| blob | ec1b7ad9803b9495ec3feb351ecab0855415f70a |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode generation.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <new>
48 #include <string.h>
75 /* Allocation chunk counts, must be powers of two in general. */
80 /* Macros to compute byte sizes from typed element counts. */
81 #define BYTECODE_SIZE(n) ((n) * sizeof(jsbytecode))
82 #define SRCNOTE_SIZE(n) ((n) * sizeof(jssrcnote))
83 #define TRYNOTE_SIZE(n) ((n) * sizeof(JSTryNote))
87 static JSBool
93 uintN lineno)
105 {
113 }
116 {
118 }
121 {
125 /* NB: non-null only after OOM. */
131 }
133 static ptrdiff_t
135 {
147 ? BYTECODE_CHUNK
156 }
160 }
164 }
166 }
168 static void
170 {
172 JSOp op;
175 intN ndefs;
180 #ifdef JS_TRACER
183 #else
185 #endif
189 extra;
192 }
205 JSMSG_STACK_UNDERFLOW,
207 numBuf);
208 }
213 /* We just executed IndexParsedObject */
222 }
226 }
228 ptrdiff_t
230 {
236 }
238 }
240 ptrdiff_t
242 {
251 }
253 }
255 ptrdiff_t
257 jsbytecode op2)
258 {
268 }
270 }
272 ptrdiff_t
274 {
284 /*
285 * Don't UpdateDepth if op's use-count comes from the immediate
286 * operand yet to be stored in the extra bytes after op.
287 */
290 }
292 }
294 /* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
315 };
321 {
325 }
327 static void
329 {
332 }
334 /**
335 Span-dependent instructions in JS bytecode consist of the jump (JOF_JUMP)
336 and switch (JOF_LOOKUPSWITCH, JOF_TABLESWITCH) format opcodes, subdivided
337 into unconditional (gotos and gosubs), and conditional jumps or branches
338 (which pop a value, test it, and jump depending on its value). Most jumps
339 have just one immediate operand, a signed offset from the jump opcode's pc
340 to the target bytecode. The lookup and table switch opcodes may contain
341 many jump offsets.
343 Mozilla bug #80981 (http://bugzilla.mozilla.org/show_bug.cgi?id=80981) was
344 fixed by adding extended "X" counterparts to the opcodes/formats (NB: X is
345 suffixed to prefer JSOP_ORX thereby avoiding a JSOP_XOR name collision for
346 the extended form of the JSOP_OR branch opcode). The unextended or short
347 formats have 16-bit signed immediate offset operands, the extended or long
348 formats have 32-bit signed immediates. The span-dependency problem consists
349 of selecting as few long instructions as possible, or about as few -- since
350 jumps can span other jumps, extending one jump may cause another to need to
351 be extended.
353 Most JS scripts are short, so need no extended jumps. We optimize for this
354 case by generating short jumps until we know a long jump is needed. After
355 that point, we keep generating short jumps, but each jump's 16-bit immediate
356 offset operand is actually an unsigned index into cg->spanDeps, an array of
357 JSSpanDep structs. Each struct tells the top offset in the script of the
358 opcode, the "before" offset of the jump (which will be the same as top for
359 simplex jumps, but which will index further into the bytecode array for a
360 non-initial jump offset in a lookup or table switch), the after "offset"
361 adjusted during span-dependent instruction selection (initially the same
362 value as the "before" offset), and the jump target (more below).
364 Since we generate cg->spanDeps lazily, from within js_SetJumpOffset, we must
365 ensure that all bytecode generated so far can be inspected to discover where
366 the jump offset immediate operands lie within CG_CODE(cg). But the bonus is
367 that we generate span-dependency records sorted by their offsets, so we can
368 binary-search when trying to find a JSSpanDep for a given bytecode offset,
369 or the nearest JSSpanDep at or above a given pc.
371 To avoid limiting scripts to 64K jumps, if the cg->spanDeps index overflows
372 65534, we store SPANDEP_INDEX_HUGE in the jump's immediate operand. This
373 tells us that we need to binary-search for the cg->spanDeps entry by the
374 jump opcode's bytecode offset (sd->before).
376 Jump targets need to be maintained in a data structure that lets us look
377 up an already-known target by its address (jumps may have a common target),
378 and that also lets us update the addresses (script-relative, a.k.a. absolute
379 offsets) of targets that come after a jump target (for when a jump below
380 that target needs to be extended). We use an AVL tree, implemented using
381 recursion, but with some tricky optimizations to its height-balancing code
382 (see http://www.cmcrossroads.com/bradapp/ftp/src/libs/C++/AvlTrees.html).
384 A final wrinkle: backpatch chains are linked by jump-to-jump offsets with
385 positive sign, even though they link "backward" (i.e., toward lower bytecode
386 address). We don't want to waste space and search time in the AVL tree for
387 such temporary backpatch deltas, so we use a single-bit wildcard scheme to
388 tag true JSJumpTarget pointers and encode untagged, signed (positive) deltas
389 in JSSpanDep.target pointers, depending on whether the JSSpanDep has a known
390 target, or is still awaiting backpatching.
392 Note that backpatch chains would present a problem for BuildSpanDepTable,
393 which inspects bytecode to build cg->spanDeps on demand, when the first
394 short jump offset overflows. To solve this temporary problem, we emit a
395 proxy bytecode (JSOP_BACKPATCH; JSOP_BACKPATCH_POP for branch ops) whose
396 nuses/ndefs counts help keep the stack balanced, but whose opcode format
397 distinguishes its backpatch delta immediate operand from a normal jump
398 offset.
399 */
400 static int
402 {
405 JSBool doubleRotate;
418 }
442 }
445 }
454 static int
456 {
473 }
474 }
482 }
487 }
491 else
500 }
502 #ifdef DEBUG_brendan
504 {
513 }
514 #endif
516 static JSBool
519 {
520 AddJumpTargetArgs args;
525 }
535 #ifdef DEBUG_brendan
537 #endif
541 }
543 #define SPANDEPS_MIN 256
544 #define SPANDEPS_SIZE(n) ((n) * sizeof(JSSpanDep))
545 #define SPANDEPS_SIZE_MIN SPANDEPS_SIZE(SPANDEPS_MIN)
547 static JSBool
550 {
551 uintN index;
559 }
568 }
576 /* Jump offset will be backpatched if off is a non-zero "bpdelta". */
582 }
583 }
586 /* Jump offset will be patched directly, without backpatch chaining. */
589 /* The jump offset in off is non-zero, therefore it's already known. */
592 }
598 }
602 {
603 JSOp op;
627 }
635 }
637 }
639 static JSBool
641 {
643 JSOp op;
666 /* FALL THROUGH */
670 }
671 }
674 }
678 {
679 uintN index;
698 else
700 }
704 }
706 static JSBool
709 {
716 }
721 }
730 }
732 static void
734 {
739 }
742 }
747 {
762 else
764 }
770 }
772 static void
774 {
781 }
783 static JSBool
785 {
789 JSBool done;
790 JSOp op;
791 uint32 type;
797 #ifdef DEBUG_brendan
799 #endif
815 #ifdef DEBUG_brendan
816 passes++;
817 #endif
832 /*
833 * We already extended all the jump offset operands for
834 * the opcode at sd->top. Jumps and branches have only
835 * one jump offset operand, but switches have many, all
836 * of which are adjacent in cg->spanDeps.
837 */
839 }
844 }
867 }
872 /*
873 * sd2->offset already includes delta as it stood
874 * before we entered this loop, but it must also
875 * include the delta relative to top due to all the
876 * extended jump offset immediates for the opcode
877 * starting at top, which we extend in this loop.
878 *
879 * If there is only one extended jump offset, then
880 * sd2->offset won't change and this for loop will
881 * iterate once only.
882 */
886 /*
887 * sd2 comes after sd, and won't be revisited by
888 * the outer for loop, so we have to increase its
889 * offset by delta, not merely by deltaFromTop.
890 */
892 }
897 }
899 }
900 }
901 }
907 #ifdef DEBUG_brendan
914 #endif
916 /*
917 * Ensure that we have room for the extended jumps, but don't round up
918 * to a power of two -- we're done generating code, so we cut to fit.
919 */
931 }
934 }
937 /*
938 * Set up a fake span dependency record to guard the end of the code
939 * being generated. This guard record is returned as a fencepost by
940 * FindNearestSpanDep if there is no real spandep at or above a given
941 * unextended code offset.
942 */
947 }
949 /*
950 * Now work backwards through the span dependencies, copying chunks of
951 * bytecode between each extended jump toward the end of the grown code
952 * space, and restoring immediate offset operands for all jump bytecodes.
953 * The first chunk of bytecodes, starting at base and ending at the first
954 * extended jump offset (NB: this chunk includes the operation bytecode
955 * just before that immediate jump offset), doesn't need to be copied.
956 */
967 sd2++;
970 }
975 /*
976 * If this jump didn't need to be extended, restore its span immediate
977 * offset operand now, overwriting the index of sd within cg->spanDeps
978 * that was stored temporarily after *pc when BuildSpanDepTable ran.
979 *
980 * Note that span might fit in 16 bits even for an extended jump op,
981 * if the op has multiple span operands, not all of which overflowed
982 * (e.g. JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH where some cases are in
983 * range for a short jump, but others are not).
984 */
989 }
991 /*
992 * Set up parameters needed to copy the next run of bytecode starting
993 * at offset (which is a cursor into the unextended, original bytecode
994 * vector), down to sd->before (a cursor of the same scale as offset,
995 * it's the index of the original jump pc). Reuse delta to count the
996 * nominal number of bytes to copy.
997 */
1002 /*
1003 * Don't bother copying the jump offset we're about to reset, but do
1004 * copy the bytecode at oldpc (which comes just before its immediate
1005 * jump offset operand), on the next iteration through the loop, by
1006 * including it in offset's new value.
1007 */
1013 size);
1014 }
1017 }
1020 /*
1021 * Fix source note deltas. Don't hardwire the delta fixup adjustment,
1022 * even though currently it must be JUMPX_OFFSET_LEN - JUMP_OFFSET_LEN
1023 * at each sd that moved. The future may bring different offset sizes
1024 * for span-dependent instruction operands. However, we fix only main
1025 * notes here, not prolog notes -- we know that prolog opcodes are not
1026 * span-dependent, and aren't likely ever to be.
1027 */
1033 /*
1034 * Recall that the offset of a given note includes its delta, and
1035 * tells the offset of the annotated bytecode from the main entry
1036 * point of the script.
1037 */
1040 /*
1041 * To compute the delta to add to sn, we need to look at the
1042 * spandep after sd, whose offset - (before + growth) tells by
1043 * how many bytes sd's instruction grew.
1044 */
1056 }
1057 sd++;
1058 }
1060 /*
1061 * If sn has span-dependent offset operands, check whether each
1062 * covers further span-dependencies, and increase those operands
1063 * accordingly. Some source notes measure offset not from the
1064 * annotated pc, but from that pc plus some small bias. NB: we
1065 * assume that spec->offsetBias can't itself span span-dependent
1066 * instructions!
1067 */
1083 /*
1084 * Increase target by sd2's before-vs-after offset delta,
1085 * which is absolute (i.e., relative to start of script,
1086 * as is target). Recompute the span by subtracting its
1087 * adjusted pivot from target.
1088 */
1097 }
1098 }
1099 }
1102 /*
1103 * Fix try/catch notes (O(numTryNotes * log2(numSpanDeps)), but it's
1104 * not clear how we can beat that).
1105 */
1107 /*
1108 * First, look for the nearest span dependency at/above tn->start.
1109 * There may not be any such spandep, in which case the guard will
1110 * be returned.
1111 */
1117 /*
1118 * Next, find the nearest spandep at/above tn->start + tn->length.
1119 * Use its delta minus tn->start's delta to increase tn->length.
1120 */
1126 }
1127 }
1128 }
1130 #ifdef DEBUG_brendan
1131 {
1137 /* NB: sd->top cursors into the original, unextended bytecode vector. */
1154 }
1160 bigspans++;
1164 }
1167 }
1169 }
1171 }
1172 #endif
1174 /*
1175 * Reset so we optimize at most once -- cg may be used for further code
1176 * generation of successive, independent, top-level statements. No jump
1177 * can span top-level statements, because JS lacks goto.
1178 */
1187 }
1189 static ptrdiff_t
1191 {
1192 JSBool extend;
1205 }
1207 }
1209 static ptrdiff_t
1211 {
1227 sd++;
1229 }
1231 JSBool
1234 {
1239 }
1243 }
1246 }
1248 bool
1250 {
1254 }
1256 }
1258 bool
1260 {
1261 #if JS_HAS_SHARP_VARS
1267 }
1283 /*
1284 * Compiler::compileScript will rebase immediate operands indexing
1285 * the sharp slots to come at the end of the global script's |nfixed|
1286 * slots storage, after gvars and regexps.
1287 */
1289 }
1291 #endif
1293 }
1295 bool
1297 {
1304 }
1306 }
1308 void
1311 {
1325 }
1326 }
1328 void
1331 {
1339 }
1341 /*
1342 * Emit a backpatch op with offset pointing to the previous jump of this type,
1343 * so that we can walk back up the chain fixing up the op and jump offset.
1344 */
1345 static ptrdiff_t
1347 {
1355 }
1357 /*
1358 * Macro to emit a bytecode followed by a uint16 immediate operand stored in
1359 * big-endian order, used for arg and var numbers as well as for atomIndexes.
1360 * NB: We use cx and cg from our caller's lexical environment, and return
1361 * false on error.
1362 */
1363 #define EMIT_UINT16_IMM_OP(op, i) \
1364 JS_BEGIN_MACRO \
1365 if (js_Emit3(cx, cg, op, UINT16_HI(i), UINT16_LO(i)) < 0) \
1366 return JS_FALSE; \
1367 JS_END_MACRO
1369 #define EMIT_UINT16PAIR_IMM_OP(op, i, j) \
1370 JS_BEGIN_MACRO \
1371 ptrdiff_t off_ = js_EmitN(cx, cg, op, 2 * UINT16_LEN); \
1372 if (off_ < 0) \
1373 return JS_FALSE; \
1374 jsbytecode *pc_ = CG_CODE(cg, off_); \
1375 SET_UINT16(pc_, i); \
1376 pc_ += UINT16_LEN; \
1377 SET_UINT16(pc_, j); \
1378 JS_END_MACRO
1380 static JSBool
1382 {
1389 }
1391 /*
1392 * Emit additional bytecode(s) for non-local jumps.
1393 */
1394 static JSBool
1396 {
1400 /*
1401 * The non-local jump fixup we emit will unbalance cg->stackDepth, because
1402 * the fixup replicates balanced code such as JSOP_LEAVEWITH emitted at the
1403 * end of a with statement, so we save cg->stackDepth here and restore it
1404 * just before a successful return.
1405 */
1409 #define FLUSH_POPS() if (npops && !FlushPops(cx, cg, &npops)) return JS_FALSE
1422 /* There's a With object on the stack that we need to pop. */
1431 /*
1432 * The iterator and the object being iterated need to be popped.
1433 */
1442 /*
1443 * There's a [exception or hole, retsub pc-index] pair on the
1444 * stack that we need to pop.
1445 */
1450 }
1453 uintN i;
1455 /* There is a Block object with locals on the stack to pop. */
1461 }
1462 }
1468 #undef FLUSH_POPS
1469 }
1471 static ptrdiff_t
1474 {
1475 intN index;
1484 else
1490 }
1492 static JSBool
1495 {
1506 /*
1507 * Set *pc after jump offset in case bpdelta didn't overflow, but span
1508 * does (if so, CHECK_AND_SET_JUMP_OFFSET might call BuildSpanDepTable
1509 * and need to see the JSOP_BACKPATCH* op at *pc).
1510 */
1513 }
1515 }
1517 void
1519 {
1529 }
1530 }
1531 }
1533 JSBool
1535 {
1542 JSOP_GOTO))) {
1544 }
1547 }
1549 JSBool
1552 {
1553 /* XXX just do numbers for now */
1557 }
1559 }
1561 JSStmtInfo *
1563 {
1574 /* Skip "maybe scope" statements that don't contain let bindings. */
1589 }
1591 }
1592 }
1597 }
1599 /*
1600 * The function sets vp to NO_CONSTANT when the atom does not corresponds to a
1601 * name defining a constant.
1602 */
1603 static JSBool
1606 {
1610 /*
1611 * Chase down the cg stack, but only until we reach the outermost cg.
1612 * This enables propagating consts from top-level into switch cases in a
1613 * function compiled along with the top-level script.
1614 */
1618 /* XXX this will need revising if 'const' becomes block-scoped. */
1627 }
1629 /*
1630 * Try looking in the variable object for a direct property that
1631 * is readonly and permanent. We know such a property can't be
1632 * shadowed by another property on obj's prototype chain, or a
1633 * with object or catch variable; nor can prop's value be changed,
1634 * nor can prop be deleted.
1635 */
1647 /*
1648 * We're compiling code that will be executed immediately,
1649 * not re-executed against a different scope chain and/or
1650 * variable object. Therefore we can get constant values
1651 * from our variable object here.
1652 */
1656 }
1657 }
1662 }
1663 }
1666 }
1668 /*
1669 * Return JSOP_NOP to indicate that index fits 2 bytes and no index segment
1670 * reset instruction is necessary, JSOP_FALSE to indicate an error or either
1671 * JSOP_RESETBASE0 or JSOP_RESETBASE1 to indicate the reset bytecode to issue
1672 * after the main bytecode sequence.
1673 */
1674 static JSOp
1676 {
1677 uintN indexBase;
1679 /*
1680 * We have max 3 bytes for indexes and check for INDEX_LIMIT overflow only
1681 * for big indexes.
1682 */
1694 }
1698 JSMSG_TOO_MANY_LITERALS);
1700 }
1705 }
1707 /*
1708 * Emit a bytecode and its 2-byte constant index immediate operand. If the
1709 * index requires more than 2 bytes, emit a prefix op whose 8-bit immediate
1710 * operand effectively extends the 16-bit immediate of the prefixed opcode,
1711 * by changing index "segment" (see jsinterp.c). We optimize segments 1-3
1712 * with single-byte JSOP_INDEXBASE[123] codes.
1713 *
1714 * Such prefixing currently requires a suffix to restore the "zero segment"
1715 * register setting, but this could be optimized further.
1716 */
1717 static JSBool
1719 {
1720 JSOp bigSuffix;
1727 }
1729 /*
1730 * Slight sugar for EmitIndexOp, again accessing cx and cg from the macro
1731 * caller's lexical environment, and embedding a false return on error.
1732 */
1733 #define EMIT_INDEX_OP(op, index) \
1734 JS_BEGIN_MACRO \
1735 if (!EmitIndexOp(cx, op, index, cg)) \
1736 return JS_FALSE; \
1737 JS_END_MACRO
1739 static JSBool
1741 {
1748 }
1753 }
1755 static JSBool
1758 {
1761 }
1763 /*
1764 * What good are ARGNO_LEN and SLOTNO_LEN, you ask? The answer is that, apart
1765 * from EmitSlotIndexOp, they abstract out the detail that both are 2, and in
1766 * other parts of the code there's no necessary relationship between the two.
1767 * The abstraction cracks here in order to share EmitSlotIndexOp code among
1768 * the JSOP_DEFLOCALFUN and JSOP_GET{ARG,VAR,LOCAL}PROP cases.
1769 */
1773 static JSBool
1776 {
1777 JSOp bigSuffix;
1787 /* Emit [op, slot, index]. */
1796 }
1798 /*
1799 * Adjust the slot for a block local to account for the number of variables
1800 * that share the same index space with locals. Due to the incremental code
1801 * generation for top-level script, we do the adjustment via code patching in
1802 * Compiler::compileScript; see comments there.
1803 *
1804 * The function returns -1 on failures.
1805 */
1806 static jsint
1808 {
1815 }
1816 }
1818 }
1820 static bool
1822 {
1836 /* Beware the empty destructuring dummy. */
1840 }
1846 #ifdef DEBUG
1851 }
1852 #endif
1853 }
1857 }
1859 /*
1860 * When eval is called from a function, the eval code or function code it
1861 * compiles may reference upvars that live in the eval-calling function. The
1862 * eval-invoked compiler does not have explicit definitions for these upvars
1863 * and we do not attempt to create them a-priori (by inspecting the function's
1864 * args and vars) -- we could, but we'd take an avoidable penalty for each
1865 * function local not referenced by any upvar. Instead, we map such upvars
1866 * lazily, growing upvarMap.vector by powers of two.
1867 *
1868 * This function knows that it is called with pn pointing to a PN_NAME-arity
1869 * node, and cg->parser->callerFrame having a non-null fun member, and the
1870 * static level of cg at least one greater than the eval-calling function's
1871 * static level.
1872 */
1873 static bool
1875 {
1882 /*
1883 * Treat top-level function definitions as escaping (i.e., as funargs),
1884 * required since we compile each such top level function or statement
1885 * and throw away the AST, so we can't yet see all funarg uses of this
1886 * function being compiled (cg->funbox->object). See bug 493177.
1887 */
1893 }
1901 }
1902 }
1906 uintN index;
1920 }
1938 }
1946 }
1952 }
1954 /*
1955 * BindNameToSlot attempts to optimize name gets and sets to stack slot loads
1956 * and stores, given the compile-time information in cg and a TOK_NAME node pn.
1957 * It returns false on error, true on success.
1958 *
1959 * The caller can inspect pn->pn_cookie for FREE_UPVAR_COOKIE to tell whether
1960 * optimization occurred, in which case BindNameToSlot also updated pn->pn_op.
1961 * If pn->pn_cookie is still FREE_UPVAR_COOKIE on return, pn->pn_op still may
1962 * have been optimized, e.g., from JSOP_NAME to JSOP_CALLEE. Whether or not
1963 * pn->pn_op was modified, if this function finds an argument or local variable
1964 * name, PND_CONST will be set in pn_dflags for read-only properties after a
1965 * successful return.
1966 *
1967 * NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
1968 * to update the TOK_FOR (for-in) and TOK_ASSIGN (op=, e.g. +=) special cases
1969 * in js_EmitTree.
1970 */
1971 static JSBool
1973 {
1975 JSOp op;
1979 uintN index;
1983 /* Idempotency tests come first, since we may be called more than once. */
1987 /* No cookie initialized for these two, they're pre-bound by definition. */
1990 /*
1991 * The parser linked all uses (including forward references) to their
1992 * definitions, unless a with statement or direct eval intervened.
1993 */
2005 }
2016 /*
2017 * Turn attempts to mutate const-declared bindings into get ops (for
2018 * pre-increment and pre-decrement ops, our caller will have to emit
2019 * JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
2020 *
2021 * Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
2022 * bindings visible to the compiler are permanent in JS unless the
2023 * declaration originates in eval code. We detect eval code by testing
2024 * cg->parser->callerFrame, which is set only by eval or a debugger
2025 * equivalent.
2026 *
2027 * Note that this callerFrame non-null test must be qualified by testing
2028 * !cg->funbox to exclude function code nested in eval code, which is not
2029 * subject to the deletable binding exception.
2030 */
2039 else
2043 }
2048 }
2055 /*
2056 * Don't generate upvars on the left side of a for loop. See
2057 * bug 470758.
2058 */
2066 /*
2067 * Make sure the variable object used by the compiler to initialize
2068 * parent links matches the caller's varobj. Compile-n-go compiler-
2069 * created function objects have the top-level cg's scopeChain set
2070 * as their parent by Parser::newFunction.
2071 */
2078 /*
2079 * We are compiling eval or debug script inside a function frame
2080 * and the scope chain matches the function's variable object.
2081 * Optimize access to function's arguments and variable and the
2082 * arguments object.
2083 */
2087 /*
2088 * Generator functions may be resumed from any call stack, which
2089 * defeats the display optimization to static link searching used
2090 * by JSOP_{GET,CALL}UPVAR.
2091 */
2099 }
2101 }
2104 /*
2105 * If this is a global reference from within a function, leave pn_op as
2106 * JSOP_NAME, etc. We could emit JSOP_*GVAR ops within function code if
2107 * only we could depend on the global frame's slots being valid for all
2108 * calls to the function, and if we could equate the atom index in the
2109 * function's atom map for every global name with its frame slot.
2110 */
2114 /*
2115 * We are optimizing global variables and there may be no pre-existing
2116 * global property named atom when this global script runs. If atom was
2117 * declared via const or var, optimize pn to access fp->vars using the
2118 * appropriate JSOP_*GVAR op.
2119 *
2120 * FIXME: should be able to optimize global function access too.
2121 */
2135 }
2140 }
2145 /*
2146 * A JSDefinition witnessed as a declaration by the parser cannot be an
2147 * upvar, unless it is the degenerate kind of upvar selected above (in the
2148 * code before the PND_GVAR test) for the special case of compile-and-go
2149 * code generated from eval called from a function, where the eval code
2150 * uses local vars defined in the function. We detect this upvar-for-eval
2151 * case by checking dn's op.
2152 */
2158 #ifdef DEBUG
2160 #endif
2173 /*
2174 * Don't generate upvars on the left side of a for loop. See
2175 * bug 470758 and bug 520513.
2176 */
2185 }
2188 }
2197 /*
2198 * If op is a mutating opcode, this upvar's lookup skips too many levels,
2199 * or the function is heavyweight, we fall back on JSOP_*NAME*.
2200 */
2211 /*
2212 * The function we're compiling may not be heavyweight, but if it
2213 * escapes as a funarg, we can't use JSOP_GETUPVAR/JSOP_CALLUPVAR.
2214 * Parser::analyzeFunctions has arranged for this function's
2215 * enclosing functions to be heavyweight, so we can safely stick
2216 * with JSOP_NAME/JSOP_CALLNAME.
2217 */
2221 /*
2222 * Generator functions may be resumed from any call stack, which
2223 * defeats the display optimization to static link searching used
2224 * by JSOP_{GET,CALL}UPVAR.
2225 */
2230 }
2253 }
2256 }
2266 }
2269 }
2276 }
2278 /*
2279 * We are compiling a function body and may be able to optimize name
2280 * to stack slot. Look for an argument or variable in the function and
2281 * rewrite pn_op and update pn accordingly.
2282 */
2297 }
2310 }
2319 /*
2320 * Leave pn->pn_op == JSOP_NAME if cg->fun is heavyweight, as we
2321 * cannot be sure cg->fun is not something of the form:
2322 *
2323 * var ff = (function f(s) { eval(s); return f; });
2324 *
2325 * where a caller invokes ff("var f = 42"). The result returned for
2326 * such an invocation must be 42, since the callee name is
2327 * lexically bound in an outer declarative environment from the
2328 * function's activation. See jsfun.cpp:call_resolve.
2329 */
2334 }
2339 }
2340 /* FALL THROUGH */
2356 }
2359 }
2366 }
2368 /*
2369 * If pn contains a useful expression, return true with *answer set to true.
2370 * If pn contains a useless expression, return true with *answer set to false.
2371 * Return false on error.
2372 *
2373 * The caller should initialize *answer to false and invoke this function on
2374 * an expression statement or similar subtree to decide whether the tree could
2375 * produce code that has any side effects. For an expression statement, we
2376 * define useless code as code with no side effects, because the main effect,
2377 * the value left on the stack after the code executes, will be discarded by a
2378 * pop bytecode.
2379 */
2380 static JSBool
2383 {
2384 JSBool ok;
2393 /*
2394 * A named function, contrary to ES3, is no longer useful, because we
2395 * bind its name lexically (using JSOP_CALLEE) instead of creating an
2396 * Object instance and binding a readonly, permanent property in it
2397 * (the object and binding can be detected and hijacked or captured).
2398 * This is a bug fix to ES3; it is fixed in ES3.1 drafts.
2399 */
2407 /*
2408 * Non-operators along with ||, &&, ===, and !== never invoke
2409 * toString or valueOf.
2410 */
2414 /*
2415 * All invocation operations (construct: TOK_NEW, call: TOK_LP)
2416 * are presumed to be useful, because they may have side effects
2417 * even if their main effect (their return value) is discarded.
2418 *
2419 * TOK_LB binary trees of 3 or more nodes are flattened into lists
2420 * to avoid too much recursion. All such lists must be presumed
2421 * to be useful because each index operation could invoke a getter
2422 * (the JSOP_ARGUMENTS special case below, in the PN_BINARY case,
2423 * does not apply here: arguments[i][j] might invoke a getter).
2424 *
2425 * Likewise, array and object initialisers may call prototype
2426 * setters (the __defineSetter__ built-in, and writable __proto__
2427 * on Array.prototype create this hazard). Initialiser list nodes
2428 * have JSOP_NEWINIT in their pn_op.
2429 */
2431 }
2442 /*
2443 * Assignment is presumed to be useful, even if the next operation
2444 * is another assignment overwriting this one's ostensible effect,
2445 * because the left operand may be a property with a setter that
2446 * has side effects.
2447 *
2448 * The only exception is assignment of a useless value to a const
2449 * declared in the function currently being compiled.
2450 */
2461 }
2465 /*
2466 * ||, &&, ===, and !== do not convert their operands via
2467 * toString or valueOf method calls.
2468 */
2472 /*
2473 * We can't easily prove that neither operand ever denotes an
2474 * object with a toString or valueOf method.
2475 */
2477 }
2478 }
2492 }
2493 /* FALL THROUGH */
2495 #if JS_HAS_XML_SUPPORT
2497 #endif
2500 /* All these delete addressing modes have effects too. */
2506 }
2511 /* ! does not convert its operand via toString or valueOf. */
2514 }
2515 /* FALL THROUGH */
2518 /*
2519 * All of TOK_INC, TOK_DEC, TOK_THROW, TOK_YIELD, and TOK_DEFSHARP
2520 * have direct effects. Of the remaining unary-arity node types,
2521 * we can't easily prove that the operand never denotes an object
2522 * with a toString or valueOf method.
2523 */
2526 }
2530 /*
2531 * Take care to avoid trying to bind a label name (labels, both for
2532 * statements and property values in object initialisers, have pn_op
2533 * defaulted to JSOP_NOP).
2534 */
2540 /*
2541 * Not an argument or local variable use, and not a use of a
2542 * unshadowed named function expression's given name, so this
2543 * expression could invoke a getter that has side effects.
2544 */
2546 }
2547 }
2554 /*
2555 * Any dotted property reference could call a getter, except
2556 * for arguments.length where arguments is unambiguous.
2557 */
2559 }
2560 }
2572 }
2574 }
2576 static JSBool
2578 JSBool callContext)
2579 {
2580 JSOp op;
2610 }
2611 }
2624 }
2625 }
2628 }
2630 #if JS_HAS_XML_SUPPORT
2631 static JSBool
2633 {
2635 uintN oldflags;
2650 }
2653 }
2654 #endif
2656 static JSBool
2658 {
2659 /*
2660 * Special case for obj.__proto__ to deoptimize away from fast paths in the
2661 * interpreter and trace recorder, which skip dense array instances by
2662 * going up to Array.prototype before looking up the property name.
2663 */
2672 }
2674 static JSBool
2676 JSBool callContext)
2677 {
2684 /* Special case deoptimization for __proto__. */
2690 }
2699 /* Fast path for gets of |this.foo|. */
2701 }
2703 /*
2704 * Try to optimize:
2705 * - arguments.length into JSOP_ARGCNT
2706 * - argname.prop into JSOP_GETARGPROP
2707 * - localname.prop into JSOP_GETLOCALPROP
2708 * but don't do this if the property is 'length' -- prefer to emit
2709 * JSOP_GETARG, etc., and then JSOP_LENGTH.
2710 */
2723 do_indexconst: {
2725 jsatomid atomIndex;
2732 }
2735 }
2736 }
2737 }
2738 }
2740 /*
2741 * If the object operand is also a dotted property reference, reverse the
2742 * list linked via pn_expr temporarily so we can iterate over it from the
2743 * bottom up (reversing again as we go), to avoid excessive recursion.
2744 */
2750 /* Reverse pndot->pn_expr to point up, not down. */
2759 }
2761 /* pndown is a primary expression, not a dotted property reference. */
2766 /* Walk back up the list, emitting annotated name ops. */
2770 }
2772 /* Special case deoptimization on __proto__, as above. */
2778 }
2780 /* Reverse the pn_expr link again. */
2788 }
2793 }
2796 }
2798 static JSBool
2800 {
2807 /* Left-associative operator chain to avoid too much recursion. */
2815 /*
2816 * Try to optimize arguments[0][j]... into JSOP_ARGSUB<0> followed by
2817 * one or more index expression and JSOP_GETELEM op pairs.
2818 */
2825 /*
2826 * arguments[i]() requires arguments object as "this".
2827 * Check that we never generates list for that usage.
2828 */
2834 }
2835 }
2837 /*
2838 * Check whether we generated JSOP_ARGSUB, just above, and have only
2839 * one more index expression to emit. Given arguments[0][j], we must
2840 * skip the while loop altogether, falling through to emit code for j
2841 * (in the subtree referenced by right), followed by the annotated op,
2842 * at the bottom of this function.
2843 */
2848 }
2857 }
2860 /*
2861 * Set left and right so pn appears to be a TOK_LB node, instead
2862 * of a TOK_DOT node. See the TOK_FOR/IN case in js_EmitTree, and
2863 * EmitDestructuringOps nearer below. In the destructuring case,
2864 * the base expression (pn_expr) of the name may be null, which
2865 * means we have to emit a JSOP_BINDNAME.
2866 */
2875 }
2879 ? JSOP_QNAMEPART
2888 }
2890 /* Try to optimize arguments[0] (e.g.) into JSOP_ARGSUB<0>. */
2902 }
2903 }
2907 }
2909 /* The right side of the descendant operator is implicitly quoted. */
2917 }
2919 static JSBool
2921 {
2923 uint32 u;
2950 }
2952 }
2958 }
2960 /*
2961 * To avoid bloating all parse nodes for the special case of switch, values are
2962 * allocated in the temp pool and pointed to by the parse node. These values
2963 * are not currently recycled (like parse nodes) and the temp pool is only
2964 * flushed at the end of compiling a script, so these values are technically
2965 * leaked. This would only be a problem for scripts containing a large number
2966 * of large switches, which seems unlikely.
2967 */
2970 {
2974 }
2976 static JSBool
2979 {
2980 JSOp switchOp;
2988 intN noteIndex;
2991 #if JS_HAS_BLOCK_SCOPE
2992 jsint count;
2993 #endif
2995 /* Try for most optimal, fall back if not dense ints, and per ECMAv2. */
3001 /*
3002 * If the switch contains let variables scoped by its body, model the
3003 * resulting block on the stack first, before emitting the discriminant's
3004 * bytecode (in case the discriminant contains a stack-model dependency
3005 * such as a let expression).
3006 */
3008 #if JS_HAS_BLOCK_SCOPE
3010 /*
3011 * Push the body's block scope before discriminant code-gen for proper
3012 * static block scope linkage in case the discriminant contains a let
3013 * expression. The block's locals must lie under the discriminant on
3014 * the stack so that case-dispatch bytecodes can find the discriminant
3015 * on top of stack.
3016 */
3021 /* Emit JSOP_ENTERBLOCK before code to evaluate the discriminant. */
3025 /*
3026 * Pop the switch's statement info around discriminant code-gen. Note
3027 * how this leaves cg->blockChain referencing the switch's
3028 * block scope object, which is necessary for correct block parenting
3029 * in the case where the discriminant contains a let expression.
3030 */
3033 }
3034 #ifdef __GNUC__
3037 }
3038 #endif
3039 #endif
3041 /*
3042 * Emit code for the discriminant first (or nearly first, in the case of a
3043 * switch whose body is a block scope).
3044 */
3048 /* Switch bytecodes run from here till end of final case. */
3050 #if !JS_HAS_BLOCK_SCOPE
3052 #else
3056 /* Re-push the switch's statement info record. */
3059 /* Set the statement info record's idea of top. */
3062 /* Advance pn2 to refer to the switch case list. */
3064 }
3065 #endif
3078 #define INTMAP_LENGTH 256
3091 }
3101 Value constVal;
3116 /*
3117 * XXX JSOP_LOOKUPSWITCH does not support const-
3118 * propagated object values, see bug 407186.
3119 */
3122 }
3125 }
3126 }
3127 /* FALL THROUGH */
3132 }
3136 }
3140 }
3141 /* FALL THROUGH */
3145 }
3152 }
3161 }
3166 }
3172 /*
3173 * Check for duplicates, which require a JSOP_LOOKUPSWITCH.
3174 * We bias i by 65536 if it's negative, and hope that's a rare
3175 * case (because it requires a malloc'd bitmap).
3176 */
3185 /* Just grab 8K for the worst-case bitmap. */
3193 }
3194 }
3196 }
3200 }
3202 }
3204 release:
3210 /*
3211 * Compute table length and select lookup instead if overlarge or
3212 * more than half-sparse.
3213 */
3219 /*
3220 * Lookup switch supports only atom indexes below 64K limit.
3221 * Conservatively estimate the maximum possible index during
3222 * switch generation and use conditional switch if it exceeds
3223 * the limit.
3224 */
3227 }
3228 }
3230 /*
3231 * Emit a note with two offsets: first tells total switch code length,
3232 * second tells offset to first JSOP_CASE if condswitch.
3233 */
3239 /*
3240 * 0 bytes of immediate for unoptimized ECMAv2 switch.
3241 */
3244 /*
3245 * 3 offsets (len, low, high) before the table, 1 per entry.
3246 */
3249 /*
3250 * JSOP_LOOKUPSWITCH:
3251 * 1 offset (len) and 1 atom index (npairs) before the table,
3252 * 1 atom index and 1 jump offset per entry.
3253 */
3256 }
3258 /*
3259 * Emit switchOp followed by switchSize bytes of jump or lookup table.
3260 *
3261 * If switchOp is JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH, it is crucial
3262 * to emit the immediate operand(s) by which bytecode readers such as
3263 * BuildSpanDepTable discover the length of the switch opcode *before*
3264 * calling js_SetJumpOffset (which may call BuildSpanDepTable). It's
3265 * also important to zero all unknown jump offset immediate operands,
3266 * so they can be converted to span dependencies with null targets to
3267 * be computed later (js_EmitN zeros switchSize bytes after switchOp).
3268 */
3277 /* Emit code for evaluating cases and jumping to case statements. */
3283 /* off is the previous JSOP_CASE's bytecode offset. */
3287 }
3288 }
3292 }
3303 /* Switch note's second offset is to first JSOP_CASE. */
3308 }
3313 }
3314 }
3316 /*
3317 * If we didn't have an explicit default (which could fall in between
3318 * cases, preventing us from fusing this js_SetSrcNoteOffset with the
3319 * call in the loop above), link the last case to the implicit default
3320 * for the decompiler.
3321 */
3327 }
3329 /* Emit default even if no explicit default statement. */
3337 /* Fill in switch bounds, which we know fit in 16-bit offsets. */
3343 /*
3344 * Use malloc to avoid arena bloat for programs with many switches.
3345 * We free table if non-null at label out, so all control flow must
3346 * exit this function through goto out or goto bad.
3347 */
3361 }
3362 }
3366 /* Fill in the number of cases. */
3369 }
3371 /*
3372 * After this point, all control flow involving JSOP_TABLESWITCH
3373 * must set ok and goto out to exit this function. To keep things
3374 * simple, all switchOp cases exit that way.
3375 */
3378 /*
3379 * We have already generated at least one big jump so we must
3380 * explicitly add span dependencies for the switch jumps. When
3381 * called below, js_SetJumpOffset can only do it when patching
3382 * the first big jump or when cg->spanDeps is null.
3383 */
3386 }
3389 /*
3390 * Skip switchOp, as we are not setting jump offsets in the two
3391 * for loops below. We'll restore CG_NEXT(cg) from savepc after,
3392 * unless there was an error.
3393 */
3402 /* Note a propagated constant with the const's name. */
3411 }
3412 }
3414 }
3419 /* Note a propagated constant with the const's name. */
3428 }
3429 }
3431 }
3432 }
3434 }
3435 }
3437 /* Emit code for each case's statements, copying pn_offset up to pn3. */
3448 }
3451 /* If no default case, offset for default is to end of switch. */
3453 }
3455 /* We better have set "off" by now. */
3458 /* Set the default offset (to end of switch if no default). */
3472 }
3474 /* Set the SRC_SWITCH note's offset operand to tell end of switch. */
3481 /* Skip over the already-initialized switch bounds. */
3484 /* Fill in the jump table, if there is one. */
3492 }
3494 /* Skip over the already-initialized number of cases. */
3510 }
3511 }
3513 out:
3519 #if JS_HAS_BLOCK_SCOPE
3522 #endif
3523 }
3526 bad:
3529 }
3531 JSBool
3533 {
3535 /* JSOP_GENERATOR must be the first instruction. */
3542 /*
3543 * Emit a trace hint opcode only if not in a generator, since generators
3544 * are not yet traced and both want to be the first instruction.
3545 */
3548 }
3553 }
3558 }
3560 /* A macro for inlining at the top of js_EmitTree (whence it came). */
3561 #define UPDATE_LINE_NUMBER_NOTES(cx, cg, line) \
3562 JS_BEGIN_MACRO \
3563 uintN line_ = (line); \
3564 uintN delta_ = line_ - CG_CURRENT_LINE(cg); \
3565 if (delta_ != 0) { \
3566 /* \
3567 * Encode any change in the current source line number by using \
3568 * either several SRC_NEWLINE notes or just one SRC_SETLINE note, \
3569 * whichever consumes less space. \
3570 * \
3571 * NB: We handle backward line number deltas (possible with for \
3572 * loops where the update part is emitted after the body, but its \
3573 * line number is <= any line number in the body) here by letting \
3574 * unsigned delta_ wrap to a very large number, which triggers a \
3575 * SRC_SETLINE. \
3577 CG_CURRENT_LINE(cg) = line_; \
3578 if (delta_ >= (uintN)(2 + ((line_ > SN_3BYTE_OFFSET_MASK)<<1))) { \
3579 if (js_NewSrcNote2(cx, cg, SRC_SETLINE, (ptrdiff_t)line_) < 0)\
3580 return JS_FALSE; \
3581 } else { \
3582 do { \
3583 if (js_NewSrcNote(cx, cg, SRC_NEWLINE) < 0) \
3584 return JS_FALSE; \
3585 } while (--delta_ != 0); \
3586 } \
3587 } \
3588 JS_END_MACRO
3590 /* A function, so that we avoid macro-bloating all the other callsites. */
3591 static JSBool
3593 {
3596 }
3598 static JSBool
3601 {
3602 jsatomid atomIndex;
3612 }
3621 }
3626 }
3628 #if JS_HAS_DESTRUCTURING
3630 typedef JSBool
3634 static JSBool
3637 {
3644 }
3646 static JSBool
3649 {
3651 DestructuringDeclEmitter emitter;
3658 ? EmitDestructuringDecl
3662 }
3668 ? EmitDestructuringDecl
3672 }
3673 }
3675 }
3677 static JSBool
3680 static JSBool
3682 {
3683 /*
3684 * Now emit the lvalue opcode sequence. If the lvalue is a nested
3685 * destructuring initialiser-form, call ourselves to handle it, then
3686 * pop the matched value. Otherwise emit an lvalue bytecode sequence
3687 * ending with a JSOP_ENUMELEM or equivalent op.
3688 */
3700 }
3704 /*
3705 * NB: pn is a PN_NAME node, not a PN_BINARY. Nevertheless,
3706 * we want to emit JSOP_ENUMELEM, which has format JOF_ELEM.
3707 * So here and for JSOP_ENUMCONSTELEM, we use EmitElemOp.
3708 */
3719 {
3723 }
3727 {
3733 }
3736 {
3747 }
3751 }
3752 }
3755 }
3757 /*
3758 * Recursive helper for EmitDestructuringOps.
3759 *
3760 * Given a value to destructure on the stack, walk over an object or array
3761 * initialiser at pn, emitting bytecodes to match property values and store
3762 * them in the lvalues identified by the matched property names.
3763 */
3764 static JSBool
3766 {
3767 jsuint index;
3769 JSBool doElemOp;
3771 #ifdef DEBUG
3776 #endif
3779 /* Emit a DUP;POP sequence for the decompiler. */
3782 }
3786 /*
3787 * Duplicate the value being destructured to use as a reference base.
3788 * If dup is not the first one, annotate it for the decompiler.
3789 */
3795 /*
3796 * Now push the property name currently being matched, which is either
3797 * the array initialiser's current index, or the current property name
3798 * "label" on the left of a colon in the object initialiser. Set pn3
3799 * to the lvalue node, which is in the value-initializing position.
3800 */
3811 /*
3812 * If we are emitting an object destructuring initialiser,
3813 * annotate the index op with SRC_INITPROP so we know we are
3814 * not decompiling an array initialiser.
3815 */
3826 }
3828 }
3831 /*
3832 * Ok, get the value of the matching property name. This leaves
3833 * that value on top of the value being destructured, so the stack
3834 * is one deeper than when we started.
3835 */
3839 }
3841 /* Nullary comma node makes a hole in the array destructurer. */
3850 }
3854 }
3857 }
3859 static ptrdiff_t
3861 {
3871 }
3872 }
3874 static JSBool
3877 {
3878 /*
3879 * If we're called from a variable declaration, help the decompiler by
3880 * annotating the first JSOP_DUP that EmitDestructuringOpsHelper emits.
3881 * If the destructuring initialiser is empty, our helper will emit a
3882 * JSOP_DUP followed by a JSOP_POP for the decompiler.
3883 */
3887 /*
3888 * Call our recursive helper to emit the destructuring assignments and
3889 * related stack manipulations.
3890 */
3892 }
3894 static JSBool
3897 {
3906 }
3908 /* MaybeEmitGroupAssignment won't call us if rhs is holey. */
3913 }
3920 /* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
3933 }
3934 }
3940 }
3942 /*
3943 * Helper called with pop out param initialized to a JSOP_POP* opcode. If we
3944 * can emit a group assignment sequence, which results in 0 stack depth delta,
3945 * we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
3946 */
3947 static JSBool
3950 {
3963 }
3965 }
3969 static JSBool
3972 {
3974 #if JS_HAS_BLOCK_SCOPE
3977 #endif
3980 JSOp op;
3981 jsatomid atomIndex;
3982 uintN oldflags;
3984 /* Default in case of JS_HAS_BLOCK_SCOPE early return, below. */
3987 /*
3988 * Let blocks and expressions have a parenthesized head in which the new
3989 * scope is not yet open. Initializer evaluation uses the parent node's
3990 * lexical scope. If popScope is true below, then we hide the top lexical
3991 * block from any calls to BindNameToSlot hiding in pn2->pn_expr so that
3992 * it won't find any names in the new let block.
3993 *
3994 * The same goes for let declarations in the head of any kind of for loop.
3995 * Unlike a let declaration 'let x = i' within a block, where x is hoisted
3996 * to the start of the block, a 'for (let x = i...) ...' loop evaluates i
3997 * in the containing scope, and puts x in the loop body's scope.
3998 */
4001 #if JS_HAS_BLOCK_SCOPE
4007 }
4008 # ifdef __GNUC__
4010 # endif
4012 #endif
4020 #if JS_HAS_DESTRUCTURING
4022 /*
4023 * Emit variable binding ops, but not destructuring ops.
4024 * The parser (see Variables, jsparse.c) has ensured that
4025 * our caller will be the TOK_FOR/TOK_IN case in js_EmitTree,
4026 * and that case will emit the destructuring code only after
4027 * emitting an enumerating opcode and a branch that tests
4028 * whether the enumeration ended.
4029 */
4035 }
4036 #endif
4038 /*
4039 * A destructuring initialiser assignment preceded by var will
4040 * never occur to the left of 'in' in a for-in loop. As with 'for
4041 * (var x = i in o)...', this will cause the entire 'var [a, b] =
4042 * i' to be hoisted out of the loop.
4043 */
4047 /*
4048 * To allow the front end to rewrite var f = x; as f = x; when a
4049 * function f(){} precedes the var, detect simple name assignment
4050 * here and initialize the name.
4051 */
4052 #if !JS_HAS_DESTRUCTURING
4054 #else
4056 #endif
4057 {
4061 }
4063 #if JS_HAS_DESTRUCTURING
4065 /*
4066 * If this is the only destructuring assignment in the list,
4067 * try to optimize to a group assignment. If we're in a let
4068 * head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
4069 * in pn->pn_op, to suppress a second (and misplaced) 'let'.
4070 */
4077 }
4081 }
4082 }
4091 /*
4092 * Veto pn->pn_op if inLetHead to avoid emitting a SRC_DESTRUCT
4093 * that's redundant with respect to the SRC_DECL/SRC_DECL_LET that
4094 * we will emit at the bottom of this function.
4095 */
4098 pn3)) {
4100 }
4102 #endif
4103 }
4105 /*
4106 * Load initializer early to share code above that jumps to do_name.
4107 * NB: if this var redeclares an existing binding, then pn2 is linked
4108 * on its definition's use-chain and pn_expr has been overlayed with
4109 * pn_lexdef.
4110 */
4113 do_name:
4119 /* JSOP_ARGUMENTS => no initializer */
4122 #ifdef __GNUC__
4124 #endif
4136 }
4140 }
4142 #if JS_HAS_BLOCK_SCOPE
4143 /* Evaluate expr in the outer lexical scope if requested. */
4147 }
4148 #endif
4156 #if JS_HAS_BLOCK_SCOPE
4160 }
4161 #endif
4162 }
4163 }
4165 /*
4166 * The parser rewrites 'for (var x = i in o)' to hoist 'var x = i' --
4167 * likewise 'for (let x = i in o)' becomes 'i; for (let x in o)' using
4168 * a TOK_SEQ node to make the two statements appear as one. Therefore
4169 * if this declaration is part of a for-in loop head, we do not need to
4170 * emit op or any source note. Our caller, the TOK_FOR/TOK_IN case in
4171 * js_EmitTree, will annotate appropriately.
4172 */
4178 }
4184 ? SRC_DECL_CONST
4186 ? SRC_DECL_VAR
4189 }
4197 }
4199 #if JS_HAS_DESTRUCTURING
4200 emit_note_pop:
4201 #endif
4206 }
4213 }
4215 /* If this is a let head, emit and return a srcnote on the pop. */
4222 }
4225 }
4227 #if defined DEBUG_brendan || defined DEBUG_mrbkap
4228 static JSBool
4230 {
4241 }
4243 }
4244 #endif
4246 /* Top-level named functions need a nop for decompilation. */
4247 static JSBool
4249 {
4252 }
4254 static bool
4256 {
4259 #if JS_HAS_SHARP_VARS
4267 }
4268 #endif
4270 }
4272 static bool
4274 {
4275 #if JS_HAS_SHARP_VARS
4276 /* Emit an op for sharp array cleanup and decompilation. */
4279 #endif
4281 }
4283 /* See the SRC_FOR source note offsetBias comments later in this file. */
4287 JSBool
4289 {
4296 jsatomid atomIndex;
4297 uintN index;
4299 JSSrcNoteType noteType;
4301 JSOp op;
4302 TokenKind type;
4303 uint32 argc;
4304 #if JS_HAS_SHARP_VARS
4305 jsint sharpnum;
4306 #endif
4314 /* Emit notes to tell the current bytecode's source line number. */
4319 {
4321 uintN slot;
4323 #if JS_HAS_XML_SUPPORT
4328 }
4329 #endif
4334 /*
4335 * This second pass is needed to emit JSOP_NOP with a source note
4336 * for the already-emitted function definition prolog opcode. See
4337 * comments in the TOK_LC case.
4338 */
4344 }
4354 /* Generate code for the function's body. */
4361 }
4371 #if JS_HAS_SHARP_VARS
4376 }
4377 #endif
4382 /*
4383 * jsparse.cpp:SetStaticLevel limited static nesting depth to fit in 16
4384 * bits and to reserve the all-ones value, thereby reserving the magic
4385 * FREE_UPVAR_COOKIE value. Note the cg2->staticLevel assignment below.
4386 */
4390 /* We measured the max scope depth when we parsed the function. */
4401 /* Make the function object a literal in the outer script's pool. */
4404 /* Emit a bytecode pointing to the closure object in its immediate. */
4410 }
4413 }
4415 /*
4416 * For a script we emit the code as we parse. Thus the bytecode for
4417 * top-level functions should go in the prolog to predefine their
4418 * names in the variable object before the already-generated main code
4419 * is executed. This extra work for top-level scripts is not necessary
4420 * when we emit the code for a function. It is fully parsed prior to
4421 * invocation of the emitter and calls to js_EmitTree for function
4422 * definitions can be scheduled before generating the rest of code.
4423 */
4431 /* Emit NOP for the decompiler. */
4435 #ifdef DEBUG
4436 JSLocalKind localKind =
4437 #endif
4445 }
4447 }
4461 /* Initialize so we can detect else-if chains and avoid recursion. */
4466 if_again:
4467 /* Emit code for the condition before pushing stmtInfo. */
4474 /*
4475 * We came here from the goto further below that detects else-if
4476 * chains, so we must mutate stmtInfo back into a STMT_IF record.
4477 * Also (see below for why) we need a note offset for SRC_IF_ELSE
4478 * to help the decompiler. Actually, we need two offsets, one for
4479 * decompiling any else clause and the second for decompiling an
4480 * else-if chain without bracing, overindenting, or incorrectly
4481 * scoping let declarations.
4482 */
4490 }
4492 /* Emit an annotated branch-if-false around the then part. */
4501 /* Emit code for the then and optional else parts. */
4505 /* Modify stmtInfo so we know we're in the else part. */
4508 /*
4509 * Emit a JSOP_BACKPATCH op to jump from the end of our then part
4510 * around the else part. The js_PopStatementCG call at the bottom
4511 * of this switch case will fix up the backpatch chain linked from
4512 * stmtInfo.breaks.
4513 */
4518 /* Ensure the branch-if-false comes here, then emit the else. */
4523 }
4528 /*
4529 * Annotate SRC_IF_ELSE with the offset from branch to jump, for
4530 * the decompiler's benefit. We can't just "back up" from the pc
4531 * of the else clause, because we don't know whether an extended
4532 * jump was required to leap from the end of the then clause over
4533 * the else clause.
4534 */
4538 /* No else part, fixup the branch-if-false to come here. */
4540 }
4545 /* Out of line to avoid bloating js_EmitTree's stack frame size. */
4550 /*
4551 * Minimize bytecodes issued for one or more iterations by jumping to
4552 * the condition below the body and closing the loop if the condition
4553 * is true with a backward branch. For iteration count i:
4554 *
4555 * i test at the top test at the bottom
4556 * = =============== ==================
4557 * 0 ifeq-pass goto; ifne-fail
4558 * 1 ifeq-fail; goto; ifne-pass goto; ifne-pass; ifne-fail
4559 * 2 2*(ifeq-fail; goto); ifeq-pass goto; 2*ifne-pass; ifne-fail
4560 * . . .
4561 * N N*(ifeq-fail; goto); ifeq-pass goto; N*ifne-pass; ifne-fail
4562 *
4563 * SpiderMonkey, pre-mozilla.org, emitted while parsing and so used
4564 * test at the top. When JSParseNode trees were added during the ES3
4565 * work (1998-9), the code generation scheme was not optimized, and
4566 * the decompiler continued to take advantage of the branch and jump
4567 * that bracketed the body. But given the SRC_WHILE note, it is easy
4568 * to support the more efficient scheme.
4569 */
4594 /* Emit an annotated nop so we know to decompile a 'do' keyword. */
4599 /* Compile the loop body. */
4607 /* Set loop and enclosing label update offsets, for continue. */
4613 /* Compile the loop condition, now that continues know where to go. */
4617 /*
4618 * Since we use JSOP_IFNE for other purposes as well as for do-while
4619 * loops, we must store 1 + (beq - top) in the SRC_WHILE note offset,
4620 * and the decompiler must get that delta and decompile recursively.
4621 */
4637 /* Set stmtInfo type for later testing. */
4640 /*
4641 * If the left part is 'var x', emit code to define x if necessary
4642 * using a prolog opcode, but do not emit a pop. If the left part
4643 * is 'var x = i', emit prolog code to define x if necessary; then
4644 * emit code to evaluate i, assign the result to x, and pop the
4645 * result off the stack.
4646 *
4647 * All the logic to do this is implemented in the outer switch's
4648 * TOK_VAR case, conditioned on pn_xflags flags set by the parser.
4649 *
4650 * In the 'for (var x = i in o) ...' case, the js_EmitTree(...pn3)
4651 * called here will generate the proper note for the assignment
4652 * op that sets x = i, hoisting the initialized var declaration
4653 * out of the loop: 'var x = i; for (x in o) ...'.
4654 *
4655 * In the 'for (var x in o) ...' case, nothing but the prolog op
4656 * (if needed) should be generated here, we must emit the note
4657 * just before the JSOP_FOR* opcode in the switch on pn3->pn_type
4658 * a bit below, so nothing is hoisted: 'for (var x in o) ...'.
4659 *
4660 * A 'for (let x = i in o)' loop must not be hoisted, since in
4661 * this form the let variable is scoped by the loop body (but not
4662 * the head). The initializer expression i must be evaluated for
4663 * any side effects. So we hoist only i in the let case.
4664 */
4672 /* Compile the object expression to the right of 'in'. */
4676 /*
4677 * Emit a bytecode to convert top of stack value to the iterator
4678 * object depending on the loop variant (for-in, for-each-in, or
4679 * destructuring for-in).
4680 */
4685 /* Annotate so the decompiler can find the loop-closing jump. */
4690 /*
4691 * Jump down to the loop condition to minimize overhead assuming at
4692 * least one iteration, as the other loop forms do.
4693 */
4703 #ifdef DEBUG
4705 #endif
4707 /*
4708 * Compile a JSOP_FOR* bytecode based on the left hand side.
4709 *
4710 * Initialize op to JSOP_SETNAME in case of |for ([a, b] in o)...|
4711 * or similar, to signify assignment, rather than declaration, to
4712 * the decompiler. EmitDestructuringOps takes a prolog bytecode
4713 * parameter and emits the appropriate source note, defaulting to
4714 * assignment, so JSOP_SETNAME is not critical here; many similar
4715 * ops could be used -- just not JSOP_NOP (which means 'let').
4716 */
4719 #if JS_HAS_BLOCK_SCOPE
4721 #endif
4725 #if JS_HAS_DESTRUCTURING
4729 }
4733 }
4734 #else
4736 #endif
4737 /* FALL THROUGH */
4740 /*
4741 * Always annotate JSOP_FORLOCAL if given input of the form
4742 * 'for (let x in * o)' -- the decompiler must not hoist the
4743 * 'let x' out of the loop head, or x will be bound in the
4744 * wrong scope. Likewise, but in this case only for the sake
4745 * of higher decompilation fidelity only, do not hoist 'var x'
4746 * when given 'for (var x in o)'.
4747 */
4749 #if JS_HAS_BLOCK_SCOPE
4751 #endif
4755 ? SRC_DECL_VAR
4758 }
4769 }
4775 }
4778 JSMSG_BAD_FOR_LEFTSIDE);
4780 }
4787 }
4791 /*
4792 * 'for (o.p in q)' can use JSOP_FORPROP only if evaluating 'o'
4793 * has no side effects.
4794 */
4802 }
4803 /* FALL THROUGH */
4805 #if JS_HAS_DESTRUCTURING
4806 destructuring_for:
4807 #endif
4813 #if JS_HAS_DESTRUCTURING
4820 #endif
4828 #if JS_HAS_XML_SUPPORT
4836 #endif
4840 }
4842 /* The stack should be balanced around the JSOP_FOR* opcode sequence. */
4845 /* Set the first srcnote offset so we can find the start of the loop body. */
4849 /* Emit code for the loop body. */
4853 /* Set loop and enclosing "update" offsets, for continue. */
4859 /*
4860 * Fixup the goto that starts the loop to jump down to JSOP_MOREITER.
4861 */
4869 /* Set the second srcnote offset so we can find the closing jump. */
4873 /* C-style for (init; cond; update) ... loop. */
4877 /* No initializer: emit an annotated nop for the decompiler. */
4881 #if JS_HAS_DESTRUCTURING
4885 }
4886 #endif
4891 /*
4892 * Check whether a destructuring-initialized var decl
4893 * was optimized to a group assignment. If so, we do
4894 * not need to emit a pop below, so switch to a nop,
4895 * just for the decompiler.
4896 */
4900 }
4901 }
4903 }
4905 /*
4906 * NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
4907 * Use tmp to hold the biased srcnote "top" offset, which differs
4908 * from the top local variable by the length of the JSOP_GOTO{,X}
4909 * emitted in between tmp and top if this loop has a condition.
4910 */
4917 /* Goto the loop condition, which branches back to iterate. */
4921 }
4926 /* Emit code for the loop body. */
4932 /* Set the second note offset so we can find the update part. */
4937 }
4939 /* Set loop and enclosing "update" offsets, for continue. */
4945 /* Check for update code to do before the condition (if any). */
4949 #if JS_HAS_DESTRUCTURING
4953 }
4954 #endif
4958 /* Always emit the POP or NOP, to help the decompiler. */
4962 /* Restore the absolute line number for source note readers. */
4968 }
4969 }
4971 /* Set the first note offset so we can find the loop condition. */
4975 }
4978 /* Fix up the goto from top to target the loop condition. */
4984 }
4986 /* The third note offset helps us find the loop-closing jump. */
4990 }
4997 /* No loop condition -- emit the loop-closing jump. */
5001 }
5002 }
5004 /* Now fixup all breaks and continues (before for/in's JSOP_ENDITER). */
5012 }
5013 }
5031 }
5041 /* Find the loop statement enclosed by the matching label. */
5050 }
5058 }
5078 {
5080 intN depth;
5085 /*
5086 * Push stmtInfo to track jumps-over-catches and gosubs-to-finally
5087 * for later fixup.
5088 *
5089 * When a finally block is active (STMT_FINALLY in our tree context),
5090 * non-local jumps (including jumps-over-catches) result in a GOSUB
5091 * being written into the bytecode stream and fixed-up later (c.f.
5092 * EmitBackPatchOp and BackPatch).
5093 */
5098 /*
5099 * Since an exception can be thrown at any place inside the try block,
5100 * we need to restore the stack and the scope chain before we transfer
5101 * the control to the exception handler.
5102 *
5103 * For that we store in a try note associated with the catch or
5104 * finally block the stack depth upon the try entry. The interpreter
5105 * uses this depth to properly unwind the stack and the scope chain.
5106 */
5109 /* Mark try location for decompilation, then emit try block. */
5117 /* GOSUB to finally, if present. */
5124 }
5126 /* Emit (hidden) jump over catch and/or finally. */
5135 /* If this try has a catch block, emit it. */
5141 /*
5142 * The emitted code for a catch block looks like:
5143 *
5144 * [throwing] only if 2nd+ catch block
5145 * [leaveblock] only if 2nd+ catch block
5146 * enterblock with SRC_CATCH
5147 * exception
5148 * [dup] only if catchguard
5149 * setlocalpop <slot> or destructuring code
5150 * [< catchguard code >] if there's a catchguard
5151 * [ifeq <offset to next catch block>] " "
5152 * [pop] only if catchguard
5153 * < catch block contents >
5154 * leaveblock
5155 * goto <end of catch blocks> non-local; finally applies
5156 *
5157 * If there's no catch block without a catchguard, the last
5158 * <offset to next catch block> points to rethrow code. This
5159 * code will [gosub] to the finally code if appropriate, and is
5160 * also used for the catch-all trynote for capturing exceptions
5161 * thrown from catch{} blocks.
5162 */
5169 /* Fix up and clean up previous catch block. */
5172 /*
5173 * Account for JSOP_ENTERBLOCK (whose block object count
5174 * is saved below) and pushed exception object that we
5175 * still have after the jumping from the previous guard.
5176 */
5179 /*
5180 * Move exception back to cx->exception to prepare for
5181 * the next catch. We hide [throwing] from the decompiler
5182 * since it compensates for the hidden JSOP_DUP at the
5183 * start of the previous guarded catch.
5184 */
5188 }
5193 }
5195 /*
5196 * Annotate the JSOP_ENTERBLOCK that's about to be generated
5197 * by the call to js_EmitTree immediately below. Save this
5198 * source note's index in stmtInfo for use by the TOK_CATCH:
5199 * case, where the length of the catch guard is set as the
5200 * note's offset.
5201 */
5207 /*
5208 * Emit the lexical scope and catch body. Save the catch's
5209 * block object population via count, for use when targeting
5210 * guardJump at the next catch (the guard mismatch case).
5211 */
5217 /* gosub <finally>, if required */
5224 }
5226 /*
5227 * Jump over the remaining catch blocks. This will get fixed
5228 * up to jump to after catch/finally.
5229 */
5236 /*
5237 * Save a pointer to the last catch node to handle try-finally
5238 * and try-catch(guard)-finally special cases.
5239 */
5241 }
5242 }
5244 /*
5245 * Last catch guard jumps to the rethrow code sequence if none of the
5246 * guards match. Target guardJump at the beginning of the rethrow
5247 * sequence, just in case a guard expression throws and leaves the
5248 * stack unbalanced.
5249 */
5253 /* Sync the stack to take into account pushed exception. */
5257 /*
5258 * Rethrow the exception, delegating executing of finally if any
5259 * to the exception handler.
5260 */
5264 }
5265 }
5269 /* Emit finally handler if any. */
5272 /*
5273 * Fix up the gosubs that might have been emitted before non-local
5274 * jumps to the finally code.
5275 */
5281 /* Indicate that we're emitting a subroutine body. */
5289 }
5291 }
5298 }
5300 /* Fix up the end-of-try/catch jumps to come here. */
5304 /*
5305 * Add the try note last, to let post-order give us the right ordering
5306 * (first to last for a given nesting level, inner to outer by level).
5307 */
5311 }
5313 /*
5314 * If we've got a finally, mark try+catch region with additional
5315 * trynote to catch exceptions (re)thrown from a catch block or
5316 * for the try{}finally{} case.
5317 */
5321 }
5323 }
5326 {
5330 /*
5331 * Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
5332 * and save the block object atom.
5333 */
5340 /* Go up one statement info record to the TRY or FINALLY record. */
5344 /* Pick up the pending exception and bind it to the catch variable. */
5348 /*
5349 * Dup the exception object if there is a guard for rethrowing to use
5350 * it later when rethrowing or in other catches.
5351 */
5357 #if JS_HAS_DESTRUCTURING
5365 #endif
5368 /* Inline and specialize BindNameToSlot for pn2. */
5375 }
5377 /* Emit the guard expression, if there is one. */
5384 }
5385 /* ifeq <next block> */
5391 /* Pop duplicated exception object as we no longer need it. */
5394 }
5396 /* Emit the catch body. */
5400 /*
5401 * Annotate the JSOP_LEAVEBLOCK that will be emitted as we unwind via
5402 * our TOK_LEXICALSCOPE parent, so the decompiler knows to pop.
5403 */
5408 }
5416 /* Push a return value */
5424 }
5426 /*
5427 * EmitNonLocalJumpFixup may add fixup bytecode to close open try
5428 * blocks having finally clauses and to exit intermingled let blocks.
5429 * We can't simply transfer control flow to our caller in that case,
5430 * because we must gosub to those finally clauses from inner to outer,
5431 * with the correct stack pointer (i.e., after popping any with,
5432 * for/in, etc., slots nested inside the finally's try).
5433 *
5434 * In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
5435 * extra JSOP_RETRVAL after the fixups.
5436 */
5446 }
5449 #if JS_HAS_GENERATORS
5453 JSMSG_BAD_RETURN_OR_YIELD,
5454 js_yield_str);
5456 }
5463 }
5469 #endif
5472 {
5473 #if JS_HAS_XML_SUPPORT
5480 }
5481 #endif
5491 }
5497 /*
5498 * This block contains top-level function definitions. To ensure
5499 * that we emit the bytecode defining them before the rest of code
5500 * in the block we use a separate pass over functions. During the
5501 * main pass later the emitter will add JSOP_NOP with source notes
5502 * for the function to preserve the original functions position
5503 * when decompiling.
5504 *
5505 * Currently this is used only for functions, as compile-as-we go
5506 * mode for scripts does not allow separate emitter passes.
5507 */
5510 /*
5511 * Assign the destructuring arguments before defining any
5512 * functions, see bug 419662.
5513 */
5519 }
5527 /*
5528 * JSOP_DEFFUN in a top-level block with function
5529 * definitions appears, for example, when "if (true)"
5530 * is optimized away from "if (true) function x() {}".
5531 * See bug 428424.
5532 */
5534 }
5535 }
5536 }
5537 }
5541 }
5547 }
5551 }
5559 }
5566 /*
5567 * Top-level or called-from-a-native JS_Execute/EvaluateScript,
5568 * debugger, and eval frames may need the value of the ultimate
5569 * expression statement as the script's result, despite the fact
5570 * that it appears useless to the compiler.
5571 *
5572 * API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
5573 * calling JS_Compile* to suppress JSOP_POPV.
5574 */
5579 }
5581 /*
5582 * Don't eliminate apparently useless expressions if they are
5583 * labeled expression statements. The tc->topStmt->update test
5584 * catches the case where we are nesting in js_EmitTree for a
5585 * labeled compound statement.
5586 */
5594 JSMSG_USELESS_EXPR)) {
5596 }
5599 #if JS_HAS_DESTRUCTURING
5604 }
5605 #endif
5607 /*
5608 * Specialize JSOP_SETPROP to JSOP_SETMETHOD to defer or
5609 * avoid null closure cloning. Do this only for assignment
5610 * statements that are not completion values wanted by a
5611 * script evaluator, to ensure that the joined function
5612 * can't escape directly.
5613 */
5621 }
5626 }
5627 }
5628 }
5632 /* Emit an annotated nop so we know to decompile a label. */
5641 ? SRC_LABELBRACE
5648 }
5650 /* Emit code for the labeled statement. */
5658 /* If the statement was compound, emit a note for the end brace. */
5663 }
5664 }
5668 /*
5669 * Emit SRC_PCDELTA notes on each JSOP_POP between comma operands.
5670 * These notes help the decompiler bracket the bytecodes generated
5671 * from each sub-expression that follows a comma.
5672 */
5681 }
5689 }
5690 }
5694 /*
5695 * Check left operand type and generate specialized code for it.
5696 * Specialize to avoid ECMA "reference type" values on the operand
5697 * stack, which impose pervasive runtime "GetValue" costs.
5698 */
5714 }
5731 #if JS_HAS_DESTRUCTURING
5735 #endif
5740 #if JS_HAS_XML_SUPPORT
5748 #endif
5751 }
5763 }
5771 ? JSOP_GETGVAR
5773 ? JSOP_GETARG
5775 atomIndex);
5776 }
5791 }
5795 #if JS_HAS_XML_SUPPORT
5797 #endif
5804 }
5805 }
5807 /* Now emit the right operand (it may affect the namespace). */
5811 /* If += etc., emit the binary operator with a decompiler note. */
5813 /*
5814 * Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
5815 * declared in the current compilation unit, as in this case (just
5816 * a bit further below) we will avoid emitting the assignment op.
5817 */
5821 }
5824 }
5826 /* Left parts such as a.b.c and a[b].c need a decompiler note. */
5828 #if JS_HAS_DESTRUCTURING
5831 #endif
5834 }
5836 /* Finally, emit the specialized assignment bytecode. */
5841 /* FALL THROUGH */
5850 #if JS_HAS_DESTRUCTURING
5856 #endif
5857 #if JS_HAS_XML_SUPPORT
5862 #endif
5865 }
5869 /* Emit the condition, then branch if false to the else part. */
5879 /* Jump around else, fixup the branch, emit else, fixup jump. */
5885 /*
5886 * Because each branch pushes a single value, but our stack budgeting
5887 * analysis ignores branches, we now have to adjust cg->stackDepth to
5888 * ignore the value pushed by the first branch. Execution will follow
5889 * only one path, so we must decrement cg->stackDepth.
5890 *
5891 * Failing to do this will foil code, such as the try/catch/finally
5892 * exception handling code generator, that samples cg->stackDepth for
5893 * use at runtime (JSOP_SETSP), or in let expression and block code
5894 * generation, which must use the stack depth to compute local stack
5895 * indexes correctly.
5896 */
5908 /*
5909 * JSOP_OR converts the operand on the stack to boolean, and if true,
5910 * leaves the original operand value on the stack and jumps; otherwise
5911 * it pops and falls into the next bytecode, which evaluates the right
5912 * operand. The jump goes around the right operand evaluation.
5913 *
5914 * JSOP_AND converts the operand on the stack to boolean, and if false,
5915 * leaves the original operand value on the stack and jumps; otherwise
5916 * it pops and falls into the right operand's bytecode.
5917 */
5934 /* Left-associative operator chain: avoid too much recursion. */
5942 /* Emit nodes between the head and the tail. */
5954 }
5967 }
5971 /* For TCF_IN_FUNCTION test, see TOK_RB concerning JSOP_NEWARRAY. */
5974 /* Emit up to the first string literal conventionally. */
5982 }
5987 /*
5988 * Having seen a string literal, we know statically that the rest
5989 * of the additions are string concatenation, so we emit them as a
5990 * single concatn. First, do string conversion on the result of the
5991 * preceding zero or more additions so that any side effects of
5992 * string conversion occur before the next operand begins.
5993 */
6000 }
6007 }
6011 }
6024 /* Left-associative operator chain: avoid too much recursion. */
6034 }
6036 #if JS_HAS_XML_SUPPORT
6037 uintN oldflags;
6046 }
6048 /*
6049 * Binary :: has a right operand that brackets arbitrary code,
6050 * possibly including a let (a = b) ... expression. We must clear
6051 * TCF_IN_FOR_INIT to avoid mis-compiling such beasts.
6052 */
6055 #endif
6057 /* Binary operators that evaluate both operands unconditionally. */
6062 #if JS_HAS_XML_SUPPORT
6064 #endif
6067 }
6071 #if JS_HAS_XML_SUPPORT
6075 /* FALL THROUGH */
6076 #endif
6078 {
6079 uintN oldflags;
6081 /* Unary op, including unary +/-. */
6083 #if JS_HAS_XML_SUPPORT
6088 }
6089 #endif
6103 }
6107 /* Emit lvalue-specialized code for ++/-- operators. */
6129 }
6140 }
6141 }
6157 }
6161 #if JS_HAS_XML_SUPPORT
6171 #endif
6172 }
6176 /*
6177 * Under ECMA 3, deleting a non-reference returns true -- but alas we
6178 * must evaluate the operand if it appears it might have side effects.
6179 */
6192 }
6198 #if JS_HAS_XML_SUPPORT
6203 #endif
6209 /*
6210 * If useless, just emit JSOP_TRUE; otherwise convert delete foo()
6211 * to foo(), true (a comma expression, requiring SRC_PCDELTA).
6212 */
6227 }
6234 }
6235 }
6238 #if JS_HAS_XML_SUPPORT
6254 #endif
6257 /*
6258 * Pop a stack operand, convert it to object, get a property named by
6259 * this bytecode's immediate-indexed atom operand, and push its value
6260 * (not a reference to it).
6261 */
6266 #if JS_HAS_XML_SUPPORT
6268 #endif
6269 /*
6270 * Pop two operands, convert the left one to object and the right one
6271 * to property name (atom or tagged int), get the named property, and
6272 * push its value. Set the "obj" register to the result of ToObject
6273 * on the left operand.
6274 */
6280 {
6283 /*
6284 * Emit callable invocation or operator new (constructor call) code.
6285 * First, emit code for the left operand to evaluate the callable or
6286 * constructable object expression.
6287 *
6288 * For operator new applied to other expressions than E4X ones, we emit
6289 * JSOP_GETPROP instead of JSOP_CALLPROP, etc. This is necessary to
6290 * interpose the lambda-initialized method read barrier -- see the code
6291 * in jsinterp.cpp for JSOP_LAMBDA followed by JSOP_{SET,INIT}PROP.
6292 *
6293 * Then (or in a call case that has no explicit reference-base object)
6294 * we emit JSOP_NULL as a placeholder local GC root to hold the |this|
6295 * parameter: in the operator new case, the newborn instance; in the
6296 * base-less call case, a cookie meaning "use the global object as the
6297 * |this| value" (or in ES5 strict mode, "use undefined", so we should
6298 * use JSOP_PUSH instead of JSOP_NULL -- see bug 514570).
6299 */
6316 #if JS_HAS_XML_SUPPORT
6322 }
6323 #endif
6324 /* FALL THROUGH */
6326 /*
6327 * Push null as a placeholder for the global object, per ECMA-262
6328 * 11.2.3 step 6.
6329 */
6334 }
6338 /* Remember start of callable-object bytecode for decompilation hint. */
6341 /*
6342 * Emit code for each argument in order, then emit the JSOP_*CALL or
6343 * JSOP_NEW bytecode with a two-byte immediate telling how many args
6344 * were pushed on the operand stack.
6345 */
6351 }
6360 /* Add a trace hint opcode for recursion. */
6363 }
6367 }
6370 {
6372 uintN count;
6377 /*
6378 * If this lexical scope is not for a catch block, let block or let
6379 * expression, or any kind of for loop (where the scope starts in the
6380 * head after the first part if for (;;), else in the body if for-in);
6381 * and if our container is top-level but not a function body, or else
6382 * a block statement; then emit a SRC_BRACE note. All other container
6383 * statements get braces by default from the decompiler.
6384 */
6391 #if defined DEBUG_brendan || defined DEBUG_mrbkap
6392 /* There must be no source note already output for the next op. */
6396 #endif
6400 }
6418 }
6419 }
6421 /* Emit the JSOP_LEAVEBLOCK or JSOP_LEAVEBLOCKEXPR opcode. */
6427 }
6429 #if JS_HAS_BLOCK_SCOPE
6431 /* Let statements have their variable declarations on the left. */
6437 }
6439 /* Non-null pn2 means that pn is the variable list from a let head. */
6444 /* Thus non-null pn2 is the body of the let block or expression. */
6453 }
6457 #if JS_HAS_GENERATORS
6459 jsint slot;
6461 /*
6462 * The array object's stack index is in cg->arrayCompDepth. See below
6463 * under the array initialiser code generator for array comprehension
6464 * special casing.
6465 */
6473 }
6474 #endif
6477 #if JS_HAS_GENERATORS
6479 #endif
6480 /*
6481 * Emit code for [a, b, c] that is equivalent to constructing a new
6482 * array and in source order evaluating each element value and adding
6483 * it to the array, without invoking latent setters. We use the
6484 * JSOP_NEWINIT and JSOP_INITELEM bytecodes to ignore setters and to
6485 * avoid dup'ing and popping the array as each element is added, as
6486 * JSOP_SETELEM/JSOP_SETPROP would do.
6487 *
6488 * If no sharp variable is defined, the initializer is not for an array
6489 * comprehension, the initializer is not overlarge, and the initializer
6490 * is not in global code (whose stack growth cannot be precisely modeled
6491 * due to the need to reserve space for global variables and regular
6492 * expressions), use JSOP_NEWARRAY to minimize opcodes and to create the
6493 * array using a fast, all-at-once process rather than a slow, element-
6494 * by-element process.
6495 */
6496 #if JS_HAS_SHARP_VARS
6498 do_emit_array:
6499 #endif
6502 ? JSOP_NEWARRAY
6505 #if JS_HAS_GENERATORS
6508 #endif
6509 #if JS_HAS_SHARP_VARS
6513 #endif
6518 #if JS_HAS_GENERATORS
6520 uintN saveDepth;
6522 /*
6523 * Pass the new array's stack index to the TOK_ARRAYPUSH case via
6524 * cg->arrayCompDepth, then simply traverse the TOK_FOR node and
6525 * its kids under pn2 to generate this comprehension.
6526 */
6534 /* Emit the usual op needed for decompilation. */
6538 }
6551 }
6554 }
6558 /* Emit a source note so we know to decompile an extra comma. */
6561 }
6564 /*
6565 * Emit an op to finish the array and, secondarily, to aid in sharp
6566 * array cleanup (if JS_HAS_SHARP_VARS) and decompilation.
6567 */
6571 }
6578 #if JS_HAS_SHARP_VARS
6580 do_emit_object:
6581 #endif
6582 #if JS_HAS_DESTRUCTURING_SHORTHAND
6586 }
6587 #endif
6588 /*
6589 * Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
6590 * a new object and in source order evaluating each property value and
6591 * adding the property to the object, without invoking latent setters.
6592 * We use the JSOP_NEWINIT and JSOP_INITELEM/JSOP_INITPROP bytecodes to
6593 * ignore setters and to avoid dup'ing and popping the object as each
6594 * property is added, as JSOP_SETELEM/JSOP_SETPROP would do.
6595 */
6601 /* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
6606 }
6608 /* Emit code for the property initializer. */
6616 }
6618 /* Annotate JSOP_INITELEM so we decompile 2:c and not just c. */
6631 /* Check whether we can optimize to JSOP_INITMETHOD. */
6637 {
6644 }
6647 }
6648 }
6653 }
6657 }
6659 #if JS_HAS_SHARP_VARS
6666 # if JS_HAS_GENERATORS
6669 # endif
6685 /*
6686 * Cope with a left-over function definition that was replaced by a use
6687 * of a later function definition of the same name. See FunctionDef and
6688 * MakeDefIntoUse in jsparse.cpp.
6689 */
6696 #if JS_HAS_XML_SUPPORT
6702 #endif
6712 /*
6713 * If the regexp's script is one-shot and the regexp is not used in a
6714 * loop, we can avoid the extra fork-on-exec costs of JSOP_REGEXP by
6715 * selecting JSOP_OBJECT. Otherwise, to avoid incorrect proto, parent,
6716 * and lastIndex sharing, select JSOP_REGEXP.
6717 */
6725 }
6726 }
6727 }
6733 cg);
6734 }
6736 }
6738 #if JS_HAS_XML_SUPPORT
6740 #endif
6746 #if JS_HAS_DEBUGGER_KEYWORD
6753 #if JS_HAS_XML_SUPPORT
6760 /* FALL THROUGH */
6767 }
6773 }
6778 }
6788 }
6791 }
6792 #ifdef DEBUG
6793 else
6795 #endif
6801 {
6802 uint32 i;
6828 }
6834 }
6838 }
6839 }
6854 }
6863 }
6868 }
6874 }
6890 }
6897 }
6900 }
6902 /*
6903 * We should try to get rid of offsetBias (always 0 or 1, where 1 is
6904 * JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR and SRC_DECL.
6905 */
6932 };
6934 static intN
6936 {
6937 intN index;
6946 /* Allocate the first note array lazily; leave noteMask alone. */
6949 /* Grow by doubling note array size; update noteMask on success. */
6953 }
6957 }
6958 }
6962 }
6964 intN
6966 {
6971 /*
6972 * Claim a note slot in CG_NOTES(cg) by growing it if necessary and then
6973 * incrementing CG_NOTE_COUNT(cg).
6974 */
6980 /*
6981 * Compute delta from the last annotated bytecode's offset. If it's too
6982 * big to fit in sn, allocate one or more xdelta notes and reset sn.
6983 */
6997 }
6999 /*
7000 * Initialize type and delta, then allocate the minimum number of notes
7001 * needed for type's arity. Usually, we won't need more, but if an offset
7002 * does take two bytes, js_SetSrcNoteOffset will grow CG_NOTES(cg).
7003 */
7008 }
7010 }
7012 intN
7015 {
7016 intN index;
7022 }
7024 }
7026 intN
7029 {
7030 intN index;
7038 }
7040 }
7042 static JSBool
7044 {
7048 /* Grow by doubling note array size; update noteMask on success. */
7055 }
7058 }
7060 jssrcnote *
7063 {
7065 intN index;
7067 /*
7068 * Called only from OptimizeSpanDeps and js_FinishTakingSrcNotes to add to
7069 * main script note deltas, and only by a small positive amount.
7070 */
7085 }
7090 sn++;
7091 }
7093 }
7097 {
7098 uintN arity;
7105 }
7107 }
7111 {
7112 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7118 }
7123 }
7125 }
7127 JSBool
7130 {
7137 }
7139 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7146 }
7148 /* See if the new offset requires three bytes. */
7150 /* Maybe this offset was already set to a three-byte value. */
7152 /* Losing, need to insert another two bytes for this offset. */
7155 /*
7156 * Simultaneously test to see if the source note array must grow to
7157 * accommodate either the first or second byte of additional storage
7158 * required by this 3-byte offset.
7159 */
7164 }
7171 }
7174 }
7177 }
7179 #ifdef DEBUG_notme
7180 #define DEBUG_srcnotesize
7181 #endif
7183 #ifdef DEBUG_srcnotesize
7184 #define NBINS 10
7188 {
7197 }
7204 }
7206 }
7207 #endif
7209 /*
7210 * Fill in the storage at notes with prolog and main srcnotes; the space at
7211 * notes was allocated using the CG_COUNT_FINAL_SRCNOTES macro from jsemit.h.
7212 * SO DON'T CHANGE THIS FUNCTION WITHOUT AT LEAST CHECKING WHETHER jsemit.h's
7213 * CG_COUNT_FINAL_SRCNOTES MACRO NEEDS CORRESPONDING CHANGES!
7214 */
7215 JSBool
7217 {
7232 /*
7233 * Either no prolog srcnotes, or no line number change over prolog.
7234 * We don't need a SRC_SETLINE, but we may need to adjust the offset
7235 * of the first main note, by adding to its delta and possibly even
7236 * prepending SRC_XDELTA notes to it to account for prolog bytecodes
7237 * that came at and after the last annotated bytecode.
7238 */
7242 /* NB: Use as much of the first main note's delta as we can. */
7257 }
7258 }
7259 }
7268 #ifdef DEBUG_notme
7273 }
7274 #endif
7276 }
7278 static JSBool
7281 {
7293 }
7303 }
7305 void
7307 {
7318 }
7320 /*
7321 * Find the index of the given object for code generator.
7322 *
7323 * Since the emitter refers to each parsed object only once, for the index we
7324 * use the number of already indexes objects. We also add the object to a list
7325 * to convert the list to a fixed-size array when we complete code generation,
7326 * see JSCGObjectList::finish below.
7327 *
7328 * Most of the objects go to JSCodeGenerator.objectList but for regexp we use a
7329 * separated JSCodeGenerator.regexpList. In this way the emitted index can be
7330 * directly used to store and fetch a reference to a cloned RegExp object that
7331 * shares the same JSRegExp private data created for the object literal in
7332 * objbox. We need a cloned object to hold lastIndex and other direct properties
7333 * that should not be shared among threads sharing a precompiled function or
7334 * script.
7335 *
7336 * If the code being compiled is function code, allocate a reserved slot in
7337 * the cloned function object that shares its precompiled script with other
7338 * cloned function objects and with the compiler-created clone-parent. There
7339 * are nregexps = script->regexps()->length such reserved slots in each
7340 * function object cloned from fun->object. NB: during compilation, a funobj
7341 * slots element must never be allocated, because js_AllocSlot could hand out
7342 * one of the slots that should be given to a regexp clone.
7343 *
7344 * If the code being compiled is global code, the cloned regexp are stored in
7345 * fp->vars slot after cg->ngvars and to protect regexp slots from GC we set
7346 * fp->nvars to ngvars + nregexps.
7347 *
7348 * The slots initially contain undefined or null. We populate them lazily when
7349 * JSOP_REGEXP is executed for the first time.
7350 *
7351 * Why clone regexp objects? ECMA specifies that when a regular expression
7352 * literal is scanned, a RegExp object is created. In the spec, compilation
7353 * and execution happen indivisibly, but in this implementation and many of
7354 * its embeddings, code is precompiled early and re-executed in multiple
7355 * threads, or using multiple global objects, or both, for efficiency.
7356 *
7357 * In such cases, naively following ECMA leads to wrongful sharing of RegExp
7358 * objects, which makes for collisions on the lastIndex property (especially
7359 * for global regexps) and on any ad-hoc properties. Also, __proto__ refers to
7360 * the pre-compilation prototype, a pigeon-hole problem for instanceof tests.
7361 */
7362 uintN
7364 {
7369 }
7371 void
7373 {
7388 }
7390 void
7392 {
7398 }