| blob | 2b198acc300c5ea79058ceb1f7cd8b2feff7f779 |
1 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=99:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
41 /*
42 * JS bytecode generation.
43 */
44 #ifdef HAVE_MEMORY_H
45 #include <memory.h>
46 #endif
47 #include <new>
48 #include <string.h>
72 /* Allocation chunk counts, must be powers of two in general. */
77 /* Macros to compute byte sizes from typed element counts. */
78 #define BYTECODE_SIZE(n) ((n) * sizeof(jsbytecode))
79 #define SRCNOTE_SIZE(n) ((n) * sizeof(jssrcnote))
80 #define TRYNOTE_SIZE(n) ((n) * sizeof(JSTryNote))
82 static JSBool
88 uintN lineno)
98 {
106 }
109 {
113 /* NB: non-null only after OOM. */
119 }
121 static ptrdiff_t
123 {
135 ? BYTECODE_CHUNK
144 }
148 }
152 }
154 }
156 static void
158 {
160 JSOp op;
163 intN ndefs;
168 #ifdef JS_TRACER
171 #else
173 #endif
177 extra;
180 }
193 JSMSG_STACK_UNDERFLOW,
195 numBuf);
196 }
201 /* We just executed IndexParsedObject */
210 }
214 }
216 ptrdiff_t
218 {
224 }
226 }
228 ptrdiff_t
230 {
239 }
241 }
243 ptrdiff_t
245 jsbytecode op2)
246 {
256 }
258 }
260 ptrdiff_t
262 {
272 /*
273 * Don't UpdateDepth if op's use-count comes from the immediate
274 * operand yet to be stored in the extra bytes after op.
275 */
278 }
280 }
282 /* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
303 };
309 {
313 }
315 static void
317 {
320 }
322 /**
323 Span-dependent instructions in JS bytecode consist of the jump (JOF_JUMP)
324 and switch (JOF_LOOKUPSWITCH, JOF_TABLESWITCH) format opcodes, subdivided
325 into unconditional (gotos and gosubs), and conditional jumps or branches
326 (which pop a value, test it, and jump depending on its value). Most jumps
327 have just one immediate operand, a signed offset from the jump opcode's pc
328 to the target bytecode. The lookup and table switch opcodes may contain
329 many jump offsets.
331 Mozilla bug #80981 (http://bugzilla.mozilla.org/show_bug.cgi?id=80981) was
332 fixed by adding extended "X" counterparts to the opcodes/formats (NB: X is
333 suffixed to prefer JSOP_ORX thereby avoiding a JSOP_XOR name collision for
334 the extended form of the JSOP_OR branch opcode). The unextended or short
335 formats have 16-bit signed immediate offset operands, the extended or long
336 formats have 32-bit signed immediates. The span-dependency problem consists
337 of selecting as few long instructions as possible, or about as few -- since
338 jumps can span other jumps, extending one jump may cause another to need to
339 be extended.
341 Most JS scripts are short, so need no extended jumps. We optimize for this
342 case by generating short jumps until we know a long jump is needed. After
343 that point, we keep generating short jumps, but each jump's 16-bit immediate
344 offset operand is actually an unsigned index into cg->spanDeps, an array of
345 JSSpanDep structs. Each struct tells the top offset in the script of the
346 opcode, the "before" offset of the jump (which will be the same as top for
347 simplex jumps, but which will index further into the bytecode array for a
348 non-initial jump offset in a lookup or table switch), the after "offset"
349 adjusted during span-dependent instruction selection (initially the same
350 value as the "before" offset), and the jump target (more below).
352 Since we generate cg->spanDeps lazily, from within js_SetJumpOffset, we must
353 ensure that all bytecode generated so far can be inspected to discover where
354 the jump offset immediate operands lie within CG_CODE(cg). But the bonus is
355 that we generate span-dependency records sorted by their offsets, so we can
356 binary-search when trying to find a JSSpanDep for a given bytecode offset,
357 or the nearest JSSpanDep at or above a given pc.
359 To avoid limiting scripts to 64K jumps, if the cg->spanDeps index overflows
360 65534, we store SPANDEP_INDEX_HUGE in the jump's immediate operand. This
361 tells us that we need to binary-search for the cg->spanDeps entry by the
362 jump opcode's bytecode offset (sd->before).
364 Jump targets need to be maintained in a data structure that lets us look
365 up an already-known target by its address (jumps may have a common target),
366 and that also lets us update the addresses (script-relative, a.k.a. absolute
367 offsets) of targets that come after a jump target (for when a jump below
368 that target needs to be extended). We use an AVL tree, implemented using
369 recursion, but with some tricky optimizations to its height-balancing code
370 (see http://www.cmcrossroads.com/bradapp/ftp/src/libs/C++/AvlTrees.html).
372 A final wrinkle: backpatch chains are linked by jump-to-jump offsets with
373 positive sign, even though they link "backward" (i.e., toward lower bytecode
374 address). We don't want to waste space and search time in the AVL tree for
375 such temporary backpatch deltas, so we use a single-bit wildcard scheme to
376 tag true JSJumpTarget pointers and encode untagged, signed (positive) deltas
377 in JSSpanDep.target pointers, depending on whether the JSSpanDep has a known
378 target, or is still awaiting backpatching.
380 Note that backpatch chains would present a problem for BuildSpanDepTable,
381 which inspects bytecode to build cg->spanDeps on demand, when the first
382 short jump offset overflows. To solve this temporary problem, we emit a
383 proxy bytecode (JSOP_BACKPATCH; JSOP_BACKPATCH_POP for branch ops) whose
384 nuses/ndefs counts help keep the stack balanced, but whose opcode format
385 distinguishes its backpatch delta immediate operand from a normal jump
386 offset.
387 */
388 static int
390 {
393 JSBool doubleRotate;
406 }
430 }
433 }
442 static int
444 {
461 }
462 }
470 }
475 }
479 else
488 }
490 #ifdef DEBUG_brendan
492 {
501 }
502 #endif
504 static JSBool
507 {
508 AddJumpTargetArgs args;
513 }
523 #ifdef DEBUG_brendan
525 #endif
529 }
531 #define SPANDEPS_MIN 256
532 #define SPANDEPS_SIZE(n) ((n) * sizeof(JSSpanDep))
533 #define SPANDEPS_SIZE_MIN SPANDEPS_SIZE(SPANDEPS_MIN)
535 static JSBool
538 {
539 uintN index;
547 }
556 }
564 /* Jump offset will be backpatched if off is a non-zero "bpdelta". */
570 }
571 }
574 /* Jump offset will be patched directly, without backpatch chaining. */
577 /* The jump offset in off is non-zero, therefore it's already known. */
580 }
586 }
590 {
591 JSOp op;
615 }
623 }
625 }
627 static JSBool
629 {
631 JSOp op;
654 /* FALL THROUGH */
658 }
659 }
662 }
666 {
667 uintN index;
686 else
688 }
692 }
694 static JSBool
697 {
704 }
709 }
718 }
720 static void
722 {
727 }
730 }
735 {
750 else
752 }
758 }
760 static void
762 {
769 }
771 static JSBool
773 {
777 JSBool done;
778 JSOp op;
779 uint32 type;
785 #ifdef DEBUG_brendan
787 #endif
803 #ifdef DEBUG_brendan
804 passes++;
805 #endif
820 /*
821 * We already extended all the jump offset operands for
822 * the opcode at sd->top. Jumps and branches have only
823 * one jump offset operand, but switches have many, all
824 * of which are adjacent in cg->spanDeps.
825 */
827 }
832 }
855 }
860 /*
861 * sd2->offset already includes delta as it stood
862 * before we entered this loop, but it must also
863 * include the delta relative to top due to all the
864 * extended jump offset immediates for the opcode
865 * starting at top, which we extend in this loop.
866 *
867 * If there is only one extended jump offset, then
868 * sd2->offset won't change and this for loop will
869 * iterate once only.
870 */
874 /*
875 * sd2 comes after sd, and won't be revisited by
876 * the outer for loop, so we have to increase its
877 * offset by delta, not merely by deltaFromTop.
878 */
880 }
885 }
887 }
888 }
889 }
895 #ifdef DEBUG_brendan
902 #endif
904 /*
905 * Ensure that we have room for the extended jumps, but don't round up
906 * to a power of two -- we're done generating code, so we cut to fit.
907 */
919 }
922 }
925 /*
926 * Set up a fake span dependency record to guard the end of the code
927 * being generated. This guard record is returned as a fencepost by
928 * FindNearestSpanDep if there is no real spandep at or above a given
929 * unextended code offset.
930 */
935 }
937 /*
938 * Now work backwards through the span dependencies, copying chunks of
939 * bytecode between each extended jump toward the end of the grown code
940 * space, and restoring immediate offset operands for all jump bytecodes.
941 * The first chunk of bytecodes, starting at base and ending at the first
942 * extended jump offset (NB: this chunk includes the operation bytecode
943 * just before that immediate jump offset), doesn't need to be copied.
944 */
955 sd2++;
958 }
963 /*
964 * If this jump didn't need to be extended, restore its span immediate
965 * offset operand now, overwriting the index of sd within cg->spanDeps
966 * that was stored temporarily after *pc when BuildSpanDepTable ran.
967 *
968 * Note that span might fit in 16 bits even for an extended jump op,
969 * if the op has multiple span operands, not all of which overflowed
970 * (e.g. JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH where some cases are in
971 * range for a short jump, but others are not).
972 */
977 }
979 /*
980 * Set up parameters needed to copy the next run of bytecode starting
981 * at offset (which is a cursor into the unextended, original bytecode
982 * vector), down to sd->before (a cursor of the same scale as offset,
983 * it's the index of the original jump pc). Reuse delta to count the
984 * nominal number of bytes to copy.
985 */
990 /*
991 * Don't bother copying the jump offset we're about to reset, but do
992 * copy the bytecode at oldpc (which comes just before its immediate
993 * jump offset operand), on the next iteration through the loop, by
994 * including it in offset's new value.
995 */
1001 size);
1002 }
1005 }
1008 /*
1009 * Fix source note deltas. Don't hardwire the delta fixup adjustment,
1010 * even though currently it must be JUMPX_OFFSET_LEN - JUMP_OFFSET_LEN
1011 * at each sd that moved. The future may bring different offset sizes
1012 * for span-dependent instruction operands. However, we fix only main
1013 * notes here, not prolog notes -- we know that prolog opcodes are not
1014 * span-dependent, and aren't likely ever to be.
1015 */
1021 /*
1022 * Recall that the offset of a given note includes its delta, and
1023 * tells the offset of the annotated bytecode from the main entry
1024 * point of the script.
1025 */
1028 /*
1029 * To compute the delta to add to sn, we need to look at the
1030 * spandep after sd, whose offset - (before + growth) tells by
1031 * how many bytes sd's instruction grew.
1032 */
1044 }
1045 sd++;
1046 }
1048 /*
1049 * If sn has span-dependent offset operands, check whether each
1050 * covers further span-dependencies, and increase those operands
1051 * accordingly. Some source notes measure offset not from the
1052 * annotated pc, but from that pc plus some small bias. NB: we
1053 * assume that spec->offsetBias can't itself span span-dependent
1054 * instructions!
1055 */
1071 /*
1072 * Increase target by sd2's before-vs-after offset delta,
1073 * which is absolute (i.e., relative to start of script,
1074 * as is target). Recompute the span by subtracting its
1075 * adjusted pivot from target.
1076 */
1085 }
1086 }
1087 }
1090 /*
1091 * Fix try/catch notes (O(numTryNotes * log2(numSpanDeps)), but it's
1092 * not clear how we can beat that).
1093 */
1095 /*
1096 * First, look for the nearest span dependency at/above tn->start.
1097 * There may not be any such spandep, in which case the guard will
1098 * be returned.
1099 */
1105 /*
1106 * Next, find the nearest spandep at/above tn->start + tn->length.
1107 * Use its delta minus tn->start's delta to increase tn->length.
1108 */
1114 }
1115 }
1116 }
1118 #ifdef DEBUG_brendan
1119 {
1125 /* NB: sd->top cursors into the original, unextended bytecode vector. */
1142 }
1148 bigspans++;
1152 }
1155 }
1157 }
1159 }
1160 #endif
1162 /*
1163 * Reset so we optimize at most once -- cg may be used for further code
1164 * generation of successive, independent, top-level statements. No jump
1165 * can span top-level statements, because JS lacks goto.
1166 */
1175 }
1177 static ptrdiff_t
1179 {
1180 JSBool extend;
1193 }
1195 }
1197 static ptrdiff_t
1199 {
1215 sd++;
1217 }
1219 JSBool
1222 {
1227 }
1231 }
1234 }
1236 bool
1238 {
1242 }
1244 }
1246 bool
1248 {
1249 #if JS_HAS_SHARP_VARS
1255 }
1271 /*
1272 * JSCompiler::compileScript will rebase immediate operands indexing
1273 * the sharp slots to come at the end of the global script's |nfixed|
1274 * slots storage, after gvars and regexps.
1275 */
1277 }
1279 #endif
1281 }
1283 void
1286 {
1300 }
1301 }
1303 void
1306 {
1314 }
1316 /*
1317 * Emit a backpatch op with offset pointing to the previous jump of this type,
1318 * so that we can walk back up the chain fixing up the op and jump offset.
1319 */
1320 static ptrdiff_t
1322 {
1330 }
1332 /*
1333 * Macro to emit a bytecode followed by a uint16 immediate operand stored in
1334 * big-endian order, used for arg and var numbers as well as for atomIndexes.
1335 * NB: We use cx and cg from our caller's lexical environment, and return
1336 * false on error.
1337 */
1338 #define EMIT_UINT16_IMM_OP(op, i) \
1339 JS_BEGIN_MACRO \
1340 if (js_Emit3(cx, cg, op, UINT16_HI(i), UINT16_LO(i)) < 0) \
1341 return JS_FALSE; \
1342 JS_END_MACRO
1344 #define EMIT_UINT16PAIR_IMM_OP(op, i, j) \
1345 JS_BEGIN_MACRO \
1346 ptrdiff_t off_ = js_EmitN(cx, cg, op, 2 * UINT16_LEN); \
1347 if (off_ < 0) \
1348 return JS_FALSE; \
1349 jsbytecode *pc_ = CG_CODE(cg, off_); \
1350 SET_UINT16(pc_, i); \
1351 pc_ += UINT16_LEN; \
1352 SET_UINT16(pc_, j); \
1353 JS_END_MACRO
1355 static JSBool
1357 {
1364 }
1366 /*
1367 * Emit additional bytecode(s) for non-local jumps.
1368 */
1369 static JSBool
1371 {
1375 /*
1376 * The non-local jump fixup we emit will unbalance cg->stackDepth, because
1377 * the fixup replicates balanced code such as JSOP_LEAVEWITH emitted at the
1378 * end of a with statement, so we save cg->stackDepth here and restore it
1379 * just before a successful return.
1380 */
1384 #define FLUSH_POPS() if (npops && !FlushPops(cx, cg, &npops)) return JS_FALSE
1397 /* There's a With object on the stack that we need to pop. */
1406 /*
1407 * The iterator and the object being iterated need to be popped.
1408 */
1417 /*
1418 * There's a [exception or hole, retsub pc-index] pair on the
1419 * stack that we need to pop.
1420 */
1425 }
1428 uintN i;
1430 /* There is a Block object with locals on the stack to pop. */
1436 }
1437 }
1443 #undef FLUSH_POPS
1444 }
1446 static ptrdiff_t
1449 {
1450 intN index;
1459 else
1465 }
1467 static JSBool
1470 {
1481 /*
1482 * Set *pc after jump offset in case bpdelta didn't overflow, but span
1483 * does (if so, CHECK_AND_SET_JUMP_OFFSET might call BuildSpanDepTable
1484 * and need to see the JSOP_BACKPATCH* op at *pc).
1485 */
1488 }
1490 }
1492 void
1494 {
1504 }
1505 }
1506 }
1508 JSBool
1510 {
1517 JSOP_GOTO))) {
1519 }
1522 }
1524 JSBool
1527 {
1528 jsdouble dval;
1529 jsint ival;
1531 jsval v;
1534 /* XXX just do numbers for now */
1540 /*
1541 * We atomize double to root a jsdouble instance that we wrap as
1542 * jsval and store in cg->constList. This works because atoms are
1543 * protected from GC during compilation.
1544 */
1549 }
1554 }
1556 }
1558 JSStmtInfo *
1560 {
1571 /* Skip "maybe scope" statements that don't contain let bindings. */
1586 }
1588 }
1589 }
1594 }
1596 /*
1597 * Check if the attributes describe a property holding a compile-time constant
1598 * or a permanent, read-only property without a getter.
1599 */
1600 #define IS_CONSTANT_PROPERTY(attrs) \
1601 (((attrs) & (JSPROP_READONLY | JSPROP_PERMANENT | JSPROP_GETTER)) == \
1602 (JSPROP_READONLY | JSPROP_PERMANENT))
1604 /*
1605 * The function sets vp to JSVAL_HOLE when the atom does not corresponds to a
1606 * name defining a constant.
1607 */
1608 static JSBool
1611 {
1612 JSBool ok;
1617 uintN attrs;
1619 /*
1620 * Chase down the cg stack, but only until we reach the outermost cg.
1621 * This enables propagating consts from top-level into switch cases in a
1622 * function compiled along with the top-level script.
1623 */
1627 /* XXX this will need revising if 'const' becomes block-scoped. */
1637 }
1639 /*
1640 * Try looking in the variable object for a direct property that
1641 * is readonly and permanent. We know such a property can't be
1642 * shadowed by another property on obj's prototype chain, or a
1643 * with object or catch variable; nor can prop's value be changed,
1644 * nor can prop be deleted.
1645 */
1656 /*
1657 * We're compiling code that will be executed immediately,
1658 * not re-executed against a different scope chain and/or
1659 * variable object. Therefore we can get constant values
1660 * from our variable object here.
1661 */
1666 }
1667 }
1674 }
1675 }
1678 }
1680 /*
1681 * Return JSOP_NOP to indicate that index fits 2 bytes and no index segment
1682 * reset instruction is necessary, JSOP_FALSE to indicate an error or either
1683 * JSOP_RESETBASE0 or JSOP_RESETBASE1 to indicate the reset bytecode to issue
1684 * after the main bytecode sequence.
1685 */
1686 static JSOp
1688 {
1689 uintN indexBase;
1691 /*
1692 * We have max 3 bytes for indexes and check for INDEX_LIMIT overflow only
1693 * for big indexes.
1694 */
1706 }
1710 JSMSG_TOO_MANY_LITERALS);
1712 }
1717 }
1719 /*
1720 * Emit a bytecode and its 2-byte constant index immediate operand. If the
1721 * index requires more than 2 bytes, emit a prefix op whose 8-bit immediate
1722 * operand effectively extends the 16-bit immediate of the prefixed opcode,
1723 * by changing index "segment" (see jsinterp.c). We optimize segments 1-3
1724 * with single-byte JSOP_INDEXBASE[123] codes.
1725 *
1726 * Such prefixing currently requires a suffix to restore the "zero segment"
1727 * register setting, but this could be optimized further.
1728 */
1729 static JSBool
1731 {
1732 JSOp bigSuffix;
1739 }
1741 /*
1742 * Slight sugar for EmitIndexOp, again accessing cx and cg from the macro
1743 * caller's lexical environment, and embedding a false return on error.
1744 */
1745 #define EMIT_INDEX_OP(op, index) \
1746 JS_BEGIN_MACRO \
1747 if (!EmitIndexOp(cx, op, index, cg)) \
1748 return JS_FALSE; \
1749 JS_END_MACRO
1751 static JSBool
1753 {
1760 }
1765 }
1767 static JSBool
1770 {
1773 }
1775 /*
1776 * What good are ARGNO_LEN and SLOTNO_LEN, you ask? The answer is that, apart
1777 * from EmitSlotIndexOp, they abstract out the detail that both are 2, and in
1778 * other parts of the code there's no necessary relationship between the two.
1779 * The abstraction cracks here in order to share EmitSlotIndexOp code among
1780 * the JSOP_DEFLOCALFUN and JSOP_GET{ARG,VAR,LOCAL}PROP cases.
1781 */
1785 static JSBool
1788 {
1789 JSOp bigSuffix;
1799 /* Emit [op, slot, index]. */
1808 }
1810 /*
1811 * Adjust the slot for a block local to account for the number of variables
1812 * that share the same index space with locals. Due to the incremental code
1813 * generation for top-level script, we do the adjustment via code patching in
1814 * JSCompiler::compileScript; see comments there.
1815 *
1816 * The function returns -1 on failures.
1817 */
1818 static jsint
1820 {
1826 JSREPORT_ERROR,
1827 JSMSG_TOO_MANY_LOCALS);
1829 }
1830 }
1832 }
1834 static bool
1836 {
1851 /* Beware the empty destructuring dummy. */
1855 }
1861 #ifdef DEBUG
1866 }
1867 #endif
1868 }
1872 }
1874 /*
1875 * When eval is called from a function, the eval code or function code it
1876 * compiles may reference upvars that live in the eval-calling function. The
1877 * eval-invoked compiler does not have explicit definitions for these upvars
1878 * and we do not attempt to create them a-priori (by inspecting the function's
1879 * args and vars) -- we could, but we'd take an avoidable penalty for each
1880 * function local not referenced by any upvar. Instead, we map such upvars
1881 * lazily, growing upvarMap.vector by powers of two.
1882 *
1883 * This function knows that it is called with pn pointing to a PN_NAME-arity
1884 * node, and cg->compiler->callerFrame having a non-null fun member, and the
1885 * static level of cg at least one greater than the eval-calling function's
1886 * static level.
1887 */
1888 static bool
1890 {
1897 /*
1898 * Treat top-level function definitions as escaping (i.e., as funargs),
1899 * required since we compile each such top level function or statement
1900 * and throw away the AST, so we can't yet see all funarg uses of this
1901 * function being compiled (cg->funbox->object). See bug 493177.
1902 */
1908 }
1916 }
1917 }
1921 uintN index;
1935 }
1953 }
1961 }
1967 }
1969 /*
1970 * BindNameToSlot attempts to optimize name gets and sets to stack slot loads
1971 * and stores, given the compile-time information in cg and a TOK_NAME node pn.
1972 * It returns false on error, true on success.
1973 *
1974 * The caller can inspect pn->pn_cookie for FREE_UPVAR_COOKIE to tell whether
1975 * optimization occurred, in which case BindNameToSlot also updated pn->pn_op.
1976 * If pn->pn_cookie is still FREE_UPVAR_COOKIE on return, pn->pn_op still may
1977 * have been optimized, e.g., from JSOP_NAME to JSOP_CALLEE. Whether or not
1978 * pn->pn_op was modified, if this function finds an argument or local variable
1979 * name, PND_CONST will be set in pn_dflags for read-only properties after a
1980 * successful return.
1981 *
1982 * NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
1983 * to update the TOK_FOR (for-in) and TOK_ASSIGN (op=, e.g. +=) special cases
1984 * in js_EmitTree.
1985 */
1986 static JSBool
1988 {
1990 JSOp op;
1992 uint32 cookie;
1995 uintN index;
1999 /* Idempotency tests come first, since we may be called more than once. */
2003 /* No cookie initialized for these two, they're pre-bound by definition. */
2006 /*
2007 * The parser linked all uses (including forward references) to their
2008 * definitions, unless a with statement or direct eval intervened.
2009 */
2019 }
2030 /*
2031 * Turn attempts to mutate const-declared bindings into get ops (for
2032 * pre-increment and pre-decrement ops, our caller will have to emit
2033 * JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
2034 *
2035 * Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
2036 * bindings visible to the compiler are permanent in JS unless the
2037 * declaration originates in eval code. We detect eval code by testing
2038 * cg->compiler->callerFrame, which is set only by eval or a debugger
2039 * equivalent.
2040 *
2041 * Note that this callerFrame non-null test must be qualified by testing
2042 * !cg->funbox to exclude function code nested in eval code, which is not
2043 * subject to the deletable binding exception.
2044 */
2053 else
2057 }
2062 }
2069 /*
2070 * Don't generate upvars on the left side of a for loop. See
2071 * bug 470758.
2072 */
2080 /*
2081 * Make sure the variable object used by the compiler to initialize
2082 * parent links matches the caller's varobj. Compile-n-go compiler-
2083 * created function objects have the top-level cg's scopeChain set
2084 * as their parent by JSCompiler::newFunction.
2085 */
2092 /*
2093 * We are compiling eval or debug script inside a function frame
2094 * and the scope chain matches the function's variable object.
2095 * Optimize access to function's arguments and variable and the
2096 * arguments object.
2097 */
2102 }
2104 }
2107 /*
2108 * If this is a global reference from within a function, leave pn_op as
2109 * JSOP_NAME, etc. We could emit JSOP_*GVAR ops within function code if
2110 * only we could depend on the global frame's slots being valid for all
2111 * calls to the function.
2112 */
2116 /*
2117 * We are optimizing global variables and there may be no pre-existing
2118 * global property named atom when this global script runs. If atom was
2119 * declared via const or var, optimize pn to access fp->vars using the
2120 * appropriate JSOP_*GVAR op.
2121 *
2122 * FIXME: should be able to optimize global function access too.
2123 */
2137 }
2142 }
2147 /*
2148 * A JSDefinition witnessed as a declaration by the parser cannot be an
2149 * upvar, unless it is the degenerate kind of upvar selected above (in the
2150 * code before the PND_GVAR test) for the special case of compile-and-go
2151 * code generated from eval called from a function, where the eval code
2152 * uses local vars defined in the function. We detect this upvar-for-eval
2153 * case by checking dn's op.
2154 */
2160 #ifdef DEBUG
2162 #endif
2175 /*
2176 * Don't generate upvars on the left side of a for loop. See
2177 * bug 470758 and bug 520513.
2178 */
2187 }
2190 }
2200 /*
2201 * If op is a mutating opcode, this upvar's static level is too big to
2202 * index into the display, or the function is heavyweight, we fall back
2203 * on JSOP_*NAME*.
2204 */
2215 /*
2216 * The function we're compiling may not be heavyweight, but if it
2217 * escapes as a funarg, we can't use JSOP_GETUPVAR/JSOP_CALLUPVAR.
2218 * JSCompiler::analyzeFunctions has arranged for this function's
2219 * enclosing functions to be heavyweight, so we can safely stick
2220 * with JSOP_NAME/JSOP_CALLNAME.
2221 */
2225 /*
2226 * Generator functions may be resumed from any call stack, which
2227 * defeats the display optimization to static link searching used
2228 * by JSOP_{GET,CALL}UPVAR.
2229 */
2234 }
2257 }
2260 }
2270 }
2273 }
2279 }
2281 /*
2282 * We are compiling a function body and may be able to optimize name
2283 * to stack slot. Look for an argument or variable in the function and
2284 * rewrite pn_op and update pn accordingly.
2285 */
2300 }
2313 }
2322 /*
2323 * Leave pn->pn_op == JSOP_NAME if cg->fun is heavyweight, as we
2324 * cannot be sure cg->fun is not something of the form:
2325 *
2326 * var ff = (function f(s) { eval(s); return f; });
2327 *
2328 * where a caller invokes ff("var f = 42"). The result returned for
2329 * such an invocation must be 42, since the callee name is
2330 * lexically bound in an outer declarative environment from the
2331 * function's activation. See jsfun.cpp:call_resolve.
2332 */
2337 }
2342 }
2343 /* FALL THROUGH */
2359 }
2362 }
2369 }
2371 /*
2372 * If pn contains a useful expression, return true with *answer set to true.
2373 * If pn contains a useless expression, return true with *answer set to false.
2374 * Return false on error.
2375 *
2376 * The caller should initialize *answer to false and invoke this function on
2377 * an expression statement or similar subtree to decide whether the tree could
2378 * produce code that has any side effects. For an expression statement, we
2379 * define useless code as code with no side effects, because the main effect,
2380 * the value left on the stack after the code executes, will be discarded by a
2381 * pop bytecode.
2382 */
2383 static JSBool
2386 {
2387 JSBool ok;
2396 /*
2397 * A named function, contrary to ES3, is no longer useful, because we
2398 * bind its name lexically (using JSOP_CALLEE) instead of creating an
2399 * Object instance and binding a readonly, permanent property in it
2400 * (the object and binding can be detected and hijacked or captured).
2401 * This is a bug fix to ES3; it is fixed in ES3.1 drafts.
2402 */
2410 /*
2411 * Non-operators along with ||, &&, ===, and !== never invoke
2412 * toString or valueOf.
2413 */
2417 /*
2418 * All invocation operations (construct: TOK_NEW, call: TOK_LP)
2419 * are presumed to be useful, because they may have side effects
2420 * even if their main effect (their return value) is discarded.
2421 *
2422 * TOK_LB binary trees of 3 or more nodes are flattened into lists
2423 * to avoid too much recursion. All such lists must be presumed
2424 * to be useful because each index operation could invoke a getter
2425 * (the JSOP_ARGUMENTS special case below, in the PN_BINARY case,
2426 * does not apply here: arguments[i][j] might invoke a getter).
2427 *
2428 * Likewise, array and object initialisers may call prototype
2429 * setters (the __defineSetter__ built-in, and writable __proto__
2430 * on Array.prototype create this hazard). Initialiser list nodes
2431 * have JSOP_NEWINIT in their pn_op.
2432 */
2434 }
2445 /*
2446 * Assignment is presumed to be useful, even if the next operation
2447 * is another assignment overwriting this one's ostensible effect,
2448 * because the left operand may be a property with a setter that
2449 * has side effects.
2450 *
2451 * The only exception is assignment of a useless value to a const
2452 * declared in the function currently being compiled.
2453 */
2464 }
2468 /*
2469 * ||, &&, ===, and !== do not convert their operands via
2470 * toString or valueOf method calls.
2471 */
2475 /*
2476 * We can't easily prove that neither operand ever denotes an
2477 * object with a toString or valueOf method.
2478 */
2480 }
2481 }
2495 }
2496 /* FALL THROUGH */
2498 #if JS_HAS_XML_SUPPORT
2500 #endif
2503 /* All these delete addressing modes have effects too. */
2509 }
2514 /* ! does not convert its operand via toString or valueOf. */
2517 }
2518 /* FALL THROUGH */
2521 /*
2522 * All of TOK_INC, TOK_DEC, TOK_THROW, TOK_YIELD, and TOK_DEFSHARP
2523 * have direct effects. Of the remaining unary-arity node types,
2524 * we can't easily prove that the operand never denotes an object
2525 * with a toString or valueOf method.
2526 */
2529 }
2533 /*
2534 * Take care to avoid trying to bind a label name (labels, both for
2535 * statements and property values in object initialisers, have pn_op
2536 * defaulted to JSOP_NOP).
2537 */
2543 /*
2544 * Not an argument or local variable use, and not a use of a
2545 * unshadowed named function expression's given name, so this
2546 * expression could invoke a getter that has side effects.
2547 */
2549 }
2550 }
2557 /*
2558 * Any dotted property reference could call a getter, except
2559 * for arguments.length where arguments is unambiguous.
2560 */
2562 }
2563 }
2575 }
2577 }
2579 static JSBool
2581 JSBool callContext)
2582 {
2583 JSOp op;
2612 }
2613 }
2626 }
2627 }
2630 }
2632 #if JS_HAS_XML_SUPPORT
2633 static JSBool
2635 {
2637 uintN oldflags;
2652 }
2655 }
2656 #endif
2658 static JSBool
2660 {
2661 /*
2662 * Special case for obj.__proto__, obj.__parent__, obj.__count__ to
2663 * deoptimize away from fast paths in the interpreter and trace recorder,
2664 * which skip dense array instances by going up to Array.prototype before
2665 * looking up the property name.
2666 */
2675 }
2677 static JSBool
2679 JSBool callContext)
2680 {
2687 /* Special case deoptimization on __proto__, __count__ and __parent__. */
2695 }
2704 /* Fast path for gets of |this.foo|. */
2706 }
2708 /*
2709 * Try to optimize:
2710 * - arguments.length into JSOP_ARGCNT
2711 * - argname.prop into JSOP_GETARGPROP
2712 * - localname.prop into JSOP_GETLOCALPROP
2713 * but don't do this if the property is 'length' -- prefer to emit
2714 * JSOP_GETARG, etc., and then JSOP_LENGTH.
2715 */
2728 do_indexconst: {
2730 jsatomid atomIndex;
2737 }
2740 }
2741 }
2742 }
2743 }
2745 /*
2746 * If the object operand is also a dotted property reference, reverse the
2747 * list linked via pn_expr temporarily so we can iterate over it from the
2748 * bottom up (reversing again as we go), to avoid excessive recursion.
2749 */
2755 /* Reverse pndot->pn_expr to point up, not down. */
2764 }
2766 /* pndown is a primary expression, not a dotted property reference. */
2771 /* Walk back up the list, emitting annotated name ops. */
2775 }
2777 /*
2778 * Special case deoptimization on __proto__, __count__ and
2779 * __parent__, as above.
2780 */
2789 }
2791 /* Reverse the pn_expr link again. */
2799 }
2804 }
2807 }
2809 static JSBool
2811 {
2814 jsint slot;
2818 /* Left-associative operator chain to avoid too much recursion. */
2826 /*
2827 * Try to optimize arguments[0][j]... into JSOP_ARGSUB<0> followed by
2828 * one or more index expression and JSOP_GETELEM op pairs.
2829 */
2836 /*
2837 * arguments[i]() requires arguments object as "this".
2838 * Check that we never generates list for that usage.
2839 */
2845 }
2846 }
2848 /*
2849 * Check whether we generated JSOP_ARGSUB, just above, and have only
2850 * one more index expression to emit. Given arguments[0][j], we must
2851 * skip the while loop altogether, falling through to emit code for j
2852 * (in the subtree referenced by right), followed by the annotated op,
2853 * at the bottom of this function.
2854 */
2859 }
2868 }
2871 /*
2872 * Set left and right so pn appears to be a TOK_LB node, instead
2873 * of a TOK_DOT node. See the TOK_FOR/IN case in js_EmitTree, and
2874 * EmitDestructuringOps nearer below. In the destructuring case,
2875 * the base expression (pn_expr) of the name may be null, which
2876 * means we have to emit a JSOP_BINDNAME.
2877 */
2886 }
2891 ? JSOP_QNAMEPART
2900 }
2902 /* Try to optimize arguments[0] (e.g.) into JSOP_ARGSUB<0>. */
2914 }
2915 }
2919 }
2921 /* The right side of the descendant operator is implicitly quoted. */
2929 }
2931 static JSBool
2933 {
2934 jsint ival;
2935 uint32 u;
2964 }
2966 }
2976 }
2978 static JSBool
2981 {
2982 JSOp switchOp;
2988 jsdouble d;
2990 jsval v;
2993 intN noteIndex;
2996 #if JS_HAS_BLOCK_SCOPE
2997 jsint count;
2998 #endif
3000 /* Try for most optimal, fall back if not dense ints, and per ECMAv2. */
3006 /*
3007 * If the switch contains let variables scoped by its body, model the
3008 * resulting block on the stack first, before emitting the discriminant's
3009 * bytecode (in case the discriminant contains a stack-model dependency
3010 * such as a let expression).
3011 */
3013 #if JS_HAS_BLOCK_SCOPE
3015 /*
3016 * Push the body's block scope before discriminant code-gen for proper
3017 * static block scope linkage in case the discriminant contains a let
3018 * expression. The block's locals must lie under the discriminant on
3019 * the stack so that case-dispatch bytecodes can find the discriminant
3020 * on top of stack.
3021 */
3026 /* Emit JSOP_ENTERBLOCK before code to evaluate the discriminant. */
3030 /*
3031 * Pop the switch's statement info around discriminant code-gen. Note
3032 * how this leaves cg->blockChain referencing the switch's
3033 * block scope object, which is necessary for correct block parenting
3034 * in the case where the discriminant contains a let expression.
3035 */
3038 }
3039 #ifdef __GNUC__
3042 }
3043 #endif
3044 #endif
3046 /*
3047 * Emit code for the discriminant first (or nearly first, in the case of a
3048 * switch whose body is a block scope).
3049 */
3053 /* Switch bytecodes run from here till end of final case. */
3055 #if !JS_HAS_BLOCK_SCOPE
3057 #else
3061 /* Re-push the switch's statement info record. */
3064 /* Set the statement info record's idea of top. */
3067 /* Advance pn2 to refer to the switch case list. */
3069 }
3070 #endif
3083 #define INTMAP_LENGTH 256
3096 }
3115 }
3117 }
3129 /*
3130 * XXX JSOP_LOOKUPSWITCH does not support const-
3131 * propagated object values, see bug 407186.
3132 */
3135 }
3139 }
3140 }
3141 /* FALL THROUGH */
3146 }
3150 }
3151 /* FALL THROUGH */
3155 }
3164 }
3169 }
3175 /*
3176 * Check for duplicates, which require a JSOP_LOOKUPSWITCH.
3177 * We bias i by 65536 if it's negative, and hope that's a rare
3178 * case (because it requires a malloc'd bitmap).
3179 */
3188 /* Just grab 8K for the worst-case bitmap. */
3196 }
3197 }
3199 }
3203 }
3205 }
3207 release:
3213 /*
3214 * Compute table length and select lookup instead if overlarge or
3215 * more than half-sparse.
3216 */
3222 /*
3223 * Lookup switch supports only atom indexes below 64K limit.
3224 * Conservatively estimate the maximum possible index during
3225 * switch generation and use conditional switch if it exceeds
3226 * the limit.
3227 */
3230 }
3231 }
3233 /*
3234 * Emit a note with two offsets: first tells total switch code length,
3235 * second tells offset to first JSOP_CASE if condswitch.
3236 */
3242 /*
3243 * 0 bytes of immediate for unoptimized ECMAv2 switch.
3244 */
3247 /*
3248 * 3 offsets (len, low, high) before the table, 1 per entry.
3249 */
3252 /*
3253 * JSOP_LOOKUPSWITCH:
3254 * 1 offset (len) and 1 atom index (npairs) before the table,
3255 * 1 atom index and 1 jump offset per entry.
3256 */
3259 }
3261 /*
3262 * Emit switchOp followed by switchSize bytes of jump or lookup table.
3263 *
3264 * If switchOp is JSOP_LOOKUPSWITCH or JSOP_TABLESWITCH, it is crucial
3265 * to emit the immediate operand(s) by which bytecode readers such as
3266 * BuildSpanDepTable discover the length of the switch opcode *before*
3267 * calling js_SetJumpOffset (which may call BuildSpanDepTable). It's
3268 * also important to zero all unknown jump offset immediate operands,
3269 * so they can be converted to span dependencies with null targets to
3270 * be computed later (js_EmitN zeros switchSize bytes after switchOp).
3271 */
3280 /* Emit code for evaluating cases and jumping to case statements. */
3286 /* off is the previous JSOP_CASE's bytecode offset. */
3290 }
3291 }
3295 }
3306 /* Switch note's second offset is to first JSOP_CASE. */
3311 }
3316 }
3317 }
3319 /*
3320 * If we didn't have an explicit default (which could fall in between
3321 * cases, preventing us from fusing this js_SetSrcNoteOffset with the
3322 * call in the loop above), link the last case to the implicit default
3323 * for the decompiler.
3324 */
3330 }
3332 /* Emit default even if no explicit default statement. */
3340 /* Fill in switch bounds, which we know fit in 16-bit offsets. */
3346 /*
3347 * Use malloc to avoid arena bloat for programs with many switches.
3348 * We free table if non-null at label out, so all control flow must
3349 * exit this function through goto out or goto bad.
3350 */
3364 }
3365 }
3369 /* Fill in the number of cases. */
3372 }
3374 /*
3375 * After this point, all control flow involving JSOP_TABLESWITCH
3376 * must set ok and goto out to exit this function. To keep things
3377 * simple, all switchOp cases exit that way.
3378 */
3381 /*
3382 * We have already generated at least one big jump so we must
3383 * explicitly add span dependencies for the switch jumps. When
3384 * called below, js_SetJumpOffset can only do it when patching
3385 * the first big jump or when cg->spanDeps is null.
3386 */
3389 }
3392 /*
3393 * Skip switchOp, as we are not setting jump offsets in the two
3394 * for loops below. We'll restore CG_NEXT(cg) from savepc after,
3395 * unless there was an error.
3396 */
3405 /* Note a propagated constant with the const's name. */
3414 }
3415 }
3417 }
3422 /* Note a propagated constant with the const's name. */
3431 }
3432 }
3434 }
3435 }
3437 }
3438 }
3440 /* Emit code for each case's statements, copying pn_offset up to pn3. */
3451 }
3454 /* If no default case, offset for default is to end of switch. */
3456 }
3458 /* We better have set "off" by now. */
3461 /* Set the default offset (to end of switch if no default). */
3475 }
3477 /* Set the SRC_SWITCH note's offset operand to tell end of switch. */
3484 /* Skip over the already-initialized switch bounds. */
3487 /* Fill in the jump table, if there is one. */
3495 }
3497 /* Skip over the already-initialized number of cases. */
3516 }
3517 }
3519 out:
3525 #if JS_HAS_BLOCK_SCOPE
3528 #endif
3529 }
3532 bad:
3535 }
3537 JSBool
3539 {
3541 /* JSOP_GENERATOR must be the first instruction. */
3548 /*
3549 * Emit a trace hint opcode only if not in a generator, since generators
3550 * are not yet traced and both want to be the first instruction.
3551 */
3554 }
3559 }
3561 /* A macro for inlining at the top of js_EmitTree (whence it came). */
3562 #define UPDATE_LINE_NUMBER_NOTES(cx, cg, line) \
3563 JS_BEGIN_MACRO \
3564 uintN line_ = (line); \
3565 uintN delta_ = line_ - CG_CURRENT_LINE(cg); \
3566 if (delta_ != 0) { \
3567 /* \
3568 * Encode any change in the current source line number by using \
3569 * either several SRC_NEWLINE notes or just one SRC_SETLINE note, \
3570 * whichever consumes less space. \
3571 * \
3572 * NB: We handle backward line number deltas (possible with for \
3573 * loops where the update part is emitted after the body, but its \
3574 * line number is <= any line number in the body) here by letting \
3575 * unsigned delta_ wrap to a very large number, which triggers a \
3576 * SRC_SETLINE. \
3578 CG_CURRENT_LINE(cg) = line_; \
3579 if (delta_ >= (uintN)(2 + ((line_ > SN_3BYTE_OFFSET_MASK)<<1))) { \
3580 if (js_NewSrcNote2(cx, cg, SRC_SETLINE, (ptrdiff_t)line_) < 0)\
3581 return JS_FALSE; \
3582 } else { \
3583 do { \
3584 if (js_NewSrcNote(cx, cg, SRC_NEWLINE) < 0) \
3585 return JS_FALSE; \
3586 } while (--delta_ != 0); \
3587 } \
3588 } \
3589 JS_END_MACRO
3591 /* A function, so that we avoid macro-bloating all the other callsites. */
3592 static JSBool
3594 {
3597 }
3599 static JSBool
3602 {
3603 jsatomid atomIndex;
3613 }
3622 }
3627 }
3629 #if JS_HAS_DESTRUCTURING
3631 typedef JSBool
3635 static JSBool
3638 {
3645 }
3647 static JSBool
3650 {
3652 DestructuringDeclEmitter emitter;
3659 ? EmitDestructuringDecl
3663 }
3669 ? EmitDestructuringDecl
3673 }
3674 }
3676 }
3678 static JSBool
3681 static JSBool
3683 {
3684 jsuint slot;
3686 /*
3687 * Now emit the lvalue opcode sequence. If the lvalue is a nested
3688 * destructuring initialiser-form, call ourselves to handle it, then
3689 * pop the matched value. Otherwise emit an lvalue bytecode sequence
3690 * ending with a JSOP_ENUMELEM or equivalent op.
3691 */
3703 }
3707 /*
3708 * NB: pn is a PN_NAME node, not a PN_BINARY. Nevertheless,
3709 * we want to emit JSOP_ENUMELEM, which has format JOF_ELEM.
3710 * So here and for JSOP_ENUMCONSTELEM, we use EmitElemOp.
3711 */
3735 {
3746 }
3750 }
3751 }
3754 }
3756 /*
3757 * Recursive helper for EmitDestructuringOps.
3758 *
3759 * Given a value to destructure on the stack, walk over an object or array
3760 * initialiser at pn, emitting bytecodes to match property values and store
3761 * them in the lvalues identified by the matched property names.
3762 */
3763 static JSBool
3765 {
3766 jsuint index;
3768 JSBool doElemOp;
3770 #ifdef DEBUG
3775 #endif
3778 /* Emit a DUP;POP sequence for the decompiler. */
3781 }
3785 /*
3786 * Duplicate the value being destructured to use as a reference base.
3787 * If dup is not the first one, annotate it for the decompiler.
3788 */
3794 /*
3795 * Now push the property name currently being matched, which is either
3796 * the array initialiser's current index, or the current property name
3797 * "label" on the left of a colon in the object initialiser. Set pn3
3798 * to the lvalue node, which is in the value-initializing position.
3799 */
3810 /*
3811 * If we are emitting an object destructuring initialiser,
3812 * annotate the index op with SRC_INITPROP so we know we are
3813 * not decompiling an array initialiser.
3814 */
3825 }
3827 }
3830 /*
3831 * Ok, get the value of the matching property name. This leaves
3832 * that value on top of the value being destructured, so the stack
3833 * is one deeper than when we started.
3834 */
3838 }
3840 /* Nullary comma node makes a hole in the array destructurer. */
3849 }
3853 }
3856 }
3858 static ptrdiff_t
3860 {
3870 }
3871 }
3873 static JSBool
3876 {
3877 /*
3878 * If we're called from a variable declaration, help the decompiler by
3879 * annotating the first JSOP_DUP that EmitDestructuringOpsHelper emits.
3880 * If the destructuring initialiser is empty, our helper will emit a
3881 * JSOP_DUP followed by a JSOP_POP for the decompiler.
3882 */
3886 /*
3887 * Call our recursive helper to emit the destructuring assignments and
3888 * related stack manipulations.
3889 */
3891 }
3893 static JSBool
3896 {
3904 JSMSG_ARRAY_INIT_TOO_BIG);
3906 }
3908 /* MaybeEmitGroupAssignment won't call us if rhs is holey. */
3913 }
3920 /* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
3933 }
3934 }
3940 }
3942 /*
3943 * Helper called with pop out param initialized to a JSOP_POP* opcode. If we
3944 * can emit a group assignment sequence, which results in 0 stack depth delta,
3945 * we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
3946 */
3947 static JSBool
3950 {
3963 }
3965 }
3969 static JSBool
3972 {
3974 #if JS_HAS_BLOCK_SCOPE
3977 #endif
3980 JSOp op;
3981 jsatomid atomIndex;
3982 uintN oldflags;
3984 /* Default in case of JS_HAS_BLOCK_SCOPE early return, below. */
3987 /*
3988 * Let blocks and expressions have a parenthesized head in which the new
3989 * scope is not yet open. Initializer evaluation uses the parent node's
3990 * lexical scope. If popScope is true below, then we hide the top lexical
3991 * block from any calls to BindNameToSlot hiding in pn2->pn_expr so that
3992 * it won't find any names in the new let block.
3993 *
3994 * The same goes for let declarations in the head of any kind of for loop.
3995 * Unlike a let declaration 'let x = i' within a block, where x is hoisted
3996 * to the start of the block, a 'for (let x = i...) ...' loop evaluates i
3997 * in the containing scope, and puts x in the loop body's scope.
3998 */
4001 #if JS_HAS_BLOCK_SCOPE
4007 }
4008 # ifdef __GNUC__
4010 # endif
4012 #endif
4020 #if JS_HAS_DESTRUCTURING
4022 /*
4023 * Emit variable binding ops, but not destructuring ops.
4024 * The parser (see Variables, jsparse.c) has ensured that
4025 * our caller will be the TOK_FOR/TOK_IN case in js_EmitTree,
4026 * and that case will emit the destructuring code only after
4027 * emitting an enumerating opcode and a branch that tests
4028 * whether the enumeration ended.
4029 */
4035 }
4036 #endif
4038 /*
4039 * A destructuring initialiser assignment preceded by var will
4040 * never occur to the left of 'in' in a for-in loop. As with 'for
4041 * (var x = i in o)...', this will cause the entire 'var [a, b] =
4042 * i' to be hoisted out of the loop.
4043 */
4047 /*
4048 * To allow the front end to rewrite var f = x; as f = x; when a
4049 * function f(){} precedes the var, detect simple name assignment
4050 * here and initialize the name.
4051 */
4052 #if !JS_HAS_DESTRUCTURING
4054 #else
4056 #endif
4057 {
4061 }
4063 #if JS_HAS_DESTRUCTURING
4065 /*
4066 * If this is the only destructuring assignment in the list,
4067 * try to optimize to a group assignment. If we're in a let
4068 * head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
4069 * in pn->pn_op, to suppress a second (and misplaced) 'let'.
4070 */
4077 }
4081 }
4082 }
4091 /*
4092 * Veto pn->pn_op if inLetHead to avoid emitting a SRC_DESTRUCT
4093 * that's redundant with respect to the SRC_DECL/SRC_DECL_LET that
4094 * we will emit at the bottom of this function.
4095 */
4098 pn3)) {
4100 }
4102 #endif
4103 }
4105 /*
4106 * Load initializer early to share code above that jumps to do_name.
4107 * NB: if this var redeclares an existing binding, then pn2 is linked
4108 * on its definition's use-chain and pn_expr has been overlayed with
4109 * pn_lexdef.
4110 */
4113 do_name:
4119 /* JSOP_ARGUMENTS => no initializer */
4122 #ifdef __GNUC__
4124 #endif
4136 }
4140 }
4142 #if JS_HAS_BLOCK_SCOPE
4143 /* Evaluate expr in the outer lexical scope if requested. */
4147 }
4148 #endif
4156 #if JS_HAS_BLOCK_SCOPE
4160 }
4161 #endif
4162 }
4163 }
4165 /*
4166 * The parser rewrites 'for (var x = i in o)' to hoist 'var x = i' --
4167 * likewise 'for (let x = i in o)' becomes 'i; for (let x in o)' using
4168 * a TOK_SEQ node to make the two statements appear as one. Therefore
4169 * if this declaration is part of a for-in loop head, we do not need to
4170 * emit op or any source note. Our caller, the TOK_FOR/TOK_IN case in
4171 * js_EmitTree, will annotate appropriately.
4172 */
4178 }
4184 ? SRC_DECL_CONST
4186 ? SRC_DECL_VAR
4189 }
4197 }
4199 #if JS_HAS_DESTRUCTURING
4200 emit_note_pop:
4201 #endif
4206 }
4213 }
4215 /* If this is a let head, emit and return a srcnote on the pop. */
4222 }
4225 }
4227 #if defined DEBUG_brendan || defined DEBUG_mrbkap
4228 static JSBool
4230 {
4241 }
4243 }
4244 #endif
4246 /* Top-level named functions need a nop for decompilation. */
4247 static JSBool
4249 {
4252 }
4254 static bool
4256 {
4259 #if JS_HAS_SHARP_VARS
4267 }
4268 #endif
4270 }
4272 static bool
4274 {
4275 #if JS_HAS_SHARP_VARS
4276 /* Emit an op for sharp array cleanup and decompilation. */
4279 #endif
4281 }
4283 /* See the SRC_FOR source note offsetBias comments later in this file. */
4287 JSBool
4289 {
4296 jsatomid atomIndex;
4297 uintN index;
4299 JSSrcNoteType noteType;
4301 JSOp op;
4302 JSTokenType type;
4303 uint32 argc;
4304 #if JS_HAS_SHARP_VARS
4305 jsint sharpnum;
4306 #endif
4314 /* Emit notes to tell the current bytecode's source line number. */
4319 {
4321 uintN slot;
4323 #if JS_HAS_XML_SUPPORT
4328 }
4329 #endif
4334 /*
4335 * This second pass is needed to emit JSOP_NOP with a source note
4336 * for the already-emitted function definition prolog opcode. See
4337 * comments in the TOK_LC case.
4338 */
4344 }
4354 /* Generate code for the function's body. */
4361 }
4367 #if JS_HAS_SHARP_VARS
4372 }
4373 #endif
4378 /*
4379 * jsparse.cpp:SetStaticLevel limited static nesting depth to fit in 16
4380 * bits and to reserve the all-ones value, thereby reserving the magic
4381 * FREE_UPVAR_COOKIE value. Note the cg2->staticLevel assignment below.
4382 */
4386 /* We measured the max scope depth when we parsed the function. */
4397 /* Make the function object a literal in the outer script's pool. */
4400 /* Emit a bytecode pointing to the closure object in its immediate. */
4406 }
4409 }
4411 /*
4412 * For a script we emit the code as we parse. Thus the bytecode for
4413 * top-level functions should go in the prolog to predefine their
4414 * names in the variable object before the already-generated main code
4415 * is executed. This extra work for top-level scripts is not necessary
4416 * when we emit the code for a function. It is fully parsed prior to
4417 * invocation of the emitter and calls to js_EmitTree for function
4418 * definitions can be scheduled before generating the rest of code.
4419 */
4427 /* Emit NOP for the decompiler. */
4431 #ifdef DEBUG
4432 JSLocalKind localKind =
4433 #endif
4441 }
4443 }
4457 /* Initialize so we can detect else-if chains and avoid recursion. */
4462 if_again:
4463 /* Emit code for the condition before pushing stmtInfo. */
4470 /*
4471 * We came here from the goto further below that detects else-if
4472 * chains, so we must mutate stmtInfo back into a STMT_IF record.
4473 * Also (see below for why) we need a note offset for SRC_IF_ELSE
4474 * to help the decompiler. Actually, we need two offsets, one for
4475 * decompiling any else clause and the second for decompiling an
4476 * else-if chain without bracing, overindenting, or incorrectly
4477 * scoping let declarations.
4478 */
4486 }
4488 /* Emit an annotated branch-if-false around the then part. */
4497 /* Emit code for the then and optional else parts. */
4501 /* Modify stmtInfo so we know we're in the else part. */
4504 /*
4505 * Emit a JSOP_BACKPATCH op to jump from the end of our then part
4506 * around the else part. The js_PopStatementCG call at the bottom
4507 * of this switch case will fix up the backpatch chain linked from
4508 * stmtInfo.breaks.
4509 */
4514 /* Ensure the branch-if-false comes here, then emit the else. */
4519 }
4524 /*
4525 * Annotate SRC_IF_ELSE with the offset from branch to jump, for
4526 * the decompiler's benefit. We can't just "back up" from the pc
4527 * of the else clause, because we don't know whether an extended
4528 * jump was required to leap from the end of the then clause over
4529 * the else clause.
4530 */
4534 /* No else part, fixup the branch-if-false to come here. */
4536 }
4541 /* Out of line to avoid bloating js_EmitTree's stack frame size. */
4546 /*
4547 * Minimize bytecodes issued for one or more iterations by jumping to
4548 * the condition below the body and closing the loop if the condition
4549 * is true with a backward branch. For iteration count i:
4550 *
4551 * i test at the top test at the bottom
4552 * = =============== ==================
4553 * 0 ifeq-pass goto; ifne-fail
4554 * 1 ifeq-fail; goto; ifne-pass goto; ifne-pass; ifne-fail
4555 * 2 2*(ifeq-fail; goto); ifeq-pass goto; 2*ifne-pass; ifne-fail
4556 * . . .
4557 * N N*(ifeq-fail; goto); ifeq-pass goto; N*ifne-pass; ifne-fail
4558 *
4559 * SpiderMonkey, pre-mozilla.org, emitted while parsing and so used
4560 * test at the top. When JSParseNode trees were added during the ES3
4561 * work (1998-9), the code generation scheme was not optimized, and
4562 * the decompiler continued to take advantage of the branch and jump
4563 * that bracketed the body. But given the SRC_WHILE note, it is easy
4564 * to support the more efficient scheme.
4565 */
4590 /* Emit an annotated nop so we know to decompile a 'do' keyword. */
4595 /* Compile the loop body. */
4603 /* Set loop and enclosing label update offsets, for continue. */
4609 /* Compile the loop condition, now that continues know where to go. */
4613 /*
4614 * Since we use JSOP_IFNE for other purposes as well as for do-while
4615 * loops, we must store 1 + (beq - top) in the SRC_WHILE note offset,
4616 * and the decompiler must get that delta and decompile recursively.
4617 */
4633 /* Set stmtInfo type for later testing. */
4636 /*
4637 * If the left part is 'var x', emit code to define x if necessary
4638 * using a prolog opcode, but do not emit a pop. If the left part
4639 * is 'var x = i', emit prolog code to define x if necessary; then
4640 * emit code to evaluate i, assign the result to x, and pop the
4641 * result off the stack.
4642 *
4643 * All the logic to do this is implemented in the outer switch's
4644 * TOK_VAR case, conditioned on pn_xflags flags set by the parser.
4645 *
4646 * In the 'for (var x = i in o) ...' case, the js_EmitTree(...pn3)
4647 * called here will generate the proper note for the assignment
4648 * op that sets x = i, hoisting the initialized var declaration
4649 * out of the loop: 'var x = i; for (x in o) ...'.
4650 *
4651 * In the 'for (var x in o) ...' case, nothing but the prolog op
4652 * (if needed) should be generated here, we must emit the note
4653 * just before the JSOP_FOR* opcode in the switch on pn3->pn_type
4654 * a bit below, so nothing is hoisted: 'for (var x in o) ...'.
4655 *
4656 * A 'for (let x = i in o)' loop must not be hoisted, since in
4657 * this form the let variable is scoped by the loop body (but not
4658 * the head). The initializer expression i must be evaluated for
4659 * any side effects. So we hoist only i in the let case.
4660 */
4668 /* Compile the object expression to the right of 'in'. */
4672 /*
4673 * Emit a bytecode to convert top of stack value to the iterator
4674 * object depending on the loop variant (for-in, for-each-in, or
4675 * destructuring for-in).
4676 */
4681 /* Annotate so the decompiler can find the loop-closing jump. */
4686 /*
4687 * Jump down to the loop condition to minimize overhead assuming at
4688 * least one iteration, as the other loop forms do.
4689 */
4699 #ifdef DEBUG
4701 #endif
4703 /*
4704 * Compile a JSOP_FOR* bytecode based on the left hand side.
4705 *
4706 * Initialize op to JSOP_SETNAME in case of |for ([a, b] in o)...|
4707 * or similar, to signify assignment, rather than declaration, to
4708 * the decompiler. EmitDestructuringOps takes a prolog bytecode
4709 * parameter and emits the appropriate source note, defaulting to
4710 * assignment, so JSOP_SETNAME is not critical here; many similar
4711 * ops could be used -- just not JSOP_NOP (which means 'let').
4712 */
4715 #if JS_HAS_BLOCK_SCOPE
4717 #endif
4721 #if JS_HAS_DESTRUCTURING
4725 }
4729 }
4730 #else
4732 #endif
4733 /* FALL THROUGH */
4736 /*
4737 * Always annotate JSOP_FORLOCAL if given input of the form
4738 * 'for (let x in * o)' -- the decompiler must not hoist the
4739 * 'let x' out of the loop head, or x will be bound in the
4740 * wrong scope. Likewise, but in this case only for the sake
4741 * of higher decompilation fidelity only, do not hoist 'var x'
4742 * when given 'for (var x in o)'.
4743 */
4745 #if JS_HAS_BLOCK_SCOPE
4747 #endif
4751 ? SRC_DECL_VAR
4754 }
4765 }
4771 }
4774 JSMSG_BAD_FOR_LEFTSIDE);
4776 }
4783 }
4787 /*
4788 * 'for (o.p in q)' can use JSOP_FORPROP only if evaluating 'o'
4789 * has no side effects.
4790 */
4798 }
4799 /* FALL THROUGH */
4801 #if JS_HAS_DESTRUCTURING
4802 destructuring_for:
4803 #endif
4809 #if JS_HAS_DESTRUCTURING
4816 #endif
4824 #if JS_HAS_XML_SUPPORT
4832 #endif
4836 }
4838 /* The stack should be balanced around the JSOP_FOR* opcode sequence. */
4841 /* Set the first srcnote offset so we can find the start of the loop body. */
4845 /* Emit code for the loop body. */
4849 /* Set loop and enclosing "update" offsets, for continue. */
4855 /*
4856 * Fixup the goto that starts the loop to jump down to JSOP_NEXTITER.
4857 */
4865 /* Set the second srcnote offset so we can find the closing jump. */
4869 /* C-style for (init; cond; update) ... loop. */
4873 /* No initializer: emit an annotated nop for the decompiler. */
4877 #if JS_HAS_DESTRUCTURING
4881 }
4882 #endif
4887 /*
4888 * Check whether a destructuring-initialized var decl
4889 * was optimized to a group assignment. If so, we do
4890 * not need to emit a pop below, so switch to a nop,
4891 * just for the decompiler.
4892 */
4896 }
4897 }
4899 }
4901 /*
4902 * NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
4903 * Use tmp to hold the biased srcnote "top" offset, which differs
4904 * from the top local variable by the length of the JSOP_GOTO{,X}
4905 * emitted in between tmp and top if this loop has a condition.
4906 */
4913 /* Goto the loop condition, which branches back to iterate. */
4917 }
4922 /* Emit code for the loop body. */
4928 /* Set the second note offset so we can find the update part. */
4933 }
4935 /* Set loop and enclosing "update" offsets, for continue. */
4941 /* Check for update code to do before the condition (if any). */
4945 #if JS_HAS_DESTRUCTURING
4949 }
4950 #endif
4954 /* Always emit the POP or NOP, to help the decompiler. */
4958 /* Restore the absolute line number for source note readers. */
4964 }
4965 }
4967 /* Set the first note offset so we can find the loop condition. */
4971 }
4974 /* Fix up the goto from top to target the loop condition. */
4980 }
4982 /* The third note offset helps us find the loop-closing jump. */
4986 }
4993 /* No loop condition -- emit the loop-closing jump. */
4997 }
4998 }
5000 /* Now fixup all breaks and continues (before for/in's JSOP_ENDITER). */
5005 /*
5006 * JSOP_ENDITER must have a slot to save an exception thrown from
5007 * the body of for-in loop when closing the iterator object, and
5008 * fortunately it does: the slot that was set by JSOP_NEXTITER to
5009 * the return value of iterator.next().
5010 */
5015 }
5016 }
5034 }
5044 /* Find the loop statement enclosed by the matching label. */
5053 }
5061 }
5081 {
5083 intN depth;
5088 /*
5089 * Push stmtInfo to track jumps-over-catches and gosubs-to-finally
5090 * for later fixup.
5091 *
5092 * When a finally block is active (STMT_FINALLY in our tree context),
5093 * non-local jumps (including jumps-over-catches) result in a GOSUB
5094 * being written into the bytecode stream and fixed-up later (c.f.
5095 * EmitBackPatchOp and BackPatch).
5096 */
5101 /*
5102 * Since an exception can be thrown at any place inside the try block,
5103 * we need to restore the stack and the scope chain before we transfer
5104 * the control to the exception handler.
5105 *
5106 * For that we store in a try note associated with the catch or
5107 * finally block the stack depth upon the try entry. The interpreter
5108 * uses this depth to properly unwind the stack and the scope chain.
5109 */
5112 /* Mark try location for decompilation, then emit try block. */
5120 /* GOSUB to finally, if present. */
5127 }
5129 /* Emit (hidden) jump over catch and/or finally. */
5138 /* If this try has a catch block, emit it. */
5144 /*
5145 * The emitted code for a catch block looks like:
5146 *
5147 * [throwing] only if 2nd+ catch block
5148 * [leaveblock] only if 2nd+ catch block
5149 * enterblock with SRC_CATCH
5150 * exception
5151 * [dup] only if catchguard
5152 * setlocalpop <slot> or destructuring code
5153 * [< catchguard code >] if there's a catchguard
5154 * [ifeq <offset to next catch block>] " "
5155 * [pop] only if catchguard
5156 * < catch block contents >
5157 * leaveblock
5158 * goto <end of catch blocks> non-local; finally applies
5159 *
5160 * If there's no catch block without a catchguard, the last
5161 * <offset to next catch block> points to rethrow code. This
5162 * code will [gosub] to the finally code if appropriate, and is
5163 * also used for the catch-all trynote for capturing exceptions
5164 * thrown from catch{} blocks.
5165 */
5172 /* Fix up and clean up previous catch block. */
5175 /*
5176 * Account for JSOP_ENTERBLOCK (whose block object count
5177 * is saved below) and pushed exception object that we
5178 * still have after the jumping from the previous guard.
5179 */
5182 /*
5183 * Move exception back to cx->exception to prepare for
5184 * the next catch. We hide [throwing] from the decompiler
5185 * since it compensates for the hidden JSOP_DUP at the
5186 * start of the previous guarded catch.
5187 */
5191 }
5196 }
5198 /*
5199 * Annotate the JSOP_ENTERBLOCK that's about to be generated
5200 * by the call to js_EmitTree immediately below. Save this
5201 * source note's index in stmtInfo for use by the TOK_CATCH:
5202 * case, where the length of the catch guard is set as the
5203 * note's offset.
5204 */
5210 /*
5211 * Emit the lexical scope and catch body. Save the catch's
5212 * block object population via count, for use when targeting
5213 * guardJump at the next catch (the guard mismatch case).
5214 */
5220 /* gosub <finally>, if required */
5227 }
5229 /*
5230 * Jump over the remaining catch blocks. This will get fixed
5231 * up to jump to after catch/finally.
5232 */
5239 /*
5240 * Save a pointer to the last catch node to handle try-finally
5241 * and try-catch(guard)-finally special cases.
5242 */
5244 }
5245 }
5247 /*
5248 * Last catch guard jumps to the rethrow code sequence if none of the
5249 * guards match. Target guardJump at the beginning of the rethrow
5250 * sequence, just in case a guard expression throws and leaves the
5251 * stack unbalanced.
5252 */
5256 /* Sync the stack to take into account pushed exception. */
5260 /*
5261 * Rethrow the exception, delegating executing of finally if any
5262 * to the exception handler.
5263 */
5267 }
5268 }
5272 /* Emit finally handler if any. */
5275 /*
5276 * Fix up the gosubs that might have been emitted before non-local
5277 * jumps to the finally code.
5278 */
5284 /* Indicate that we're emitting a subroutine body. */
5292 }
5294 }
5301 }
5303 /* Fix up the end-of-try/catch jumps to come here. */
5307 /*
5308 * Add the try note last, to let post-order give us the right ordering
5309 * (first to last for a given nesting level, inner to outer by level).
5310 */
5314 }
5316 /*
5317 * If we've got a finally, mark try+catch region with additional
5318 * trynote to catch exceptions (re)thrown from a catch block or
5319 * for the try{}finally{} case.
5320 */
5324 }
5326 }
5329 {
5333 /*
5334 * Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
5335 * and save the block object atom.
5336 */
5343 /* Go up one statement info record to the TRY or FINALLY record. */
5347 /* Pick up the pending exception and bind it to the catch variable. */
5351 /*
5352 * Dup the exception object if there is a guard for rethrowing to use
5353 * it later when rethrowing or in other catches.
5354 */
5360 #if JS_HAS_DESTRUCTURING
5368 #endif
5371 /* Inline and specialize BindNameToSlot for pn2. */
5378 }
5380 /* Emit the guard expression, if there is one. */
5387 }
5388 /* ifeq <next block> */
5394 /* Pop duplicated exception object as we no longer need it. */
5397 }
5399 /* Emit the catch body. */
5403 /*
5404 * Annotate the JSOP_LEAVEBLOCK that will be emitted as we unwind via
5405 * our TOK_LEXICALSCOPE parent, so the decompiler knows to pop.
5406 */
5411 }
5419 /* Push a return value */
5427 }
5429 /*
5430 * EmitNonLocalJumpFixup may add fixup bytecode to close open try
5431 * blocks having finally clauses and to exit intermingled let blocks.
5432 * We can't simply transfer control flow to our caller in that case,
5433 * because we must gosub to those finally clauses from inner to outer,
5434 * with the correct stack pointer (i.e., after popping any with,
5435 * for/in, etc., slots nested inside the finally's try).
5436 *
5437 * In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
5438 * extra JSOP_RETRVAL after the fixups.
5439 */
5449 }
5452 #if JS_HAS_GENERATORS
5456 JSMSG_BAD_RETURN_OR_YIELD,
5457 js_yield_str);
5459 }
5466 }
5472 #endif
5475 {
5476 #if JS_HAS_XML_SUPPORT
5483 }
5484 #endif
5494 }
5500 /*
5501 * This block contains top-level function definitions. To ensure
5502 * that we emit the bytecode defining them before the rest of code
5503 * in the block we use a separate pass over functions. During the
5504 * main pass later the emitter will add JSOP_NOP with source notes
5505 * for the function to preserve the original functions position
5506 * when decompiling.
5507 *
5508 * Currently this is used only for functions, as compile-as-we go
5509 * mode for scripts does not allow separate emitter passes.
5510 */
5513 /*
5514 * Assign the destructuring arguments before defining any
5515 * functions, see bug 419662.
5516 */
5522 }
5530 /*
5531 * JSOP_DEFFUN in a top-level block with function
5532 * definitions appears, for example, when "if (true)"
5533 * is optimized away from "if (true) function x() {}".
5534 * See bug 428424.
5535 */
5537 }
5538 }
5539 }
5540 }
5544 }
5550 }
5554 }
5562 }
5569 /*
5570 * Top-level or called-from-a-native JS_Execute/EvaluateScript,
5571 * debugger, and eval frames may need the value of the ultimate
5572 * expression statement as the script's result, despite the fact
5573 * that it appears useless to the compiler.
5574 *
5575 * API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
5576 * calling JS_Compile* to suppress JSOP_POPV.
5577 */
5582 }
5584 /*
5585 * Don't eliminate apparently useless expressions if they are
5586 * labeled expression statements. The tc->topStmt->update test
5587 * catches the case where we are nesting in js_EmitTree for a
5588 * labeled compound statement.
5589 */
5596 JSREPORT_WARNING |
5597 JSREPORT_STRICT,
5598 JSMSG_USELESS_EXPR)) {
5600 }
5603 #if JS_HAS_DESTRUCTURING
5608 }
5609 #endif
5615 }
5616 }
5617 }
5621 /* Emit an annotated nop so we know to decompile a label. */
5630 ? SRC_LABELBRACE
5637 }
5639 /* Emit code for the labeled statement. */
5647 /* If the statement was compound, emit a note for the end brace. */
5652 }
5653 }
5657 /*
5658 * Emit SRC_PCDELTA notes on each JSOP_POP between comma operands.
5659 * These notes help the decompiler bracket the bytecodes generated
5660 * from each sub-expression that follows a comma.
5661 */
5670 }
5678 }
5679 }
5683 /*
5684 * Check left operand type and generate specialized code for it.
5685 * Specialize to avoid ECMA "reference type" values on the operand
5686 * stack, which impose pervasive runtime "GetValue" costs.
5687 */
5703 }
5720 #if JS_HAS_DESTRUCTURING
5724 #endif
5729 #if JS_HAS_XML_SUPPORT
5737 #endif
5740 }
5743 #if JS_HAS_GETTER_SETTER
5746 /*
5747 * x getter = y where x is a local or let variable is not
5748 * supported.
5749 */
5753 JSMSG_BAD_GETTER_OR_SETTER,
5755 ? js_getter_str
5758 }
5760 /* We'll emit these prefix bytecodes after emitting the r.h.s. */
5762 #endif
5763 /* If += or similar, dup the left operand and get its value. */
5773 }
5780 ? JSOP_GETGVAR
5782 ? JSOP_GETUPVAR
5784 ? JSOP_GETARG
5786 atomIndex);
5787 }
5802 }
5806 #if JS_HAS_XML_SUPPORT
5808 #endif
5815 }
5816 }
5818 /* Now emit the right operand (it may affect the namespace). */
5822 /* If += etc., emit the binary operator with a decompiler note. */
5824 /*
5825 * Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
5826 * declared in the current compilation unit, as in this case (just
5827 * a bit further below) we will avoid emitting the assignment op.
5828 */
5832 }
5835 }
5837 /* Left parts such as a.b.c and a[b].c need a decompiler note. */
5839 #if JS_HAS_DESTRUCTURING
5842 #endif
5845 }
5847 /* Finally, emit the specialized assignment bytecode. */
5852 /* FALL THROUGH */
5861 #if JS_HAS_DESTRUCTURING
5867 #endif
5868 #if JS_HAS_XML_SUPPORT
5873 #endif
5876 }
5880 /* Emit the condition, then branch if false to the else part. */
5890 /* Jump around else, fixup the branch, emit else, fixup jump. */
5896 /*
5897 * Because each branch pushes a single value, but our stack budgeting
5898 * analysis ignores branches, we now have to adjust cg->stackDepth to
5899 * ignore the value pushed by the first branch. Execution will follow
5900 * only one path, so we must decrement cg->stackDepth.
5901 *
5902 * Failing to do this will foil code, such as the try/catch/finally
5903 * exception handling code generator, that samples cg->stackDepth for
5904 * use at runtime (JSOP_SETSP), or in let expression and block code
5905 * generation, which must use the stack depth to compute local stack
5906 * indexes correctly.
5907 */
5919 /*
5920 * JSOP_OR converts the operand on the stack to boolean, and if true,
5921 * leaves the original operand value on the stack and jumps; otherwise
5922 * it pops and falls into the next bytecode, which evaluates the right
5923 * operand. The jump goes around the right operand evaluation.
5924 *
5925 * JSOP_AND converts the operand on the stack to boolean, and if false,
5926 * leaves the original operand value on the stack and jumps; otherwise
5927 * it pops and falls into the right operand's bytecode.
5928 */
5945 /* Left-associative operator chain: avoid too much recursion. */
5953 /* Emit nodes between the head and the tail. */
5965 }
5978 }
5982 /* For TCF_IN_FUNCTION test, see TOK_RB concerning JSOP_NEWARRAY. */
5985 /* Emit up to the first string literal conventionally. */
5993 }
5995 /* Emit remainder as a single JSOP_CONCATN. */
5999 }
6004 /* If we had a prefix, we need to be added to it now. */
6008 }
6009 }
6011 }
6024 /* Left-associative operator chain: avoid too much recursion. */
6034 }
6036 #if JS_HAS_XML_SUPPORT
6037 uintN oldflags;
6046 }
6048 /*
6049 * Binary :: has a right operand that brackets arbitrary code,
6050 * possibly including a let (a = b) ... expression. We must clear
6051 * TCF_IN_FOR_INIT to avoid mis-compiling such beasts.
6052 */
6055 #endif
6057 /* Binary operators that evaluate both operands unconditionally. */
6062 #if JS_HAS_XML_SUPPORT
6064 #endif
6067 }
6071 #if JS_HAS_XML_SUPPORT
6075 /* FALL THROUGH */
6076 #endif
6078 {
6079 uintN oldflags;
6081 /* Unary op, including unary +/-. */
6083 #if JS_HAS_XML_SUPPORT
6088 }
6089 #endif
6092 /* See js_FoldConstants for why this assertion holds true. */
6103 }
6107 /* Emit lvalue-specialized code for ++/-- operators. */
6129 }
6140 }
6141 }
6157 }
6161 #if JS_HAS_XML_SUPPORT
6171 #endif
6172 }
6176 /*
6177 * Under ECMA 3, deleting a non-reference returns true -- but alas we
6178 * must evaluate the operand if it appears it might have side effects.
6179 */
6192 }
6198 #if JS_HAS_XML_SUPPORT
6203 #endif
6209 /*
6210 * If useless, just emit JSOP_TRUE; otherwise convert delete foo()
6211 * to foo(), true (a comma expression, requiring SRC_PCDELTA).
6212 */
6227 }
6234 }
6235 }
6238 #if JS_HAS_XML_SUPPORT
6254 #endif
6257 /*
6258 * Pop a stack operand, convert it to object, get a property named by
6259 * this bytecode's immediate-indexed atom operand, and push its value
6260 * (not a reference to it).
6261 */
6266 #if JS_HAS_XML_SUPPORT
6268 #endif
6269 /*
6270 * Pop two operands, convert the left one to object and the right one
6271 * to property name (atom or tagged int), get the named property, and
6272 * push its value. Set the "obj" register to the result of ToObject
6273 * on the left operand.
6274 */
6280 {
6282 uintN oldflags;
6284 /*
6285 * Emit callable invocation or operator new (constructor call) code.
6286 * First, emit code for the left operand to evaluate the callable or
6287 * constructable object expression.
6288 *
6289 * For operator new applied to other expressions than E4X ones, we emit
6290 * JSOP_GETPROP instead of JSOP_CALLPROP, etc. This is necessary to
6291 * interpose the lambda-initialized method read barrier -- see the code
6292 * in jsops.cpp for JSOP_LAMBDA followed by JSOP_{SET,INIT}PROP.
6293 *
6294 * Then (or in a call case that has no explicit reference-base object)
6295 * we emit JSOP_NULL as a placeholder local GC root to hold the |this|
6296 * parameter: in the operator new case, the newborn instance; in the
6297 * base-less call case, a cookie meaning "use the global object as the
6298 * |this| value" (or in ES5 strict mode, "use undefined", so we should
6299 * use JSOP_PUSH instead of JSOP_NULL -- see bug 514570).
6300 */
6317 #if JS_HAS_XML_SUPPORT
6323 }
6324 #endif
6325 /* FALL THROUGH */
6327 /*
6328 * Push null as a placeholder for the global object, per ECMA-262
6329 * 11.2.3 step 6.
6330 */
6335 }
6339 /* Remember start of callable-object bytecode for decompilation hint. */
6342 /*
6343 * Emit code for each argument in order, then emit the JSOP_*CALL or
6344 * JSOP_NEW bytecode with a two-byte immediate telling how many args
6345 * were pushed on the operand stack.
6346 */
6352 }
6361 /* Add a trace hint opcode for recursion. */
6364 }
6368 }
6371 {
6373 uintN count;
6378 /*
6379 * If this lexical scope is not for a catch block, let block or let
6380 * expression, or any kind of for loop (where the scope starts in the
6381 * head after the first part if for (;;), else in the body if for-in);
6382 * and if our container is top-level but not a function body, or else
6383 * a block statement; then emit a SRC_BRACE note. All other container
6384 * statements get braces by default from the decompiler.
6385 */
6392 #if defined DEBUG_brendan || defined DEBUG_mrbkap
6393 /* There must be no source note already output for the next op. */
6397 #endif
6401 }
6419 }
6420 }
6422 /* Emit the JSOP_LEAVEBLOCK or JSOP_LEAVEBLOCKEXPR opcode. */
6428 }
6430 #if JS_HAS_BLOCK_SCOPE
6432 /* Let statements have their variable declarations on the left. */
6438 }
6440 /* Non-null pn2 means that pn is the variable list from a let head. */
6445 /* Thus non-null pn2 is the body of the let block or expression. */
6454 }
6458 #if JS_HAS_GENERATORS
6460 jsint slot;
6462 /*
6463 * The array object's stack index is in cg->arrayCompDepth. See below
6464 * under the array initialiser code generator for array comprehension
6465 * special casing.
6466 */
6474 }
6475 #endif
6478 #if JS_HAS_GENERATORS
6480 #endif
6481 /*
6482 * Emit code for [a, b, c] that is equivalent to constructing a new
6483 * array and in source order evaluating each element value and adding
6484 * it to the array, without invoking latent setters. We use the
6485 * JSOP_NEWINIT and JSOP_INITELEM bytecodes to ignore setters and to
6486 * avoid dup'ing and popping the array as each element is added, as
6487 * JSOP_SETELEM/JSOP_SETPROP would do.
6488 *
6489 * If no sharp variable is defined, the initializer is not for an array
6490 * comprehension, the initializer is not overlarge, and the initializer
6491 * is not in global code (whose stack growth cannot be precisely modeled
6492 * due to the need to reserve space for global variables and regular
6493 * expressions), use JSOP_NEWARRAY to minimize opcodes and to create the
6494 * array using a fast, all-at-once process rather than a slow, element-
6495 * by-element process.
6496 */
6497 #if JS_HAS_SHARP_VARS
6499 do_emit_array:
6500 #endif
6503 ? JSOP_NEWARRAY
6506 #if JS_HAS_GENERATORS
6509 #endif
6510 #if JS_HAS_SHARP_VARS
6514 #endif
6519 #if JS_HAS_GENERATORS
6521 uintN saveDepth;
6523 /*
6524 * Pass the new array's stack index to the TOK_ARRAYPUSH case via
6525 * cg->arrayCompDepth, then simply traverse the TOK_FOR node and
6526 * its kids under pn2 to generate this comprehension.
6527 */
6535 /* Emit the usual op needed for decompilation. */
6539 }
6552 }
6555 }
6559 /* Emit a source note so we know to decompile an extra comma. */
6562 }
6565 /*
6566 * Emit an op to finish the array and, secondarily, to aid in sharp
6567 * array cleanup (if JS_HAS_SHARP_VARS) and decompilation.
6568 */
6572 }
6579 #if JS_HAS_SHARP_VARS
6581 do_emit_object:
6582 #endif
6583 #if JS_HAS_DESTRUCTURING_SHORTHAND
6586 JSMSG_BAD_OBJECT_INIT);
6588 }
6589 #endif
6590 /*
6591 * Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
6592 * a new object and in source order evaluating each property value and
6593 * adding the property to the object, without invoking latent setters.
6594 * We use the JSOP_NEWINIT and JSOP_INITELEM/JSOP_INITPROP bytecodes to
6595 * ignore setters and to avoid dup'ing and popping the object as each
6596 * property is added, as JSOP_SETELEM/JSOP_SETPROP would do.
6597 */
6602 /* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
6607 }
6609 /* Emit code for the property initializer. */
6613 #if JS_HAS_GETTER_SETTER
6618 }
6619 #endif
6620 /* Annotate JSOP_INITELEM so we decompile 2:c and not just c. */
6636 #if JS_HAS_GETTER_SETTER
6638 #endif
6639 )
6640 ? JSOP_INITMETHOD
6643 }
6644 }
6650 #if JS_HAS_SHARP_VARS
6657 # if JS_HAS_GENERATORS
6660 # endif
6676 /*
6677 * Cope with a left-over function definition that was replaced by a use
6678 * of a later function definition of the same name. See FunctionDef and
6679 * MakeDefIntoUse in jsparse.cpp.
6680 */
6687 #if JS_HAS_XML_SUPPORT
6693 #endif
6703 /*
6704 * If the regexp's script is one-shot, we can avoid the extra
6705 * fork-on-exec costs of JSOP_REGEXP by selecting JSOP_OBJECT.
6706 * Otherwise, to avoid incorrect proto, parent, and lastIndex
6707 * sharing among threads and sequentially across re-execution,
6708 * select JSOP_REGEXP.
6709 */
6716 cg);
6717 }
6720 #if JS_HAS_XML_SUPPORT
6722 #endif
6728 #if JS_HAS_DEBUGGER_KEYWORD
6735 #if JS_HAS_XML_SUPPORT
6741 }
6747 /* FALL THROUGH */
6754 }
6760 }
6765 }
6775 }
6778 }
6779 #ifdef DEBUG
6780 else
6782 #endif
6789 }
6790 /* FALL THROUGH */
6794 {
6795 uint32 i;
6821 }
6827 }
6831 }
6832 }
6847 }
6856 }
6861 }
6867 }
6883 }
6890 }
6893 }
6895 /*
6896 * We should try to get rid of offsetBias (always 0 or 1, where 1 is
6897 * JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR and SRC_DECL.
6898 */
6925 };
6927 static intN
6929 {
6930 intN index;
6939 /* Allocate the first note array lazily; leave noteMask alone. */
6942 /* Grow by doubling note array size; update noteMask on success. */
6946 }
6950 }
6951 }
6955 }
6957 intN
6959 {
6964 /*
6965 * Claim a note slot in CG_NOTES(cg) by growing it if necessary and then
6966 * incrementing CG_NOTE_COUNT(cg).
6967 */
6973 /*
6974 * Compute delta from the last annotated bytecode's offset. If it's too
6975 * big to fit in sn, allocate one or more xdelta notes and reset sn.
6976 */
6990 }
6992 /*
6993 * Initialize type and delta, then allocate the minimum number of notes
6994 * needed for type's arity. Usually, we won't need more, but if an offset
6995 * does take two bytes, js_SetSrcNoteOffset will grow CG_NOTES(cg).
6996 */
7001 }
7003 }
7005 intN
7008 {
7009 intN index;
7015 }
7017 }
7019 intN
7022 {
7023 intN index;
7031 }
7033 }
7035 static JSBool
7037 {
7041 /* Grow by doubling note array size; update noteMask on success. */
7048 }
7051 }
7053 jssrcnote *
7056 {
7058 intN index;
7060 /*
7061 * Called only from OptimizeSpanDeps and js_FinishTakingSrcNotes to add to
7062 * main script note deltas, and only by a small positive amount.
7063 */
7078 }
7083 sn++;
7084 }
7086 }
7090 {
7091 uintN arity;
7098 }
7100 }
7104 {
7105 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7111 }
7116 }
7118 }
7120 JSBool
7123 {
7130 }
7132 /* Find the offset numbered which (i.e., skip exactly which offsets). */
7139 }
7141 /* See if the new offset requires three bytes. */
7143 /* Maybe this offset was already set to a three-byte value. */
7145 /* Losing, need to insert another two bytes for this offset. */
7148 /*
7149 * Simultaneously test to see if the source note array must grow to
7150 * accommodate either the first or second byte of additional storage
7151 * required by this 3-byte offset.
7152 */
7157 }
7164 }
7167 }
7170 }
7172 #ifdef DEBUG_notme
7173 #define DEBUG_srcnotesize
7174 #endif
7176 #ifdef DEBUG_srcnotesize
7177 #define NBINS 10
7181 {
7190 }
7197 }
7199 }
7200 #endif
7202 /*
7203 * Fill in the storage at notes with prolog and main srcnotes; the space at
7204 * notes was allocated using the CG_COUNT_FINAL_SRCNOTES macro from jsemit.h.
7205 * SO DON'T CHANGE THIS FUNCTION WITHOUT AT LEAST CHECKING WHETHER jsemit.h's
7206 * CG_COUNT_FINAL_SRCNOTES MACRO NEEDS CORRESPONDING CHANGES!
7207 */
7208 JSBool
7210 {
7225 /*
7226 * Either no prolog srcnotes, or no line number change over prolog.
7227 * We don't need a SRC_SETLINE, but we may need to adjust the offset
7228 * of the first main note, by adding to its delta and possibly even
7229 * prepending SRC_XDELTA notes to it to account for prolog bytecodes
7230 * that came at and after the last annotated bytecode.
7231 */
7235 /* NB: Use as much of the first main note's delta as we can. */
7250 }
7251 }
7252 }
7261 #ifdef DEBUG_notme
7266 }
7267 #endif
7269 }
7271 static JSBool
7274 {
7286 }
7296 }
7298 void
7300 {
7311 }
7313 /*
7314 * Find the index of the given object for code generator.
7315 *
7316 * Since the emitter refers to each parsed object only once, for the index we
7317 * use the number of already indexes objects. We also add the object to a list
7318 * to convert the list to a fixed-size array when we complete code generation,
7319 * see JSCGObjectList::finish below.
7320 *
7321 * Most of the objects go to JSCodeGenerator.objectList but for regexp we use a
7322 * separated JSCodeGenerator.regexpList. In this way the emitted index can be
7323 * directly used to store and fetch a reference to a cloned RegExp object that
7324 * shares the same JSRegExp private data created for the object literal in
7325 * objbox. We need a cloned object to hold lastIndex and other direct properties
7326 * that should not be shared among threads sharing a precompiled function or
7327 * script.
7328 *
7329 * If the code being compiled is function code, allocate a reserved slot in
7330 * the cloned function object that shares its precompiled script with other
7331 * cloned function objects and with the compiler-created clone-parent. There
7332 * are nregexps = script->regexps()->length such reserved slots in each
7333 * function object cloned from fun->object. NB: during compilation, a funobj
7334 * slots element must never be allocated, because js_AllocSlot could hand out
7335 * one of the slots that should be given to a regexp clone.
7336 *
7337 * If the code being compiled is global code, the cloned regexp are stored in
7338 * fp->vars slot after cg->ngvars and to protect regexp slots from GC we set
7339 * fp->nvars to ngvars + nregexps.
7340 *
7341 * The slots initially contain undefined or null. We populate them lazily when
7342 * JSOP_REGEXP is executed for the first time.
7343 *
7344 * Why clone regexp objects? ECMA specifies that when a regular expression
7345 * literal is scanned, a RegExp object is created. In the spec, compilation
7346 * and execution happen indivisibly, but in this implementation and many of
7347 * its embeddings, code is precompiled early and re-executed in multiple
7348 * threads, or using multiple global objects, or both, for efficiency.
7349 *
7350 * In such cases, naively following ECMA leads to wrongful sharing of RegExp
7351 * objects, which makes for collisions on the lastIndex property (especially
7352 * for global regexps) and on any ad-hoc properties. Also, __proto__ and
7353 * __parent__ refer to the pre-compilation prototype and global objects, a
7354 * pigeon-hole problem for instanceof tests.
7355 */
7356 uintN
7358 {
7363 }
7365 void
7367 {
7382 }