| blob | 5105d8bba4986851d78e43917919799566320e68 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode generation.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <new>
48 #include <string.h>
72 /* Allocation chunk counts, must be powers of two in general. */
77 /* Macros to compute byte sizes from typed element counts. */
78 #define BYTECODE_SIZE(n) ((n) * sizeof(jsbytecode))
79 #define SRCNOTE_SIZE(n) ((n) * sizeof(jssrcnote))
80 #define TRYNOTE_SIZE(n) ((n) * sizeof(JSTryNote))
82 static JSBool
88 uintN lineno)
98 {
106 }
109 {
113 /* NB: non-null only after OOM. */
119 }
121 static ptrdiff_t
123 {
135 ? BYTECODE_CHUNK
144 }
148 }
152 }
154 }
156 static void
158 {
160 JSOp op;
163 intN ndefs;
168 #ifdef JS_TRACER
171 #else
173 #endif
177 extra;
180 }
193 JSMSG_STACK_UNDERFLOW,
195 numBuf);
196 }
201 /* We just executed IndexParsedObject */
210 }
214 }
216 ptrdiff_t
218 {
224 }
226 }
228 ptrdiff_t
230 {
239 }
241 }
243 ptrdiff_t
245 jsbytecode op2)
246 {
256 }
258 }
260 ptrdiff_t
262 {
272 /*
273 * Don't UpdateDepth if op's use-count comes from the immediate
274 * operand yet to be stored in the extra bytes after op.
275 */
278 }
280 }
282 /* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
303 };
309 {
313 }
315 static void
317 {
320 }
322 /**
323 Span-dependent instructions in JS bytecode consist of the jump (JOF_JUMP)
324 and switch (JOF_LOOKUPSWITCH, JOF_TABLESWITCH) format opcodes, subdivided
325 into unconditional (gotos and gosubs), and conditional jumps or branches
326 (which pop a value, test it, and jump depending on its value). Most jumps
327 have just one immediate operand, a signed offset from the jump opcode's pc
328 to the target bytecode. The lookup and table switch opcodes may contain
329 many jump offsets.
331 Mozilla bug #80981 (http://bugzilla.mozilla.org/show_bug.cgi?id=80981) was
332 fixed by adding extended "X" counterparts to the opcodes/formats (NB: X is
333 suffixed to prefer JSOP_ORX thereby avoiding a JSOP_XOR name collision for
334 the extended form of the JSOP_OR branch opcode). The unextended or short
335 formats have 16-bit signed immediate offset operands, the extended or long
336 formats have 32-bit signed immediates. The span-dependency problem consists
337 of selecting as few long instructions as possible, or about as few -- since
338 jumps can span other jumps, extending one jump may cause another to need to
339 be extended.
341 Most JS scripts are short, so need no extended jumps. We optimize for this
342 case by generating short jumps until we know a long jump is needed. After
343 that point, we keep generating short jumps, but each jump's 16-bit immediate
344 offset operand is actually an unsigned index into cg->spanDeps, an array of
345 JSSpanDep structs. Each struct tells the top offset in the script of the
346 opcode, the "before" offset of the jump (which will be the same as top for
347 simplex jumps, but which will index further into the bytecode array for a
348 non-initial jump offset in a lookup or table switch), the after "offset"
349 adjusted during span-dependent instruction selection (initially the same
350 value as the "before" offset), and the jump target (more below).
352 Since we generate cg->spanDeps lazily, from within js_SetJumpOffset, we must
353 ensure that all bytecode generated so far can be inspected to discover where
354 the jump offset immediate operands lie within CG_CODE(cg). But the bonus is
355 that we generate span-dependency records sorted by their offsets, so we can
356 binary-search when trying to find a JSSpanDep for a given bytecode offset,
357 or the nearest JSSpanDep at or above a given pc.
359 To avoid limiting scripts to 64K jumps, if the cg->spanDeps index overflows
360 65534, we store SPANDEP_INDEX_HUGE in the jump's immediate operand. This
361 tells us that we need to binary-search for the cg->spanDeps entry by the
362 jump opcode's bytecode offset (sd->before).
364 Jump targets need to be maintained in a data structure that lets us look
365 up an already-known target by its address (jumps may have a common target),
366 and that also lets us update the addresses (script-relative, a.k.a. absolute
367 offsets) of targets that come after a jump target (for when a jump below
368 that target needs to be extended). We use an AVL tree, implemented using
369 recursion, but with some tricky optimizations to its height-balancing code
370 (see http://www.cmcrossroads.com/bradapp/ftp/src/libs/C++/AvlTrees.html).
372 A final wrinkle: backpatch chains are linked by jump-to-jump offsets with
373 positive sign, even though they link "backward" (i.e., toward lower bytecode
374 address). We don't want to waste space and search time in the AVL tree for
375 such temporary backpatch deltas, so we use a single-bit wildcard scheme to
376 tag true JSJumpTarget pointers and encode untagged, signed (positive) deltas
377 in JSSpanDep.target pointers, depending on whether the JSSpanDep has a known
378 target, or is still awaiting backpatching.
380 Note that backpatch chains would present a problem for BuildSpanDepTable,
381 which inspects bytecode to build cg->spanDeps on demand, when the first
382 short jump offset overflows. To solve this temporary problem, we emit a
383 proxy bytecode (JSOP_BACKPATCH; JSOP_BACKPATCH_POP for branch ops) whose
384 nuses/ndefs counts help keep the stack balanced, but whose opcode format
385 distinguishes its backpatch delta immediate operand from a normal jump
386 offset.
387 */
388 static int
390 {
393 JSBool doubleRotate;
406 }
430 }
433 }
442 static int
444 {
461 }
462 }
470 }
475 }
479 else
488 }
490 #ifdef DEBUG_brendan
492 {
501 }
502 #endif
504 static JSBool
507 {
508 AddJumpTargetArgs args;
513 }
523 #ifdef DEBUG_brendan
525 #endif
529 }
531 #define SPANDEPS_MIN 256
532 #define SPANDEPS_SIZE(n) ((n) * sizeof(JSSpanDep))
533 #define SPANDEPS_SIZE_MIN SPANDEPS_SIZE(SPANDEPS_MIN)
535 static JSBool
538 {
539 uintN index;
547 }
556 }
564 /* Jump offset will be backpatched if off is a non-zero "bpdelta". */
570 }
571 }
574 /* Jump offset will be patched directly, without backpatch chaining. */
577 /* The jump offset in off is non-zero, therefore it's already known. */
580 }
586 }
590 {
591 JSOp op;
615 }
623 }
625 }
627 static JSBool
629 {
631 JSOp op;
654 /* FALL THROUGH */
658 }
659 }
662 }
666 {
667 uintN index;
686 else
688 }
692 }
694 static JSBool
697 {
704 }
709 }
718 }
720 static void
722 {
727 }
730 }
735 {
750 else
752 }
758 }
760 static void
762 {
769 }
771 static JSBool
773 {
777 JSBool done;
778 JSOp op;
779 uint32 type;
785 #ifdef DEBUG_brendan
787 #endif
803 #ifdef DEBUG_brendan
804 passes++;
805 #endif
820 /*
821 * We already extended all the jump offset operands for
822 * the opcode at sd->top. Jumps and branches have only
823 * one jump offset operand, but switches have many, all
824 * of which are adjacent in cg->spanDeps.
825 */
827 }
832 }
855 }
860 /*
861 * sd2->offset already includes delta as it stood
862 * before we entered this loop, but it must also
863 * include the delta relative to top due to all the
864 * extended jump offset immediates for the opcode
865 * starting at top, which we extend in this loop.
866 *
867 * If there is only one extended jump offset, then
868 * sd2->offset won't change and this for loop will
869 * iterate once only.
870 */
874 /*
875 * sd2 comes after sd, and won't be revisited by
876 * the outer for loop, so we have to increase its
877 * offset by delta, not merely by deltaFromTop.
878 */
880 }
885 }
887 }
888 }
889 }
895 #ifdef DEBUG_brendan
902 #endif
904 /*
905 * Ensure that we have room for the extended jumps, but don't round up
906 * to a power of two -- we're done generating code, so we cut to fit.
907 */
919 }
922 }
925 /*
926 * Set up a fake span dependency record to guard the end of the code
927 * being generated. This guard record is returned as a fencepost by
928 * FindNearestSpanDep if there is no real spandep at or above a given
929 * unextended code offset.
930 */
935 }
937 /*
938 * Now work backwards through the span dependencies, copying chunks of
939 * bytecode between each extended jump toward the end of the grown code
940 * space, and restoring immediate offset operands for all jump bytecodes.
941 * The first chunk of bytecodes, starting at base and ending at the first
942 * extended jump offset (NB: this chunk includes the operation bytecode
943 * just before that immediate jump offset), doesn't need to be copied.
944 */
955 sd2++;
958 }
963 /*
964 * If this jump didn't need to be extended, restore its span immediate
965 * offset operand now, overwriting the index of sd within cg->spanDeps
966 * that was stored temporarily after *pc when BuildSpanDepTable ran.
967 *
968 * Note that span might fit in 16 bits even for an extended jump op,
969 * if the op has multiple span operands, not all of which overflowed
970 * (e.g. JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH where some cases are in
971 * range for a short jump, but others are not).
972 */
977 }
979 /*
980 * Set up parameters needed to copy the next run of bytecode starting
981 * at offset (which is a cursor into the unextended, original bytecode
982 * vector), down to sd->before (a cursor of the same scale as offset,
983 * it's the index of the original jump pc). Reuse delta to count the
984 * nominal number of bytes to copy.
985 */
990 /*
991 * Don't bother copying the jump offset we're about to reset, but do
992 * copy the bytecode at oldpc (which comes just before its immediate
993 * jump offset operand), on the next iteration through the loop, by
994 * including it in offset's new value.
995 */
1001 size);
1002 }
1005 }
1008 /*
1009 * Fix source note deltas. Don't hardwire the delta fixup adjustment,
1010 * even though currently it must be JUMPX_OFFSET_LEN - JUMP_OFFSET_LEN
1011 * at each sd that moved. The future may bring different offset sizes
1012 * for span-dependent instruction operands. However, we fix only main
1013 * notes here, not prolog notes -- we know that prolog opcodes are not
1014 * span-dependent, and aren't likely ever to be.
1015 */
1021 /*
1022 * Recall that the offset of a given note includes its delta, and
1023 * tells the offset of the annotated bytecode from the main entry
1024 * point of the script.
1025 */
1028 /*
1029 * To compute the delta to add to sn, we need to look at the
1030 * spandep after sd, whose offset - (before + growth) tells by
1031 * how many bytes sd's instruction grew.
1032 */
1044 }
1045 sd++;
1046 }
1048 /*
1049 * If sn has span-dependent offset operands, check whether each
1050 * covers further span-dependencies, and increase those operands
1051 * accordingly. Some source notes measure offset not from the
1052 * annotated pc, but from that pc plus some small bias. NB: we
1053 * assume that spec->offsetBias can't itself span span-dependent
1054 * instructions!
1055 */
1071 /*
1072 * Increase target by sd2's before-vs-after offset delta,
1073 * which is absolute (i.e., relative to start of script,
1074 * as is target). Recompute the span by subtracting its
1075 * adjusted pivot from target.
1076 */
1085 }
1086 }
1087 }
1090 /*
1091 * Fix try/catch notes (O(numTryNotes * log2(numSpanDeps)), but it's
1092 * not clear how we can beat that).
1093 */
1095 /*
1096 * First, look for the nearest span dependency at/above tn->start.
1097 * There may not be any such spandep, in which case the guard will
1098 * be returned.
1099 */
1105 /*
1106 * Next, find the nearest spandep at/above tn->start + tn->length.
1107 * Use its delta minus tn->start's delta to increase tn->length.
1108 */
1114 }
1115 }
1116 }
1118 #ifdef DEBUG_brendan
1119 {
1125 /* NB: sd->top cursors into the original, unextended bytecode vector. */
1142 }
1148 bigspans++;
1152 }
1155 }
1157 }
1159 }
1160 #endif
1162 /*
1163 * Reset so we optimize at most once -- cg may be used for further code
1164 * generation of successive, independent, top-level statements. No jump
1165 * can span top-level statements, because JS lacks goto.
1166 */
1175 }
1177 static ptrdiff_t
1179 {
1180 JSBool extend;
1193 }
1195 }
1197 static ptrdiff_t
1199 {
1215 sd++;
1217 }
1219 JSBool
1222 {
1227 }
1231 }
1234 }
1236 bool
1238 {
1242 }
1244 }
1246 void
1249 {
1263 }
1264 }
1266 void
1269 {
1277 }
1279 /*
1280 * Emit a backpatch op with offset pointing to the previous jump of this type,
1281 * so that we can walk back up the chain fixing up the op and jump offset.
1282 */
1283 static ptrdiff_t
1285 {
1293 }
1295 /*
1296 * Macro to emit a bytecode followed by a uint16 immediate operand stored in
1297 * big-endian order, used for arg and var numbers as well as for atomIndexes.
1298 * NB: We use cx and cg from our caller's lexical environment, and return
1299 * false on error.
1300 */
1301 #define EMIT_UINT16_IMM_OP(op, i) \
1302 JS_BEGIN_MACRO \
1303 if (js_Emit3(cx, cg, op, UINT16_HI(i), UINT16_LO(i)) < 0) \
1304 return JS_FALSE; \
1305 JS_END_MACRO
1307 static JSBool
1309 {
1316 }
1318 /*
1319 * Emit additional bytecode(s) for non-local jumps.
1320 */
1321 static JSBool
1323 {
1327 /*
1328 * The non-local jump fixup we emit will unbalance cg->stackDepth, because
1329 * the fixup replicates balanced code such as JSOP_LEAVEWITH emitted at the
1330 * end of a with statement, so we save cg->stackDepth here and restore it
1331 * just before a successful return.
1332 */
1336 #define FLUSH_POPS() if (npops && !FlushPops(cx, cg, &npops)) return JS_FALSE
1349 /* There's a With object on the stack that we need to pop. */
1358 /*
1359 * The iterator and the object being iterated need to be popped.
1360 */
1369 /*
1370 * There's a [exception or hole, retsub pc-index] pair on the
1371 * stack that we need to pop.
1372 */
1377 }
1380 uintN i;
1382 /* There is a Block object with locals on the stack to pop. */
1388 }
1389 }
1395 #undef FLUSH_POPS
1396 }
1398 static ptrdiff_t
1401 {
1402 intN index;
1411 else
1417 }
1419 static JSBool
1422 {
1433 /*
1434 * Set *pc after jump offset in case bpdelta didn't overflow, but span
1435 * does (if so, CHECK_AND_SET_JUMP_OFFSET might call BuildSpanDepTable
1436 * and need to see the JSOP_BACKPATCH* op at *pc).
1437 */
1440 }
1442 }
1444 void
1446 {
1456 }
1457 }
1458 }
1460 JSBool
1462 {
1469 JSOP_GOTO))) {
1471 }
1474 }
1476 JSBool
1479 {
1480 jsdouble dval;
1481 jsint ival;
1483 jsval v;
1486 /* XXX just do numbers for now */
1492 /*
1493 * We atomize double to root a jsdouble instance that we wrap as
1494 * jsval and store in cg->constList. This works because atoms are
1495 * protected from GC during compilation.
1496 */
1501 }
1506 }
1508 }
1510 JSStmtInfo *
1512 {
1523 /* Skip "maybe scope" statements that don't contain let bindings. */
1538 }
1540 }
1541 }
1546 }
1548 /*
1549 * Check if the attributes describe a property holding a compile-time constant
1550 * or a permanent, read-only property without a getter.
1551 */
1552 #define IS_CONSTANT_PROPERTY(attrs) \
1553 (((attrs) & (JSPROP_READONLY | JSPROP_PERMANENT | JSPROP_GETTER)) == \
1554 (JSPROP_READONLY | JSPROP_PERMANENT))
1556 /*
1557 * The function sets vp to JSVAL_HOLE when the atom does not corresponds to a
1558 * name defining a constant.
1559 */
1560 static JSBool
1563 {
1564 JSBool ok;
1569 uintN attrs;
1571 /*
1572 * Chase down the cg stack, but only until we reach the outermost cg.
1573 * This enables propagating consts from top-level into switch cases in a
1574 * function compiled along with the top-level script.
1575 */
1579 /* XXX this will need revising if 'const' becomes block-scoped. */
1589 }
1591 /*
1592 * Try looking in the variable object for a direct property that
1593 * is readonly and permanent. We know such a property can't be
1594 * shadowed by another property on obj's prototype chain, or a
1595 * with object or catch variable; nor can prop's value be changed,
1596 * nor can prop be deleted.
1597 */
1609 /*
1610 * We're compiling code that will be executed immediately,
1611 * not re-executed against a different scope chain and/or
1612 * variable object. Therefore we can get constant values
1613 * from our variable object here.
1614 */
1620 }
1621 }
1628 }
1629 }
1632 }
1634 /*
1635 * Return JSOP_NOP to indicate that index fits 2 bytes and no index segment
1636 * reset instruction is necessary, JSOP_FALSE to indicate an error or either
1637 * JSOP_RESETBASE0 or JSOP_RESETBASE1 to indicate the reset bytecode to issue
1638 * after the main bytecode sequence.
1639 */
1640 static JSOp
1642 {
1643 uintN indexBase;
1645 /*
1646 * We have max 3 bytes for indexes and check for INDEX_LIMIT overflow only
1647 * for big indexes.
1648 */
1660 }
1664 JSMSG_TOO_MANY_LITERALS);
1666 }
1671 }
1673 /*
1674 * Emit a bytecode and its 2-byte constant index immediate operand. If the
1675 * index requires more than 2 bytes, emit a prefix op whose 8-bit immediate
1676 * operand effectively extends the 16-bit immediate of the prefixed opcode,
1677 * by changing index "segment" (see jsinterp.c). We optimize segments 1-3
1678 * with single-byte JSOP_INDEXBASE[123] codes.
1679 *
1680 * Such prefixing currently requires a suffix to restore the "zero segment"
1681 * register setting, but this could be optimized further.
1682 */
1683 static JSBool
1685 {
1686 JSOp bigSuffix;
1693 }
1695 /*
1696 * Slight sugar for EmitIndexOp, again accessing cx and cg from the macro
1697 * caller's lexical environment, and embedding a false return on error.
1698 */
1699 #define EMIT_INDEX_OP(op, index) \
1700 JS_BEGIN_MACRO \
1701 if (!EmitIndexOp(cx, op, index, cg)) \
1702 return JS_FALSE; \
1703 JS_END_MACRO
1705 static JSBool
1707 {
1714 }
1719 }
1721 static JSBool
1724 {
1727 }
1729 /*
1730 * What good are ARGNO_LEN and SLOTNO_LEN, you ask? The answer is that, apart
1731 * from EmitSlotIndexOp, they abstract out the detail that both are 2, and in
1732 * other parts of the code there's no necessary relationship between the two.
1733 * The abstraction cracks here in order to share EmitSlotIndexOp code among
1734 * the JSOP_DEFLOCALFUN and JSOP_GET{ARG,VAR,LOCAL}PROP cases.
1735 */
1739 static JSBool
1742 {
1743 JSOp bigSuffix;
1753 /* Emit [op, slot, index]. */
1762 }
1764 /*
1765 * Adjust the slot for a block local to account for the number of variables
1766 * that share the same index space with locals. Due to the incremental code
1767 * generation for top-level script, we do the adjustment via code patching in
1768 * JSCompiler::compileScript; see comments there.
1769 *
1770 * The function returns -1 on failures.
1771 */
1772 static jsint
1774 {
1780 JSREPORT_ERROR,
1781 JSMSG_TOO_MANY_LOCALS);
1783 }
1784 }
1786 }
1788 static bool
1790 {
1805 /* Beware the empty destructuring dummy. */
1809 }
1815 #ifdef DEBUG
1820 }
1821 #endif
1822 }
1826 }
1828 /*
1829 * When eval is called from a function, the eval code or function code it
1830 * compiles may reference upvars that live in the eval-calling function. The
1831 * eval-invoked compiler does not have explicit definitions for these upvars
1832 * and we do not attempt to create them a-priori (by inspecting the function's
1833 * args and vars) -- we could, but we'd take an avoidable penalty for each
1834 * function local not referenced by any upvar. Instead, we map such upvars
1835 * lazily, growing upvarMap.vector by powers of two.
1836 *
1837 * This function knows that it is called with pn pointing to a PN_NAME-arity
1838 * node, and cg->compiler->callerFrame having a non-null fun member, and the
1839 * static level of cg at least one greater than the eval-calling function's
1840 * static level.
1841 */
1842 static bool
1844 {
1851 /*
1852 * Treat top-level function definitions as escaping (i.e., as funargs),
1853 * required since we compile each such top level function or statement
1854 * and throw away the AST, so we can't yet see all funarg uses of this
1855 * function being compiled (cg->funbox->object). See bug 493177.
1856 */
1862 }
1870 }
1871 }
1875 uintN index;
1889 }
1907 }
1915 }
1921 }
1923 /*
1924 * BindNameToSlot attempts to optimize name gets and sets to stack slot loads
1925 * and stores, given the compile-time information in cg and a TOK_NAME node pn.
1926 * It returns false on error, true on success.
1927 *
1928 * The caller can inspect pn->pn_cookie for FREE_UPVAR_COOKIE to tell whether
1929 * optimization occurred, in which case BindNameToSlot also updated pn->pn_op.
1930 * If pn->pn_cookie is still FREE_UPVAR_COOKIE on return, pn->pn_op still may
1931 * have been optimized, e.g., from JSOP_NAME to JSOP_CALLEE. Whether or not
1932 * pn->pn_op was modified, if this function finds an argument or local variable
1933 * name, PND_CONST will be set in pn_dflags for read-only properties after a
1934 * successful return.
1935 *
1936 * NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
1937 * to update the TOK_FOR (for-in) and TOK_ASSIGN (op=, e.g. +=) special cases
1938 * in js_EmitTree.
1939 */
1940 static JSBool
1942 {
1944 JSOp op;
1946 uint32 cookie;
1949 uintN index;
1953 /* Idempotency tests come first, since we may be called more than once. */
1957 /* No cookie initialized for these two, they're pre-bound by definition. */
1960 /*
1961 * The parser linked all uses (including forward references) to their
1962 * definitions, unless a with statement or direct eval intervened.
1963 */
1973 }
1984 /*
1985 * Turn attempts to mutate const-declared bindings into get ops (for
1986 * pre-increment and pre-decrement ops, our caller will have to emit
1987 * JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
1988 *
1989 * Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
1990 * bindings visible to the compiler are permanent in JS unless the
1991 * declaration originates in eval code. We detect eval code by testing
1992 * cg->compiler->callerFrame, which is set only by eval or a debugger
1993 * equivalent.
1994 *
1995 * Note that this callerFrame non-null test must be qualified by testing
1996 * !cg->funbox to exclude function code nested in eval code, which is not
1997 * subject to the deletable binding exception.
1998 */
2007 else
2011 }
2016 }
2023 /*
2024 * Don't generate upvars on the left side of a for loop. See
2025 * bug 470758.
2026 */
2034 /*
2035 * Make sure the variable object used by the compiler to initialize
2036 * parent links matches the caller's varobj. Compile-n-go compiler-
2037 * created function objects have the top-level cg's scopeChain set
2038 * as their parent by JSCompiler::newFunction.
2039 */
2046 /*
2047 * We are compiling eval or debug script inside a function frame
2048 * and the scope chain matches the function's variable object.
2049 * Optimize access to function's arguments and variable and the
2050 * arguments object.
2051 */
2056 }
2058 }
2061 /*
2062 * If this is a global reference from within a function, leave pn_op as
2063 * JSOP_NAME, etc. We could emit JSOP_*GVAR ops within function code if
2064 * only we could depend on the global frame's slots being valid for all
2065 * calls to the function.
2066 */
2070 /*
2071 * We are optimizing global variables and there may be no pre-existing
2072 * global property named atom when this global script runs. If atom was
2073 * declared via const or var, optimize pn to access fp->vars using the
2074 * appropriate JSOP_*GVAR op.
2075 *
2076 * FIXME: should be able to optimize global function access too.
2077 */
2091 }
2096 }
2101 /*
2102 * A JSDefinition witnessed as a declaration by the parser cannot be an
2103 * upvar, unless it is the degenerate kind of upvar selected above (in the
2104 * code before the PND_GVAR test) for the special case of compile-and-go
2105 * code generated from eval called from a function, where the eval code
2106 * uses local vars defined in the function. We detect this upvar-for-eval
2107 * case by checking dn's op.
2108 */
2114 #ifdef DEBUG
2128 #endif
2135 }
2138 }
2147 /*
2148 * If op is a mutating opcode, this upvar's static level is too big to
2149 * index into the display, or the function is heavyweight, we fall back
2150 * on JSOP_*NAME*.
2151 */
2162 /*
2163 * The function we're compiling may not be heavyweight, but if it
2164 * escapes as a funarg, we can't use JSOP_GETUPVAR/JSOP_CALLUPVAR.
2165 * JSCompiler::analyzeFunctions has arranged for this function's
2166 * enclosing functions to be heavyweight, so we can safely stick
2167 * with JSOP_NAME/JSOP_CALLNAME.
2168 */
2172 /*
2173 * Generator functions may be resumed from any call stack, which
2174 * defeats the display optimization to static link searching used
2175 * by JSOP_{GET,CALL}UPVAR.
2176 */
2181 }
2204 }
2207 }
2217 }
2220 }
2226 }
2228 /*
2229 * We are compiling a function body and may be able to optimize name
2230 * to stack slot. Look for an argument or variable in the function and
2231 * rewrite pn_op and update pn accordingly.
2232 */
2247 }
2260 }
2271 /*
2272 * Leave pn->pn_op == JSOP_NAME if cg->fun is heavyweight, as
2273 * we cannot be sure cg->fun is not something of the form:
2274 *
2275 * var ff = (function f(s) { eval(s); return f; });
2276 *
2277 * where a caller invokes ff("var f = 42"). The result returned
2278 * for such an invocation must be 42, since the callee name is
2279 * lexically bound in an outer declarative environment from the
2280 * function's activation. See jsfun.cpp:call_resolve.
2281 */
2286 }
2288 }
2292 }
2293 /* FALL THROUGH */
2309 }
2312 }
2319 }
2321 /*
2322 * If pn contains a useful expression, return true with *answer set to true.
2323 * If pn contains a useless expression, return true with *answer set to false.
2324 * Return false on error.
2325 *
2326 * The caller should initialize *answer to false and invoke this function on
2327 * an expression statement or similar subtree to decide whether the tree could
2328 * produce code that has any side effects. For an expression statement, we
2329 * define useless code as code with no side effects, because the main effect,
2330 * the value left on the stack after the code executes, will be discarded by a
2331 * pop bytecode.
2332 */
2333 static JSBool
2336 {
2337 JSBool ok;
2346 /*
2347 * A named function, contrary to ES3, is no longer useful, because we
2348 * bind its name lexically (using JSOP_CALLEE) instead of creating an
2349 * Object instance and binding a readonly, permanent property in it
2350 * (the object and binding can be detected and hijacked or captured).
2351 * This is a bug fix to ES3; it is fixed in ES3.1 drafts.
2352 */
2360 /*
2361 * Non-operators along with ||, &&, ===, and !== never invoke
2362 * toString or valueOf.
2363 */
2367 /*
2368 * All invocation operations (construct: TOK_NEW, call: TOK_LP)
2369 * are presumed to be useful, because they may have side effects
2370 * even if their main effect (their return value) is discarded.
2371 *
2372 * TOK_LB binary trees of 3 or more nodes are flattened into lists
2373 * to avoid too much recursion. All such lists must be presumed
2374 * to be useful because each index operation could invoke a getter
2375 * (the JSOP_ARGUMENTS special case below, in the PN_BINARY case,
2376 * does not apply here: arguments[i][j] might invoke a getter).
2377 *
2378 * Likewise, array and object initialisers may call prototype
2379 * setters (the __defineSetter__ built-in, and writable __proto__
2380 * on Array.prototype create this hazard). Initialiser list nodes
2381 * have JSOP_NEWINIT in their pn_op.
2382 */
2384 }
2395 /*
2396 * Assignment is presumed to be useful, even if the next operation
2397 * is another assignment overwriting this one's ostensible effect,
2398 * because the left operand may be a property with a setter that
2399 * has side effects.
2400 *
2401 * The only exception is assignment of a useless value to a const
2402 * declared in the function currently being compiled.
2403 */
2414 }
2418 /*
2419 * ||, &&, ===, and !== do not convert their operands via
2420 * toString or valueOf method calls.
2421 */
2425 /*
2426 * We can't easily prove that neither operand ever denotes an
2427 * object with a toString or valueOf method.
2428 */
2430 }
2431 }
2449 }
2450 /* FALL THROUGH */
2452 #if JS_HAS_XML_SUPPORT
2454 #endif
2455 #if JS_HAS_LVALUE_RETURN
2457 #endif
2459 /* All these delete addressing modes have effects too. */
2465 }
2470 /* ! does not convert its operand via toString or valueOf. */
2473 }
2474 /* FALL THROUGH */
2477 /*
2478 * All of TOK_INC, TOK_DEC, TOK_THROW, TOK_YIELD, and TOK_DEFSHARP
2479 * have direct effects. Of the remaining unary-arity node types,
2480 * we can't easily prove that the operand never denotes an object
2481 * with a toString or valueOf method.
2482 */
2485 }
2489 /*
2490 * Take care to avoid trying to bind a label name (labels, both for
2491 * statements and property values in object initialisers, have pn_op
2492 * defaulted to JSOP_NOP).
2493 */
2499 /*
2500 * Not an argument or local variable use, and not a use of a
2501 * unshadowed named function expression's given name, so this
2502 * expression could invoke a getter that has side effects.
2503 */
2505 }
2506 }
2513 /*
2514 * Any dotted property reference could call a getter, except
2515 * for arguments.length where arguments is unambiguous.
2516 */
2518 }
2519 }
2531 }
2533 }
2535 static JSBool
2537 JSBool callContext)
2538 {
2539 JSOp op;
2568 }
2569 }
2582 }
2583 }
2586 }
2588 #if JS_HAS_XML_SUPPORT
2589 static JSBool
2591 {
2593 uintN oldflags;
2608 }
2611 }
2612 #endif
2614 static JSBool
2616 {
2617 /*
2618 * Special case for obj.__proto__, obj.__parent__, obj.__count__ to
2619 * deoptimize away from fast paths in the interpreter and trace recorder,
2620 * which skip dense array instances by going up to Array.prototype before
2621 * looking up the property name.
2622 */
2631 }
2633 static JSBool
2635 JSBool callContext)
2636 {
2643 /* Special case deoptimization on __proto__, __count__ and __parent__. */
2651 }
2660 /* Fast path for gets of |this.foo|. */
2662 }
2664 /*
2665 * Try to optimize:
2666 * - arguments.length into JSOP_ARGCNT
2667 * - argname.prop into JSOP_GETARGPROP
2668 * - localname.prop into JSOP_GETLOCALPROP
2669 * but don't do this if the property is 'length' -- prefer to emit
2670 * JSOP_GETARG, etc., and then JSOP_LENGTH.
2671 */
2684 do_indexconst: {
2686 jsatomid atomIndex;
2693 }
2696 }
2697 }
2698 }
2699 }
2701 /*
2702 * If the object operand is also a dotted property reference, reverse the
2703 * list linked via pn_expr temporarily so we can iterate over it from the
2704 * bottom up (reversing again as we go), to avoid excessive recursion.
2705 */
2711 /* Reverse pndot->pn_expr to point up, not down. */
2720 }
2722 /* pndown is a primary expression, not a dotted property reference. */
2727 /* Walk back up the list, emitting annotated name ops. */
2731 }
2733 /*
2734 * Special case deoptimization on __proto__, __count__ and
2735 * __parent__, as above.
2736 */
2745 }
2747 /* Reverse the pn_expr link again. */
2755 }
2760 }
2763 }
2765 static JSBool
2767 {
2770 jsint slot;
2774 /* Left-associative operator chain to avoid too much recursion. */
2782 /*
2783 * Try to optimize arguments[0][j]... into JSOP_ARGSUB<0> followed by
2784 * one or more index expression and JSOP_GETELEM op pairs.
2785 */
2792 /*
2793 * arguments[i]() requires arguments object as "this".
2794 * Check that we never generates list for that usage.
2795 */
2801 }
2802 }
2804 /*
2805 * Check whether we generated JSOP_ARGSUB, just above, and have only
2806 * one more index expression to emit. Given arguments[0][j], we must
2807 * skip the while loop altogether, falling through to emit code for j
2808 * (in the subtree referenced by right), followed by the annotated op,
2809 * at the bottom of this function.
2810 */
2815 }
2824 }
2827 /*
2828 * Set left and right so pn appears to be a TOK_LB node, instead
2829 * of a TOK_DOT node. See the TOK_FOR/IN case in js_EmitTree, and
2830 * EmitDestructuringOps nearer below. In the destructuring case,
2831 * the base expression (pn_expr) of the name may be null, which
2832 * means we have to emit a JSOP_BINDNAME.
2833 */
2842 }
2847 ? JSOP_QNAMEPART
2856 }
2858 /* Try to optimize arguments[0] (e.g.) into JSOP_ARGSUB<0>. */
2870 }
2871 }
2875 }
2877 /* The right side of the descendant operator is implicitly quoted. */
2885 }
2887 static JSBool
2889 {
2890 jsint ival;
2891 uint32 u;
2920 }
2922 }
2932 }
2934 static JSBool
2937 {
2938 JSOp switchOp;
2944 jsdouble d;
2946 jsval v;
2949 intN noteIndex;
2952 #if JS_HAS_BLOCK_SCOPE
2953 jsint count;
2954 #endif
2956 /* Try for most optimal, fall back if not dense ints, and per ECMAv2. */
2962 /*
2963 * If the switch contains let variables scoped by its body, model the
2964 * resulting block on the stack first, before emitting the discriminant's
2965 * bytecode (in case the discriminant contains a stack-model dependency
2966 * such as a let expression).
2967 */
2969 #if JS_HAS_BLOCK_SCOPE
2971 /*
2972 * Push the body's block scope before discriminant code-gen for proper
2973 * static block scope linkage in case the discriminant contains a let
2974 * expression. The block's locals must lie under the discriminant on
2975 * the stack so that case-dispatch bytecodes can find the discriminant
2976 * on top of stack.
2977 */
2982 /* Emit JSOP_ENTERBLOCK before code to evaluate the discriminant. */
2986 /*
2987 * Pop the switch's statement info around discriminant code-gen. Note
2988 * how this leaves cg->blockChain referencing the switch's
2989 * block scope object, which is necessary for correct block parenting
2990 * in the case where the discriminant contains a let expression.
2991 */
2994 }
2995 #ifdef __GNUC__
2998 }
2999 #endif
3000 #endif
3002 /*
3003 * Emit code for the discriminant first (or nearly first, in the case of a
3004 * switch whose body is a block scope).
3005 */
3009 /* Switch bytecodes run from here till end of final case. */
3011 #if !JS_HAS_BLOCK_SCOPE
3013 #else
3017 /* Re-push the switch's statement info record. */
3020 /* Set the statement info record's idea of top. */
3023 /* Advance pn2 to refer to the switch case list. */
3025 }
3026 #endif
3039 #define INTMAP_LENGTH 256
3052 }
3071 }
3073 }
3085 /*
3086 * XXX JSOP_LOOKUPSWITCH does not support const-
3087 * propagated object values, see bug 407186.
3088 */
3091 }
3095 }
3096 }
3097 /* FALL THROUGH */
3102 }
3106 }
3107 /* FALL THROUGH */
3111 }
3120 }
3125 }
3131 /*
3132 * Check for duplicates, which require a JSOP_LOOKUPSWITCH.
3133 * We bias i by 65536 if it's negative, and hope that's a rare
3134 * case (because it requires a malloc'd bitmap).
3135 */
3144 /* Just grab 8K for the worst-case bitmap. */
3152 }
3153 }
3155 }
3159 }
3161 }
3163 release:
3169 /*
3170 * Compute table length and select lookup instead if overlarge or
3171 * more than half-sparse.
3172 */
3178 /*
3179 * Lookup switch supports only atom indexes below 64K limit.
3180 * Conservatively estimate the maximum possible index during
3181 * switch generation and use conditional switch if it exceeds
3182 * the limit.
3183 */
3186 }
3187 }
3189 /*
3190 * Emit a note with two offsets: first tells total switch code length,
3191 * second tells offset to first JSOP_CASE if condswitch.
3192 */
3198 /*
3199 * 0 bytes of immediate for unoptimized ECMAv2 switch.
3200 */
3203 /*
3204 * 3 offsets (len, low, high) before the table, 1 per entry.
3205 */
3208 /*
3209 * JSOP_LOOKUPSWITCH:
3210 * 1 offset (len) and 1 atom index (npairs) before the table,
3211 * 1 atom index and 1 jump offset per entry.
3212 */
3215 }
3217 /*
3218 * Emit switchOp followed by switchSize bytes of jump or lookup table.
3219 *
3220 * If switchOp is JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH, it is crucial
3221 * to emit the immediate operand(s) by which bytecode readers such as
3222 * BuildSpanDepTable discover the length of the switch opcode *before*
3223 * calling js_SetJumpOffset (which may call BuildSpanDepTable). It's
3224 * also important to zero all unknown jump offset immediate operands,
3225 * so they can be converted to span dependencies with null targets to
3226 * be computed later (js_EmitN zeros switchSize bytes after switchOp).
3227 */
3236 /* Emit code for evaluating cases and jumping to case statements. */
3242 /* off is the previous JSOP_CASE's bytecode offset. */
3246 }
3247 }
3251 }
3262 /* Switch note's second offset is to first JSOP_CASE. */
3267 }
3272 }
3273 }
3275 /*
3276 * If we didn't have an explicit default (which could fall in between
3277 * cases, preventing us from fusing this js_SetSrcNoteOffset with the
3278 * call in the loop above), link the last case to the implicit default
3279 * for the decompiler.
3280 */
3286 }
3288 /* Emit default even if no explicit default statement. */
3296 /* Fill in switch bounds, which we know fit in 16-bit offsets. */
3302 /*
3303 * Use malloc to avoid arena bloat for programs with many switches.
3304 * We free table if non-null at label out, so all control flow must
3305 * exit this function through goto out or goto bad.
3306 */
3320 }
3321 }
3325 /* Fill in the number of cases. */
3328 }
3330 /*
3331 * After this point, all control flow involving JSOP_TABLESWITCH
3332 * must set ok and goto out to exit this function. To keep things
3333 * simple, all switchOp cases exit that way.
3334 */
3337 /*
3338 * We have already generated at least one big jump so we must
3339 * explicitly add span dependencies for the switch jumps. When
3340 * called below, js_SetJumpOffset can only do it when patching
3341 * the first big jump or when cg->spanDeps is null.
3342 */
3345 }
3348 /*
3349 * Skip switchOp, as we are not setting jump offsets in the two
3350 * for loops below. We'll restore CG_NEXT(cg) from savepc after,
3351 * unless there was an error.
3352 */
3361 /* Note a propagated constant with the const's name. */
3370 }
3371 }
3373 }
3378 /* Note a propagated constant with the const's name. */
3387 }
3388 }
3390 }
3391 }
3393 }
3394 }
3396 /* Emit code for each case's statements, copying pn_offset up to pn3. */
3407 }
3410 /* If no default case, offset for default is to end of switch. */
3412 }
3414 /* We better have set "off" by now. */
3417 /* Set the default offset (to end of switch if no default). */
3431 }
3433 /* Set the SRC_SWITCH note's offset operand to tell end of switch. */
3440 /* Skip over the already-initialized switch bounds. */
3443 /* Fill in the jump table, if there is one. */
3451 }
3453 /* Skip over the already-initialized number of cases. */
3472 }
3473 }
3475 out:
3481 #if JS_HAS_BLOCK_SCOPE
3484 #endif
3485 }
3488 bad:
3491 }
3493 JSBool
3495 {
3497 /* JSOP_GENERATOR must be the first instruction. */
3503 }
3508 }
3510 /* A macro for inlining at the top of js_EmitTree (whence it came). */
3511 #define UPDATE_LINE_NUMBER_NOTES(cx, cg, line) \
3512 JS_BEGIN_MACRO \
3513 uintN line_ = (line); \
3514 uintN delta_ = line_ - CG_CURRENT_LINE(cg); \
3515 if (delta_ != 0) { \
3516 /* \
3517 * Encode any change in the current source line number by using \
3518 * either several SRC_NEWLINE notes or just one SRC_SETLINE note, \
3519 * whichever consumes less space. \
3520 * \
3521 * NB: We handle backward line number deltas (possible with for \
3522 * loops where the update part is emitted after the body, but its \
3523 * line number is <= any line number in the body) here by letting \
3524 * unsigned delta_ wrap to a very large number, which triggers a \
3525 * SRC_SETLINE. \
3527 CG_CURRENT_LINE(cg) = line_; \
3528 if (delta_ >= (uintN)(2 + ((line_ > SN_3BYTE_OFFSET_MASK)<<1))) { \
3529 if (js_NewSrcNote2(cx, cg, SRC_SETLINE, (ptrdiff_t)line_) < 0)\
3530 return JS_FALSE; \
3531 } else { \
3532 do { \
3533 if (js_NewSrcNote(cx, cg, SRC_NEWLINE) < 0) \
3534 return JS_FALSE; \
3535 } while (--delta_ != 0); \
3536 } \
3537 } \
3538 JS_END_MACRO
3540 /* A function, so that we avoid macro-bloating all the other callsites. */
3541 static JSBool
3543 {
3546 }
3548 static JSBool
3551 {
3552 jsatomid atomIndex;
3562 }
3571 }
3576 }
3578 #if JS_HAS_DESTRUCTURING
3580 typedef JSBool
3584 static JSBool
3587 {
3594 }
3596 static JSBool
3599 {
3601 DestructuringDeclEmitter emitter;
3608 ? EmitDestructuringDecl
3612 }
3618 ? EmitDestructuringDecl
3622 }
3623 }
3625 }
3627 static JSBool
3630 static JSBool
3632 {
3633 jsuint slot;
3635 /* Skip any parenthesization. */
3639 /*
3640 * Now emit the lvalue opcode sequence. If the lvalue is a nested
3641 * destructuring initialiser-form, call ourselves to handle it, then
3642 * pop the matched value. Otherwise emit an lvalue bytecode sequence
3643 * ending with a JSOP_ENUMELEM or equivalent op.
3644 */
3656 }
3660 /*
3661 * NB: pn is a PN_NAME node, not a PN_BINARY. Nevertheless,
3662 * we want to emit JSOP_ENUMELEM, which has format JOF_ELEM.
3663 * So here and for JSOP_ENUMCONSTELEM, we use EmitElemOp.
3664 */
3688 #if JS_HAS_LVALUE_RETURN || JS_HAS_XML_SUPPORT
3689 {
3700 }
3701 #endif
3704 }
3705 }
3708 }
3710 /*
3711 * Recursive helper for EmitDestructuringOps.
3712 *
3713 * Given a value to destructure on the stack, walk over an object or array
3714 * initialiser at pn, emitting bytecodes to match property values and store
3715 * them in the lvalues identified by the matched property names.
3716 */
3717 static JSBool
3719 {
3720 jsuint index;
3722 JSBool doElemOp;
3724 #ifdef DEBUG
3729 #endif
3732 /* Emit a DUP;POP sequence for the decompiler. */
3735 }
3739 /*
3740 * Duplicate the value being destructured to use as a reference base.
3741 * If dup is not the first one, annotate it for the decompiler.
3742 */
3748 /*
3749 * Now push the property name currently being matched, which is either
3750 * the array initialiser's current index, or the current property name
3751 * "label" on the left of a colon in the object initialiser. Set pn3
3752 * to the lvalue node, which is in the value-initializing position.
3753 */
3764 /*
3765 * If we are emitting an object destructuring initialiser,
3766 * annotate the index op with SRC_INITPROP so we know we are
3767 * not decompiling an array initialiser.
3768 */
3779 }
3781 }
3784 /*
3785 * Ok, get the value of the matching property name. This leaves
3786 * that value on top of the value being destructured, so the stack
3787 * is one deeper than when we started.
3788 */
3792 }
3794 /* Nullary comma node makes a hole in the array destructurer. */
3803 }
3807 }
3810 }
3812 static ptrdiff_t
3814 {
3824 }
3825 }
3827 static JSBool
3830 {
3831 /*
3832 * If we're called from a variable declaration, help the decompiler by
3833 * annotating the first JSOP_DUP that EmitDestructuringOpsHelper emits.
3834 * If the destructuring initialiser is empty, our helper will emit a
3835 * JSOP_DUP followed by a JSOP_POP for the decompiler.
3836 */
3840 /*
3841 * Call our recursive helper to emit the destructuring assignments and
3842 * related stack manipulations.
3843 */
3845 }
3847 static JSBool
3850 {
3858 JSMSG_ARRAY_INIT_TOO_BIG);
3860 }
3862 /* MaybeEmitGroupAssignment won't call us if rhs is holey. */
3867 }
3874 /* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
3887 }
3888 }
3894 }
3896 /*
3897 * Helper called with pop out param initialized to a JSOP_POP* opcode. If we
3898 * can emit a group assignment sequence, which results in 0 stack depth delta,
3899 * we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
3900 */
3901 static JSBool
3904 {
3917 }
3919 }
3923 static JSBool
3926 {
3928 #if JS_HAS_BLOCK_SCOPE
3931 #endif
3934 JSOp op;
3935 jsatomid atomIndex;
3936 uintN oldflags;
3938 /* Default in case of JS_HAS_BLOCK_SCOPE early return, below. */
3941 /*
3942 * Let blocks and expressions have a parenthesized head in which the new
3943 * scope is not yet open. Initializer evaluation uses the parent node's
3944 * lexical scope. If popScope is true below, then we hide the top lexical
3945 * block from any calls to BindNameToSlot hiding in pn2->pn_expr so that
3946 * it won't find any names in the new let block.
3947 *
3948 * The same goes for let declarations in the head of any kind of for loop.
3949 * Unlike a let declaration 'let x = i' within a block, where x is hoisted
3950 * to the start of the block, a 'for (let x = i...) ...' loop evaluates i
3951 * in the containing scope, and puts x in the loop body's scope.
3952 */
3955 #if JS_HAS_BLOCK_SCOPE
3961 }
3962 # ifdef __GNUC__
3964 # endif
3966 #endif
3974 #if JS_HAS_DESTRUCTURING
3976 /*
3977 * Emit variable binding ops, but not destructuring ops.
3978 * The parser (see Variables, jsparse.c) has ensured that
3979 * our caller will be the TOK_FOR/TOK_IN case in js_EmitTree,
3980 * and that case will emit the destructuring code only after
3981 * emitting an enumerating opcode and a branch that tests
3982 * whether the enumeration ended.
3983 */
3989 }
3990 #endif
3992 /*
3993 * A destructuring initialiser assignment preceded by var will
3994 * never occur to the left of 'in' in a for-in loop. As with 'for
3995 * (var x = i in o)...', this will cause the entire 'var [a, b] =
3996 * i' to be hoisted out of the loop.
3997 */
4001 /*
4002 * To allow the front end to rewrite var f = x; as f = x; when a
4003 * function f(){} precedes the var, detect simple name assignment
4004 * here and initialize the name.
4005 */
4006 #if !JS_HAS_DESTRUCTURING
4008 #else
4010 #endif
4011 {
4015 }
4017 #if JS_HAS_DESTRUCTURING
4019 /*
4020 * If this is the only destructuring assignment in the list,
4021 * try to optimize to a group assignment. If we're in a let
4022 * head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
4023 * in pn->pn_op, to suppress a second (and misplaced) 'let'.
4024 */
4031 }
4035 }
4036 }
4045 /*
4046 * Veto pn->pn_op if inLetHead to avoid emitting a SRC_DESTRUCT
4047 * that's redundant with respect to the SRC_DECL/SRC_DECL_LET that
4048 * we will emit at the bottom of this function.
4049 */
4052 pn3)) {
4054 }
4056 #endif
4057 }
4059 /*
4060 * Load initializer early to share code above that jumps to do_name.
4061 * NB: if this var redeclares an existing binding, then pn2 is linked
4062 * on its definition's use-chain and pn_expr has been overlayed with
4063 * pn_lexdef.
4064 */
4067 do_name:
4073 /* JSOP_ARGUMENTS => no initializer */
4076 #ifdef __GNUC__
4078 #endif
4090 }
4094 }
4096 #if JS_HAS_BLOCK_SCOPE
4097 /* Evaluate expr in the outer lexical scope if requested. */
4101 }
4102 #endif
4110 #if JS_HAS_BLOCK_SCOPE
4114 }
4115 #endif
4116 }
4117 }
4119 /*
4120 * The parser rewrites 'for (var x = i in o)' to hoist 'var x = i' --
4121 * likewise 'for (let x = i in o)' becomes 'i; for (let x in o)' using
4122 * a TOK_SEQ node to make the two statements appear as one. Therefore
4123 * if this declaration is part of a for-in loop head, we do not need to
4124 * emit op or any source note. Our caller, the TOK_FOR/TOK_IN case in
4125 * js_EmitTree, will annotate appropriately.
4126 */
4132 }
4138 ? SRC_DECL_CONST
4140 ? SRC_DECL_VAR
4143 }
4151 }
4153 #if JS_HAS_DESTRUCTURING
4154 emit_note_pop:
4155 #endif
4160 }
4167 }
4169 /* If this is a let head, emit and return a srcnote on the pop. */
4176 }
4179 }
4181 #if defined DEBUG_brendan || defined DEBUG_mrbkap
4182 static JSBool
4184 {
4195 }
4197 }
4198 #endif
4200 /* Top-level named functions need a nop for decompilation. */
4201 static JSBool
4203 {
4206 }
4208 /* See the SRC_FOR source note offsetBias comments later in this file. */
4212 JSBool
4214 {
4221 jsatomid atomIndex;
4222 uintN index;
4224 JSSrcNoteType noteType;
4226 JSOp op;
4227 JSTokenType type;
4228 uint32 argc;
4229 #if JS_HAS_SHARP_VARS
4230 jsint sharpnum;
4231 #endif
4239 /* Emit notes to tell the current bytecode's source line number. */
4244 {
4246 uintN slot;
4248 #if JS_HAS_XML_SUPPORT
4253 }
4254 #endif
4259 /*
4260 * This second pass is needed to emit JSOP_NOP with a source note
4261 * for the already-emitted function definition prolog opcode. See
4262 * comments in the TOK_LC case.
4263 */
4269 }
4279 /* Generate code for the function's body. */
4286 }
4296 /*
4297 * jsparse.cpp:SetStaticLevel limited static nesting depth to fit in 16
4298 * bits and to reserve the all-ones value, thereby reserving the magic
4299 * FREE_UPVAR_COOKIE value. Note the cg2->staticLevel assignment below.
4300 */
4304 /* We measured the max scope depth when we parsed the function. */
4315 /* Make the function object a literal in the outer script's pool. */
4318 /* Emit a bytecode pointing to the closure object in its immediate. */
4324 }
4327 }
4329 /*
4330 * For a script we emit the code as we parse. Thus the bytecode for
4331 * top-level functions should go in the prolog to predefine their
4332 * names in the variable object before the already-generated main code
4333 * is executed. This extra work for top-level scripts is not necessary
4334 * when we emit the code for a function. It is fully parsed prior to
4335 * invocation of the emitter and calls to js_EmitTree for function
4336 * definitions can be scheduled before generating the rest of code.
4337 */
4345 /* Emit NOP for the decompiler. */
4349 #ifdef DEBUG
4350 JSLocalKind localKind =
4351 #endif
4359 }
4361 }
4375 /* Initialize so we can detect else-if chains and avoid recursion. */
4380 if_again:
4381 /* Emit code for the condition before pushing stmtInfo. */
4388 /*
4389 * We came here from the goto further below that detects else-if
4390 * chains, so we must mutate stmtInfo back into a STMT_IF record.
4391 * Also (see below for why) we need a note offset for SRC_IF_ELSE
4392 * to help the decompiler. Actually, we need two offsets, one for
4393 * decompiling any else clause and the second for decompiling an
4394 * else-if chain without bracing, overindenting, or incorrectly
4395 * scoping let declarations.
4396 */
4404 }
4406 /* Emit an annotated branch-if-false around the then part. */
4415 /* Emit code for the then and optional else parts. */
4419 /* Modify stmtInfo so we know we're in the else part. */
4422 /*
4423 * Emit a JSOP_BACKPATCH op to jump from the end of our then part
4424 * around the else part. The js_PopStatementCG call at the bottom
4425 * of this switch case will fix up the backpatch chain linked from
4426 * stmtInfo.breaks.
4427 */
4432 /* Ensure the branch-if-false comes here, then emit the else. */
4437 }
4442 /*
4443 * Annotate SRC_IF_ELSE with the offset from branch to jump, for
4444 * the decompiler's benefit. We can't just "back up" from the pc
4445 * of the else clause, because we don't know whether an extended
4446 * jump was required to leap from the end of the then clause over
4447 * the else clause.
4448 */
4452 /* No else part, fixup the branch-if-false to come here. */
4454 }
4459 /* Out of line to avoid bloating js_EmitTree's stack frame size. */
4464 /*
4465 * Minimize bytecodes issued for one or more iterations by jumping to
4466 * the condition below the body and closing the loop if the condition
4467 * is true with a backward branch. For iteration count i:
4468 *
4469 * i test at the top test at the bottom
4470 * = =============== ==================
4471 * 0 ifeq-pass goto; ifne-fail
4472 * 1 ifeq-fail; goto; ifne-pass goto; ifne-pass; ifne-fail
4473 * 2 2*(ifeq-fail; goto); ifeq-pass goto; 2*ifne-pass; ifne-fail
4474 * . . .
4475 * N N*(ifeq-fail; goto); ifeq-pass goto; N*ifne-pass; ifne-fail
4476 *
4477 * SpiderMonkey, pre-mozilla.org, emitted while parsing and so used
4478 * test at the top. When JSParseNode trees were added during the ES3
4479 * work (1998-9), the code generation scheme was not optimized, and
4480 * the decompiler continued to take advantage of the branch and jump
4481 * that bracketed the body. But given the SRC_WHILE note, it is easy
4482 * to support the more efficient scheme.
4483 */
4508 /* Emit an annotated nop so we know to decompile a 'do' keyword. */
4513 /* Compile the loop body. */
4521 /* Set loop and enclosing label update offsets, for continue. */
4527 /* Compile the loop condition, now that continues know where to go. */
4531 /*
4532 * Since we use JSOP_IFNE for other purposes as well as for do-while
4533 * loops, we must store 1 + (beq - top) in the SRC_WHILE note offset,
4534 * and the decompiler must get that delta and decompile recursively.
4535 */
4551 /* Set stmtInfo type for later testing. */
4554 /*
4555 * If the left part is 'var x', emit code to define x if necessary
4556 * using a prolog opcode, but do not emit a pop. If the left part
4557 * is 'var x = i', emit prolog code to define x if necessary; then
4558 * emit code to evaluate i, assign the result to x, and pop the
4559 * result off the stack.
4560 *
4561 * All the logic to do this is implemented in the outer switch's
4562 * TOK_VAR case, conditioned on pn_xflags flags set by the parser.
4563 *
4564 * In the 'for (var x = i in o) ...' case, the js_EmitTree(...pn3)
4565 * called here will generate the proper note for the assignment
4566 * op that sets x = i, hoisting the initialized var declaration
4567 * out of the loop: 'var x = i; for (x in o) ...'.
4568 *
4569 * In the 'for (var x in o) ...' case, nothing but the prolog op
4570 * (if needed) should be generated here, we must emit the note
4571 * just before the JSOP_FOR* opcode in the switch on pn3->pn_type
4572 * a bit below, so nothing is hoisted: 'for (var x in o) ...'.
4573 *
4574 * A 'for (let x = i in o)' loop must not be hoisted, since in
4575 * this form the let variable is scoped by the loop body (but not
4576 * the head). The initializer expression i must be evaluated for
4577 * any side effects. So we hoist only i in the let case.
4578 */
4586 /* Compile the object expression to the right of 'in'. */
4590 /*
4591 * Emit a bytecode to convert top of stack value to the iterator
4592 * object depending on the loop variant (for-in, for-each-in, or
4593 * destructuring for-in).
4594 */
4599 /* Annotate so the decompiler can find the loop-closing jump. */
4604 /*
4605 * Jump down to the loop condition to minimize overhead assuming at
4606 * least one iteration, as the other loop forms do.
4607 */
4617 #ifdef DEBUG
4619 #endif
4621 /*
4622 * Compile a JSOP_FOR* bytecode based on the left hand side.
4623 *
4624 * Initialize op to JSOP_SETNAME in case of |for ([a, b] in o)...|
4625 * or similar, to signify assignment, rather than declaration, to
4626 * the decompiler. EmitDestructuringOps takes a prolog bytecode
4627 * parameter and emits the appropriate source note, defaulting to
4628 * assignment, so JSOP_SETNAME is not critical here; many similar
4629 * ops could be used -- just not JSOP_NOP (which means 'let').
4630 */
4633 #if JS_HAS_BLOCK_SCOPE
4635 #endif
4639 #if JS_HAS_DESTRUCTURING
4643 }
4647 }
4648 #else
4650 #endif
4651 /* FALL THROUGH */
4654 /*
4655 * Always annotate JSOP_FORLOCAL if given input of the form
4656 * 'for (let x in * o)' -- the decompiler must not hoist the
4657 * 'let x' out of the loop head, or x will be bound in the
4658 * wrong scope. Likewise, but in this case only for the sake
4659 * of higher decompilation fidelity only, do not hoist 'var x'
4660 * when given 'for (var x in o)'.
4661 */
4663 #if JS_HAS_BLOCK_SCOPE
4665 #endif
4669 ? SRC_DECL_VAR
4672 }
4683 }
4689 }
4692 JSMSG_BAD_FOR_LEFTSIDE);
4694 }
4701 }
4705 /*
4706 * 'for (o.p in q)' can use JSOP_FORPROP only if evaluating 'o'
4707 * has no side effects.
4708 */
4716 }
4717 /* FALL THROUGH */
4719 #if JS_HAS_DESTRUCTURING
4720 destructuring_for:
4721 #endif
4727 #if JS_HAS_DESTRUCTURING
4734 #endif
4735 #if JS_HAS_LVALUE_RETURN
4743 #endif
4744 #if JS_HAS_XML_SUPPORT
4752 #endif
4756 }
4758 /* The stack should be balanced around the JSOP_FOR* opcode sequence. */
4761 /* Set the first srcnote offset so we can find the start of the loop body. */
4765 /* Emit code for the loop body. */
4769 /* Set loop and enclosing "update" offsets, for continue. */
4775 /*
4776 * Fixup the goto that starts the loop to jump down to JSOP_NEXTITER.
4777 */
4785 /* Set the second srcnote offset so we can find the closing jump. */
4789 /* C-style for (init; cond; update) ... loop. */
4793 /* No initializer: emit an annotated nop for the decompiler. */
4797 #if JS_HAS_DESTRUCTURING
4801 }
4802 #endif
4807 /*
4808 * Check whether a destructuring-initialized var decl
4809 * was optimized to a group assignment. If so, we do
4810 * not need to emit a pop below, so switch to a nop,
4811 * just for the decompiler.
4812 */
4816 }
4817 }
4819 }
4821 /*
4822 * NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
4823 * Use tmp to hold the biased srcnote "top" offset, which differs
4824 * from the top local variable by the length of the JSOP_GOTO{,X}
4825 * emitted in between tmp and top if this loop has a condition.
4826 */
4833 /* Goto the loop condition, which branches back to iterate. */
4837 }
4842 /* Emit code for the loop body. */
4848 /* Set the second note offset so we can find the update part. */
4853 }
4855 /* Set loop and enclosing "update" offsets, for continue. */
4861 /* Check for update code to do before the condition (if any). */
4865 #if JS_HAS_DESTRUCTURING
4869 }
4870 #endif
4874 /* Always emit the POP or NOP, to help the decompiler. */
4878 /* Restore the absolute line number for source note readers. */
4884 }
4885 }
4887 /* Set the first note offset so we can find the loop condition. */
4891 }
4894 /* Fix up the goto from top to target the loop condition. */
4900 }
4902 /* The third note offset helps us find the loop-closing jump. */
4906 }
4913 /* No loop condition -- emit the loop-closing jump. */
4917 }
4918 }
4920 /* Now fixup all breaks and continues (before for/in's JSOP_ENDITER). */
4925 /*
4926 * JSOP_ENDITER must have a slot to save an exception thrown from
4927 * the body of for-in loop when closing the iterator object, and
4928 * fortunately it does: the slot that was set by JSOP_NEXTITER to
4929 * the return value of iterator.next().
4930 */
4935 }
4936 }
4954 }
4964 /* Find the loop statement enclosed by the matching label. */
4973 }
4981 }
5001 {
5003 intN depth;
5008 /*
5009 * Push stmtInfo to track jumps-over-catches and gosubs-to-finally
5010 * for later fixup.
5011 *
5012 * When a finally block is active (STMT_FINALLY in our tree context),
5013 * non-local jumps (including jumps-over-catches) result in a GOSUB
5014 * being written into the bytecode stream and fixed-up later (c.f.
5015 * EmitBackPatchOp and BackPatch).
5016 */
5021 /*
5022 * Since an exception can be thrown at any place inside the try block,
5023 * we need to restore the stack and the scope chain before we transfer
5024 * the control to the exception handler.
5025 *
5026 * For that we store in a try note associated with the catch or
5027 * finally block the stack depth upon the try entry. The interpreter
5028 * uses this depth to properly unwind the stack and the scope chain.
5029 */
5032 /* Mark try location for decompilation, then emit try block. */
5040 /* GOSUB to finally, if present. */
5047 }
5049 /* Emit (hidden) jump over catch and/or finally. */
5058 /* If this try has a catch block, emit it. */
5064 /*
5065 * The emitted code for a catch block looks like:
5066 *
5067 * [throwing] only if 2nd+ catch block
5068 * [leaveblock] only if 2nd+ catch block
5069 * enterblock with SRC_CATCH
5070 * exception
5071 * [dup] only if catchguard
5072 * setlocalpop <slot> or destructuring code
5073 * [< catchguard code >] if there's a catchguard
5074 * [ifeq <offset to next catch block>] " "
5075 * [pop] only if catchguard
5076 * < catch block contents >
5077 * leaveblock
5078 * goto <end of catch blocks> non-local; finally applies
5079 *
5080 * If there's no catch block without a catchguard, the last
5081 * <offset to next catch block> points to rethrow code. This
5082 * code will [gosub] to the finally code if appropriate, and is
5083 * also used for the catch-all trynote for capturing exceptions
5084 * thrown from catch{} blocks.
5085 */
5092 /* Fix up and clean up previous catch block. */
5095 /*
5096 * Account for JSOP_ENTERBLOCK (whose block object count
5097 * is saved below) and pushed exception object that we
5098 * still have after the jumping from the previous guard.
5099 */
5102 /*
5103 * Move exception back to cx->exception to prepare for
5104 * the next catch. We hide [throwing] from the decompiler
5105 * since it compensates for the hidden JSOP_DUP at the
5106 * start of the previous guarded catch.
5107 */
5111 }
5116 }
5118 /*
5119 * Annotate the JSOP_ENTERBLOCK that's about to be generated
5120 * by the call to js_EmitTree immediately below. Save this
5121 * source note's index in stmtInfo for use by the TOK_CATCH:
5122 * case, where the length of the catch guard is set as the
5123 * note's offset.
5124 */
5130 /*
5131 * Emit the lexical scope and catch body. Save the catch's
5132 * block object population via count, for use when targeting
5133 * guardJump at the next catch (the guard mismatch case).
5134 */
5140 /* gosub <finally>, if required */
5147 }
5149 /*
5150 * Jump over the remaining catch blocks. This will get fixed
5151 * up to jump to after catch/finally.
5152 */
5159 /*
5160 * Save a pointer to the last catch node to handle try-finally
5161 * and try-catch(guard)-finally special cases.
5162 */
5164 }
5165 }
5167 /*
5168 * Last catch guard jumps to the rethrow code sequence if none of the
5169 * guards match. Target guardJump at the beginning of the rethrow
5170 * sequence, just in case a guard expression throws and leaves the
5171 * stack unbalanced.
5172 */
5176 /* Sync the stack to take into account pushed exception. */
5180 /*
5181 * Rethrow the exception, delegating executing of finally if any
5182 * to the exception handler.
5183 */
5187 }
5188 }
5192 /* Emit finally handler if any. */
5195 /*
5196 * Fix up the gosubs that might have been emitted before non-local
5197 * jumps to the finally code.
5198 */
5204 /* Indicate that we're emitting a subroutine body. */
5212 }
5214 }
5221 }
5223 /* Fix up the end-of-try/catch jumps to come here. */
5227 /*
5228 * Add the try note last, to let post-order give us the right ordering
5229 * (first to last for a given nesting level, inner to outer by level).
5230 */
5234 }
5236 /*
5237 * If we've got a finally, mark try+catch region with additional
5238 * trynote to catch exceptions (re)thrown from a catch block or
5239 * for the try{}finally{} case.
5240 */
5244 }
5246 }
5249 {
5253 /*
5254 * Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
5255 * and save the block object atom.
5256 */
5263 /* Go up one statement info record to the TRY or FINALLY record. */
5267 /* Pick up the pending exception and bind it to the catch variable. */
5271 /*
5272 * Dup the exception object if there is a guard for rethrowing to use
5273 * it later when rethrowing or in other catches.
5274 */
5280 #if JS_HAS_DESTRUCTURING
5288 #endif
5291 /* Inline and specialize BindNameToSlot for pn2. */
5298 }
5300 /* Emit the guard expression, if there is one. */
5307 }
5308 /* ifeq <next block> */
5314 /* Pop duplicated exception object as we no longer need it. */
5317 }
5319 /* Emit the catch body. */
5323 /*
5324 * Annotate the JSOP_LEAVEBLOCK that will be emitted as we unwind via
5325 * our TOK_LEXICALSCOPE parent, so the decompiler knows to pop.
5326 */
5331 }
5339 /* Push a return value */
5347 }
5349 /*
5350 * EmitNonLocalJumpFixup may add fixup bytecode to close open try
5351 * blocks having finally clauses and to exit intermingled let blocks.
5352 * We can't simply transfer control flow to our caller in that case,
5353 * because we must gosub to those finally clauses from inner to outer,
5354 * with the correct stack pointer (i.e., after popping any with,
5355 * for/in, etc., slots nested inside the finally's try).
5356 *
5357 * In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
5358 * extra JSOP_RETRVAL after the fixups.
5359 */
5369 }
5372 #if JS_HAS_GENERATORS
5376 JSMSG_BAD_RETURN_OR_YIELD,
5377 js_yield_str);
5379 }
5386 }
5392 #endif
5395 {
5396 #if JS_HAS_XML_SUPPORT
5403 }
5404 #endif
5414 }
5420 /*
5421 * This block contains top-level function definitions. To ensure
5422 * that we emit the bytecode defining them before the rest of code
5423 * in the block we use a separate pass over functions. During the
5424 * main pass later the emitter will add JSOP_NOP with source notes
5425 * for the function to preserve the original functions position
5426 * when decompiling.
5427 *
5428 * Currently this is used only for functions, as compile-as-we go
5429 * mode for scripts does not allow separate emitter passes.
5430 */
5433 /*
5434 * Assign the destructuring arguments before defining any
5435 * functions, see bug 419662.
5436 */
5442 }
5450 /*
5451 * JSOP_DEFFUN in a top-level block with function
5452 * definitions appears, for example, when "if (true)"
5453 * is optimized away from "if (true) function x() {}".
5454 * See bug 428424.
5455 */
5457 }
5458 }
5459 }
5460 }
5464 }
5470 }
5474 }
5482 }
5489 /*
5490 * Top-level or called-from-a-native JS_Execute/EvaluateScript,
5491 * debugger, and eval frames may need the value of the ultimate
5492 * expression statement as the script's result, despite the fact
5493 * that it appears useless to the compiler.
5494 *
5495 * API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
5496 * calling JS_Compile* to suppress JSOP_POPV.
5497 */
5502 }
5504 /*
5505 * Don't eliminate apparently useless expressions if they are
5506 * labeled expression statements. The tc->topStmt->update test
5507 * catches the case where we are nesting in js_EmitTree for a
5508 * labeled compound statement.
5509 */
5516 JSREPORT_WARNING |
5517 JSREPORT_STRICT,
5518 JSMSG_USELESS_EXPR)) {
5520 }
5523 #if JS_HAS_DESTRUCTURING
5528 }
5529 #endif
5535 }
5536 }
5537 }
5541 /* Emit an annotated nop so we know to decompile a label. */
5550 ? SRC_LABELBRACE
5557 }
5559 /* Emit code for the labeled statement. */
5567 /* If the statement was compound, emit a note for the end brace. */
5572 }
5573 }
5577 /*
5578 * Emit SRC_PCDELTA notes on each JSOP_POP between comma operands.
5579 * These notes help the decompiler bracket the bytecodes generated
5580 * from each sub-expression that follows a comma.
5581 */
5590 }
5598 }
5599 }
5603 /*
5604 * Check left operand type and generate specialized code for it.
5605 * Specialize to avoid ECMA "reference type" values on the operand
5606 * stack, which impose pervasive runtime "GetValue" costs.
5607 */
5624 }
5641 #if JS_HAS_DESTRUCTURING
5645 #endif
5646 #if JS_HAS_LVALUE_RETURN
5651 #endif
5652 #if JS_HAS_XML_SUPPORT
5660 #endif
5663 }
5666 #if JS_HAS_GETTER_SETTER
5669 /*
5670 * x getter = y where x is a local or let variable is not
5671 * supported.
5672 */
5676 JSMSG_BAD_GETTER_OR_SETTER,
5678 ? js_getter_str
5681 }
5683 /* We'll emit these prefix bytecodes after emitting the r.h.s. */
5685 #endif
5686 /* If += or similar, dup the left operand and get its value. */
5696 }
5703 ? JSOP_GETGVAR
5705 ? JSOP_GETUPVAR
5707 ? JSOP_GETARG
5709 atomIndex);
5710 }
5725 }
5728 #if JS_HAS_LVALUE_RETURN
5730 #endif
5731 #if JS_HAS_XML_SUPPORT
5733 #endif
5740 }
5741 }
5743 /* Now emit the right operand (it may affect the namespace). */
5747 /* If += etc., emit the binary operator with a decompiler note. */
5749 /*
5750 * Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
5751 * declared in the current compilation unit, as in this case (just
5752 * a bit further below) we will avoid emitting the assignment op.
5753 */
5757 }
5760 }
5762 /* Left parts such as a.b.c and a[b].c need a decompiler note. */
5764 #if JS_HAS_DESTRUCTURING
5767 #endif
5770 }
5772 /* Finally, emit the specialized assignment bytecode. */
5777 /* FALL THROUGH */
5782 #if JS_HAS_LVALUE_RETURN
5784 #endif
5788 #if JS_HAS_DESTRUCTURING
5794 #endif
5795 #if JS_HAS_XML_SUPPORT
5800 #endif
5803 }
5807 /* Emit the condition, then branch if false to the else part. */
5817 /* Jump around else, fixup the branch, emit else, fixup jump. */
5823 /*
5824 * Because each branch pushes a single value, but our stack budgeting
5825 * analysis ignores branches, we now have to adjust cg->stackDepth to
5826 * ignore the value pushed by the first branch. Execution will follow
5827 * only one path, so we must decrement cg->stackDepth.
5828 *
5829 * Failing to do this will foil code, such as the try/catch/finally
5830 * exception handling code generator, that samples cg->stackDepth for
5831 * use at runtime (JSOP_SETSP), or in let expression and block code
5832 * generation, which must use the stack depth to compute local stack
5833 * indexes correctly.
5834 */
5846 /*
5847 * JSOP_OR converts the operand on the stack to boolean, and if true,
5848 * leaves the original operand value on the stack and jumps; otherwise
5849 * it pops and falls into the next bytecode, which evaluates the right
5850 * operand. The jump goes around the right operand evaluation.
5851 *
5852 * JSOP_AND converts the operand on the stack to boolean, and if false,
5853 * leaves the original operand value on the stack and jumps; otherwise
5854 * it pops and falls into the right operand's bytecode.
5855 */
5872 /* Left-associative operator chain: avoid too much recursion. */
5880 /* Emit nodes between the head and the tail. */
5892 }
5905 }
5921 /* Left-associative operator chain: avoid too much recursion. */
5931 }
5933 #if JS_HAS_XML_SUPPORT
5934 uintN oldflags;
5943 }
5945 /*
5946 * Binary :: has a right operand that brackets arbitrary code,
5947 * possibly including a let (a = b) ... expression. We must clear
5948 * TCF_IN_FOR_INIT to avoid mis-compiling such beasts.
5949 */
5952 #endif
5954 /* Binary operators that evaluate both operands unconditionally. */
5959 #if JS_HAS_XML_SUPPORT
5961 #endif
5964 }
5968 #if JS_HAS_XML_SUPPORT
5972 /* FALL THROUGH */
5973 #endif
5975 {
5976 uintN oldflags;
5978 /* Unary op, including unary +/-. */
5980 #if JS_HAS_XML_SUPPORT
5985 }
5986 #endif
5993 }
6002 }
6006 /* Emit lvalue-specialized code for ++/-- operators. */
6028 }
6039 }
6040 }
6050 #if JS_HAS_LVALUE_RETURN
6057 }
6061 #endif
6062 #if JS_HAS_XML_SUPPORT
6072 #endif
6073 }
6077 /*
6078 * Under ECMA 3, deleting a non-reference returns true -- but alas we
6079 * must evaluate the operand if it appears it might have side effects.
6080 */
6093 }
6099 #if JS_HAS_XML_SUPPORT
6104 #endif
6105 #if JS_HAS_LVALUE_RETURN
6115 #endif
6121 /*
6122 * If useless, just emit JSOP_TRUE; otherwise convert delete foo()
6123 * to foo(), true (a comma expression, requiring SRC_PCDELTA).
6124 */
6137 }
6144 }
6145 }
6148 #if JS_HAS_XML_SUPPORT
6164 #endif
6167 /*
6168 * Pop a stack operand, convert it to object, get a property named by
6169 * this bytecode's immediate-indexed atom operand, and push its value
6170 * (not a reference to it).
6171 */
6176 #if JS_HAS_XML_SUPPORT
6178 #endif
6179 /*
6180 * Pop two operands, convert the left one to object and the right one
6181 * to property name (atom or tagged int), get the named property, and
6182 * push its value. Set the "obj" register to the result of ToObject
6183 * on the left operand.
6184 */
6190 {
6191 uintN oldflags;
6193 /*
6194 * Emit function call or operator new (constructor call) code.
6195 * First, emit code for the left operand to evaluate the callable or
6196 * constructable object expression.
6197 */
6214 #if JS_HAS_XML_SUPPORT
6219 }
6220 #endif
6221 /* FALL THROUGH */
6223 /*
6224 * Push null as a placeholder for the global object, per ECMA-262
6225 * 11.2.3 step 6.
6226 */
6231 }
6233 /* Remember start of callable-object bytecode for decompilation hint. */
6236 /*
6237 * Emit code for each argument in order, then emit the JSOP_*CALL or
6238 * JSOP_NEW bytecode with a two-byte immediate telling how many args
6239 * were pushed on the operand stack.
6240 */
6246 }
6257 }
6260 {
6262 uintN count;
6267 /*
6268 * If this lexical scope is not for a catch block, let block or let
6269 * expression, or any kind of for loop (where the scope starts in the
6270 * head after the first part if for (;;), else in the body if for-in);
6271 * and if our container is top-level but not a function body, or else
6272 * a block statement; then emit a SRC_BRACE note. All other container
6273 * statements get braces by default from the decompiler.
6274 */
6281 #if defined DEBUG_brendan || defined DEBUG_mrbkap
6282 /* There must be no source note already output for the next op. */
6286 #endif
6290 }
6308 }
6309 }
6311 /* Emit the JSOP_LEAVEBLOCK or JSOP_LEAVEBLOCKEXPR opcode. */
6317 }
6319 #if JS_HAS_BLOCK_SCOPE
6321 /* Let statements have their variable declarations on the left. */
6327 }
6329 /* Non-null pn2 means that pn is the variable list from a let head. */
6334 /* Thus non-null pn2 is the body of the let block or expression. */
6343 }
6347 #if JS_HAS_GENERATORS
6349 jsint slot;
6351 /*
6352 * The array object's stack index is in cg->arrayCompDepth. See below
6353 * under the array initialiser code generator for array comprehension
6354 * special casing.
6355 */
6363 }
6364 #endif
6367 #if JS_HAS_GENERATORS
6369 #endif
6370 /*
6371 * Emit code for [a, b, c] that is equivalent to constructing a new
6372 * array and in source order evaluating each element value and adding
6373 * it to the array, without invoking latent setters. We use the
6374 * JSOP_NEWINIT and JSOP_INITELEM bytecodes to ignore setters and to
6375 * avoid dup'ing and popping the array as each element is added, as
6376 * JSOP_SETELEM/JSOP_SETPROP would do.
6377 *
6378 * If no sharp variable is defined, the initializer is not for an array
6379 * comprehension, the initializer is not overlarge, and the initializer
6380 * is not in global code (whose stack growth cannot be precisely modeled
6381 * due to the need to reserve space for global variables and regular
6382 * expressions), use JSOP_NEWARRAY to minimize opcodes and to create the
6383 * array using a fast, all-at-once process rather than a slow, element-
6384 * by-element process.
6385 */
6386 #if JS_HAS_SHARP_VARS
6388 do_emit_array:
6389 #endif
6392 ? JSOP_NEWARRAY
6395 #if JS_HAS_GENERATORS
6398 #endif
6399 #if JS_HAS_SHARP_VARS
6403 #endif
6408 #if JS_HAS_SHARP_VARS
6411 # endif
6412 }
6414 #if JS_HAS_GENERATORS
6416 uintN saveDepth;
6418 /*
6419 * Pass the new array's stack index to the TOK_ARRAYPUSH case via
6420 * cg->arrayCompDepth, then simply traverse the TOK_FOR node and
6421 * its kids under pn2 to generate this comprehension.
6422 */
6430 /* Emit the usual op needed for decompilation. */
6434 }
6447 }
6450 }
6454 /* Emit a source note so we know to decompile an extra comma. */
6457 }
6460 /*
6461 * Emit an op to finish the array and, secondarily, to aid in sharp
6462 * array cleanup (if JS_HAS_SHARP_VARS) and decompilation.
6463 */
6467 }
6474 #if JS_HAS_SHARP_VARS
6476 do_emit_object:
6477 #endif
6478 #if JS_HAS_DESTRUCTURING_SHORTHAND
6481 JSMSG_BAD_OBJECT_INIT);
6483 }
6484 #endif
6485 /*
6486 * Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
6487 * a new object and in source order evaluating each property value and
6488 * adding the property to the object, without invoking latent setters.
6489 * We use the JSOP_NEWINIT and JSOP_INITELEM/JSOP_INITPROP bytecodes to
6490 * ignore setters and to avoid dup'ing and popping the object as each
6491 * property is added, as JSOP_SETELEM/JSOP_SETPROP would do.
6492 */
6496 #if JS_HAS_SHARP_VARS
6499 #endif
6502 /* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
6507 }
6509 /* Emit code for the property initializer. */
6513 #if JS_HAS_GETTER_SETTER
6518 }
6519 #endif
6520 /* Annotate JSOP_INITELEM so we decompile 2:c and not just c. */
6533 }
6534 }
6536 /* Emit an op for sharpArray cleanup and decompilation. */
6541 #if JS_HAS_SHARP_VARS
6548 # if JS_HAS_GENERATORS
6551 # endif
6567 {
6568 uintN oldflags;
6570 /*
6571 * The node for (e) has e as its kid, enabling users who want to nest
6572 * assignment expressions in conditions to avoid the error correction
6573 * done by Condition (from x = y to x == y) by double-parenthesizing.
6574 */
6581 }
6584 /*
6585 * Cope with a left-over function definition that was replaced by a use
6586 * of a later function definition of the same name. See FunctionDef and
6587 * MakeDefIntoUse in jsparse.cpp.
6588 */
6595 #if JS_HAS_XML_SUPPORT
6601 #endif
6611 /*
6612 * If the regexp's script is one-shot, we can avoid the extra
6613 * fork-on-exec costs of JSOP_REGEXP by selecting JSOP_OBJECT.
6614 * Otherwise, to avoid incorrect proto, parent, and lastIndex
6615 * sharing among threads and sequentially across re-execution,
6616 * select JSOP_REGEXP.
6617 */
6624 cg);
6625 }
6628 #if JS_HAS_XML_SUPPORT
6630 #endif
6636 #if JS_HAS_DEBUGGER_KEYWORD
6643 #if JS_HAS_XML_SUPPORT
6649 }
6655 /* FALL THROUGH */
6662 }
6668 }
6673 }
6683 }
6686 }
6687 #ifdef DEBUG
6688 else
6690 #endif
6697 }
6698 /* FALL THROUGH */
6702 {
6703 uint32 i;
6729 }
6735 }
6739 }
6740 }
6755 }
6764 }
6769 }
6775 }
6791 }
6798 }
6801 }
6803 /*
6804 * We should try to get rid of offsetBias (always 0 or 1, where 1 is
6805 * JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR and SRC_DECL.
6806 */
6833 };
6835 static intN
6837 {
6838 intN index;
6847 /* Allocate the first note array lazily; leave noteMask alone. */
6850 /* Grow by doubling note array size; update noteMask on success. */
6854 }
6858 }
6859 }
6863 }
6865 intN
6867 {
6872 /*
6873 * Claim a note slot in CG_NOTES(cg) by growing it if necessary and then
6874 * incrementing CG_NOTE_COUNT(cg).
6875 */
6881 /*
6882 * Compute delta from the last annotated bytecode's offset. If it's too
6883 * big to fit in sn, allocate one or more xdelta notes and reset sn.
6884 */
6898 }
6900 /*
6901 * Initialize type and delta, then allocate the minimum number of notes
6902 * needed for type's arity. Usually, we won't need more, but if an offset
6903 * does take two bytes, js_SetSrcNoteOffset will grow CG_NOTES(cg).
6904 */
6909 }
6911 }
6913 intN
6916 {
6917 intN index;
6923 }
6925 }
6927 intN
6930 {
6931 intN index;
6939 }
6941 }
6943 static JSBool
6945 {
6949 /* Grow by doubling note array size; update noteMask on success. */
6956 }
6959 }
6961 jssrcnote *
6964 {
6966 intN index;
6968 /*
6969 * Called only from OptimizeSpanDeps and js_FinishTakingSrcNotes to add to
6970 * main script note deltas, and only by a small positive amount.
6971 */
6986 }
6991 sn++;
6992 }
6994 }
6998 {
6999 uintN arity;
7006 }
7008 }
7012 {
7013 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7019 }
7024 }
7026 }
7028 JSBool
7031 {
7038 }
7040 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7047 }
7049 /* See if the new offset requires three bytes. */
7051 /* Maybe this offset was already set to a three-byte value. */
7053 /* Losing, need to insert another two bytes for this offset. */
7056 /*
7057 * Simultaneously test to see if the source note array must grow to
7058 * accommodate either the first or second byte of additional storage
7059 * required by this 3-byte offset.
7060 */
7065 }
7072 }
7075 }
7078 }
7080 #ifdef DEBUG_notme
7081 #define DEBUG_srcnotesize
7082 #endif
7084 #ifdef DEBUG_srcnotesize
7085 #define NBINS 10
7089 {
7098 }
7105 }
7107 }
7108 #endif
7110 /*
7111 * Fill in the storage at notes with prolog and main srcnotes; the space at
7112 * notes was allocated using the CG_COUNT_FINAL_SRCNOTES macro from jsemit.h.
7113 * SO DON'T CHANGE THIS FUNCTION WITHOUT AT LEAST CHECKING WHETHER jsemit.h's
7114 * CG_COUNT_FINAL_SRCNOTES MACRO NEEDS CORRESPONDING CHANGES!
7115 */
7116 JSBool
7118 {
7133 /*
7134 * Either no prolog srcnotes, or no line number change over prolog.
7135 * We don't need a SRC_SETLINE, but we may need to adjust the offset
7136 * of the first main note, by adding to its delta and possibly even
7137 * prepending SRC_XDELTA notes to it to account for prolog bytecodes
7138 * that came at and after the last annotated bytecode.
7139 */
7143 /* NB: Use as much of the first main note's delta as we can. */
7158 }
7159 }
7160 }
7169 #ifdef DEBUG_notme
7174 }
7175 #endif
7177 }
7179 static JSBool
7182 {
7194 }
7204 }
7206 void
7208 {
7219 }
7221 /*
7222 * Find the index of the given object for code generator.
7223 *
7224 * Since the emitter refers to each parsed object only once, for the index we
7225 * use the number of already indexes objects. We also add the object to a list
7226 * to convert the list to a fixed-size array when we complete code generation,
7227 * see JSCGObjectList::finish below.
7228 *
7229 * Most of the objects go to JSCodeGenerator.objectList but for regexp we use a
7230 * separated JSCodeGenerator.regexpList. In this way the emitted index can be
7231 * directly used to store and fetch a reference to a cloned RegExp object that
7232 * shares the same JSRegExp private data created for the object literal in
7233 * objbox. We need a cloned object to hold lastIndex and other direct properties
7234 * that should not be shared among threads sharing a precompiled function or
7235 * script.
7236 *
7237 * If the code being compiled is function code, allocate a reserved slot in
7238 * the cloned function object that shares its precompiled script with other
7239 * cloned function objects and with the compiler-created clone-parent. There
7240 * are nregexps = JS_SCRIPT_REGEXPS(script)->length such reserved slots in each
7241 * function object cloned from fun->object. NB: during compilation, a funobj
7242 * slots element must never be allocated, because js_AllocSlot could hand out
7243 * one of the slots that should be given to a regexp clone.
7244 *
7245 * If the code being compiled is global code, the cloned regexp are stored in
7246 * fp->vars slot after cg->ngvars and to protect regexp slots from GC we set
7247 * fp->nvars to ngvars + nregexps.
7248 *
7249 * The slots initially contain undefined or null. We populate them lazily when
7250 * JSOP_REGEXP is executed for the first time.
7251 *
7252 * Why clone regexp objects? ECMA specifies that when a regular expression
7253 * literal is scanned, a RegExp object is created. In the spec, compilation
7254 * and execution happen indivisibly, but in this implementation and many of
7255 * its embeddings, code is precompiled early and re-executed in multiple
7256 * threads, or using multiple global objects, or both, for efficiency.
7257 *
7258 * In such cases, naively following ECMA leads to wrongful sharing of RegExp
7259 * objects, which makes for collisions on the lastIndex property (especially
7260 * for global regexps) and on any ad-hoc properties. Also, __proto__ and
7261 * __parent__ refer to the pre-compilation prototype and global objects, a
7262 * pigeon-hole problem for instanceof tests.
7263 */
7264 uintN
7266 {
7271 }
7273 void
7275 {
7290 }