| blob | a505c266e7252c2c6a43f7e875c55cc24bbb7e37 |
1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JavaScript bytecode interpreter.
43 */
44 #include <stdio.h>
45 #include <string.h>
46 #include <math.h>
92 #if JS_HAS_XML_SUPPORT
94 #endif
98 #if defined(JS_METHODJIT) && defined(JS_MONOIC)
100 #endif
105 /* jsinvoke_cpp___ indicates inclusion from jsinvoke.cpp. */
106 #if !JS_LONE_INTERPRET ^ defined jsinvoke_cpp___
108 #ifdef DEBUG
110 #endif
112 jsbytecode *
114 {
124 }
135 #if defined(JS_METHODJIT) && defined(JS_MONOIC)
141 /* Could overflow here on a script with 2 billion calls. Oh well. */
145 /*
146 * Use >= here as the return address of the call is likely to be
147 * the start address of the next (possibly IC'ed) operation.
148 */
151 else
153 }
157 JS_ASSERT((uint8*)callIC.funGuard.executableAddress() + callIC.joinPointOffset == next->ncode_);
159 #else
162 #endif
163 }
165 JSObject *
167 {
170 /*
171 * There is no code active on this context. In place of an actual
172 * scope chain, use the context's global object, which is set in
173 * js_InitFunctionAndObjectClasses, and which represents the default
174 * scope chain for the embedding. See also js_FindClassObject.
175 *
176 * For embeddings that use the inner and outer object hooks, the inner
177 * object represents the ultimate global object, with the outer object
178 * acting as a stand-in.
179 */
184 }
188 }
190 }
192 /*
193 * This computes the blockChain by iterating through the bytecode
194 * of the current script until it reaches the PC. Each time it sees
195 * an ENTERBLOCK or LEAVEBLOCK instruction, it records the new
196 * blockChain. A faster variant of this function that doesn't
197 * require bytecode scanning appears below.
198 */
199 JSObject *
201 {
205 /* Assume that imacros don't affect blockChain */
236 }
239 }
241 /*
242 * This function computes the current blockChain, but only in
243 * the special case where a BLOCKCHAIN or NULLBLOCKCHAIN
244 * instruction appears immediately after the current PC.
245 * We ensure this happens for a few important ops like DEFFUN.
246 * |oplen| is the length of opcode at the current PC.
247 */
248 JSObject *
250 {
251 /* Assume that we're in a script frame. */
259 /* The fast paths assume no JSOP_RESETBASE/INDEXBASE noise. */
266 }
268 /*
269 * We can't determine in advance which local variables can live on the stack and
270 * be freed when their dynamic scope ends, and which will be closed over and
271 * need to live in the heap. So we place variables on the stack initially, note
272 * when they are closed over, and copy those that are out to the heap when we
273 * leave their dynamic scope.
274 *
275 * The bytecode compiler produces a tree of block objects accompanying each
276 * JSScript representing those lexical blocks in the script that have let-bound
277 * variables associated with them. These block objects are never modified, and
278 * never become part of any function's scope chain. Their parent slots point to
279 * the innermost block that encloses them, or are NULL in the outermost blocks
280 * within a function or in eval or global code.
281 *
282 * When we are in the static scope of such a block, blockChain points to its
283 * compiler-allocated block object; otherwise, it is NULL.
284 *
285 * scopeChain is the current scope chain, including 'call' and 'block' objects
286 * for those function calls and lexical blocks whose static scope we are
287 * currently executing in, and 'with' objects for with statements; the chain is
288 * typically terminated by a global object. However, as an optimization, the
289 * young end of the chain omits block objects we have not yet cloned. To create
290 * a closure, we clone the missing blocks from blockChain (which is always
291 * current), place them at the head of scopeChain, and use that for the
292 * closure's scope chain. If we never close over a lexical block, we never
293 * place a mutable clone of it on scopeChain.
294 *
295 * This lazy cloning is implemented in GetScopeChain, which is also used in
296 * some other cases --- entering 'with' blocks, for example.
297 */
300 {
304 /*
305 * Don't force a call object for a lightweight function call, but do
306 * insist that there is a call object for a heavyweight function call.
307 */
311 }
313 /* We don't handle cloning blocks on trace. */
316 /*
317 * We have one or more lexical scopes to reflect into fp->scopeChain, so
318 * make sure there's a call object at the current head of the scope chain,
319 * if this frame is a call frame.
320 *
321 * Also, identify the innermost compiler-allocated block we needn't clone.
322 */
330 /* We know we must clone everything on blockChain. */
333 /*
334 * scopeChain includes all blocks whose static scope we're within that
335 * have already been cloned. Find the innermost such block. Its
336 * prototype should appear on blockChain; we'll clone blockChain up
337 * to, but not including, that prototype.
338 */
344 /*
345 * It may seem like we don't know enough about limitClone to be able
346 * to just grab its prototype as we do here, but it's actually okay.
347 *
348 * If limitClone is a block object belonging to this frame, then its
349 * prototype is the innermost entry in blockChain that we have already
350 * cloned, and is thus the place to stop when we clone below.
351 *
352 * Otherwise, there are no blocks for this frame on scopeChain, and we
353 * need to clone the whole blockChain. In this case, limitBlock can
354 * point to any object known not to be on blockChain, since we simply
355 * loop until we hit limitBlock or NULL. If limitClone is a block, it
356 * isn't a block from this function, since blocks can't be nested
357 * within themselves on scopeChain (recursion is dynamic nesting, not
358 * static nesting). If limitClone isn't a block, its prototype won't
359 * be a block either. So we can just grab limitClone's prototype here
360 * regardless of its type or which frame it belongs to.
361 */
364 /* If the innermost block has already been cloned, we are done. */
367 }
369 /*
370 * Special-case cloning the innermost block; this doesn't have enough in
371 * common with subsequent steps to include in the loop.
372 *
373 * js_CloneBlockObject leaves the clone's parent slot uninitialized. We
374 * populate it below.
375 */
381 /*
382 * Clone our way towards outer scopes until we reach the innermost
383 * enclosing function, or the innermost block we've already cloned.
384 */
390 /* Sometimes limitBlock will be NULL, so check that first. */
394 /* As in the call above, we don't know the real parent yet. */
401 }
405 /*
406 * If we found a limit block belonging to this frame, then we should have
407 * found it in blockChain.
408 */
412 sharedBlock);
414 /* Place our newly cloned blocks at the head of the scope chain. */
417 }
419 JSObject *
421 {
423 }
425 JSObject *
427 {
429 }
431 /* Some objects (e.g., With) delegate 'this' to another object. */
434 {
440 }
442 /*
443 * ECMA requires "the global object", but in embeddings such as the browser,
444 * which have multiple top-level objects (windows, frames, etc. in the DOM),
445 * we prefer fun's parent. An example that causes this code to run:
446 *
447 * // in window w1
448 * function f() { return this }
449 * function g() { return f }
450 *
451 * // in window w2
452 * var h = w1.g()
453 * alert(h() == w1)
454 *
455 * The alert should display "true".
456 */
457 JS_STATIC_INTERPRET bool
459 {
465 }
469 void
471 {
474 #ifdef DEBUG
485 }
486 #endif
498 ? js_null_str
500 ? js_undefined_str
502 JSAutoByteString funNameBytes;
506 }
507 }
508 }
510 bool
512 {
513 /*
514 * Check for SynthesizeFrame poisoning and fast constructors which
515 * didn't check their vp properly.
516 */
527 }
529 }
531 #if JS_HAS_NO_SUCH_METHOD
536 Class js_NoSuchMethodClass = {
543 EnumerateStub,
544 ResolveStub,
545 ConvertStub,
546 };
548 /*
549 * When JSOP_CALLPROP or JSOP_CALLELEM does not find the method property of
550 * the base object, we search for the __noSuchMethod__ method in the base.
551 * If it exists, we store the method and the property's id into an object of
552 * NoSuchMethod class and store this object into the callee's stack slot.
553 * Later, js_Invoke will recognise such an object and transfer control to
554 * NoSuchMethod that invokes the method like:
555 *
556 * this.__noSuchMethod__(id, args)
557 *
558 * where id is the name of the method that this invocation attempted to
559 * call by name, and args is an Array containing this invocation's actual
560 * parameters.
561 */
562 JSBool
564 {
575 #if JS_HAS_XML_SUPPORT
576 /* Extract the function name from function::name qname. */
583 }
584 #endif
589 /*
590 * Null map to cause prompt and safe crash if this object were to
591 * escape due to a bug. This will make the object appear to be a
592 * stillborn instance that needs no finalization, which is sound:
593 * NoSuchMethod helper objects own no manually allocated resources.
594 */
600 }
602 }
604 static JS_REQUIRES_STACK JSBool
606 {
607 InvokeArgsGuard args;
628 }
634 JS_REQUIRES_STACK bool
636 {
639 #ifdef JS_METHODJIT_SPEW
641 #endif
648 #ifdef JS_METHODJIT
655 #endif
658 }
660 /*
661 * Find a function reference and its 'this' value implicit first parameter
662 * under argc arguments on cx's stack, and call the function. Push missing
663 * required arguments, allocate declared local variables, and pop everything
664 * when done. Then push the return value.
665 */
666 JS_REQUIRES_STACK bool
668 {
669 /* N.B. Must be kept in sync with InvokeSessionGuard::start/invoke */
677 }
682 /* Invoke non-functions. */
684 #if JS_HAS_NO_SUCH_METHOD
687 #endif
692 }
694 }
696 /* Invoke native functions. */
702 /* Handle the empty-script special case. */
712 }
714 }
716 /* Get pointer to new frame/slots, prepare arguments. */
717 InvokeFrameGuard frame;
721 /* Initialize frame, locals. */
726 /* Officially push fp. frame's destructor pops. */
729 /* Now that the new frame is rooted, maybe create a call object. */
733 /* Run function until JSOP_STOP, JSOP_RETURN or error. */
734 JSBool ok;
735 {
738 }
744 }
746 bool
748 {
749 #ifdef JS_TRACER
752 #ifdef JS_METHODJIT
755 #endif
757 #endif
759 /* Always push arguments, regardless of optimized/normal invoke. */
764 /* Callees may clobber 'this' or 'callee'. */
769 /* Hoist dynamic checks from scripted Invoke. */
782 /* Push the stack frame once for the session. */
790 #ifdef JS_METHODJIT
791 /* Hoist dynamic checks from RunScript. */
797 /* Cannot also cache the raw code pointer; it can change. */
799 /* Hoist dynamic checks from CheckStackAndEnterMethodJIT. */
807 #endif
809 /* Cached to avoid canonicalActualArg in InvokeSessionGuard::operator[]. */
817 /*
818 * Use the normal invoke path.
819 *
820 * The callee slot gets overwritten during an unoptimized Invoke, so we
821 * cache it here and restore it before every Invoke call. The 'this' value
822 * does not get overwritten, so we can fill it here once.
823 */
829 }
831 bool
834 {
837 InvokeArgsGuard args;
846 /*
847 * We must call the thisObject hook in case we are not called from the
848 * interpreter, where a prior bytecode has computed an appropriate
849 * |this| already.
850 */
856 }
863 }
865 bool
868 {
871 InvokeArgsGuard args;
884 }
886 bool
889 {
892 /*
893 * ExternalInvoke could result in another try to get or set the same id
894 * again, see bug 355497.
895 */
899 }
901 bool
904 {
912 }
916 /*
917 * Get a pointer to new frame/slots. This memory is not "claimed", so the
918 * code before pushExecuteFrame must not reenter the interpreter.
919 */
920 ExecuteFrameGuard frame;
924 /* Initialize fixed slots (GVAR ops expect NULL). */
927 /* Initialize frame and locals. */
933 /*
934 * We want to call |prev->varobj()|, but this requires knowing the
935 * CallStackSegment of |prev|. If |prev == cx->fp()|, the callstack is
936 * simply the context's active callstack, so we can use
937 * |prev->varobj(cx)|. When |prev != cx->fp()|, we need to do a slow
938 * linear search. Luckily, this only happens with EvaluateInFrame.
939 */
944 /* The scope chain could be anything, so innerize just in case. */
950 /* If we were handed a non-native object, complain bitterly. */
953 JSMSG_NON_NATIVE_SCOPE);
955 }
957 /* Initialize frame. */
960 /* Compute 'this'. */
967 }
969 /*
970 * Strict mode eval code receives its own, fresh lexical environment; thus
971 * strict mode eval can't mutate its calling frame's binding set.
972 */
980 /* Clear the Call object propagated from the previous frame, if any. */
984 }
987 #if JS_HAS_SHARP_VARS
1004 }
1005 }
1006 #endif
1008 /* Officially push |fp|. |frame|'s destructor pops. */
1011 /* Now that the frame has been pushed, we can call the thisObject hook. */
1017 }
1021 /* Run script until JSOP_STOP or error. */
1030 }
1032 bool
1035 {
1042 /*
1043 * Both objp and propp must be either null or given. When given, *propp
1044 * must be null. This way we avoid an extra "if (propp) *propp = NULL" for
1045 * the common case of a nonexistent property.
1046 */
1050 /* The JSPROP_INITIALIZER case below may generate a warning. Since we must
1051 * drop the property before reporting it, we insists on !propp to avoid
1052 * looking up the property again after the reporting is done.
1053 */
1066 }
1073 }
1076 /* Allow the new object to override properties. */
1080 /* The property must be dropped already. */
1084 #ifdef __GNUC__
1086 #endif
1088 /* We allow redeclaring some non-readonly properties. */
1090 /* Allow redeclaration of variables and functions. */
1094 /*
1095 * Allow adding a getter only if a property already has a setter
1096 * but no getter and similarly for adding a setter. That is, we
1097 * allow only the following transitions:
1098 *
1099 * no-property --> getter --> getter + setter
1100 * no-property --> setter --> getter + setter
1101 */
1105 /*
1106 * Allow redeclaration of an impermanent property (in which case
1107 * anyone could delete it and redefine it, willy-nilly).
1108 */
1111 }
1116 Value value;
1120 }
1121 }
1126 ? js_getter_str
1128 ? js_setter_str
1130 ? js_const_str
1131 : isFunction
1132 ? js_function_str
1134 JSAutoByteString bytes;
1140 JSMSG_REDECLARED_VAR,
1142 }
1144 JSBool
1146 {
1153 }
1155 bool
1157 {
1165 }
1169 }
1173 }
1176 }
1183 }
1189 }
1193 }
1197 {
1199 }
1203 {
1205 }
1207 bool
1209 {
1213 }
1217 }
1221 }
1223 }
1225 JSType
1227 {
1241 }
1243 bool
1245 {
1250 JSAutoByteString funNameBytes;
1255 }
1256 }
1257 }
1259 }
1261 JS_REQUIRES_STACK bool
1263 {
1271 }
1273 /* Handle the fast-constructors cases before falling into the general case . */
1281 }
1285 }
1287 /* Scripts create their own |this| in JSOP_BEGIN */
1293 }
1300 /* native [[Construct]] returning primitive is error */
1301 JSAutoByteString bytes;
1306 }
1307 }
1309 /* The interpreter fixes rval for us. */
1313 }
1317 }
1319 bool
1322 {
1325 InvokeArgsGuard args;
1330 /* Initialize args.thisv on all paths below. */
1333 /* Handle the fast-constructor cases before calling the general case. */
1347 }
1351 }
1353 bool
1355 {
1372 }
1374 bool
1376 {
1381 }
1383 #if JS_HAS_XML_SUPPORT
1389 }
1390 }
1391 #endif
1394 }
1398 /*
1399 * Enter the new with scope using an object at sp[-1] and associate the depth
1400 * of the with block with sp + stackIndex.
1401 */
1402 JS_STATIC_INTERPRET JS_REQUIRES_STACK JSBool
1404 {
1418 }
1435 }
1437 JS_STATIC_INTERPRET JS_REQUIRES_STACK void
1439 {
1448 }
1450 JS_REQUIRES_STACK Class *
1452 {
1460 }
1462 }
1464 /*
1465 * Unwind block and scope chains to match the given depth. The function sets
1466 * fp->sp on return to stackDepth.
1467 */
1468 JS_REQUIRES_STACK JSBool
1470 {
1482 /* Don't fail until after we've updated all stacks. */
1486 }
1487 }
1491 }
1493 JS_STATIC_INTERPRET JSBool
1495 {
1504 }
1513 }
1517 {
1537 }
1540 }
1542 #ifdef DEBUG
1544 JS_STATIC_INTERPRET JS_REQUIRES_STACK void
1546 {
1551 JSOp op;
1558 /*
1559 * Operations in prologues don't produce interesting values, and
1560 * js_DecompileValueGenerator isn't set up to handle them anyway.
1561 */
1567 /*
1568 * If there aren't that many elements on the stack, then we have
1569 * probably entered a new frame, and printing output would just be
1570 * misleading.
1571 */
1579 bytes);
1583 }
1584 }
1586 }
1590 /*
1591 * Call objects have NULL convert ops so that we catch cases
1592 * where they escape. So js_ValueToString doesn't work on them.
1593 */
1603 }
1604 }
1606 }
1608 }
1624 bytes);
1628 }
1629 }
1631 }
1634 /* It's nice to have complete logs when debugging a crash. */
1636 }
1640 #ifdef JS_OPMETER
1642 # include <stdlib.h>
1644 # define HIST_NSLOTS 8
1646 /*
1647 * The second dimension is hardcoded at 256 because we know that many bits fit
1648 * in a byte, and mainly to optimize away multiplying by JSOP_LIMIT to address
1649 * any particular row.
1650 */
1654 JS_STATIC_INTERPRET void
1656 {
1659 }
1661 JS_STATIC_INTERPRET void
1663 {
1666 }
1671 uint32 count;
1674 static int
1676 {
1681 }
1683 void
1685 {
1699 }
1708 }
1709 }
1710 }
1712 # define SIGNIFICANT(count,total) (200. * (count) >= (total))
1726 }
1727 }
1728 }
1731 # undef SIGNIFICANT
1740 }
1744 }
1756 }
1768 /* Reuse j in the next loop, since we break after. */
1774 }
1775 }
1776 }
1778 }
1784 #ifndef jsinvoke_cpp___
1786 #ifdef JS_REPRMETER
1787 // jsval representation metering: this measures the kinds of jsvals that
1788 // are used as inputs to each JSOp.
1791 NONE,
1792 INT,
1793 DOUBLE,
1794 BOOLEAN_PROPER,
1795 BOOLEAN_OTHER,
1796 STRING,
1797 OBJECT_NULL,
1798 OBJECT_PLAIN,
1799 FUNCTION_INTERPRETED,
1800 FUNCTION_FASTNATIVE,
1801 ARRAY_SLOW,
1802 ARRAY_DENSE
1803 };
1805 // Return the |repr| value giving the representation of the given jsval.
1806 static Repr
1808 {
1815 ? BOOLEAN_PROPER
1817 }
1829 }
1830 // This must come before the general array test, because that
1831 // one subsumes this one.
1839 }
1846 // Logically, a tuple of (JSOp, repr_1, ..., repr_n) where repr_i is
1847 // the |repr| of the ith input to the JSOp.
1851 JSOp op;
1857 }
1862 }
1864 // Hash function
1870 }
1878 }
1880 }
1887 }
1888 };
1892 OpInputHistogram opinputs;
1895 // Record an OpInput for the current op. This should be called just
1896 // before executing the op.
1897 static void
1899 {
1900 // Note that we simply ignore the possibility of errors (OOMs)
1901 // using the hash map, since this is only metering code.
1906 }
1911 // Build the OpInput.
1916 }
1921 else
1923 }
1925 void
1927 {
1937 }
1939 }
1940 }
1943 #define PUSH_COPY(v) do { *regs.sp++ = v; assertSameCompartment(cx, regs.sp[-1]); } while (0)
1944 #define PUSH_NULL() regs.sp++->setNull()
1945 #define PUSH_UNDEFINED() regs.sp++->setUndefined()
1946 #define PUSH_BOOLEAN(b) regs.sp++->setBoolean(b)
1947 #define PUSH_DOUBLE(d) regs.sp++->setDouble(d)
1948 #define PUSH_INT32(i) regs.sp++->setInt32(i)
1949 #define PUSH_STRING(s) do { regs.sp++->setString(s); assertSameCompartment(cx, regs.sp[-1]); } while (0)
1950 #define PUSH_OBJECT(obj) do { regs.sp++->setObject(obj); assertSameCompartment(cx, regs.sp[-1]); } while (0)
1951 #define PUSH_OBJECT_OR_NULL(obj) do { regs.sp++->setObjectOrNull(obj); assertSameCompartment(cx, regs.sp[-1]); } while (0)
1952 #define PUSH_HOLE() regs.sp++->setMagic(JS_ARRAY_HOLE)
1953 #define POP_COPY_TO(v) v = *--regs.sp
1954 #define POP_RETURN_VALUE() regs.fp->setReturnValue(*--regs.sp)
1956 #define POP_BOOLEAN(cx, vp, b) \
1957 JS_BEGIN_MACRO \
1958 vp = ®s.sp[-1]; \
1959 if (vp->isNull()) { \
1960 b = false; \
1961 } else if (vp->isBoolean()) { \
1962 b = vp->toBoolean(); \
1963 } else { \
1964 b = !!js_ValueToBoolean(*vp); \
1965 } \
1966 regs.sp--; \
1967 JS_END_MACRO
1969 #define VALUE_TO_OBJECT(cx, vp, obj) \
1970 JS_BEGIN_MACRO \
1971 if ((vp)->isObject()) { \
1972 obj = &(vp)->toObject(); \
1973 } else { \
1974 obj = js_ValueToNonNullObject(cx, *(vp)); \
1975 if (!obj) \
1976 goto error; \
1977 (vp)->setObject(*obj); \
1978 } \
1979 JS_END_MACRO
1981 #define FETCH_OBJECT(cx, n, obj) \
1982 JS_BEGIN_MACRO \
1983 Value *vp_ = ®s.sp[n]; \
1984 VALUE_TO_OBJECT(cx, vp_, obj); \
1985 JS_END_MACRO
1987 #define DEFAULT_VALUE(cx, n, hint, v) \
1988 JS_BEGIN_MACRO \
1989 JS_ASSERT(v.isObject()); \
1990 JS_ASSERT(v == regs.sp[n]); \
1991 if (!DefaultValue(cx, &v.toObject(), hint, ®s.sp[n])) \
1992 goto error; \
1993 v = regs.sp[n]; \
1994 JS_END_MACRO
1996 /* Test whether v is an int in the range [-2^31 + 1, 2^31 - 2] */
1999 {
2001 }
2003 /*
2004 * Define JS_OPMETER to instrument bytecode succession, generating a .dot file
2005 * on shutdown that shows the graph of significant predecessor/successor pairs
2006 * executed, where the edge labels give the succession counts. The .dot file
2007 * is named by the JS_OPMETER_FILE envariable, and defaults to /tmp/ops.dot.
2008 *
2009 * Bonus feature: JS_OPMETER also enables counters for stack-addressing ops
2010 * such as JSOP_GETLOCAL, JSOP_INCARG, via METER_SLOT_OP. The resulting counts
2011 * are written to JS_OPMETER_HIST, defaulting to /tmp/ops.hist.
2012 */
2013 #ifndef JS_OPMETER
2017 #else
2019 /*
2020 * The second dimension is hardcoded at 256 because we know that many bits fit
2021 * in a byte, and mainly to optimize away multiplying by JSOP_LIMIT to address
2022 * any particular row.
2023 */
2024 # define METER_OP_INIT(op) ((op) = JSOP_STOP)
2025 # define METER_OP_PAIR(op1,op2) (js_MeterOpcodePair(op1, op2))
2026 # define METER_SLOT_OP(op,slot) (js_MeterSlotOpcode(op, slot))
2028 #endif
2030 #ifdef JS_REPRMETER
2031 # define METER_REPR(cx) (reprmeter::MeterRepr(cx))
2032 #else
2033 # define METER_REPR(cx) ((void) 0)
2036 /*
2037 * Threaded interpretation via computed goto appears to be well-supported by
2038 * GCC 3 and higher. IBM's C compiler when run with the right options (e.g.,
2039 * -qlanglvl=extended) also supports threading. Ditto the SunPro C compiler.
2040 * Currently it's broken for JS_VERSION < 160, though this isn't worth fixing.
2041 * Add your compiler support macros here.
2042 */
2043 #ifndef JS_THREADED_INTERP
2044 # if JS_VERSION >= 160 && ( \
2045 __GNUC__ >= 3 || \
2046 (__IBMC__ >= 700 && defined __IBM_COMPUTED_GOTO) || \
2047 __SUNPRO_C >= 0x570)
2048 # define JS_THREADED_INTERP 1
2049 # else
2050 # define JS_THREADED_INTERP 0
2051 # endif
2052 #endif
2054 /*
2055 * Deadlocks or else bad races are likely if JS_THREADSAFE, so we must rely on
2056 * single-thread DEBUG js shell testing to verify property cache hits.
2057 */
2058 #if defined DEBUG && !defined JS_THREADSAFE
2060 # define ASSERT_VALID_PROPERTY_CACHE_HIT(pcoff,obj,pobj,entry) \
2061 JS_BEGIN_MACRO \
2062 if (!AssertValidPropertyCacheHit(cx, script, regs, pcoff, obj, pobj, \
2063 entry)) { \
2064 goto error; \
2065 } \
2066 JS_END_MACRO
2068 static bool
2072 {
2078 else
2083 JSBool ok;
2090 }
2107 Value v;
2119 }
2120 }
2123 }
2125 #else
2126 # define ASSERT_VALID_PROPERTY_CACHE_HIT(pcoff,obj,pobj,entry) ((void) 0)
2127 #endif
2129 /*
2130 * Ensure that the intrepreter switch can close call-bytecode cases in the
2131 * same way as non-call bytecodes.
2132 */
2141 /*
2142 * Same for debuggable flat closures defined at top level in another function
2143 * or program fragment.
2144 */
2147 /*
2148 * Same for JSOP_SETNAME and JSOP_SETPROP, which differ only slightly but
2149 * remain distinct for the decompiler. Likewise for JSOP_INIT{PROP,METHOD}.
2150 */
2155 /* See TRY_BRANCH_AFTER_COND. */
2159 /* For the fastest case inder JSOP_INCNAME, etc. */
2164 #ifdef JS_TRACER
2165 # define ABORT_RECORDING(cx, reason) \
2166 JS_BEGIN_MACRO \
2167 if (TRACE_RECORDER(cx)) \
2168 AbortRecording(cx, reason); \
2169 JS_END_MACRO
2170 #else
2171 # define ABORT_RECORDING(cx, reason) ((void) 0)
2172 #endif
2174 /*
2175 * Inline fast paths for iteration. js_IteratorMore and js_IteratorNext handle
2176 * all cases, but we inline the most frequently taken paths here.
2177 */
2180 {
2186 }
2187 }
2192 }
2196 {
2206 }
2207 /* Take the slow path if we have to stringify a numeric property name. */
2208 }
2209 }
2211 }
2215 {
2221 }
2229 }
2232 }
2236 JS_REQUIRES_STACK JS_NEVER_INLINE bool
2237 Interpret(JSContext *cx, JSStackFrame *entryFrame, uintN inlineCallCount, JSInterpMode interpMode)
2238 {
2239 #ifdef MOZ_TRACEVIS
2241 #endif
2244 # ifdef DEBUG
2245 /*
2246 * We call this macro from BEGIN_CASE in threaded interpreters,
2247 * and before entering the switch in non-threaded interpreters.
2248 * However, reaching such points doesn't mean we've actually
2249 * fetched an OP from the instruction stream: some opcodes use
2250 * 'op=x; DO_OP()' to let another opcode's implementation finish
2251 * their work, and many opcodes share entry points with a run of
2252 * consecutive BEGIN_CASEs.
2253 *
2254 * Take care to trace OP only when it is the opcode fetched from
2255 * the instruction stream, so the trace matches what one would
2256 * expect from looking at the code. (We do omit POPs after SETs;
2257 * unfortunate, but not worth fixing.)
2258 */
2259 # define LOG_OPCODE(OP) JS_BEGIN_MACRO \
2260 if (JS_UNLIKELY(cx->logfp != NULL) && \
2261 (OP) == *regs.pc) \
2262 js_LogOpcode(cx); \
2263 JS_END_MACRO
2264 # else
2265 # define LOG_OPCODE(OP) ((void) 0)
2266 # endif
2268 /*
2269 * Macros for threaded interpreter loop
2270 */
2271 #if JS_THREADED_INTERP
2273 # define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
2274 JS_EXTENSION &&L_##op,
2276 # undef OPDEF
2277 };
2280 # define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
2281 JS_EXTENSION &&interrupt,
2283 # undef OPDEF
2284 };
2290 # define ENABLE_INTERRUPTS() ((void) (jumpTable = interruptJumpTable))
2292 # ifdef JS_TRACER
2293 # define CHECK_RECORDER() \
2294 JS_ASSERT_IF(TRACE_RECORDER(cx), jumpTable == interruptJumpTable)
2295 # else
2296 # define CHECK_RECORDER() ((void)0)
2297 # endif
2299 # define DO_OP() JS_BEGIN_MACRO \
2300 CHECK_RECORDER(); \
2301 JS_EXTENSION_(goto *jumpTable[op]); \
2302 JS_END_MACRO
2303 # define DO_NEXT_OP(n) JS_BEGIN_MACRO \
2304 METER_OP_PAIR(op, JSOp(regs.pc[n])); \
2305 op = (JSOp) *(regs.pc += (n)); \
2306 METER_REPR(cx); \
2307 DO_OP(); \
2308 JS_END_MACRO
2310 # define BEGIN_CASE(OP) L_##OP: LOG_OPCODE(OP); CHECK_RECORDER();
2311 # define END_CASE(OP) DO_NEXT_OP(OP##_LENGTH);
2312 # define END_VARLEN_CASE DO_NEXT_OP(len);
2313 # define ADD_EMPTY_CASE(OP) BEGIN_CASE(OP) \
2314 JS_ASSERT(js_CodeSpec[OP].length == 1); \
2315 op = (JSOp) *++regs.pc; \
2316 DO_OP();
2318 # define END_EMPTY_CASES
2323 intN switchOp;
2325 # define ENABLE_INTERRUPTS() ((void) (switchMask = -1))
2327 # ifdef JS_TRACER
2328 # define CHECK_RECORDER() \
2329 JS_ASSERT_IF(TRACE_RECORDER(cx), switchMask == -1)
2330 # else
2331 # define CHECK_RECORDER() ((void)0)
2332 # endif
2334 # define DO_OP() goto do_op
2335 # define DO_NEXT_OP(n) JS_BEGIN_MACRO \
2336 JS_ASSERT((n) == len); \
2337 goto advance_pc; \
2338 JS_END_MACRO
2340 # define BEGIN_CASE(OP) case OP: CHECK_RECORDER();
2341 # define END_CASE(OP) END_CASE_LEN(OP##_LENGTH)
2342 # define END_CASE_LEN(n) END_CASE_LENX(n)
2343 # define END_CASE_LENX(n) END_CASE_LEN##n
2345 /*
2346 * To share the code for all len == 1 cases we use the specialized label with
2347 * code that falls through to advance_pc: .
2348 */
2349 # define END_CASE_LEN1 goto advance_pc_by_one;
2350 # define END_CASE_LEN2 len = 2; goto advance_pc;
2351 # define END_CASE_LEN3 len = 3; goto advance_pc;
2352 # define END_CASE_LEN4 len = 4; goto advance_pc;
2353 # define END_CASE_LEN5 len = 5; goto advance_pc;
2354 # define END_VARLEN_CASE goto advance_pc;
2355 # define ADD_EMPTY_CASE(OP) BEGIN_CASE(OP)
2356 # define END_EMPTY_CASES goto advance_pc_by_one;
2360 #define LOAD_ATOM(PCOFF, atom) \
2361 JS_BEGIN_MACRO \
2362 JS_ASSERT(regs.fp->hasImacropc() \
2363 ? atoms == COMMON_ATOMS_START(&rt->atomState) && \
2364 GET_INDEX(regs.pc + PCOFF) < js_common_atom_count \
2365 : (size_t)(atoms - script->atomMap.vector) < \
2366 (size_t)(script->atomMap.length - \
2367 GET_INDEX(regs.pc + PCOFF))); \
2368 atom = atoms[GET_INDEX(regs.pc + PCOFF)]; \
2369 JS_END_MACRO
2371 #define GET_FULL_INDEX(PCOFF) \
2372 (atoms - script->atomMap.vector + GET_INDEX(regs.pc + (PCOFF)))
2374 #define LOAD_OBJECT(PCOFF, obj) \
2375 (obj = script->getObject(GET_FULL_INDEX(PCOFF)))
2377 #define LOAD_FUNCTION(PCOFF) \
2378 (fun = script->getFunction(GET_FULL_INDEX(PCOFF)))
2380 #define LOAD_DOUBLE(PCOFF, dbl) \
2381 (dbl = script->getConst(GET_FULL_INDEX(PCOFF)).toDouble())
2383 #ifdef JS_TRACER
2385 #ifdef MOZ_TRACEVIS
2386 #if JS_THREADED_INTERP
2387 #define MONITOR_BRANCH_TRACEVIS \
2388 JS_BEGIN_MACRO \
2389 if (jumpTable != interruptJumpTable) \
2390 EnterTraceVisState(cx, S_RECORD, R_NONE); \
2391 JS_END_MACRO
2393 #define MONITOR_BRANCH_TRACEVIS \
2394 JS_BEGIN_MACRO \
2395 EnterTraceVisState(cx, S_RECORD, R_NONE); \
2396 JS_END_MACRO
2397 #endif
2398 #else
2399 #define MONITOR_BRANCH_TRACEVIS
2400 #endif
2402 #define RESTORE_INTERP_VARS() \
2403 JS_BEGIN_MACRO \
2404 script = regs.fp->script(); \
2405 argv = regs.fp->maybeFormalArgs(); \
2406 atoms = FrameAtomBase(cx, regs.fp); \
2407 JS_ASSERT(cx->regs == ®s); \
2408 if (cx->isExceptionPending()) \
2409 goto error; \
2410 JS_END_MACRO
2412 #define MONITOR_BRANCH() \
2413 JS_BEGIN_MACRO \
2414 if (TRACING_ENABLED(cx)) { \
2415 MonitorResult r = MonitorLoopEdge(cx, inlineCallCount); \
2416 if (r == MONITOR_RECORDING) { \
2417 JS_ASSERT(TRACE_RECORDER(cx)); \
2418 JS_ASSERT(!TRACE_PROFILER(cx)); \
2419 MONITOR_BRANCH_TRACEVIS; \
2420 ENABLE_INTERRUPTS(); \
2421 CLEAR_LEAVE_ON_TRACE_POINT(); \
2422 } \
2423 RESTORE_INTERP_VARS(); \
2424 JS_ASSERT_IF(cx->isExceptionPending(), r == MONITOR_ERROR); \
2425 if (r == MONITOR_ERROR) \
2426 goto error; \
2427 } \
2428 JS_END_MACRO
2432 #define MONITOR_BRANCH() ((void) 0)
2436 /*
2437 * Prepare to call a user-supplied branch handler, and abort the script
2438 * if it returns false.
2439 */
2440 #define CHECK_BRANCH() \
2441 JS_BEGIN_MACRO \
2442 if (JS_THREAD_DATA(cx)->interruptFlags && !js_HandleExecutionInterrupt(cx)) \
2443 goto error; \
2444 JS_END_MACRO
2446 #ifndef TRACE_RECORDER
2447 #define TRACE_RECORDER(cx) (false)
2448 #define TRACE_PROFILER(cx) (false)
2449 #endif
2451 #if defined(JS_TRACER) && defined(JS_METHODJIT)
2452 # define LEAVE_ON_SAFE_POINT() \
2453 do { \
2454 JS_ASSERT_IF(leaveOnSafePoint, !TRACE_RECORDER(cx)); \
2455 JS_ASSERT_IF(leaveOnSafePoint, !TRACE_PROFILER(cx)); \
2456 JS_ASSERT_IF(leaveOnSafePoint, interpMode != JSINTERP_NORMAL); \
2457 if (leaveOnSafePoint && !regs.fp->hasImacropc() && \
2458 script->maybeNativeCodeForPC(regs.fp->isConstructing(), regs.pc)) { \
2459 JS_ASSERT(!TRACE_RECORDER(cx)); \
2460 interpReturnOK = true; \
2461 goto leave_on_safe_point; \
2462 } \
2463 } while (0)
2464 #else
2466 #endif
2468 #define BRANCH(n) \
2469 JS_BEGIN_MACRO \
2470 regs.pc += (n); \
2471 op = (JSOp) *regs.pc; \
2472 if ((n) <= 0) { \
2473 CHECK_BRANCH(); \
2474 if (op == JSOP_NOTRACE) { \
2475 if (TRACE_RECORDER(cx) || TRACE_PROFILER(cx)) { \
2476 MONITOR_BRANCH(); \
2477 op = (JSOp) *regs.pc; \
2478 } \
2479 } else if (op == JSOP_TRACE) { \
2480 MONITOR_BRANCH(); \
2481 op = (JSOp) *regs.pc; \
2482 } \
2483 } \
2484 LEAVE_ON_SAFE_POINT(); \
2485 DO_OP(); \
2486 JS_END_MACRO
2488 #define CHECK_INTERRUPT_HANDLER() \
2489 JS_BEGIN_MACRO \
2490 if (cx->debugHooks->interruptHook) \
2491 ENABLE_INTERRUPTS(); \
2492 JS_END_MACRO
2496 /* Repoint cx->regs to a local variable for faster access. */
2505 }
2511 }
2514 /* Copy in hot values that change infrequently. */
2520 #if defined(JS_TRACER) && defined(JS_METHODJIT)
2522 # define CLEAR_LEAVE_ON_TRACE_POINT() ((void) (leaveOnSafePoint = false))
2523 #else
2524 # define CLEAR_LEAVE_ON_TRACE_POINT() ((void) 0)
2525 #endif
2530 /*
2531 * Initialize the index segment register used by LOAD_ATOM and
2532 * GET_FULL_INDEX macros below. As a register we use a pointer based on
2533 * the atom map to turn frequently executed LOAD_ATOM into simple array
2534 * access. For less frequent object and regexp loads we have to recover
2535 * the segment from atoms pointer first.
2536 */
2539 #if JS_HAS_GENERATORS
2545 /*
2546 * To support generator_throw and to catch ignored exceptions,
2547 * fail if cx->isExceptionPending() is true.
2548 */
2551 }
2552 #endif
2554 #ifdef JS_TRACER
2555 /*
2556 * The method JIT may have already initiated a recording, in which case
2557 * there should already be a valid recorder. Otherwise...
2558 * we cannot reenter the interpreter while recording.
2559 */
2568 #ifdef JS_METHODJIT
2571 #endif
2572 }
2576 #endif
2578 /* Don't call the script prologue if executing between Method and Trace JIT. */
2583 }
2587 /* State communicated between non-local jumps: */
2588 JSBool interpReturnOK;
2591 /*
2592 * It is important that "op" be initialized before calling DO_OP because
2593 * it is possible for "op" to be specially assigned during the normal
2594 * processing of an opcode while looping. We rely on DO_NEXT_OP to manage
2595 * "op" correctly in all other cases.
2596 */
2597 JSOp op;
2598 jsint len;
2601 /* Check for too deep of a native thread stack. */
2602 #ifdef JS_TRACER
2603 #ifdef JS_METHODJIT
2611 #else
2617 #endif
2618 #else
2620 #endif
2622 #if JS_THREADED_INTERP
2624 #else
2626 #endif
2628 #if JS_THREADED_INTERP
2629 /*
2630 * This is a loop, but it does not look like a loop. The loop-closing
2631 * jump is distributed throughout goto *jumpTable[op] inside of DO_OP.
2632 * When interrupts are enabled, jumpTable is set to interruptJumpTable
2633 * where all jumps point to the interrupt label. The latter, after
2634 * calling the interrupt handler, dispatches through normalJumpTable to
2635 * continue the normal bytecode processing.
2636 */
2640 advance_pc_by_one:
2643 advance_pc:
2647 do_op:
2651 do_switch:
2653 #endif
2655 #if JS_THREADED_INTERP
2656 interrupt:
2661 {
2665 #ifdef JS_TRACER
2668 #ifdef JS_METHODJIT
2671 #endif
2672 #endif
2673 Value rval;
2688 }
2690 }
2692 #ifdef JS_TRACER
2693 #ifdef JS_METHODJIT
2702 }
2707 }
2708 }
2709 #endif
2722 #ifdef JS_METHODJIT
2725 #endif
2729 }
2730 }
2745 // The code at 'error:' aborts the recording.
2751 /* A 'stop' error should have already aborted recording. */
2754 }
2755 }
2758 #if JS_THREADED_INTERP
2759 #ifdef MOZ_TRACEVIS
2762 #endif
2765 #else
2769 #endif
2770 }
2772 /* No-ops for ease of decompilation. */
2776 #if JS_HAS_XML_SUPPORT
2779 #endif
2781 END_EMPTY_CASES
2788 /* ADD_EMPTY_CASE is not used here as JSOP_LINENO_LENGTH == 3. */
2804 {
2806 #ifdef DEBUG
2823 }
2824 #endif
2825 }
2837 /*
2838 * We must ensure that different "with" blocks have different stack depth
2839 * associated with them. This allows the try handler search to properly
2840 * recover the scope chain. Thus we must keep the stack at least at the
2841 * current level.
2842 *
2843 * We set sp[-1] to the current "with" object to help asserting the
2844 * enter/leave balance in [leavewith].
2845 */
2857 /* FALL THROUGH */
2861 {
2862 /*
2863 * When the inlined frame exits with an exception or an error, ok will be
2864 * false after the inline_return label.
2865 */
2868 #ifdef JS_TRACER
2870 /*
2871 * If we are at the end of an imacro, return to its caller in the
2872 * current frame.
2873 */
2883 }
2884 #endif
2888 inline_return:
2889 {
2894 /* The JIT inlines ScriptEpilogue. */
2895 jit_return:
2900 /* Sync interpreter registers. */
2905 /* Resume execution in the calling frame. */
2907 inlineCallCount--;
2914 }
2918 }
2921 }
2925 /* FALL THROUGH */
2927 {
2930 }
2934 {
2941 }
2942 }
2946 {
2953 }
2954 }
2958 {
2966 }
2967 }
2971 {
2979 }
2980 }
2985 /* FALL THROUGH */
2987 {
2990 }
2994 {
3001 }
3002 }
3006 {
3013 }
3014 }
3018 {
3026 }
3027 }
3031 {
3039 }
3040 }
3043 /*
3044 * If the index value at sp[n] is not an int that fits in a jsval, it could
3045 * be an object (an XML QName, AttributeName, or AnyName), but only if we are
3046 * compiling with JS_HAS_XML_SUPPORT. Otherwise convert the index value to a
3047 * string atom id.
3048 */
3049 #define FETCH_ELEMENT_ID(obj, n, id) \
3050 JS_BEGIN_MACRO \
3051 const Value &idval_ = regs.sp[n]; \
3052 int32_t i_; \
3053 if (ValueFitsInInt32(idval_, &i_) && INT_FITS_IN_JSID(i_)) { \
3054 id = INT_TO_JSID(i_); \
3055 } else { \
3056 if (!js_InternNonIntElementId(cx, obj, idval_, &id, ®s.sp[n])) \
3057 goto error; \
3058 } \
3059 JS_END_MACRO
3061 #define TRY_BRANCH_AFTER_COND(cond,spdec) \
3062 JS_BEGIN_MACRO \
3063 JS_ASSERT(js_CodeSpec[op].length == 1); \
3064 uintN diff_ = (uintN) regs.pc[1] - (uintN) JSOP_IFEQ; \
3065 if (diff_ <= 1) { \
3066 regs.sp -= spdec; \
3067 if (cond == (diff_ != 0)) { \
3068 ++regs.pc; \
3069 len = GET_JUMP_OFFSET(regs.pc); \
3070 BRANCH(len); \
3071 } \
3072 len = 1 + JSOP_IFEQ_LENGTH; \
3073 DO_NEXT_OP(len); \
3074 } \
3075 JS_END_MACRO
3078 {
3083 }
3085 jsid id;
3095 }
3099 {
3106 }
3110 {
3119 }
3123 {
3129 }
3133 {
3140 }
3144 {
3151 }
3156 {
3166 {
3173 }
3174 }
3178 {
3185 {
3192 }
3194 }
3198 /*
3199 * JSOP_FORELEM simply dups the property identifier at top of stack and
3200 * lets the subsequent JSOP_ENUMELEM opcode sequence handle the left-hand
3201 * side expression evaluation and assignment. This opcode exists solely to
3202 * help the decompiler.
3203 */
3212 {
3216 }
3220 {
3226 }
3230 {
3235 }
3239 {
3245 }
3248 #define NATIVE_GET(cx,obj,pobj,shape,getHow,vp) \
3249 JS_BEGIN_MACRO \
3250 if (shape->isDataDescriptor() && shape->hasDefaultGetter()) { \
3252 JS_ASSERT((shape)->slot != SHAPE_INVALID_SLOT || \
3253 !shape->hasDefaultSetter()); \
3254 if (((shape)->slot != SHAPE_INVALID_SLOT)) \
3255 *(vp) = (pobj)->nativeGetSlot((shape)->slot); \
3256 else \
3257 (vp)->setUndefined(); \
3258 } else { \
3259 if (!js_NativeGet(cx, obj, pobj, shape, getHow, vp)) \
3260 goto error; \
3261 } \
3262 JS_END_MACRO
3264 #define NATIVE_SET(cx,obj,shape,entry,vp) \
3265 JS_BEGIN_MACRO \
3266 if (shape->hasDefaultSetter() && \
3267 (shape)->slot != SHAPE_INVALID_SLOT && \
3268 !(obj)->brandedOrHasMethodBarrier()) { \
3270 (obj)->nativeSetSlot((shape)->slot, *vp); \
3271 } else { \
3272 if (!js_NativeSet(cx, obj, shape, false, vp)) \
3273 goto error; \
3274 } \
3275 JS_END_MACRO
3277 /*
3278 * Skip the JSOP_POP typically found after a JSOP_SET* opcode, where oplen is
3279 * the constant length of the SET opcode sequence, and spdec is the constant
3280 * by which to decrease the stack pointer to pop all of the SET op's operands.
3281 *
3282 * NB: unlike macros that could conceivably be replaced by functions (ignoring
3283 * goto error), where a call should not have to be braced in order to expand
3284 * correctly (e.g., in if (cond) FOO(); else BAR()), these three macros lack
3285 * JS_{BEGIN,END}_MACRO brackets. They are also indented so as to align with
3286 * nearby opcode code.
3287 */
3288 #define SKIP_POP_AFTER_SET(oplen,spdec) \
3289 if (regs.pc[oplen] == JSOP_POP) { \
3290 regs.sp -= spdec; \
3291 regs.pc += oplen + JSOP_POP_LENGTH; \
3292 op = (JSOp) *regs.pc; \
3293 DO_OP(); \
3294 }
3296 #define END_SET_CASE(OP) \
3297 SKIP_POP_AFTER_SET(OP##_LENGTH, 1); \
3298 END_CASE(OP)
3300 #define END_SET_CASE_STORE_RVAL(OP,spdec) \
3301 SKIP_POP_AFTER_SET(OP##_LENGTH, spdec); \
3302 { \
3303 Value *newsp = regs.sp - ((spdec) - 1); \
3304 newsp[-1] = regs.sp[-1]; \
3305 regs.sp = newsp; \
3306 } \
3307 END_CASE(OP)
3310 {
3319 }
3320 }
3323 #if JS_HAS_DESTRUCTURING
3325 {
3329 jsid id;
3335 }
3337 }
3339 #endif
3346 {
3349 /*
3350 * We can skip the property lookup for the global object. If the
3351 * property does not exist anywhere on the scope chain, JSOP_SETNAME
3352 * adds the property to the global.
3353 *
3354 * As a consequence of this optimization for the global object we run
3355 * its JSRESOLVE_ASSIGNING-tolerant resolve hooks only in JSOP_SETNAME,
3356 * after the interpreter evaluates the right- hand-side of the
3357 * assignment, and not here.
3358 *
3359 * This should be transparent to the hooks because the script, instead
3360 * of name = rhs, could have used global.name = rhs given a global
3361 * object reference, which also calls the hooks only after evaluating
3362 * the rhs. We desire such resolve hook equivalence between the two
3363 * forms.
3364 */
3376 }
3384 }
3392 #define BITWISE_OP(OP) \
3393 JS_BEGIN_MACRO \
3394 int32_t i, j; \
3395 if (!ValueToECMAInt32(cx, regs.sp[-2], &i)) \
3396 goto error; \
3397 if (!ValueToECMAInt32(cx, regs.sp[-1], &j)) \
3398 goto error; \
3399 i = i OP j; \
3400 regs.sp--; \
3401 regs.sp[-1].setInt32(i); \
3402 JS_END_MACRO
3416 #undef BITWISE_OP
3418 /*
3419 * NB: These macros can't use JS_BEGIN_MACRO/JS_END_MACRO around their bodies
3420 * because they begin if/else chains, so callers must not put semicolons after
3421 * the call expressions!
3422 */
3423 #if JS_HAS_XML_SUPPORT
3424 #define XML_EQUALITY_OP(OP) \
3425 if ((lval.isObject() && lval.toObject().isXML()) || \
3426 (rval.isObject() && rval.toObject().isXML())) { \
3427 if (!js_TestXMLEquality(cx, lval, rval, &cond)) \
3428 goto error; \
3429 cond = cond OP JS_TRUE; \
3430 } else
3431 #else
3433 #endif
3435 #define EQUALITY_OP(OP, IFNAN) \
3436 JS_BEGIN_MACRO \
3437 JSBool cond; \
3438 Value rval = regs.sp[-1]; \
3439 Value lval = regs.sp[-2]; \
3440 XML_EQUALITY_OP(OP) \
3441 if (SameType(lval, rval)) { \
3442 if (lval.isString()) { \
3443 JSString *l = lval.toString(), *r = rval.toString(); \
3444 JSBool equal; \
3445 if (!EqualStrings(cx, l, r, &equal)) \
3446 goto error; \
3447 cond = equal OP JS_TRUE; \
3448 } else if (lval.isDouble()) { \
3449 double l = lval.toDouble(), r = rval.toDouble(); \
3450 cond = JSDOUBLE_COMPARE(l, OP, r, IFNAN); \
3451 } else if (lval.isObject()) { \
3452 JSObject *l = &lval.toObject(), *r = &rval.toObject(); \
3453 l->assertSpecialEqualitySynced(); \
3454 if (EqualityOp eq = l->getClass()->ext.equality) { \
3455 if (!eq(cx, l, &rval, &cond)) \
3456 goto error; \
3457 cond = cond OP JS_TRUE; \
3458 } else { \
3459 cond = l OP r; \
3460 } \
3461 } else { \
3462 cond = lval.payloadAsRawUint32() OP rval.payloadAsRawUint32();\
3463 } \
3464 } else { \
3465 if (lval.isNullOrUndefined()) { \
3466 cond = rval.isNullOrUndefined() OP true; \
3467 } else if (rval.isNullOrUndefined()) { \
3468 cond = true OP false; \
3469 } else { \
3470 if (lval.isObject()) \
3471 DEFAULT_VALUE(cx, -2, JSTYPE_VOID, lval); \
3472 if (rval.isObject()) \
3473 DEFAULT_VALUE(cx, -1, JSTYPE_VOID, rval); \
3474 if (lval.isString() && rval.isString()) { \
3475 JSString *l = lval.toString(), *r = rval.toString(); \
3476 JSBool equal; \
3477 if (!EqualStrings(cx, l, r, &equal)) \
3478 goto error; \
3479 cond = equal OP JS_TRUE; \
3480 } else { \
3481 double l, r; \
3482 if (!ValueToNumber(cx, lval, &l) || \
3483 !ValueToNumber(cx, rval, &r)) { \
3484 goto error; \
3485 } \
3486 cond = JSDOUBLE_COMPARE(l, OP, r, IFNAN); \
3487 } \
3488 } \
3489 } \
3490 TRY_BRANCH_AFTER_COND(cond, 2); \
3491 regs.sp--; \
3492 regs.sp[-1].setBoolean(cond); \
3493 JS_END_MACRO
3503 #undef EQUALITY_OP
3504 #undef XML_EQUALITY_OP
3505 #undef EXTENDED_EQUALITY_OP
3507 #define STRICT_EQUALITY_OP(OP, COND) \
3508 JS_BEGIN_MACRO \
3509 const Value &rref = regs.sp[-1]; \
3510 const Value &lref = regs.sp[-2]; \
3511 JSBool equal; \
3512 if (!StrictlyEqual(cx, lref, rref, &equal)) \
3513 goto error; \
3514 COND = equal OP JS_TRUE; \
3515 regs.sp--; \
3516 JS_END_MACRO
3519 {
3523 }
3527 {
3531 }
3535 {
3542 }
3543 }
3547 {
3554 }
3555 }
3558 #undef STRICT_EQUALITY_OP
3560 #define RELATIONAL_OP(OP) \
3561 JS_BEGIN_MACRO \
3562 Value rval = regs.sp[-1]; \
3563 Value lval = regs.sp[-2]; \
3564 bool cond; \
3566 if (lval.isInt32() && rval.isInt32()) { \
3567 cond = lval.toInt32() OP rval.toInt32(); \
3568 } else { \
3569 if (lval.isObject()) \
3570 DEFAULT_VALUE(cx, -2, JSTYPE_NUMBER, lval); \
3571 if (rval.isObject()) \
3572 DEFAULT_VALUE(cx, -1, JSTYPE_NUMBER, rval); \
3573 if (lval.isString() && rval.isString()) { \
3574 JSString *l = lval.toString(), *r = rval.toString(); \
3575 int32 result; \
3576 if (!CompareStrings(cx, l, r, &result)) \
3577 goto error; \
3578 cond = result OP 0; \
3579 } else { \
3580 double l, r; \
3581 if (!ValueToNumber(cx, lval, &l) || \
3582 !ValueToNumber(cx, rval, &r)) { \
3583 goto error; \
3584 } \
3585 cond = JSDOUBLE_COMPARE(l, OP, r, false); \
3586 } \
3587 } \
3588 TRY_BRANCH_AFTER_COND(cond, 2); \
3589 regs.sp--; \
3590 regs.sp[-1].setBoolean(cond); \
3591 JS_END_MACRO
3609 #undef RELATIONAL_OP
3611 #define SIGNED_SHIFT_OP(OP) \
3612 JS_BEGIN_MACRO \
3613 int32_t i, j; \
3614 if (!ValueToECMAInt32(cx, regs.sp[-2], &i)) \
3615 goto error; \
3616 if (!ValueToECMAInt32(cx, regs.sp[-1], &j)) \
3617 goto error; \
3618 i = i OP (j & 31); \
3619 regs.sp--; \
3620 regs.sp[-1].setInt32(i); \
3621 JS_END_MACRO
3631 #undef SIGNED_SHIFT_OP
3634 {
3646 }
3650 {
3660 else
3663 #if JS_HAS_XML_SUPPORT
3670 #endif
3671 {
3686 }
3694 }
3707 }
3708 }
3709 }
3712 #define BINARY_OP(OP) \
3713 JS_BEGIN_MACRO \
3714 double d1, d2; \
3715 if (!ValueToNumber(cx, regs.sp[-2], &d1) || \
3716 !ValueToNumber(cx, regs.sp[-1], &d2)) { \
3717 goto error; \
3718 } \
3719 double d = d1 OP d2; \
3720 regs.sp--; \
3721 regs.sp[-1].setNumber(d); \
3722 JS_END_MACRO
3732 #undef BINARY_OP
3735 {
3740 }
3744 #ifdef XP_WIN
3745 /* XXX MSVC miscompiles such that (NaN == 0) */
3748 else
3749 #endif
3754 else
3760 }
3761 }
3765 {
3779 }
3786 }
3787 }
3788 }
3792 {
3797 }
3801 {
3807 }
3811 {
3812 /*
3813 * When the operand is int jsval, INT32_FITS_IN_JSVAL(i) implies
3814 * INT32_FITS_IN_JSVAL(-i) unless i is 0 or INT32_MIN when the
3815 * results, -0.0 or INT32_MAX + 1, are jsdouble values.
3816 */
3828 }
3829 }
3838 {
3847 /* Strict mode code should never contain JSOP_DELNAME opcodes. */
3850 /* ECMA says to return true if name is undefined or inherited. */
3855 }
3856 }
3860 {
3868 Value rval;
3873 }
3877 {
3878 /* Fetch the left part and resolve it to a non-null object. */
3882 /* Fetch index and convert it to id suitable for use with obj. */
3883 jsid id;
3886 /* Get or set the element. */
3891 }
3896 {
3901 }
3908 {
3911 jsid id;
3912 jsint i;
3919 /*
3920 * Delay fetching of id until we have the object to ensure the proper
3921 * evaluation order. See bug 372331.
3922 */
3935 fetch_incop_obj:
3949 {
3971 }
3972 }
3974 }
3983 }
3984 }
3986 do_incop:
3987 {
3988 /*
3989 * We need a root to store the value to leave on the stack until
3990 * we have done with obj->setProperty.
3991 */
4005 else
4013 /*
4014 * We must set regs.sp[-1] to tmp for both post and pre increments
4015 * as the setter overwrites regs.sp[-1].
4016 */
4019 /* We need an extra root for the result. */
4029 }
4032 /* regs.sp[-1] already contains the result of name increment. */
4036 }
4039 }
4040 }
4042 {
4044 uint32 slot;
4047 /* Position cases so the most frequent i++ does not need a jump. */
4057 do_arg_incop:
4073 /*
4074 * do_local_incop comes right before do_int_fast_incop as we want to
4075 * avoid an extra jump for variable cases as local++ is more frequent
4076 * than arg++.
4077 */
4078 do_local_incop:
4084 do_int_fast_incop:
4095 }
4099 }
4108 {
4116 }
4117 }
4120 {
4123 jsint i;
4133 {
4139 }
4142 {
4148 }
4154 do_getprop_body:
4157 do_getprop_with_lval:
4160 {
4161 Value rval;
4163 /*
4164 * We do not impose the method read barrier if in an imacro,
4165 * assuming any property gets it does (e.g., for 'toString'
4166 * from JSOP_NEW) will not be leaked to the calling script.
4167 */
4187 }
4189 }
4201 }
4208 }
4209 END_VARLEN_CASE
4227 }
4231 }
4234 }
4237 {
4240 Value objv;
4244 JSProtoKey protoKey;
4255 }
4260 }
4263 Value rval;
4280 }
4285 /*
4286 * Cache miss: use the immediate atom that was loaded for us under
4287 * PropertyCache::test.
4288 */
4289 jsid id;
4300 }
4310 }
4314 }
4315 }
4316 #if JS_HAS_NO_SUCH_METHOD
4322 }
4323 #endif
4324 }
4336 {
4349 /*
4350 * Probe the property cache, specializing for two important
4351 * set-property cases. First:
4352 *
4353 * function f(a, b, c) {
4354 * var o = {p:a, q:b, r:c};
4355 * return o;
4356 * }
4357 *
4358 * or similar real-world cases, which evolve a newborn native
4359 * object predicatably through some bounded number of property
4360 * additions. And second:
4361 *
4362 * o.p = x;
4363 *
4364 * in a frequently executed method or loop body, where p will
4365 * (possibly after the first iteration) always exist in native
4366 * object o.
4367 */
4372 /*
4373 * Property cache hit, only partially confirmed by testForSet. We
4374 * know that the entry applies to regs.pc and that obj's shape
4375 * matches.
4376 *
4377 * The entry predicts either a new property to be added directly to
4378 * obj by this set, or on an existing "own" property, or on a
4379 * prototype property that has a setter.
4380 */
4385 /*
4386 * Fastest path: check whether obj already has the cached shape and
4387 * call NATIVE_SET and break to get out of the do-while(0). But we
4388 * can call NATIVE_SET only for a direct or proto-setter hit.
4389 */
4393 {
4394 #ifdef DEBUG
4402 }
4403 #endif
4409 }
4416 }
4418 uint32 slot;
4425 /*
4426 * Fast path: adding a plain old property that was once at
4427 * the frontier of the property tree, whose slot is next to
4428 * claim among the already-allocated slots in obj, where
4429 * shape->table has not been created yet.
4430 */
4440 }
4442 /* Simply extend obj's property tree path with shape! */
4445 /*
4446 * No method change check here because here we are adding a
4447 * new property, not updating an existing slot's value that
4448 * might contain a method of a branded shape.
4449 */
4453 /*
4454 * Purge the property cache of the id we may have just
4455 * shadowed in obj's scope and proto chains.
4456 */
4459 }
4460 }
4466 }
4470 uintN defineHow;
4475 else
4483 }
4485 }
4489 {
4503 }
4504 }
4510 Value rval;
4511 jsid id;
4521 }
4531 }
4532 }
4533 }
4536 else
4543 intern_big_int:
4546 }
4547 }
4553 end_getelem:
4557 }
4561 {
4562 /* Find the object on which to look for |this|'s properties. */
4568 /* Fetch index and convert it to id suitable for use with obj. */
4569 jsid id;
4572 /* Get the method. */
4576 #if JS_HAS_NO_SUCH_METHOD
4578 /* For js_OnUnknownMethod, sp[-2] is the index, and sp[-1] is the object missing it. */
4584 #endif
4585 {
4587 }
4588 }
4592 {
4595 jsid id;
4597 Value rval;
4608 }
4611 }
4612 }
4617 end_setelem:;
4618 }
4622 {
4623 /* Funky: the value to set is under the [obj, id] pair. */
4626 jsid id;
4632 }
4638 uint32 flags;
4639 uintN argc;
4643 {
4644 /* Get immediate argc and find the constructor function. */
4649 /*
4650 * Assign lval, callee, and newfun exactly as the code at inline_call: expects to
4651 * find them, to avoid nesting a js_Interpret call via js_InvokeConstructor.
4652 */
4663 }
4667 }
4668 }
4676 end_new:;
4677 }
4681 {
4694 }
4700 {
4707 /* Clear frame flags since this is not a constructor call. */
4710 inline_call:
4711 {
4717 }
4719 /* Restrict recursion of lightweight functions. */
4723 }
4725 /* Get pointer to new frame/slots, prepare arguments. */
4733 /* Initialize frame, locals. */
4737 /* Officially push the frame. */
4740 /* Refresh interpreter locals. */
4746 /* Now that the new frame is rooted, maybe create a call object. */
4750 inlineCallCount++;
4757 #ifdef JS_METHODJIT
4758 /* Try to ensure methods are method JIT'd. */
4766 }
4767 #endif
4774 /* Load first op and dispatch it (safe since JSOP_STOP). */
4777 }
4787 }
4789 call_using_invoke:
4799 end_call:;
4800 }
4806 {
4809 }
4812 #define SLOW_PUSH_THISV(cx, obj) \
4813 JS_BEGIN_MACRO \
4814 Class *clasp; \
4815 JSObject *thisp = obj; \
4816 if (!thisp->getParent() || \
4817 (clasp = thisp->getClass()) == &js_CallClass || \
4818 clasp == &js_BlockClass || \
4819 clasp == &js_DeclEnvClass) { \
4824 PUSH_UNDEFINED(); \
4825 } else { \
4826 thisp = thisp->thisObject(cx); \
4827 if (!thisp) \
4828 goto error; \
4829 PUSH_OBJECT(*thisp); \
4830 } \
4831 JS_END_MACRO
4837 {
4841 Value rval;
4859 }
4861 /*
4862 * Push results, the same as below, but with a prop$ hit there
4863 * is no need to test for the unusual and uncacheable case where
4864 * the caller determines |this|.
4865 */
4866 #if DEBUG
4872 #endif
4877 }
4879 jsid id;
4885 /* Kludge to allow (typeof foo == "undefined") tests. */
4891 }
4894 }
4896 /* Take the slow path if prop was not found in a native object. */
4906 }
4910 /* obj must be on the scope chain, thus not a function. */
4913 }
4933 /*
4934 * Here atoms can exceed script->atomMap.length as we use atoms as a
4935 * segment register for object literals as well.
4936 */
4952 {
4957 }
4961 {
4965 }
4969 {
4973 }
4977 {
4978 /*
4979 * Push a regexp object cloned from the regexp literal object mapped by the
4980 * bytecode at pc. ES5 finally fixed this bad old ES3 design flaw which was
4981 * flouted by many browser-based implementations.
4982 *
4983 * We avoid the GetScopeChain call here and pass fp->scopeChain as
4984 * js_GetClassPrototype uses the latter only to locate the global.
4985 */
4995 }
5018 {
5020 {
5024 /*
5025 * ECMAv2+ forbids conversion of discriminant, so we will skip to the
5026 * default case if the discriminant isn't already an int jsval. (This
5027 * opcode is emitted only for dense jsint-domain switches.)
5028 */
5035 /* Don't use JSDOUBLE_IS_INT32; treat -0 (double) as 0. */
5038 }
5051 }
5052 }
5053 END_VARLEN_CASE
5054 }
5056 {
5058 {
5062 /*
5063 * ECMAv2+ forbids conversion of discriminant, so we will skip to the
5064 * default case if the discriminant isn't already an int jsval. (This
5065 * opcode is emitted only for dense jsint-domain switches.)
5066 */
5072 /* Treat -0 (double) as 0. */
5076 }
5089 }
5090 }
5091 END_VARLEN_CASE
5092 }
5094 {
5096 {
5097 jsint off;
5104 do_lookup_switch:
5105 /*
5106 * JSOP_LOOKUPSWITCH and JSOP_LOOKUPSWITCHX are never used if any atom
5107 * index in it would exceed 64K limit.
5108 */
5120 jsint npairs;
5126 #define SEARCH_PAIRS(MATCH_CODE) \
5127 for (;;) { \
5128 Value rval = script->getConst(GET_INDEX(pc2)); \
5129 MATCH_CODE \
5130 pc2 += INDEX_LEN; \
5131 if (match) \
5132 break; \
5133 pc2 += off; \
5134 if (--npairs == 0) { \
5135 pc2 = regs.pc; \
5136 break; \
5137 } \
5138 }
5149 )
5154 )
5158 )
5159 }
5160 #undef SEARCH_PAIRS
5162 end_lookup_switch:
5166 }
5167 END_VARLEN_CASE
5168 }
5171 {
5172 Value rval;
5186 }
5193 }
5196 {
5197 Value rval;
5201 }
5205 {
5207 Value rval;
5211 }
5215 {
5217 Value rval;
5221 }
5226 {
5233 }
5237 {
5242 }
5246 {
5250 }
5254 {
5259 }
5263 {
5267 }
5272 {
5277 /* Scope for tempPool mark and local names allocation in it. */
5280 jsid id;
5282 {
5293 }
5298 }
5300 /* Minimize footprint with generic code instead of NATIVE_GET. */
5308 }
5313 {
5322 }
5327 {
5335 }
5340 {
5352 /* Lookup id in order to check for redeclaration problems. */
5357 /*
5358 * Redundant declaration of a |var|, even one for a non-writable
5359 * property like |undefined| in ES5, does nothing.
5360 */
5366 }
5368 /* Bind a variable only if it's not yet defined. */
5373 }
5376 }
5377 }
5381 {
5382 /*
5383 * A top-level function defined in Global or Eval code (see ECMA-262
5384 * Ed. 3), or else a SpiderMonkey extension: a named function statement in
5385 * a compound statement (not at the top statement level of global code, or
5386 * at the top level of a function body).
5387 */
5394 /*
5395 * Even a null closure needs a parent for principals finding.
5396 * FIXME: bug 476950, although debugger users may also demand some kind
5397 * of scope link for debugger-assisted eval-in-frame.
5398 */
5406 }
5408 /*
5409 * If static link is not current scope, clone fun's object to link to the
5410 * current scope via parent. We do this to enable sharing of compiled
5411 * functions among multiple equivalent scopes, amortizing the cost of
5412 * compilation over a number of executions. Examples include XUL scripts
5413 * and event handlers shared among Firefox or other Mozilla app chrome
5414 * windows, and user-defined JS functions precompiled and then shared among
5415 * requests in server-side JS.
5416 */
5421 }
5424 /*
5425 * ECMA requires functions defined when entering Eval code to be
5426 * impermanent.
5427 */
5429 ? JSPROP_ENUMERATE
5432 /*
5433 * We define the function as a property of the variable object and not the
5434 * current scope chain even for the case of function expression statements
5435 * and functions defined by eval inside let or with blocks.
5436 */
5439 /* ES5 10.5 (NB: with subsequent errata). */
5449 /* Steps 5d, 5f. */
5454 }
5456 /* Step 5e. */
5464 }
5467 JSAutoByteString bytes;
5471 }
5473 }
5474 }
5476 /*
5477 * Non-global properties, and global properties which we aren't simply
5478 * redefining, must be set. First, this preserves their attributes.
5479 * Second, this will produce warnings and/or errors as necessary if the
5480 * specified Call object property is not writable (const).
5481 */
5483 /* Step 5f. */
5487 }
5492 {
5505 ? JSPROP_ENUMERATE
5518 }
5519 }
5523 {
5524 /*
5525 * Define a local function (i.e., one nested at the top level of another
5526 * function), parented by the current scope chain, stored in a local
5527 * variable slot that the compiler allocated. This is an optimization over
5528 * JSOP_DEFFUN that avoids requiring a call object for the outer function's
5529 * activation.
5530 */
5543 JSOP_DEFLOCALFUN_LENGTH);
5548 #ifdef JS_TRACER
5551 #endif
5555 }
5556 }
5562 }
5566 {
5578 }
5582 {
5592 }
5596 {
5597 /* Load the specified function object literal. */
5602 /* do-while(0) so we can break instead of using a goto. */
5612 /*
5613 * Optimize var obj = {method: function () { ... }, ...},
5614 * this.method = function () { ... }; and other significant
5615 * single-use-of-null-closure bytecode sequences.
5616 *
5617 * WARNING: code in TraceRecorder::record_JSOP_LAMBDA must
5618 * match the optimization cases in the following code that
5619 * break from the outer do-while(0).
5620 */
5622 #ifdef DEBUG
5627 #endif
5632 }
5635 #ifdef DEBUG
5638 #endif
5644 }
5647 /*
5648 * Array.prototype.sort and String.prototype.replace are
5649 * optimized as if they are special form. We know that they
5650 * won't leak the joined function object in obj, therefore
5651 * we don't need to clone that compiler- created function
5652 * object for identity/mutation reasons.
5653 */
5656 /*
5657 * Note that we have not yet pushed obj as the final argument,
5658 * so regs.sp[1 - (iargc + 2)], and not regs.sp[-(iargc + 2)],
5659 * is the callee for this JSOP_CALL.
5660 */
5670 }
5674 }
5675 }
5676 }
5684 }
5685 }
5686 }
5687 }
5689 #ifdef DEBUG
5691 // No locking, this is mainly for js shell testing.
5702 }
5703 }
5704 #endif
5709 }
5717 }
5721 {
5730 }
5734 {
5743 }
5753 {
5754 do_getter_setter:
5756 jsid id;
5757 Value rval;
5758 jsint i;
5773 {
5780 }
5785 gs_pop_lval:
5790 {
5798 }
5806 gs_get_lval:
5807 {
5812 }
5813 }
5815 /* Ensure that id has a type suitable for use with obj. */
5821 JSMSG_BAD_GETTER_OR_SETTER,
5823 ? js_getter_str
5826 }
5828 /*
5829 * Getters and setters are just like watchpoints from an access control
5830 * point of view.
5831 */
5832 Value rtmp;
5833 uintN attrs;
5846 }
5849 /* Check for a readonly or permanent property of the same name. */
5861 }
5864 }
5871 {
5882 }
5889 }
5893 {
5901 }
5905 {
5916 }
5920 {
5921 /* FIXME remove JSOP_ENDINIT bug 588522 */
5924 }
5929 {
5930 /* Load the property's initial value into rval. */
5934 /* Load the object being initialized into lval/obj. */
5938 /*
5939 * Probe the property cache.
5940 *
5941 * On a hit, if the cached shape has a non-default setter, it must be
5942 * __proto__. If shape->previous() != obj->lastProperty(), there must be a
5943 * repeated property name. The fast path does not handle these two cases.
5944 */
5950 {
5951 /* Fast path. Property cache hit. */
5962 }
5964 /* A new object, or one we just extended in a recent initprop op. */
5969 /*
5970 * No method change check here because here we are adding a new
5971 * property, not updating an existing slot's value that might
5972 * contain a method of a branded shape.
5973 */
5979 /* Get the immediate property name into id. */
5984 /* No need to check for duplicate property; the compiler already did. */
5993 defineHow))) {
5995 }
5996 }
5998 /* Common tail for property cache hit and miss cases. */
6000 }
6004 {
6005 /* Pop the element's value into rval. */
6009 /* Find the object being initialized at top of stack. */
6014 /* Fetch id now that we have obj. */
6015 jsid id;
6018 /* No need to check for duplicate property; the compiler already did. */
6020 /*
6021 * If rref is a hole, do not call JSObject::defineProperty. In this case,
6022 * obj must be an array, so if the current op is the last element
6023 * initialiser, set the array length to one greater than id.
6024 */
6032 }
6036 }
6038 }
6041 #if JS_HAS_SHARP_VARS
6044 {
6057 }
6067 }
6070 }
6074 {
6079 Value rval;
6087 }
6095 }
6097 }
6101 {
6107 /*
6108 * We peek ahead safely here because empty initialisers get zero
6109 * JSOP_SHARPINIT ops, and non-empty ones get two: the first comes
6110 * immediately after JSOP_NEWINIT followed by one or more property
6111 * initialisers; and the second comes directly before JSOP_ENDINIT.
6112 */
6120 }
6122 }
6127 {
6133 END_VARLEN_CASE
6134 }
6136 {
6142 END_VARLEN_CASE
6143 }
6145 {
6147 /* Pop [exception or hole, retsub pc-index]. */
6153 /*
6154 * Exception was pending during finally, throw it *before* we adjust
6155 * pc, because pc indexes into script->trynotes. This turns out not to
6156 * be necessary, but it seems clearer. And it points out a FIXME:
6157 * 350509, due to Igor Bukanov.
6158 */
6161 }
6165 END_VARLEN_CASE
6166 }
6171 #if defined(JS_TRACER) && defined(JS_METHODJIT)
6175 }
6176 #endif
6185 {
6187 Value v;
6190 }
6194 {
6197 Value v;
6200 /* let the code at error try to catch the exception. */
6202 }
6204 {
6205 /*
6206 * The stack must have a block with at least one local slot below the
6207 * exception object.
6208 */
6213 }
6217 /*
6218 * If the top of stack is of primitive type, jump to our target. Otherwise
6219 * advance to the next opcode.
6220 */
6225 }
6235 }
6242 }
6246 {
6251 }
6259 }
6263 {
6266 Value rval;
6280 }
6282 }
6283 }
6286 #if JS_HAS_XML_SUPPORT
6288 {
6292 }
6296 {
6297 jsid id;
6301 }
6305 {
6309 }
6313 {
6322 }
6326 {
6334 }
6338 {
6339 Value rval;
6344 }
6348 {
6349 Value rval;
6356 }
6361 {
6371 }
6375 {
6376 Value lval;
6379 jsid id;
6384 }
6388 {
6391 jsid id;
6398 }
6403 {
6406 jsid id;
6409 Value rval;
6415 }
6420 {
6432 }
6436 }
6439 {
6441 /*
6442 * We push the hole value before jumping to [enditer] so we can detect the
6443 * first iteration and direct js_StepXMLListFilter to initialize filter's
6444 * state.
6445 */
6449 END_VARLEN_CASE
6450 }
6453 {
6456 /* Exit the "with" block left from the previous iteration. */
6458 }
6462 /*
6463 * Decrease sp after EnterWith returns as we use sp[-1] there to root
6464 * temporaries.
6465 */
6473 }
6475 }
6479 {
6485 }
6489 {
6495 }
6499 {
6505 }
6509 {
6518 }
6522 }
6526 {
6534 }
6538 {
6546 }
6550 {
6560 }
6564 {
6565 Value rval;
6569 }
6574 {
6585 #ifdef DEBUG
6586 /*
6587 * The young end of fp->scopeChain may omit blocks if we haven't closed
6588 * over them, but if there are any closure blocks on fp->scopeChain, they'd
6589 * better be (clones of) ancestors of the block we're entering now;
6590 * anything else we should have popped off fp->scopeChain when we left its
6591 * static scope.
6592 */
6604 }
6605 #endif
6606 }
6611 {
6614 #ifdef DEBUG
6618 #endif
6619 /*
6620 * If we're about to leave the dynamic scope of a block that has been
6621 * cloned onto fp->scopeChain, clear its private data, move its locals from
6622 * the stack into the clone, and pop it off the chain.
6623 */
6629 }
6631 /* Move the result of the expression to the new topmost stack slot. */
6641 }
6642 }
6645 #if JS_HAS_GENERATORS
6647 {
6659 }
6668 }
6676 {
6684 }
6688 #if JS_THREADED_INTERP
6689 L_JSOP_BACKPATCH:
6690 L_JSOP_BACKPATCH_POP:
6692 # if !JS_HAS_GENERATORS
6693 L_JSOP_GENERATOR:
6694 L_JSOP_YIELD:
6695 L_JSOP_ARRAYPUSH:
6696 # endif
6698 # if !JS_HAS_SHARP_VARS
6699 L_JSOP_DEFSHARP:
6700 L_JSOP_USESHARP:
6701 L_JSOP_SHARPINIT:
6702 # endif
6704 # if !JS_HAS_DESTRUCTURING
6705 L_JSOP_ENUMCONSTELEM:
6706 # endif
6708 # if !JS_HAS_XML_SUPPORT
6709 L_JSOP_CALLXMLNAME:
6710 L_JSOP_STARTXMLEXPR:
6711 L_JSOP_STARTXML:
6712 L_JSOP_DELDESC:
6713 L_JSOP_GETFUNNS:
6714 L_JSOP_XMLPI:
6715 L_JSOP_XMLCOMMENT:
6716 L_JSOP_XMLCDATA:
6717 L_JSOP_XMLELTEXPR:
6718 L_JSOP_XMLTAGEXPR:
6719 L_JSOP_TOXMLLIST:
6720 L_JSOP_TOXML:
6721 L_JSOP_ENDFILTER:
6722 L_JSOP_FILTER:
6723 L_JSOP_DESCENDANTS:
6724 L_JSOP_XMLNAME:
6725 L_JSOP_SETXMLNAME:
6726 L_JSOP_BINDXMLNAME:
6727 L_JSOP_ADDATTRVAL:
6728 L_JSOP_ADDATTRNAME:
6729 L_JSOP_TOATTRVAL:
6730 L_JSOP_TOATTRNAME:
6731 L_JSOP_QNAME:
6732 L_JSOP_QNAMECONST:
6733 L_JSOP_QNAMEPART:
6734 L_JSOP_ANYNAME:
6735 L_JSOP_DEFXMLNS:
6736 # endif
6739 #if !JS_THREADED_INTERP
6741 #endif
6742 {
6748 }
6750 #if !JS_THREADED_INTERP
6755 error:
6757 #ifdef JS_TRACER
6759 // Handle exceptions as if they came from the imacro-calling pc.
6762 }
6763 #endif
6768 #ifdef JS_TRACER
6769 /*
6770 * This abort could be weakened to permit tracing through exceptions that
6771 * are thrown and caught within a loop, with the co-operation of the tracer.
6772 * For now just bail on any sign of trouble.
6773 */
6776 # ifdef JS_METHODJIT
6779 # endif
6780 #endif
6783 /* This is an error, not a catchable exception, quit the frame ASAP. */
6786 JSThrowHook handler;
6788 uint32 offset;
6790 /* Restore atoms local in case we will resume. */
6793 /* Call debugger throw hook if set. */
6796 Value rval;
6811 }
6813 }
6815 /*
6816 * Look for a try block in script that can catch this exception.
6817 */
6828 /*
6829 * We have a note that covers the exception pc but we must check
6830 * whether the interpreter has already executed the corresponding
6831 * handler. This is possible when the executed bytecode
6832 * implements break or return from inside a for-in loop.
6833 *
6834 * In this case the emitter generates additional [enditer] and
6835 * [gosub] opcodes to close all outstanding iterators and execute
6836 * the finally blocks. If such an [enditer] throws an exception,
6837 * its pc can still be inside several nested for-in loops and
6838 * try-finally statements even if we have already closed the
6839 * corresponding iterators and invoked the finally blocks.
6840 *
6841 * To address this, we make [enditer] always decrease the stack
6842 * even when its implementation throws an exception. Thus already
6843 * executed [enditer] and [gosub] opcodes will have try notes
6844 * with the stack depth exceeding the current one and this
6845 * condition is what we use to filter them out.
6846 */
6850 /*
6851 * Set pc to the first bytecode after the the try note to point
6852 * to the beginning of catch or finally or to [enditer] closing
6853 * the for-in loop.
6854 */
6860 /*
6861 * Restart the handler search with updated pc and stack depth
6862 * to properly notify the debugger.
6863 */
6865 }
6869 #if JS_HAS_GENERATORS
6870 /* Catch cannot intercept the closing of a generator. */
6873 #endif
6875 /*
6876 * Don't clear exceptions to save cx->exception from GC
6877 * until it is pushed to the stack via [exception] in the
6878 * catch block.
6879 */
6884 /*
6885 * Push (true, exception) pair for finally to indicate that
6886 * [retsub] should rethrow the exception.
6887 */
6895 /* This is similar to JSOP_ENDITER in the interpreter loop. */
6904 }
6905 }
6908 no_catch:
6909 /*
6910 * Propagate the exception or error to the caller unless the exception
6911 * is an asynchronous return from a generator.
6912 */
6914 #if JS_HAS_GENERATORS
6920 }
6921 #endif
6922 }
6924 forced_return:
6925 /*
6926 * Unwind the scope making sure that interpReturnOK stays false even when
6927 * js_UnwindScope returns true.
6928 *
6929 * When a trap handler returns JSTRAP_RETURN, we jump here with
6930 * interpReturnOK set to true bypassing any finally blocks.
6931 */
6935 #ifdef DEBUG
6937 #endif
6942 exit:
6946 /*
6947 * At this point we are inevitably leaving an interpreted function or a
6948 * top-level script, and returning to one of:
6949 * (a) an "out of line" call made through js_Invoke;
6950 * (b) a js_Execute activation;
6951 * (c) a generator (SendToGenerator, jsiter.c).
6952 *
6953 * We must not be in an inline frame. The check above ensures that for the
6954 * error case and for a normal return, the code jumps directly to parent's
6955 * frame pc.
6956 */
6959 #ifdef JS_TRACER
6963 # ifdef JS_METHODJIT
6966 # endif
6967 #endif
6969 JS_ASSERT_IF(!regs.fp->isGeneratorFrame(), !js_IsActiveWithOrBlock(cx, ®s.fp->scopeChain(), 0));
6973 atom_not_defined:
6974 {
6975 JSAutoByteString printable;
6978 }
6981 /*
6982 * This path is used when it's guaranteed the method can be finished
6983 * inside the JIT.
6984 */
6985 #if defined(JS_TRACER) && defined(JS_METHODJIT)
6986 leave_on_safe_point:
6987 #endif
6989 }