM/JSOP_SETPROP would do.
6522 *
6523 * If no sharp variable is defined, the initializer is not for an array
6524 * comprehension, the initializer is not overlarge, and the initializer
6525 * is not in global code (whose stack growth cannot be precisely modeled
6526 * due to the need to reserve space for global variables and regular
6527 * expressions), use JSOP_NEWARRAY to minimize opcodes and to create the
6528 * array using a fast, all-at-once process rather than a slow, element-
6529 * by-element process.
6530 */
6531 #if JS_HAS_SHARP_VARS
6533 do_emit_array:
6534 #endif
6537 ? JSOP_NEWARRAY
6540 #if JS_HAS_GENERATORS
6543 #endif
6544 #if JS_HAS_SHARP_VARS
6548 #endif
6553 #if JS_HAS_GENERATORS
6555 uintN saveDepth;
6557 /*
6558 * Pass the new array's stack index to the TOK_ARRAYPUSH case via
6559 * cg->arrayCompDepth, then simply traverse the TOK_FOR node and
6560 * its kids under pn2 to generate this comprehension.
6561 */
6569 /* Emit the usual op needed for decompilation. */
6573 }
6586 }
6589 }
6593 /* Emit a source note so we know to decompile an extra comma. */
6596 }
6599 /*
6600 * Emit an op to finish the array and, secondarily, to aid in sharp
6601 * array cleanup (if JS_HAS_SHARP_VARS) and decompilation.
6602 */
6606 }
6613 #if JS_HAS_SHARP_VARS
6615 do_emit_object:
6616 #endif
6617 #if JS_HAS_DESTRUCTURING_SHORTHAND
6621 }
6622 #endif
6623 /*
6624 * Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
6625 * a new object and in source order evaluating each property value and
6626 * adding the property to the object, without invoking latent setters.
6627 * We use the JSOP_NEWINIT and JSOP_INITELEM/JSOP_INITPROP bytecodes to
6628 * ignore setters and to avoid dup'ing and popping the object as each
6629 * property is added, as JSOP_SETELEM/JSOP_SETPROP would do.
6630 */
6636 /* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
6641 }
6643 /* Emit code for the property initializer. */
6651 }
6653 /* Annotate JSOP_INITELEM so we decompile 2:c and not just c. */
6666 /* Check whether we can optimize to JSOP_INITMETHOD. */
6672 {
6679 }
6682 }
6683 }
6688 }
6692 }
6694 #if JS_HAS_SHARP_VARS
6701 # if JS_HAS_GENERATORS
6704 # endif
6720 /*
6721 * Cope with a left-over function definition that was replaced by a use
6722 * of a later function definition of the same name. See FunctionDef and
6723 * MakeDefIntoUse in jsparse.cpp.
6724 */
6731 #if JS_HAS_XML_SUPPORT
6737 #endif
6747 /*
6748 * If the regexp's script is one-shot and the regexp is not used in a
6749 * loop, we can avoid the extra fork-on-exec costs of JSOP_REGEXP by
6750 * selecting JSOP_OBJECT. Otherwise, to avoid incorrect proto, parent,
6751 * and lastIndex sharing, select JSOP_REGEXP.
6752 */
6760 }
6761 }
6762 }
6768 cg);
6769 }
6771 }
6773 #if JS_HAS_XML_SUPPORT
6775 #endif
6781 #if JS_HAS_DEBUGGER_KEYWORD
6788 #if JS_HAS_XML_SUPPORT
6794 }
6800 /* FALL THROUGH */
6807 }
6813 }
6818 }
6828 }
6831 }
6832 #ifdef DEBUG
6833 else
6835 #endif
6842 }
6843 /* FALL THROUGH */
6847 {
6848 uint32 i;
6874 }
6880 }
6884 }
6885 }
6900 }
6909 }
6914 }
6920 }
6936 }
6943 }
6946 }
6948 /*
6949 * We should try to get rid of offsetBias (always 0 or 1, where 1 is
6950 * JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR and SRC_DECL.
6951 */
6978 };
6980 static intN
6982 {
6983 intN index;
6992 /* Allocate the first note array lazily; leave noteMask alone. */
6995 /* Grow by doubling note array size; update noteMask on success. */
6999 }
7003 }
7004 }
7008 }
7010 intN
7012 {
7017 /*
7018 * Claim a note slot in CG_NOTES(cg) by growing it if necessary and then
7019 * incrementing CG_NOTE_COUNT(cg).
7020 */
7026 /*
7027 * Compute delta from the last annotated bytecode's offset. If it's too
7028 * big to fit in sn, allocate one or more xdelta notes and reset sn.
7029 */
7043 }
7045 /*
7046 * Initialize type and delta, then allocate the minimum number of notes
7047 * needed for type's arity. Usually, we won't need more, but if an offset
7048 * does take two bytes, js_SetSrcNoteOffset will grow CG_NOTES(cg).
7049 */
7054 }
7056 }
7058 intN
7061 {
7062 intN index;
7068 }
7070 }
7072 intN
7075 {
7076 intN index;
7084 }
7086 }
7088 static JSBool
7090 {
7094 /* Grow by doubling note array size; update noteMask on success. */
7101 }
7104 }
7106 jssrcnote *
7109 {
7111 intN index;
7113 /*
7114 * Called only from OptimizeSpanDeps and js_FinishTakingSrcNotes to add to
7115 * main script note deltas, and only by a small positive amount.
7116 */
7131 }
7136 sn++;
7137 }
7139 }
7143 {
7144 uintN arity;
7151 }
7153 }
7157 {
7158 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7164 }
7169 }
7171 }
7173 JSBool
7176 {
7183 }
7185 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7192 }
7194 /* See if the new offset requires three bytes. */
7196 /* Maybe this offset was already set to a three-byte value. */
7198 /* Losing, need to insert another two bytes for this offset. */
7201 /*
7202 * Simultaneously test to see if the source note array must grow to
7203 * accommodate either the first or second byte of additional storage
7204 * required by this 3-byte offset.
7205 */
7210 }
7217 }
7220 }
7223 }
7225 #ifdef DEBUG_notme
7226 #define DEBUG_srcnotesize
7227 #endif
7229 #ifdef DEBUG_srcnotesize
7230 #define NBINS 10
7234 {
7243 }
7250 }
7252 }
7253 #endif
7255 /*
7256 * Fill in the storage at notes with prolog and main srcnotes; the space at
7257 * notes was allocated using the CG_COUNT_FINAL_SRCNOTES macro from jsemit.h.
7258 * SO DON'T CHANGE THIS FUNCTION WITHOUT AT LEAST CHECKING WHETHER jsemit.h's
7259 * CG_COUNT_FINAL_SRCNOTES MACRO NEEDS CORRESPONDING CHANGES!
7260 */
7261 JSBool
7263 {
7278 /*
7279 * Either no prolog srcnotes, or no line number change over prolog.
7280 * We don't need a SRC_SETLINE, but we may need to adjust the offset
7281 * of the first main note, by adding to its delta and possibly even
7282 * prepending SRC_XDELTA notes to it to account for prolog bytecodes
7283 * that came at and after the last annotated bytecode.
7284 */
7288 /* NB: Use as much of the first main note's delta as we can. */
7303 }
7304 }
7305 }
7314 #ifdef DEBUG_notme
7319 }
7320 #endif
7322 }
7324 static JSBool
7327 {
7339 }
7349 }
7351 void
7353 {
7364 }
7366 /*
7367 * Find the index of the given object for code generator.
7368 *
7369 * Since the emitter refers to each parsed object only once, for the index we
7370 * use the number of already indexes objects. We also add the object to a list
7371 * to convert the list to a fixed-size array when we complete code generation,
7372 * see JSCGObjectList::finish below.
7373 *
7374 * Most of the objects go to JSCodeGenerator.objectList but for regexp we use a
7375 * separated JSCodeGenerator.regexpList. In this way the emitted index can be
7376 * directly used to store and fetch a reference to a cloned RegExp object that
7377 * shares the same JSRegExp private data created for the object literal in
7378 * objbox. We need a cloned object to hold lastIndex and other direct properties
7379 * that should not be shared among threads sharing a precompiled function or
7380 * script.
7381 *
7382 * If the code being compiled is function code, allocate a reserved slot in
7383 * the cloned function object that shares its precompiled script with other
7384 * cloned function objects and with the compiler-created clone-parent. There
7385 * are nregexps = script->regexps()->length such reserved slots in each
7386 * function object cloned from fun->object. NB: during compilation, a funobj
7387 * slots element must never be allocated, because js_AllocSlot could hand out
7388 * one of the slots that should be given to a regexp clone.
7389 *
7390 * If the code being compiled is global code, the cloned regexp are stored in
7391 * fp->vars slot after cg->ngvars and to protect regexp slots from GC we set
7392 * fp->nvars to ngvars + nregexps.
7393 *
7394 * The slots initially contain undefined or null. We populate them lazily when
7395 * JSOP_REGEXP is executed for the first time.
7396 *
7397 * Why clone regexp objects? ECMA specifies that when a regular expression
7398 * literal is scanned, a RegExp object is created. In the spec, compilation
7399 * and execution happen indivisibly, but in this implementation and many of
7400 * its embeddings, code is precompiled early and re-executed in multiple
7401 * threads, or using multiple global objects, or both, for efficiency.
7402 *
7403 * In such cases, naively following ECMA leads to wrongful sharing of RegExp
7404 * objects, which makes for collisions on the lastIndex property (especially
7405 * for global regexps) and on any ad-hoc properties. Also, __proto__ refers to
7406 * the pre-compilation prototype, a pigeon-hole problem for instanceof tests.
7407 */
7408 uintN
7410 {
7415 }
7417 void
7419 {
7434 }