search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Bug 470455 - test_database_sync_embed_visits.js leaks, r=sdwilsh
[wine-gecko.git] / js / src / jsinterp.cpp
blob62141b5ada714e36ec5bfbb5b4bc191714d7b3ea
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
2 * vim: set ts=8 sw=4 et tw=79:
3 *
4 * ***** BEGIN LICENSE BLOCK *****
5 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
6 *
7 * The contents of this file are subject to the Mozilla Public License Version
8 * 1.1 (the "License"); you may not use this file except in compliance with
9 * the License. You may obtain a copy of the License at
10 * http://www.mozilla.org/MPL/
11 *
12 * Software distributed under the License is distributed on an "AS IS" basis,
13 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
14 * for the specific language governing rights and limitations under the
15 * License.
16 *
17 * The Original Code is Mozilla Communicator client code, released
18 * March 31, 1998.
19 *
20 * The Initial Developer of the Original Code is
21 * Netscape Communications Corporation.
22 * Portions created by the Initial Developer are Copyright (C) 1998
23 * the Initial Developer. All Rights Reserved.
24 *
25 * Contributor(s):
26 *
27 * Alternatively, the contents of this file may be used under the terms of
28 * either of the GNU General Public License Version 2 or later (the "GPL"),
29 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
30 * in which case the provisions of the GPL or the LGPL are applicable instead
31 * of those above. If you wish to allow use of your version of this file only
32 * under the terms of either the GPL or the LGPL, and not to allow others to
33 * use your version of this file under the terms of the MPL, indicate your
34 * decision by deleting the provisions above and replace them with the notice
35 * and other provisions required by the GPL or the LGPL. If you do not delete
36 * the provisions above, a recipient may use your version of this file under
37 * the terms of any one of the MPL, the GPL or the LGPL.
38 *
39 * ***** END LICENSE BLOCK ***** */
40
41 /*
42 * JavaScript bytecode interpreter.
43 */
44 #include "jsstddef.h"
45 #include <stdio.h>
46 #include <string.h>
47 #include <math.h>
48 #include "jstypes.h"
49 #include "jsarena.h" /* Added by JSIFY */
50 #include "jsutil.h" /* Added by JSIFY */
51 #include "jsprf.h"
52 #include "jsapi.h"
53 #include "jsarray.h"
54 #include "jsatom.h"
55 #include "jsbool.h"
56 #include "jscntxt.h"
57 #include "jsversion.h"
58 #include "jsdbgapi.h"
59 #include "jsfun.h"
60 #include "jsgc.h"
61 #include "jsinterp.h"
62 #include "jsiter.h"
63 #include "jslock.h"
64 #include "jsnum.h"
65 #include "jsobj.h"
66 #include "jsopcode.h"
67 #include "jsscan.h"
68 #include "jsscope.h"
69 #include "jsscript.h"
70 #include "jsstr.h"
71 #include "jsstaticcheck.h"
72 #include "jstracer.h"
73
74 #ifdef INCLUDE_MOZILLA_DTRACE
75 #include "jsdtracef.h"
76 #endif
77
78 #if JS_HAS_XML_SUPPORT
79 #include "jsxml.h"
80 #endif
81
82 #include "jsautooplen.h"
83
84 /* jsinvoke_cpp___ indicates inclusion from jsinvoke.cpp. */
85 #if !JS_LONE_INTERPRET ^ defined jsinvoke_cpp___
86
87 uint32
88 js_GenerateShape(JSContext *cx, JSBool gcLocked, JSScopeProperty *sprop)
89 {
90 JSRuntime *rt;
91 uint32 shape;
92 JSTempValueRooter tvr;
93
94 rt = cx->runtime;
95 shape = JS_ATOMIC_INCREMENT(&rt->shapeGen);
96 JS_ASSERT(shape != 0);
97 if (shape & SHAPE_OVERFLOW_BIT) {
98 rt->gcPoke = JS_TRUE;
99 if (sprop)
100 JS_PUSH_TEMP_ROOT_SPROP(cx, sprop, &tvr);
101 js_GC(cx, gcLocked ? GC_LOCK_HELD : GC_NORMAL);
102 if (sprop)
103 JS_POP_TEMP_ROOT(cx, &tvr);
104 shape = JS_ATOMIC_INCREMENT(&rt->shapeGen);
105 JS_ASSERT(shape != 0);
106 JS_ASSERT_IF(shape & SHAPE_OVERFLOW_BIT,
107 JS_PROPERTY_CACHE(cx).disabled);
108 }
109 return shape;
110 }
111
112 JS_REQUIRES_STACK void
113 js_FillPropertyCache(JSContext *cx, JSObject *obj, jsuword kshape,
114 uintN scopeIndex, uintN protoIndex,
115 JSObject *pobj, JSScopeProperty *sprop,
116 JSPropCacheEntry **entryp)
117 {
118 JSPropertyCache *cache;
119 jsbytecode *pc;
120 JSScope *scope;
121 JSOp op;
122 const JSCodeSpec *cs;
123 jsuword vword;
124 ptrdiff_t pcoff;
125 jsuword khash;
126 JSAtom *atom;
127 JSPropCacheEntry *entry;
128
129 JS_ASSERT(!cx->runtime->gcRunning);
130 cache = &JS_PROPERTY_CACHE(cx);
131 pc = cx->fp->regs->pc;
132 if (cache->disabled || (cx->fp->flags & JSFRAME_EVAL)) {
133 PCMETER(cache->disfills++);
134 *entryp = NULL;
135 return;
136 }
137
138 /*
139 * Check for fill from js_SetPropertyHelper where the setter removed sprop
140 * from pobj's scope (via unwatch or delete, e.g.).
141 */
142 scope = OBJ_SCOPE(pobj);
143 JS_ASSERT(scope->object == pobj);
144 if (!SCOPE_HAS_PROPERTY(scope, sprop)) {
145 PCMETER(cache->oddfills++);
146 *entryp = NULL;
147 return;
148 }
149
150 /*
151 * Check for overdeep scope and prototype chain. Because resolve, getter,
152 * and setter hooks can change the prototype chain using JS_SetPrototype
153 * after js_LookupPropertyWithFlags has returned the nominal protoIndex,
154 * we have to validate protoIndex if it is non-zero. If it is zero, then
155 * we know thanks to the SCOPE_HAS_PROPERTY test above, and from the fact
156 * that obj == pobj, that protoIndex is invariant.
157 *
158 * The scopeIndex can't be wrong. We require JS_SetParent calls to happen
159 * before any running script might consult a parent-linked scope chain. If
160 * this requirement is not satisfied, the fill in progress will never hit,
161 * but vcap vs. scope shape tests ensure nothing malfunctions.
162 */
163 JS_ASSERT_IF(scopeIndex == 0 && protoIndex == 0, obj == pobj);
164 if (protoIndex != 0) {
165 JSObject *tmp;
166
167 JS_ASSERT(pobj != obj);
168 protoIndex = 1;
169 tmp = obj;
170 for (;;) {
171 tmp = OBJ_GET_PROTO(cx, tmp);
172 if (!tmp) {
173 PCMETER(cache->noprotos++);
174 *entryp = NULL;
175 return;
176 }
177 if (tmp == pobj)
178 break;
179 ++protoIndex;
180 }
181 }
182 if (scopeIndex > PCVCAP_SCOPEMASK || protoIndex > PCVCAP_PROTOMASK) {
183 PCMETER(cache->longchains++);
184 *entryp = NULL;
185 return;
186 }
187
188 /*
189 * Optimize the cached vword based on our parameters and the current pc's
190 * opcode format flags.
191 */
192 op = (JSOp) *pc;
193 cs = &js_CodeSpec[op];
194
195 do {
196 /*
197 * Check for a prototype "plain old method" callee computation. What
198 * is a plain old method? It's a function-valued property with stub
199 * getter and setter, so get of a function is idempotent and set is
200 * transparent.
201 */
202 if (cs->format & JOF_CALLOP) {
203 if (SPROP_HAS_STUB_GETTER(sprop) &&
204 SPROP_HAS_VALID_SLOT(sprop, scope)) {
205 jsval v;
206
207 v = LOCKED_OBJ_GET_SLOT(pobj, sprop->slot);
208 if (VALUE_IS_FUNCTION(cx, v)) {
209 /*
210 * Great, we have a function-valued prototype property
211 * where the getter is JS_PropertyStub. The type id in
212 * pobj's scope does not evolve with changes to property
213 * values, however.
214 *
215 * So here, on first cache fill for this method, we brand
216 * the scope with a new shape and set the SCOPE_BRANDED
217 * flag. Once this scope flag is set, any write that adds
218 * or deletes a function-valued plain old property in
219 * scope->object will result in shape being regenerated.
220 */
221 if (!SCOPE_IS_BRANDED(scope)) {
222 PCMETER(cache->brandfills++);
223 #ifdef DEBUG_notme
224 fprintf(stderr,
225 "branding %p (%s) for funobj %p (%s), kshape %lu\n",
226 pobj, LOCKED_OBJ_GET_CLASS(pobj)->name,
227 JSVAL_TO_OBJECT(v),
228 JS_GetFunctionName(GET_FUNCTION_PRIVATE(cx,
229 JSVAL_TO_OBJECT(v))),
230 kshape);
231 #endif
232 SCOPE_MAKE_UNIQUE_SHAPE(cx, scope);
233 SCOPE_SET_BRANDED(scope);
234 if (OBJ_SCOPE(obj) == scope)
235 kshape = scope->shape;
236 }
237 vword = JSVAL_OBJECT_TO_PCVAL(v);
238 break;
239 }
240 }
241 }
242
243 /* If getting a value via a stub getter, we can cache the slot. */
244 if (!(cs->format & JOF_SET) &&
245 SPROP_HAS_STUB_GETTER(sprop) &&
246 SPROP_HAS_VALID_SLOT(sprop, scope)) {
247 /* Great, let's cache sprop's slot and use it on cache hit. */
248 vword = SLOT_TO_PCVAL(sprop->slot);
249 } else {
250 /* Best we can do is to cache sprop (still a nice speedup). */
251 vword = SPROP_TO_PCVAL(sprop);
252 }
253 } while (0);
254
255 /*
256 * Our caller preserved the scope shape prior to the js_GetPropertyHelper
257 * or similar call out of the interpreter. We want to cache under that
258 * shape if op is overtly mutating, to bias for the case where the mutator
259 * udpates shape predictably.
260 *
261 * Note that an apparently non-mutating op such as JSOP_NAME may still
262 * mutate the base object via, e.g., lazy standard class initialization,
263 * but that is a one-time event and we'll have to miss the old shape and
264 * re-fill under the new one.
265 */
266 if (!(cs->format & (JOF_SET | JOF_INCDEC)) && obj == pobj)
267 kshape = scope->shape;
268
269 khash = PROPERTY_CACHE_HASH_PC(pc, kshape);
270 if (obj == pobj) {
271 JS_ASSERT(kshape != 0 || scope->shape != 0);
272 JS_ASSERT(scopeIndex == 0 && protoIndex == 0);
273 JS_ASSERT(OBJ_SCOPE(obj)->object == obj);
274 } else {
275 if (op == JSOP_LENGTH) {
276 atom = cx->runtime->atomState.lengthAtom;
277 } else {
278 pcoff = (JOF_TYPE(cs->format) == JOF_SLOTATOM) ? 2 : 0;
279 GET_ATOM_FROM_BYTECODE(cx->fp->script, pc, pcoff, atom);
280 }
281 JS_ASSERT_IF(scopeIndex == 0,
282 protoIndex != 1 || OBJ_GET_PROTO(cx, obj) == pobj);
283 if (scopeIndex != 0 || protoIndex != 1) {
284 khash = PROPERTY_CACHE_HASH_ATOM(atom, obj, pobj);
285 PCMETER(if (PCVCAP_TAG(cache->table[khash].vcap) <= 1)
286 cache->pcrecycles++);
287 pc = (jsbytecode *) atom;
288 kshape = (jsuword) obj;
289 }
290 }
291
292 entry = &cache->table[khash];
293 PCMETER(if (entry != *entryp) cache->modfills++);
294 PCMETER(if (!PCVAL_IS_NULL(entry->vword)) cache->recycles++);
295 entry->kpc = pc;
296 entry->kshape = kshape;
297 entry->vcap = PCVCAP_MAKE(scope->shape, scopeIndex, protoIndex);
298 entry->vword = vword;
299 *entryp = entry;
300
301 cache->empty = JS_FALSE;
302 PCMETER(cache->fills++);
303 }
304
305 JS_REQUIRES_STACK JSAtom *
306 js_FullTestPropertyCache(JSContext *cx, jsbytecode *pc,
307 JSObject **objp, JSObject **pobjp,
308 JSPropCacheEntry **entryp)
309 {
310 JSOp op;
311 const JSCodeSpec *cs;
312 ptrdiff_t pcoff;
313 JSAtom *atom;
314 JSObject *obj, *pobj, *tmp;
315 JSPropCacheEntry *entry;
316 uint32 vcap;
317
318 JS_ASSERT(uintN((cx->fp->imacpc ? cx->fp->imacpc : pc) - cx->fp->script->code)
319 < cx->fp->script->length);
320
321 op = (JSOp) *pc;
322 cs = &js_CodeSpec[op];
323 if (op == JSOP_LENGTH) {
324 atom = cx->runtime->atomState.lengthAtom;
325 } else {
326 pcoff = (JOF_TYPE(cs->format) == JOF_SLOTATOM) ? 2 : 0;
327 GET_ATOM_FROM_BYTECODE(cx->fp->script, pc, pcoff, atom);
328 }
329
330 obj = *objp;
331 JS_ASSERT(OBJ_IS_NATIVE(obj));
332 entry = &JS_PROPERTY_CACHE(cx).table[PROPERTY_CACHE_HASH_ATOM(atom, obj, NULL)];
333 *entryp = entry;
334 vcap = entry->vcap;
335
336 if (entry->kpc != (jsbytecode *) atom) {
337 PCMETER(JS_PROPERTY_CACHE(cx).idmisses++);
338
339 #ifdef DEBUG_notme
340 entry = &JS_PROPERTY_CACHE(cx).table[PROPERTY_CACHE_HASH_PC(pc, OBJ_SHAPE(obj))];
341 fprintf(stderr,
342 "id miss for %s from %s:%u"
343 " (pc %u, kpc %u, kshape %u, shape %u)\n",
344 js_AtomToPrintableString(cx, atom),
345 cx->fp->script->filename,
346 js_PCToLineNumber(cx, cx->fp->script, pc),
347 pc - cx->fp->script->code,
348 entry->kpc - cx->fp->script->code,
349 entry->kshape,
350 OBJ_SHAPE(obj));
351 js_Disassemble1(cx, cx->fp->script, pc,
352 PTRDIFF(pc, cx->fp->script->code, jsbytecode),
353 JS_FALSE, stderr);
354 #endif
355
356 return atom;
357 }
358
359 if (entry->kshape != (jsuword) obj) {
360 PCMETER(JS_PROPERTY_CACHE(cx).komisses++);
361 return atom;
362 }
363
364 pobj = obj;
365 JS_LOCK_OBJ(cx, pobj);
366
367 if (JOF_MODE(cs->format) == JOF_NAME) {
368 while (vcap & (PCVCAP_SCOPEMASK << PCVCAP_PROTOBITS)) {
369 tmp = LOCKED_OBJ_GET_PARENT(pobj);
370 if (!tmp || !OBJ_IS_NATIVE(tmp))
371 break;
372 JS_UNLOCK_OBJ(cx, pobj);
373 pobj = tmp;
374 JS_LOCK_OBJ(cx, pobj);
375 vcap -= PCVCAP_PROTOSIZE;
376 }
377
378 *objp = pobj;
379 }
380
381 while (vcap & PCVCAP_PROTOMASK) {
382 tmp = LOCKED_OBJ_GET_PROTO(pobj);
383 if (!tmp || !OBJ_IS_NATIVE(tmp))
384 break;
385 JS_UNLOCK_OBJ(cx, pobj);
386 pobj = tmp;
387 JS_LOCK_OBJ(cx, pobj);
388 --vcap;
389 }
390
391 if (PCVCAP_SHAPE(vcap) == OBJ_SHAPE(pobj)) {
392 #ifdef DEBUG
393 jsid id = ATOM_TO_JSID(atom);
394
395 CHECK_FOR_STRING_INDEX(id);
396 JS_ASSERT(SCOPE_GET_PROPERTY(OBJ_SCOPE(pobj), id));
397 JS_ASSERT(OBJ_SCOPE(pobj)->object == pobj);
398 #endif
399 *pobjp = pobj;
400 return NULL;
401 }
402
403 PCMETER(JS_PROPERTY_CACHE(cx).vcmisses++);
404 JS_UNLOCK_OBJ(cx, pobj);
405 return atom;
406 }
407
408 #ifdef DEBUG
409 #define ASSERT_CACHE_IS_EMPTY(cache) \
410 JS_BEGIN_MACRO \
411 JSPropertyCache *cache_ = (cache); \
412 uintN i_; \
413 JS_ASSERT(cache_->empty); \
414 for (i_ = 0; i_ < PROPERTY_CACHE_SIZE; i_++) { \
415 JS_ASSERT(!cache_->table[i_].kpc); \
416 JS_ASSERT(!cache_->table[i_].kshape); \
417 JS_ASSERT(!cache_->table[i_].vcap); \
418 JS_ASSERT(!cache_->table[i_].vword); \
419 } \
420 JS_END_MACRO
421 #else
422 #define ASSERT_CACHE_IS_EMPTY(cache) ((void)0)
423 #endif
424
425 JS_STATIC_ASSERT(PCVAL_NULL == 0);
426
427 void
428 js_FlushPropertyCache(JSContext *cx)
429 {
430 JSPropertyCache *cache;
431
432 cache = &JS_PROPERTY_CACHE(cx);
433 if (cache->empty) {
434 ASSERT_CACHE_IS_EMPTY(cache);
435 return;
436 }
437
438 memset(cache->table, 0, sizeof cache->table);
439 cache->empty = JS_TRUE;
440
441 #ifdef JS_PROPERTY_CACHE_METERING
442 { static FILE *fp;
443 if (!fp)
444 fp = fopen("/tmp/propcache.stats", "w");
445 if (fp) {
446 fputs("Property cache stats for ", fp);
447 #ifdef JS_THREADSAFE
448 fprintf(fp, "thread %lu, ", (unsigned long) cx->thread->id);
449 #endif
450 fprintf(fp, "GC %u\n", cx->runtime->gcNumber);
451
452 # define P(mem) fprintf(fp, "%11s %10lu\n", #mem, (unsigned long)cache->mem)
453 P(fills);
454 P(nofills);
455 P(rofills);
456 P(disfills);
457 P(oddfills);
458 P(modfills);
459 P(brandfills);
460 P(noprotos);
461 P(longchains);
462 P(recycles);
463 P(pcrecycles);
464 P(tests);
465 P(pchits);
466 P(protopchits);
467 P(initests);
468 P(inipchits);
469 P(inipcmisses);
470 P(settests);
471 P(addpchits);
472 P(setpchits);
473 P(setpcmisses);
474 P(slotchanges);
475 P(setmisses);
476 P(idmisses);
477 P(komisses);
478 P(vcmisses);
479 P(misses);
480 P(flushes);
481 P(pcpurges);
482 # undef P
483
484 fprintf(fp, "hit rates: pc %g%% (proto %g%%), set %g%%, ini %g%%, full %g%%\n",
485 (100. * cache->pchits) / cache->tests,
486 (100. * cache->protopchits) / cache->tests,
487 (100. * (cache->addpchits + cache->setpchits))
488 / cache->settests,
489 (100. * cache->inipchits) / cache->initests,
490 (100. * (cache->tests - cache->misses)) / cache->tests);
491 fflush(fp);
492 }
493 }
494 #endif
495
496 PCMETER(cache->flushes++);
497 }
498
499 void
500 js_FlushPropertyCacheForScript(JSContext *cx, JSScript *script)
501 {
502 JSPropertyCache *cache;
503 JSPropCacheEntry *entry;
504
505 cache = &JS_PROPERTY_CACHE(cx);
506 for (entry = cache->table; entry < cache->table + PROPERTY_CACHE_SIZE;
507 entry++) {
508 if (JS_UPTRDIFF(entry->kpc, script->code) < script->length) {
509 entry->kpc = NULL;
510 entry->kshape = 0;
511 #ifdef DEBUG
512 entry->vcap = entry->vword = 0;
513 #endif
514 }
515 }
516 }
517
518 void
519 js_DisablePropertyCache(JSContext *cx)
520 {
521 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled >= 0);
522 ++JS_PROPERTY_CACHE(cx).disabled;
523 }
524
525 void
526 js_EnablePropertyCache(JSContext *cx)
527 {
528 --JS_PROPERTY_CACHE(cx).disabled;
529 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled >= 0);
530 }
531
532 /*
533 * Check if the current arena has enough space to fit nslots after sp and, if
534 * so, reserve the necessary space.
535 */
536 static JSBool
537 AllocateAfterSP(JSContext *cx, jsval *sp, uintN nslots)
538 {
539 uintN surplus;
540 jsval *sp2;
541
542 JS_ASSERT((jsval *) cx->stackPool.current->base <= sp);
543 JS_ASSERT(sp <= (jsval *) cx->stackPool.current->avail);
544 surplus = (jsval *) cx->stackPool.current->avail - sp;
545 if (nslots <= surplus)
546 return JS_TRUE;
547
548 /*
549 * No room before current->avail, check if the arena has enough space to
550 * fit the missing slots before the limit.
551 */
552 if (nslots > (size_t) ((jsval *) cx->stackPool.current->limit - sp))
553 return JS_FALSE;
554
555 JS_ARENA_ALLOCATE_CAST(sp2, jsval *, &cx->stackPool,
556 (nslots - surplus) * sizeof(jsval));
557 JS_ASSERT(sp2 == sp + surplus);
558 return JS_TRUE;
559 }
560
561 JS_STATIC_INTERPRET jsval *
562 js_AllocRawStack(JSContext *cx, uintN nslots, void **markp)
563 {
564 jsval *sp;
565
566 if (!cx->stackPool.first.next) {
567 int64 *timestamp;
568
569 JS_ARENA_ALLOCATE_CAST(timestamp, int64 *,
570 &cx->stackPool, sizeof *timestamp);
571 if (!timestamp) {
572 js_ReportOutOfScriptQuota(cx);
573 return NULL;
574 }
575 *timestamp = JS_Now();
576 }
577
578 if (markp)
579 *markp = JS_ARENA_MARK(&cx->stackPool);
580 JS_ARENA_ALLOCATE_CAST(sp, jsval *, &cx->stackPool, nslots * sizeof(jsval));
581 if (!sp)
582 js_ReportOutOfScriptQuota(cx);
583 return sp;
584 }
585
586 JS_STATIC_INTERPRET void
587 js_FreeRawStack(JSContext *cx, void *mark)
588 {
589 JS_ARENA_RELEASE(&cx->stackPool, mark);
590 }
591
592 JS_FRIEND_API(jsval *)
593 js_AllocStack(JSContext *cx, uintN nslots, void **markp)
594 {
595 jsval *sp;
596 JSArena *a;
597 JSStackHeader *sh;
598
599 /* Callers don't check for zero nslots: we do to avoid empty segments. */
600 if (nslots == 0) {
601 *markp = NULL;
602 return (jsval *) JS_ARENA_MARK(&cx->stackPool);
603 }
604
605 /* Allocate 2 extra slots for the stack segment header we'll likely need. */
606 sp = js_AllocRawStack(cx, 2 + nslots, markp);
607 if (!sp)
608 return NULL;
609
610 /* Try to avoid another header if we can piggyback on the last segment. */
611 a = cx->stackPool.current;
612 sh = cx->stackHeaders;
613 if (sh && JS_STACK_SEGMENT(sh) + sh->nslots == sp) {
614 /* Extend the last stack segment, give back the 2 header slots. */
615 sh->nslots += nslots;
616 a->avail -= 2 * sizeof(jsval);
617 } else {
618 /*
619 * Need a new stack segment, so allocate and push a stack segment
620 * header from the 2 extra slots.
621 */
622 sh = (JSStackHeader *)sp;
623 sh->nslots = nslots;
624 sh->down = cx->stackHeaders;
625 cx->stackHeaders = sh;
626 sp += 2;
627 }
628
629 /*
630 * Store JSVAL_NULL using memset, to let compilers optimize as they see
631 * fit, in case a caller allocates and pushes GC-things one by one, which
632 * could nest a last-ditch GC that will scan this segment.
633 */
634 memset(sp, 0, nslots * sizeof(jsval));
635 return sp;
636 }
637
638 JS_FRIEND_API(void)
639 js_FreeStack(JSContext *cx, void *mark)
640 {
641 JSStackHeader *sh;
642 jsuword slotdiff;
643
644 /* Check for zero nslots allocation special case. */
645 if (!mark)
646 return;
647
648 /* We can assert because js_FreeStack always balances js_AllocStack. */
649 sh = cx->stackHeaders;
650 JS_ASSERT(sh);
651
652 /* If mark is in the current segment, reduce sh->nslots, else pop sh. */
653 slotdiff = JS_UPTRDIFF(mark, JS_STACK_SEGMENT(sh)) / sizeof(jsval);
654 if (slotdiff < (jsuword)sh->nslots)
655 sh->nslots = slotdiff;
656 else
657 cx->stackHeaders = sh->down;
658
659 /* Release the stackPool space allocated since mark was set. */
660 JS_ARENA_RELEASE(&cx->stackPool, mark);
661 }
662
663 JSObject *
664 js_GetScopeChain(JSContext *cx, JSStackFrame *fp)
665 {
666 JSObject *obj, *cursor, *clonedChild, *parent;
667 JSTempValueRooter tvr;
668
669 obj = fp->blockChain;
670 if (!obj) {
671 /*
672 * Don't force a call object for a lightweight function call, but do
673 * insist that there is a call object for a heavyweight function call.
674 */
675 JS_ASSERT(!fp->fun ||
676 !(fp->fun->flags & JSFUN_HEAVYWEIGHT) ||
677 fp->callobj);
678 JS_ASSERT(fp->scopeChain);
679 return fp->scopeChain;
680 }
681
682 /*
683 * We have one or more lexical scopes to reflect into fp->scopeChain, so
684 * make sure there's a call object at the current head of the scope chain,
685 * if this frame is a call frame.
686 */
687 if (fp->fun && !fp->callobj) {
688 JS_ASSERT(OBJ_GET_CLASS(cx, fp->scopeChain) != &js_BlockClass ||
689 OBJ_GET_PRIVATE(cx, fp->scopeChain) != fp);
690 if (!js_GetCallObject(cx, fp, fp->scopeChain))
691 return NULL;
692 }
693
694 /*
695 * Clone the block chain. To avoid recursive cloning we set the parent of
696 * the cloned child after we clone the parent. In the following loop when
697 * clonedChild is null it indicates the first iteration when no special GC
698 * rooting is necessary. On the second and the following iterations we
699 * have to protect cloned so far chain against the GC during cloning of
700 * the cursor object.
701 */
702 cursor = obj;
703 clonedChild = NULL;
704 for (;;) {
705 parent = OBJ_GET_PARENT(cx, cursor);
706
707 /*
708 * We pass fp->scopeChain and not null even if we override the parent
709 * slot later as null triggers useless calculations of slot's value in
710 * js_NewObject that js_CloneBlockObject calls.
711 */
712 cursor = js_CloneBlockObject(cx, cursor, fp->scopeChain, fp);
713 if (!cursor) {
714 if (clonedChild)
715 JS_POP_TEMP_ROOT(cx, &tvr);
716 return NULL;
717 }
718 if (!clonedChild) {
719 /*
720 * The first iteration. Check if other follow and root obj if so
721 * to protect the whole cloned chain against GC.
722 */
723 obj = cursor;
724 if (!parent)
725 break;
726 JS_PUSH_TEMP_ROOT_OBJECT(cx, obj, &tvr);
727 } else {
728 /*
729 * Avoid OBJ_SET_PARENT overhead as clonedChild cannot escape to
730 * other threads.
731 */
732 STOBJ_SET_PARENT(clonedChild, cursor);
733 if (!parent) {
734 JS_ASSERT(tvr.u.value == OBJECT_TO_JSVAL(obj));
735 JS_POP_TEMP_ROOT(cx, &tvr);
736 break;
737 }
738 }
739 clonedChild = cursor;
740 cursor = parent;
741 }
742 fp->flags |= JSFRAME_POP_BLOCKS;
743 fp->scopeChain = obj;
744 fp->blockChain = NULL;
745 return obj;
746 }
747
748 JSBool
749 js_GetPrimitiveThis(JSContext *cx, jsval *vp, JSClass *clasp, jsval *thisvp)
750 {
751 jsval v;
752 JSObject *obj;
753
754 v = vp[1];
755 if (JSVAL_IS_OBJECT(v)) {
756 obj = JS_THIS_OBJECT(cx, vp);
757 if (!JS_InstanceOf(cx, obj, clasp, vp + 2))
758 return JS_FALSE;
759 v = OBJ_GET_SLOT(cx, obj, JSSLOT_PRIVATE);
760 }
761 *thisvp = v;
762 return JS_TRUE;
763 }
764
765 /*
766 * ECMA requires "the global object", but in embeddings such as the browser,
767 * which have multiple top-level objects (windows, frames, etc. in the DOM),
768 * we prefer fun's parent. An example that causes this code to run:
769 *
770 * // in window w1
771 * function f() { return this }
772 * function g() { return f }
773 *
774 * // in window w2
775 * var h = w1.g()
776 * alert(h() == w1)
777 *
778 * The alert should display "true".
779 */
780 JS_STATIC_INTERPRET JSObject *
781 js_ComputeGlobalThis(JSContext *cx, JSBool lazy, jsval *argv)
782 {
783 JSObject *thisp;
784
785 if (JSVAL_IS_PRIMITIVE(argv[-2]) ||
786 !OBJ_GET_PARENT(cx, JSVAL_TO_OBJECT(argv[-2]))) {
787 thisp = cx->globalObject;
788 } else {
789 JSStackFrame *fp;
790 jsid id;
791 jsval v;
792 uintN attrs;
793 JSBool ok;
794 JSObject *parent;
795
796 /*
797 * Walk up the parent chain, first checking that the running script
798 * has access to the callee's parent object. Note that if lazy, the
799 * running script whose principals we want to check is the script
800 * associated with fp->down, not with fp.
801 *
802 * FIXME: 417851 -- this access check should not be required, as it
803 * imposes a performance penalty on all js_ComputeGlobalThis calls,
804 * and it represents a maintenance hazard.
805 */
806 fp = js_GetTopStackFrame(cx); /* quell GCC overwarning */
807 if (lazy) {
808 JS_ASSERT(fp->argv == argv);
809 fp->dormantNext = cx->dormantFrameChain;
810 cx->dormantFrameChain = fp;
811 cx->fp = fp->down;
812 fp->down = NULL;
813 }
814 thisp = JSVAL_TO_OBJECT(argv[-2]);
815 id = ATOM_TO_JSID(cx->runtime->atomState.parentAtom);
816
817 ok = OBJ_CHECK_ACCESS(cx, thisp, id, JSACC_PARENT, &v, &attrs);
818 if (lazy) {
819 cx->dormantFrameChain = fp->dormantNext;
820 fp->dormantNext = NULL;
821 fp->down = cx->fp;
822 cx->fp = fp;
823 }
824 if (!ok)
825 return NULL;
826
827 thisp = JSVAL_IS_VOID(v)
828 ? OBJ_GET_PARENT(cx, thisp)
829 : JSVAL_TO_OBJECT(v);
830 while ((parent = OBJ_GET_PARENT(cx, thisp)) != NULL)
831 thisp = parent;
832 }
833
834 OBJ_TO_OUTER_OBJECT(cx, thisp);
835 if (!thisp)
836 return NULL;
837 argv[-1] = OBJECT_TO_JSVAL(thisp);
838 return thisp;
839 }
840
841 static JSObject *
842 ComputeThis(JSContext *cx, JSBool lazy, jsval *argv)
843 {
844 JSObject *thisp;
845
846 JS_ASSERT(!JSVAL_IS_NULL(argv[-1]));
847 if (!JSVAL_IS_OBJECT(argv[-1])) {
848 if (!js_PrimitiveToObject(cx, &argv[-1]))
849 return NULL;
850 thisp = JSVAL_TO_OBJECT(argv[-1]);
851 } else {
852 thisp = JSVAL_TO_OBJECT(argv[-1]);
853 if (OBJ_GET_CLASS(cx, thisp) == &js_CallClass ||
854 OBJ_GET_CLASS(cx, thisp) == &js_BlockClass) {
855 return js_ComputeGlobalThis(cx, lazy, argv);
856 }
857
858 if (thisp->map->ops->thisObject) {
859 /* Some objects (e.g., With) delegate 'this' to another object. */
860 thisp = thisp->map->ops->thisObject(cx, thisp);
861 if (!thisp)
862 return NULL;
863 }
864 OBJ_TO_OUTER_OBJECT(cx, thisp);
865 if (!thisp)
866 return NULL;
867 argv[-1] = OBJECT_TO_JSVAL(thisp);
868 }
869 return thisp;
870 }
871
872 JSObject *
873 js_ComputeThis(JSContext *cx, JSBool lazy, jsval *argv)
874 {
875 if (JSVAL_IS_NULL(argv[-1]))
876 return js_ComputeGlobalThis(cx, lazy, argv);
877 return ComputeThis(cx, lazy, argv);
878 }
879
880 #if JS_HAS_NO_SUCH_METHOD
881
882 #define JSSLOT_FOUND_FUNCTION JSSLOT_PRIVATE
883 #define JSSLOT_SAVED_ID (JSSLOT_PRIVATE + 1)
884
885 JSClass js_NoSuchMethodClass = {
886 "NoSuchMethod",
887 JSCLASS_HAS_RESERVED_SLOTS(2) | JSCLASS_IS_ANONYMOUS |
888 JSCLASS_HAS_CACHED_PROTO(JSProto_NoSuchMethod),
889 JS_PropertyStub, JS_PropertyStub, JS_PropertyStub, JS_PropertyStub,
890 JS_EnumerateStub, JS_ResolveStub, JS_ConvertStub, JS_FinalizeStub,
891 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
892 };
893
894 JS_BEGIN_EXTERN_C
895
896 JSObject*
897 js_InitNoSuchMethodClass(JSContext *cx, JSObject* obj);
898
899 JS_END_EXTERN_C
900
901 JSObject*
902 js_InitNoSuchMethodClass(JSContext *cx, JSObject* obj)
903 {
904 JSObject *proto;
905
906 proto = JS_InitClass(cx, obj, NULL, &js_NoSuchMethodClass, NULL, 0, NULL,
907 NULL, NULL, NULL);
908 if (!proto)
909 return NULL;
910
911 OBJ_CLEAR_PROTO(cx, proto);
912 return proto;
913 }
914
915 /*
916 * When JSOP_CALLPROP or JSOP_CALLELEM does not find the method property of
917 * the base object, we search for the __noSuchMethod__ method in the base.
918 * If it exists, we store the method and the property's id into an object of
919 * NoSuchMethod class and store this object into the callee's stack slot.
920 * Later, js_Invoke will recognise such an object and transfer control to
921 * NoSuchMethod that invokes the method like:
922 *
923 * this.__noSuchMethod__(id, args)
924 *
925 * where id is the name of the method that this invocation attempted to
926 * call by name, and args is an Array containing this invocation's actual
927 * parameters.
928 */
929 JS_STATIC_INTERPRET JSBool
930 js_OnUnknownMethod(JSContext *cx, jsval *vp)
931 {
932 JSObject *obj;
933 jsid id;
934 JSTempValueRooter tvr;
935 JSBool ok;
936
937 JS_ASSERT(!JSVAL_IS_PRIMITIVE(vp[1]));
938 obj = JSVAL_TO_OBJECT(vp[1]);
939 JS_PUSH_SINGLE_TEMP_ROOT(cx, JSVAL_NULL, &tvr);
940
941 MUST_FLOW_THROUGH("out");
942 id = ATOM_TO_JSID(cx->runtime->atomState.noSuchMethodAtom);
943 #if JS_HAS_XML_SUPPORT
944 if (OBJECT_IS_XML(cx, obj)) {
945 JSXMLObjectOps *ops;
946
947 ops = (JSXMLObjectOps *) obj->map->ops;
948 obj = ops->getMethod(cx, obj, id, &tvr.u.value);
949 if (!obj) {
950 ok = JS_FALSE;
951 goto out;
952 }
953 vp[1] = OBJECT_TO_JSVAL(obj);
954 } else
955 #endif
956 {
957 ok = OBJ_GET_PROPERTY(cx, obj, id, &tvr.u.value);
958 if (!ok)
959 goto out;
960 }
961 if (JSVAL_IS_PRIMITIVE(tvr.u.value)) {
962 vp[0] = tvr.u.value;
963 } else {
964 #if JS_HAS_XML_SUPPORT
965 /* Extract the function name from function::name qname. */
966 if (!JSVAL_IS_PRIMITIVE(vp[0])) {
967 obj = JSVAL_TO_OBJECT(vp[0]);
968 ok = js_IsFunctionQName(cx, obj, &id);
969 if (!ok)
970 goto out;
971 if (id != 0)
972 vp[0] = ID_TO_VALUE(id);
973 }
974 #endif
975 obj = js_NewObject(cx, &js_NoSuchMethodClass, NULL, NULL, 0);
976 if (!obj) {
977 ok = JS_FALSE;
978 goto out;
979 }
980 obj->fslots[JSSLOT_FOUND_FUNCTION] = tvr.u.value;
981 obj->fslots[JSSLOT_SAVED_ID] = vp[0];
982 vp[0] = OBJECT_TO_JSVAL(obj);
983 }
984 ok = JS_TRUE;
985
986 out:
987 JS_POP_TEMP_ROOT(cx, &tvr);
988 return ok;
989 }
990
991 static JSBool
992 NoSuchMethod(JSContext *cx, uintN argc, jsval *vp, uint32 flags)
993 {
994 jsval *invokevp;
995 void *mark;
996 JSBool ok;
997 JSObject *obj, *argsobj;
998
999 invokevp = js_AllocStack(cx, 2 + 2, &mark);
1000 if (!invokevp)
1001 return JS_FALSE;
1002
1003 JS_ASSERT(!JSVAL_IS_PRIMITIVE(vp[0]));
1004 JS_ASSERT(!JSVAL_IS_PRIMITIVE(vp[1]));
1005 obj = JSVAL_TO_OBJECT(vp[0]);
1006 JS_ASSERT(STOBJ_GET_CLASS(obj) == &js_NoSuchMethodClass);
1007
1008 invokevp[0] = obj->fslots[JSSLOT_FOUND_FUNCTION];
1009 invokevp[1] = vp[1];
1010 invokevp[2] = obj->fslots[JSSLOT_SAVED_ID];
1011 argsobj = js_NewArrayObject(cx, argc, vp + 2);
1012 if (!argsobj) {
1013 ok = JS_FALSE;
1014 } else {
1015 invokevp[3] = OBJECT_TO_JSVAL(argsobj);
1016 ok = (flags & JSINVOKE_CONSTRUCT)
1017 ? js_InvokeConstructor(cx, 2, JS_TRUE, invokevp)
1018 : js_Invoke(cx, 2, invokevp, flags);
1019 vp[0] = invokevp[0];
1020 }
1021 js_FreeStack(cx, mark);
1022 return ok;
1023 }
1024
1025 #endif /* JS_HAS_NO_SUCH_METHOD */
1026
1027 /*
1028 * We check if the function accepts a primitive value as |this|. For that we
1029 * use a table that maps value's tag into the corresponding function flag.
1030 */
1031 JS_STATIC_ASSERT(JSVAL_INT == 1);
1032 JS_STATIC_ASSERT(JSVAL_DOUBLE == 2);
1033 JS_STATIC_ASSERT(JSVAL_STRING == 4);
1034 JS_STATIC_ASSERT(JSVAL_BOOLEAN == 6);
1035
1036 const uint16 js_PrimitiveTestFlags[] = {
1037 JSFUN_THISP_NUMBER, /* INT */
1038 JSFUN_THISP_NUMBER, /* DOUBLE */
1039 JSFUN_THISP_NUMBER, /* INT */
1040 JSFUN_THISP_STRING, /* STRING */
1041 JSFUN_THISP_NUMBER, /* INT */
1042 JSFUN_THISP_BOOLEAN, /* BOOLEAN */
1043 JSFUN_THISP_NUMBER /* INT */
1044 };
1045
1046 /*
1047 * Find a function reference and its 'this' object implicit first parameter
1048 * under argc arguments on cx's stack, and call the function. Push missing
1049 * required arguments, allocate declared local variables, and pop everything
1050 * when done. Then push the return value.
1051 */
1052 JS_FRIEND_API(JSBool)
1053 js_Invoke(JSContext *cx, uintN argc, jsval *vp, uintN flags)
1054 {
1055 void *mark;
1056 JSStackFrame frame;
1057 jsval *sp, *argv, *newvp;
1058 jsval v;
1059 JSObject *funobj, *parent;
1060 JSBool ok;
1061 JSClass *clasp;
1062 JSObjectOps *ops;
1063 JSNative native;
1064 JSFunction *fun;
1065 JSScript *script;
1066 uintN nslots, i;
1067 uint32 rootedArgsFlag;
1068 JSInterpreterHook hook;
1069 void *hookData;
1070
1071 /* [vp .. vp + 2 + argc) must belong to the last JS stack arena. */
1072 JS_ASSERT((jsval *) cx->stackPool.current->base <= vp);
1073 JS_ASSERT(vp + 2 + argc <= (jsval *) cx->stackPool.current->avail);
1074
1075 /*
1076 * Mark the top of stack and load frequently-used registers. After this
1077 * point the control should flow through label out2: to return.
1078 */
1079 mark = JS_ARENA_MARK(&cx->stackPool);
1080 v = *vp;
1081
1082 if (JSVAL_IS_PRIMITIVE(v))
1083 goto bad;
1084
1085 funobj = JSVAL_TO_OBJECT(v);
1086 parent = OBJ_GET_PARENT(cx, funobj);
1087 clasp = OBJ_GET_CLASS(cx, funobj);
1088 if (clasp != &js_FunctionClass) {
1089 #if JS_HAS_NO_SUCH_METHOD
1090 if (clasp == &js_NoSuchMethodClass) {
1091 ok = NoSuchMethod(cx, argc, vp, flags);
1092 goto out2;
1093 }
1094 #endif
1095
1096 /* Function is inlined, all other classes use object ops. */
1097 ops = funobj->map->ops;
1098
1099 /*
1100 * XXX this makes no sense -- why convert to function if clasp->call?
1101 * XXX better to call that hook without converting
1102 * XXX the only thing that needs fixing is liveconnect
1103 *
1104 * Try converting to function, for closure and API compatibility.
1105 * We attempt the conversion under all circumstances for 1.2, but
1106 * only if there is a call op defined otherwise.
1107 */
1108 if ((ops == &js_ObjectOps) ? clasp->call : ops->call) {
1109 ok = clasp->convert(cx, funobj, JSTYPE_FUNCTION, &v);
1110 if (!ok)
1111 goto out2;
1112
1113 if (VALUE_IS_FUNCTION(cx, v)) {
1114 /* Make vp refer to funobj to keep it available as argv[-2]. */
1115 *vp = v;
1116 funobj = JSVAL_TO_OBJECT(v);
1117 parent = OBJ_GET_PARENT(cx, funobj);
1118 goto have_fun;
1119 }
1120 }
1121 fun = NULL;
1122 script = NULL;
1123 nslots = 0;
1124
1125 /* Try a call or construct native object op. */
1126 if (flags & JSINVOKE_CONSTRUCT) {
1127 if (!JSVAL_IS_OBJECT(vp[1])) {
1128 ok = js_PrimitiveToObject(cx, &vp[1]);
1129 if (!ok)
1130 goto out2;
1131 }
1132 native = ops->construct;
1133 } else {
1134 native = ops->call;
1135 }
1136 if (!native)
1137 goto bad;
1138 } else {
1139 have_fun:
1140 /* Get private data and set derived locals from it. */
1141 fun = GET_FUNCTION_PRIVATE(cx, funobj);
1142 nslots = FUN_MINARGS(fun);
1143 nslots = (nslots > argc) ? nslots - argc : 0;
1144 if (FUN_INTERPRETED(fun)) {
1145 native = NULL;
1146 script = fun->u.i.script;
1147 } else {
1148 native = fun->u.n.native;
1149 script = NULL;
1150 nslots += fun->u.n.extra;
1151 }
1152
1153 if (JSFUN_BOUND_METHOD_TEST(fun->flags)) {
1154 /* Handle bound method special case. */
1155 vp[1] = OBJECT_TO_JSVAL(parent);
1156 } else if (!JSVAL_IS_OBJECT(vp[1])) {
1157 JS_ASSERT(!(flags & JSINVOKE_CONSTRUCT));
1158 if (PRIMITIVE_THIS_TEST(fun, vp[1]))
1159 goto start_call;
1160 }
1161 }
1162
1163 if (flags & JSINVOKE_CONSTRUCT) {
1164 JS_ASSERT(!JSVAL_IS_PRIMITIVE(vp[1]));
1165 } else {
1166 /*
1167 * We must call js_ComputeThis in case we are not called from the
1168 * interpreter, where a prior bytecode has computed an appropriate
1169 * |this| already.
1170 *
1171 * But we need to compute |this| eagerly only for so-called "slow"
1172 * (i.e., not fast) native functions. Fast natives must use either
1173 * JS_THIS or JS_THIS_OBJECT, and scripted functions will go through
1174 * the appropriate this-computing bytecode, e.g., JSOP_THIS.
1175 */
1176 if (native && (!fun || !(fun->flags & JSFUN_FAST_NATIVE))) {
1177 if (!js_ComputeThis(cx, JS_FALSE, vp + 2)) {
1178 ok = JS_FALSE;
1179 goto out2;
1180 }
1181 flags |= JSFRAME_COMPUTED_THIS;
1182 }
1183 }
1184
1185 start_call:
1186 if (native && fun && (fun->flags & JSFUN_FAST_NATIVE)) {
1187 #ifdef DEBUG_NOT_THROWING
1188 JSBool alreadyThrowing = cx->throwing;
1189 #endif
1190 JS_ASSERT(nslots == 0);
1191 #if JS_HAS_LVALUE_RETURN
1192 /* Set by JS_SetCallReturnValue2, used to return reference types. */
1193 cx->rval2set = JS_FALSE;
1194 #endif
1195 ok = ((JSFastNative) native)(cx, argc, vp);
1196 JS_RUNTIME_METER(cx->runtime, nativeCalls);
1197 #ifdef DEBUG_NOT_THROWING
1198 if (ok && !alreadyThrowing)
1199 ASSERT_NOT_THROWING(cx);
1200 #endif
1201 goto out2;
1202 }
1203
1204 argv = vp + 2;
1205 sp = argv + argc;
1206
1207 rootedArgsFlag = JSFRAME_ROOTED_ARGV;
1208 if (nslots != 0) {
1209 /*
1210 * The extra slots required by the function continue with argument
1211 * slots. Thus, when the last stack pool arena does not have room to
1212 * fit nslots right after sp and AllocateAfterSP fails, we have to copy
1213 * [vp..vp+2+argc) slots and clear rootedArgsFlag to root the copy.
1214 */
1215 if (!AllocateAfterSP(cx, sp, nslots)) {
1216 rootedArgsFlag = 0;
1217 newvp = js_AllocRawStack(cx, 2 + argc + nslots, NULL);
1218 if (!newvp) {
1219 ok = JS_FALSE;
1220 goto out2;
1221 }
1222 memcpy(newvp, vp, (2 + argc) * sizeof(jsval));
1223 argv = newvp + 2;
1224 sp = argv + argc;
1225 }
1226
1227 /* Push void to initialize missing args. */
1228 i = nslots;
1229 do {
1230 *sp++ = JSVAL_VOID;
1231 } while (--i != 0);
1232 }
1233
1234 /* Allocate space for local variables and stack of interpreted function. */
1235 if (script && script->nslots != 0) {
1236 if (!AllocateAfterSP(cx, sp, script->nslots)) {
1237 /* NB: Discontinuity between argv and slots, stack slots. */
1238 sp = js_AllocRawStack(cx, script->nslots, NULL);
1239 if (!sp) {
1240 ok = JS_FALSE;
1241 goto out2;
1242 }
1243 }
1244
1245 /* Push void to initialize local variables. */
1246 for (jsval *end = sp + fun->u.i.nvars; sp != end; ++sp)
1247 *sp = JSVAL_VOID;
1248 }
1249
1250 /*
1251 * Initialize the frame.
1252 *
1253 * To set thisp we use an explicit cast and not JSVAL_TO_OBJECT, as vp[1]
1254 * can be a primitive value here for those native functions specified with
1255 * JSFUN_THISP_(NUMBER|STRING|BOOLEAN) flags.
1256 */
1257 frame.thisp = (JSObject *)vp[1];
1258 frame.varobj = NULL;
1259 frame.callobj = frame.argsobj = NULL;
1260 frame.script = script;
1261 frame.callee = funobj;
1262 frame.fun = fun;
1263 frame.argc = argc;
1264 frame.argv = argv;
1265
1266 /* Default return value for a constructor is the new object. */
1267 frame.rval = (flags & JSINVOKE_CONSTRUCT) ? vp[1] : JSVAL_VOID;
1268 frame.down = js_GetTopStackFrame(cx);
1269 frame.annotation = NULL;
1270 frame.scopeChain = NULL; /* set below for real, after cx->fp is set */
1271 frame.regs = NULL;
1272 frame.imacpc = NULL;
1273 frame.slots = NULL;
1274 frame.sharpDepth = 0;
1275 frame.sharpArray = NULL;
1276 frame.flags = flags | rootedArgsFlag;
1277 frame.dormantNext = NULL;
1278 frame.xmlNamespace = NULL;
1279 frame.blockChain = NULL;
1280
1281 MUST_FLOW_THROUGH("out");
1282 cx->fp = &frame;
1283
1284 /* Init these now in case we goto out before first hook call. */
1285 hook = cx->debugHooks->callHook;
1286 hookData = NULL;
1287
1288 /* call the hook if present */
1289 if (hook && (native || script))
1290 hookData = hook(cx, &frame, JS_TRUE, 0, cx->debugHooks->callHookData);
1291
1292 /* Call the function, either a native method or an interpreted script. */
1293 if (native) {
1294 #ifdef DEBUG_NOT_THROWING
1295 JSBool alreadyThrowing = cx->throwing;
1296 #endif
1297
1298 #if JS_HAS_LVALUE_RETURN
1299 /* Set by JS_SetCallReturnValue2, used to return reference types. */
1300 cx->rval2set = JS_FALSE;
1301 #endif
1302
1303 /* If native, use caller varobj and scopeChain for eval. */
1304 JS_ASSERT(!frame.varobj);
1305 JS_ASSERT(!frame.scopeChain);
1306 if (frame.down) {
1307 frame.varobj = frame.down->varobj;
1308 frame.scopeChain = frame.down->scopeChain;
1309 }
1310
1311 /* But ensure that we have a scope chain. */
1312 if (!frame.scopeChain)
1313 frame.scopeChain = parent;
1314
1315 frame.displaySave = NULL;
1316 ok = native(cx, frame.thisp, argc, frame.argv, &frame.rval);
1317 JS_RUNTIME_METER(cx->runtime, nativeCalls);
1318 #ifdef DEBUG_NOT_THROWING
1319 if (ok && !alreadyThrowing)
1320 ASSERT_NOT_THROWING(cx);
1321 #endif
1322 } else if (script) {
1323 /* Use parent scope so js_GetCallObject can find the right "Call". */
1324 frame.scopeChain = parent;
1325 if (JSFUN_HEAVYWEIGHT_TEST(fun->flags)) {
1326 /* Scope with a call object parented by the callee's parent. */
1327 if (!js_GetCallObject(cx, &frame, parent)) {
1328 ok = JS_FALSE;
1329 goto out;
1330 }
1331 }
1332 frame.slots = sp - fun->u.i.nvars;
1333
1334 ok = js_Interpret(cx);
1335 } else {
1336 /* fun might be onerror trying to report a syntax error in itself. */
1337 frame.scopeChain = NULL;
1338 frame.displaySave = NULL;
1339 ok = JS_TRUE;
1340 }
1341
1342 out:
1343 if (hookData) {
1344 hook = cx->debugHooks->callHook;
1345 if (hook)
1346 hook(cx, &frame, JS_FALSE, &ok, hookData);
1347 }
1348
1349 /* If frame has a call object, sync values and clear back-pointer. */
1350 if (frame.callobj)
1351 ok &= js_PutCallObject(cx, &frame);
1352
1353 /* If frame has an arguments object, sync values and clear back-pointer. */
1354 if (frame.argsobj)
1355 ok &= js_PutArgsObject(cx, &frame);
1356
1357 *vp = frame.rval;
1358
1359 /* Restore cx->fp now that we're done releasing frame objects. */
1360 cx->fp = frame.down;
1361
1362 out2:
1363 /* Pop everything we may have allocated off the stack. */
1364 JS_ARENA_RELEASE(&cx->stackPool, mark);
1365 if (!ok)
1366 *vp = JSVAL_NULL;
1367 return ok;
1368
1369 bad:
1370 js_ReportIsNotFunction(cx, vp, flags & JSINVOKE_FUNFLAGS);
1371 ok = JS_FALSE;
1372 goto out2;
1373 }
1374
1375 JSBool
1376 js_InternalInvoke(JSContext *cx, JSObject *obj, jsval fval, uintN flags,
1377 uintN argc, jsval *argv, jsval *rval)
1378 {
1379 jsval *invokevp;
1380 void *mark;
1381 JSBool ok;
1382
1383 invokevp = js_AllocStack(cx, 2 + argc, &mark);
1384 if (!invokevp)
1385 return JS_FALSE;
1386
1387 invokevp[0] = fval;
1388 invokevp[1] = OBJECT_TO_JSVAL(obj);
1389 memcpy(invokevp + 2, argv, argc * sizeof *argv);
1390
1391 ok = js_Invoke(cx, argc, invokevp, flags);
1392 if (ok) {
1393 /*
1394 * Store *rval in the a scoped local root if a scope is open, else in
1395 * the lastInternalResult pigeon-hole GC root, solely so users of
1396 * js_InternalInvoke and its direct and indirect (js_ValueToString for
1397 * example) callers do not need to manage roots for local, temporary
1398 * references to such results.
1399 */
1400 *rval = *invokevp;
1401 if (JSVAL_IS_GCTHING(*rval) && *rval != JSVAL_NULL) {
1402 if (cx->localRootStack) {
1403 if (js_PushLocalRoot(cx, cx->localRootStack, *rval) < 0)
1404 ok = JS_FALSE;
1405 } else {
1406 cx->weakRoots.lastInternalResult = *rval;
1407 }
1408 }
1409 }
1410
1411 js_FreeStack(cx, mark);
1412 return ok;
1413 }
1414
1415 JSBool
1416 js_InternalGetOrSet(JSContext *cx, JSObject *obj, jsid id, jsval fval,
1417 JSAccessMode mode, uintN argc, jsval *argv, jsval *rval)
1418 {
1419 JSSecurityCallbacks *callbacks;
1420
1421 /*
1422 * js_InternalInvoke could result in another try to get or set the same id
1423 * again, see bug 355497.
1424 */
1425 JS_CHECK_RECURSION(cx, return JS_FALSE);
1426
1427 /*
1428 * Check general (not object-ops/class-specific) access from the running
1429 * script to obj.id only if id has a scripted getter or setter that we're
1430 * about to invoke. If we don't check this case, nothing else will -- no
1431 * other native code has the chance to check.
1432 *
1433 * Contrast this non-native (scripted) case with native getter and setter
1434 * accesses, where the native itself must do an access check, if security
1435 * policies requires it. We make a checkAccess or checkObjectAccess call
1436 * back to the embedding program only in those cases where we're not going
1437 * to call an embedding-defined native function, getter, setter, or class
1438 * hook anyway. Where we do call such a native, there's no need for the
1439 * engine to impose a separate access check callback on all embeddings --
1440 * many embeddings have no security policy at all.
1441 */
1442 JS_ASSERT(mode == JSACC_READ || mode == JSACC_WRITE);
1443 callbacks = JS_GetSecurityCallbacks(cx);
1444 if (callbacks &&
1445 callbacks->checkObjectAccess &&
1446 VALUE_IS_FUNCTION(cx, fval) &&
1447 FUN_INTERPRETED(GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(fval))) &&
1448 !callbacks->checkObjectAccess(cx, obj, ID_TO_VALUE(id), mode, &fval)) {
1449 return JS_FALSE;
1450 }
1451
1452 return js_InternalCall(cx, obj, fval, argc, argv, rval);
1453 }
1454
1455 JSBool
1456 js_Execute(JSContext *cx, JSObject *chain, JSScript *script,
1457 JSStackFrame *down, uintN flags, jsval *result)
1458 {
1459 JSInterpreterHook hook;
1460 void *hookData, *mark;
1461 JSStackFrame *oldfp, frame;
1462 JSObject *obj, *tmp;
1463 JSBool ok;
1464
1465 #ifdef INCLUDE_MOZILLA_DTRACE
1466 if (JAVASCRIPT_EXECUTE_START_ENABLED())
1467 jsdtrace_execute_start(script);
1468 #endif
1469
1470 hook = cx->debugHooks->executeHook;
1471 hookData = mark = NULL;
1472 oldfp = js_GetTopStackFrame(cx);
1473 frame.script = script;
1474 if (down) {
1475 /* Propagate arg state for eval and the debugger API. */
1476 frame.callobj = down->callobj;
1477 frame.argsobj = down->argsobj;
1478 frame.varobj = down->varobj;
1479 frame.callee = down->callee;
1480 frame.fun = down->fun;
1481 frame.thisp = down->thisp;
1482 if (down->flags & JSFRAME_COMPUTED_THIS)
1483 flags |= JSFRAME_COMPUTED_THIS;
1484 frame.argc = down->argc;
1485 frame.argv = down->argv;
1486 frame.annotation = down->annotation;
1487 frame.sharpArray = down->sharpArray;
1488 JS_ASSERT(script->nfixed == 0);
1489 } else {
1490 frame.callobj = frame.argsobj = NULL;
1491 obj = chain;
1492 if (cx->options & JSOPTION_VAROBJFIX) {
1493 while ((tmp = OBJ_GET_PARENT(cx, obj)) != NULL)
1494 obj = tmp;
1495 }
1496 frame.varobj = obj;
1497 frame.callee = NULL;
1498 frame.fun = NULL;
1499 frame.thisp = chain;
1500 frame.argc = 0;
1501 frame.argv = NULL;
1502 frame.annotation = NULL;
1503 frame.sharpArray = NULL;
1504 }
1505
1506 frame.imacpc = NULL;
1507 if (script->nslots != 0) {
1508 frame.slots = js_AllocRawStack(cx, script->nslots, &mark);
1509 if (!frame.slots) {
1510 ok = JS_FALSE;
1511 goto out;
1512 }
1513 memset(frame.slots, 0, script->nfixed * sizeof(jsval));
1514 } else {
1515 frame.slots = NULL;
1516 }
1517
1518 frame.rval = JSVAL_VOID;
1519 frame.down = down;
1520 frame.scopeChain = chain;
1521 frame.regs = NULL;
1522 frame.sharpDepth = 0;
1523 frame.flags = flags;
1524 frame.dormantNext = NULL;
1525 frame.xmlNamespace = NULL;
1526 frame.blockChain = NULL;
1527
1528 /*
1529 * Here we wrap the call to js_Interpret with code to (conditionally)
1530 * save and restore the old stack frame chain into a chain of 'dormant'
1531 * frame chains. Since we are replacing cx->fp, we were running into
1532 * the problem that if GC was called under this frame, some of the GC
1533 * things associated with the old frame chain (available here only in
1534 * the C variable 'oldfp') were not rooted and were being collected.
1535 *
1536 * So, now we preserve the links to these 'dormant' frame chains in cx
1537 * before calling js_Interpret and cleanup afterwards. The GC walks
1538 * these dormant chains and marks objects in the same way that it marks
1539 * objects in the primary cx->fp chain.
1540 */
1541 if (oldfp && oldfp != down) {
1542 JS_ASSERT(!oldfp->dormantNext);
1543 oldfp->dormantNext = cx->dormantFrameChain;
1544 cx->dormantFrameChain = oldfp;
1545 }
1546
1547 cx->fp = &frame;
1548 if (!down) {
1549 OBJ_TO_OUTER_OBJECT(cx, frame.thisp);
1550 if (!frame.thisp) {
1551 ok = JS_FALSE;
1552 goto out2;
1553 }
1554 frame.flags |= JSFRAME_COMPUTED_THIS;
1555 }
1556
1557 if (hook) {
1558 hookData = hook(cx, &frame, JS_TRUE, 0,
1559 cx->debugHooks->executeHookData);
1560 }
1561
1562 ok = js_Interpret(cx);
1563 if (result)
1564 *result = frame.rval;
1565
1566 if (hookData) {
1567 hook = cx->debugHooks->executeHook;
1568 if (hook)
1569 hook(cx, &frame, JS_FALSE, &ok, hookData);
1570 }
1571
1572 out2:
1573 if (mark)
1574 js_FreeRawStack(cx, mark);
1575 cx->fp = oldfp;
1576
1577 if (oldfp && oldfp != down) {
1578 JS_ASSERT(cx->dormantFrameChain == oldfp);
1579 cx->dormantFrameChain = oldfp->dormantNext;
1580 oldfp->dormantNext = NULL;
1581 }
1582
1583 out:
1584 #ifdef INCLUDE_MOZILLA_DTRACE
1585 if (JAVASCRIPT_EXECUTE_DONE_ENABLED())
1586 jsdtrace_execute_done(script);
1587 #endif
1588 return ok;
1589 }
1590
1591 JSBool
1592 js_CheckRedeclaration(JSContext *cx, JSObject *obj, jsid id, uintN attrs,
1593 JSObject **objp, JSProperty **propp)
1594 {
1595 JSObject *obj2;
1596 JSProperty *prop;
1597 uintN oldAttrs, report;
1598 JSBool isFunction;
1599 jsval value;
1600 const char *type, *name;
1601
1602 if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop))
1603 return JS_FALSE;
1604 if (propp) {
1605 *objp = obj2;
1606 *propp = prop;
1607 }
1608 if (!prop)
1609 return JS_TRUE;
1610
1611 /*
1612 * Use prop as a speedup hint to OBJ_GET_ATTRIBUTES, but drop it on error.
1613 * An assertion at label bad: will insist that it is null.
1614 */
1615 if (!OBJ_GET_ATTRIBUTES(cx, obj2, id, prop, &oldAttrs)) {
1616 OBJ_DROP_PROPERTY(cx, obj2, prop);
1617 #ifdef DEBUG
1618 prop = NULL;
1619 #endif
1620 goto bad;
1621 }
1622
1623 /*
1624 * From here, return true, or else goto bad on failure to null out params.
1625 * If our caller doesn't want prop, drop it (we don't need it any longer).
1626 */
1627 if (!propp) {
1628 OBJ_DROP_PROPERTY(cx, obj2, prop);
1629 prop = NULL;
1630 }
1631
1632 if (attrs == JSPROP_INITIALIZER) {
1633 /* Allow the new object to override properties. */
1634 if (obj2 != obj)
1635 return JS_TRUE;
1636 report = JSREPORT_WARNING | JSREPORT_STRICT;
1637 } else {
1638 /* We allow redeclaring some non-readonly properties. */
1639 if (((oldAttrs | attrs) & JSPROP_READONLY) == 0) {
1640 /*
1641 * Allow redeclaration of variables and functions, but insist that
1642 * the new value is not a getter if the old value was, ditto for
1643 * setters -- unless prop is impermanent (in which case anyone
1644 * could delete it and redefine it, willy-nilly).
1645 */
1646 if (!(attrs & (JSPROP_GETTER | JSPROP_SETTER)))
1647 return JS_TRUE;
1648 if ((~(oldAttrs ^ attrs) & (JSPROP_GETTER | JSPROP_SETTER)) == 0)
1649 return JS_TRUE;
1650 if (!(oldAttrs & JSPROP_PERMANENT))
1651 return JS_TRUE;
1652 }
1653
1654 report = JSREPORT_ERROR;
1655 isFunction = (oldAttrs & (JSPROP_GETTER | JSPROP_SETTER)) != 0;
1656 if (!isFunction) {
1657 if (!OBJ_GET_PROPERTY(cx, obj, id, &value))
1658 goto bad;
1659 isFunction = VALUE_IS_FUNCTION(cx, value);
1660 }
1661 }
1662
1663 type = (attrs == JSPROP_INITIALIZER)
1664 ? "property"
1665 : (oldAttrs & attrs & JSPROP_GETTER)
1666 ? js_getter_str
1667 : (oldAttrs & attrs & JSPROP_SETTER)
1668 ? js_setter_str
1669 : (oldAttrs & JSPROP_READONLY)
1670 ? js_const_str
1671 : isFunction
1672 ? js_function_str
1673 : js_var_str;
1674 name = js_ValueToPrintableString(cx, ID_TO_VALUE(id));
1675 if (!name)
1676 goto bad;
1677 return JS_ReportErrorFlagsAndNumber(cx, report,
1678 js_GetErrorMessage, NULL,
1679 JSMSG_REDECLARED_VAR,
1680 type, name);
1681
1682 bad:
1683 if (propp) {
1684 *objp = NULL;
1685 *propp = NULL;
1686 }
1687 JS_ASSERT(!prop);
1688 return JS_FALSE;
1689 }
1690
1691 JSBool
1692 js_StrictlyEqual(JSContext *cx, jsval lval, jsval rval)
1693 {
1694 jsval ltag = JSVAL_TAG(lval), rtag = JSVAL_TAG(rval);
1695 jsdouble ld, rd;
1696
1697 if (ltag == rtag) {
1698 if (ltag == JSVAL_STRING) {
1699 JSString *lstr = JSVAL_TO_STRING(lval),
1700 *rstr = JSVAL_TO_STRING(rval);
1701 return js_EqualStrings(lstr, rstr);
1702 }
1703 if (ltag == JSVAL_DOUBLE) {
1704 ld = *JSVAL_TO_DOUBLE(lval);
1705 rd = *JSVAL_TO_DOUBLE(rval);
1706 return JSDOUBLE_COMPARE(ld, ==, rd, JS_FALSE);
1707 }
1708 if (ltag == JSVAL_OBJECT &&
1709 lval != rval &&
1710 !JSVAL_IS_NULL(lval) &&
1711 !JSVAL_IS_NULL(rval)) {
1712 JSObject *lobj, *robj;
1713
1714 lobj = js_GetWrappedObject(cx, JSVAL_TO_OBJECT(lval));
1715 robj = js_GetWrappedObject(cx, JSVAL_TO_OBJECT(rval));
1716 lval = OBJECT_TO_JSVAL(lobj);
1717 rval = OBJECT_TO_JSVAL(robj);
1718 }
1719 return lval == rval;
1720 }
1721 if (ltag == JSVAL_DOUBLE && JSVAL_IS_INT(rval)) {
1722 ld = *JSVAL_TO_DOUBLE(lval);
1723 rd = JSVAL_TO_INT(rval);
1724 return JSDOUBLE_COMPARE(ld, ==, rd, JS_FALSE);
1725 }
1726 if (JSVAL_IS_INT(lval) && rtag == JSVAL_DOUBLE) {
1727 ld = JSVAL_TO_INT(lval);
1728 rd = *JSVAL_TO_DOUBLE(rval);
1729 return JSDOUBLE_COMPARE(ld, ==, rd, JS_FALSE);
1730 }
1731 return lval == rval;
1732 }
1733
1734 JSBool
1735 js_InvokeConstructor(JSContext *cx, uintN argc, JSBool clampReturn, jsval *vp)
1736 {
1737 JSFunction *fun, *fun2;
1738 JSObject *obj, *obj2, *proto, *parent;
1739 jsval lval, rval;
1740 JSClass *clasp;
1741
1742 fun = NULL;
1743 obj2 = NULL;
1744 lval = *vp;
1745 if (!JSVAL_IS_OBJECT(lval) ||
1746 (obj2 = JSVAL_TO_OBJECT(lval)) == NULL ||
1747 /* XXX clean up to avoid special cases above ObjectOps layer */
1748 OBJ_GET_CLASS(cx, obj2) == &js_FunctionClass ||
1749 !obj2->map->ops->construct)
1750 {
1751 fun = js_ValueToFunction(cx, vp, JSV2F_CONSTRUCT);
1752 if (!fun)
1753 return JS_FALSE;
1754 }
1755
1756 clasp = &js_ObjectClass;
1757 if (!obj2) {
1758 proto = parent = NULL;
1759 fun = NULL;
1760 } else {
1761 /*
1762 * Get the constructor prototype object for this function.
1763 * Use the nominal 'this' parameter slot, vp[1], as a local
1764 * root to protect this prototype, in case it has no other
1765 * strong refs.
1766 */
1767 if (!OBJ_GET_PROPERTY(cx, obj2,
1768 ATOM_TO_JSID(cx->runtime->atomState
1769 .classPrototypeAtom),
1770 &vp[1])) {
1771 return JS_FALSE;
1772 }
1773 rval = vp[1];
1774 proto = JSVAL_IS_OBJECT(rval) ? JSVAL_TO_OBJECT(rval) : NULL;
1775 parent = OBJ_GET_PARENT(cx, obj2);
1776
1777 if (OBJ_GET_CLASS(cx, obj2) == &js_FunctionClass) {
1778 fun2 = GET_FUNCTION_PRIVATE(cx, obj2);
1779 if (!FUN_INTERPRETED(fun2) &&
1780 !(fun2->flags & JSFUN_TRACEABLE) &&
1781 fun2->u.n.u.clasp) {
1782 clasp = fun2->u.n.u.clasp;
1783 }
1784 }
1785 }
1786 obj = js_NewObject(cx, clasp, proto, parent, 0);
1787 if (!obj)
1788 return JS_FALSE;
1789
1790 /* Now we have an object with a constructor method; call it. */
1791 vp[1] = OBJECT_TO_JSVAL(obj);
1792 if (!js_Invoke(cx, argc, vp, JSINVOKE_CONSTRUCT)) {
1793 cx->weakRoots.newborn[GCX_OBJECT] = NULL;
1794 return JS_FALSE;
1795 }
1796
1797 /* Check the return value and if it's primitive, force it to be obj. */
1798 rval = *vp;
1799 if (clampReturn && JSVAL_IS_PRIMITIVE(rval)) {
1800 if (!fun) {
1801 /* native [[Construct]] returning primitive is error */
1802 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
1803 JSMSG_BAD_NEW_RESULT,
1804 js_ValueToPrintableString(cx, rval));
1805 return JS_FALSE;
1806 }
1807 *vp = OBJECT_TO_JSVAL(obj);
1808 }
1809
1810 JS_RUNTIME_METER(cx->runtime, constructs);
1811 return JS_TRUE;
1812 }
1813
1814 JSBool
1815 js_InternNonIntElementId(JSContext *cx, JSObject *obj, jsval idval, jsid *idp)
1816 {
1817 JS_ASSERT(!JSVAL_IS_INT(idval));
1818
1819 #if JS_HAS_XML_SUPPORT
1820 if (!JSVAL_IS_PRIMITIVE(idval)) {
1821 if (OBJECT_IS_XML(cx, obj)) {
1822 *idp = OBJECT_JSVAL_TO_JSID(idval);
1823 return JS_TRUE;
1824 }
1825 if (!js_IsFunctionQName(cx, JSVAL_TO_OBJECT(idval), idp))
1826 return JS_FALSE;
1827 if (*idp != 0)
1828 return JS_TRUE;
1829 }
1830 #endif
1831
1832 return js_ValueToStringId(cx, idval, idp);
1833 }
1834
1835 /*
1836 * Enter the new with scope using an object at sp[-1] and associate the depth
1837 * of the with block with sp + stackIndex.
1838 */
1839 JS_STATIC_INTERPRET JS_REQUIRES_STACK JSBool
1840 js_EnterWith(JSContext *cx, jsint stackIndex)
1841 {
1842 JSStackFrame *fp;
1843 jsval *sp;
1844 JSObject *obj, *parent, *withobj;
1845
1846 fp = cx->fp;
1847 sp = fp->regs->sp;
1848 JS_ASSERT(stackIndex < 0);
1849 JS_ASSERT(StackBase(fp) <= sp + stackIndex);
1850
1851 if (!JSVAL_IS_PRIMITIVE(sp[-1])) {
1852 obj = JSVAL_TO_OBJECT(sp[-1]);
1853 } else {
1854 obj = js_ValueToNonNullObject(cx, sp[-1]);
1855 if (!obj)
1856 return JS_FALSE;
1857 sp[-1] = OBJECT_TO_JSVAL(obj);
1858 }
1859
1860 parent = js_GetScopeChain(cx, fp);
1861 if (!parent)
1862 return JS_FALSE;
1863
1864 OBJ_TO_INNER_OBJECT(cx, obj);
1865 if (!obj)
1866 return JS_FALSE;
1867
1868 withobj = js_NewWithObject(cx, obj, parent,
1869 sp + stackIndex - StackBase(fp));
1870 if (!withobj)
1871 return JS_FALSE;
1872
1873 fp->scopeChain = withobj;
1874 js_DisablePropertyCache(cx);
1875 return JS_TRUE;
1876 }
1877
1878 JS_STATIC_INTERPRET JS_REQUIRES_STACK void
1879 js_LeaveWith(JSContext *cx)
1880 {
1881 JSObject *withobj;
1882
1883 withobj = cx->fp->scopeChain;
1884 JS_ASSERT(OBJ_GET_CLASS(cx, withobj) == &js_WithClass);
1885 JS_ASSERT(OBJ_GET_PRIVATE(cx, withobj) == cx->fp);
1886 JS_ASSERT(OBJ_BLOCK_DEPTH(cx, withobj) >= 0);
1887 cx->fp->scopeChain = OBJ_GET_PARENT(cx, withobj);
1888 JS_SetPrivate(cx, withobj, NULL);
1889 js_EnablePropertyCache(cx);
1890 }
1891
1892 JS_REQUIRES_STACK JSClass *
1893 js_IsActiveWithOrBlock(JSContext *cx, JSObject *obj, int stackDepth)
1894 {
1895 JSClass *clasp;
1896
1897 clasp = OBJ_GET_CLASS(cx, obj);
1898 if ((clasp == &js_WithClass || clasp == &js_BlockClass) &&
1899 OBJ_GET_PRIVATE(cx, obj) == cx->fp &&
1900 OBJ_BLOCK_DEPTH(cx, obj) >= stackDepth) {
1901 return clasp;
1902 }
1903 return NULL;
1904 }
1905
1906 JS_STATIC_INTERPRET JS_REQUIRES_STACK jsint
1907 js_CountWithBlocks(JSContext *cx, JSStackFrame *fp)
1908 {
1909 jsint n;
1910 JSObject *obj;
1911 JSClass *clasp;
1912
1913 n = 0;
1914 for (obj = fp->scopeChain;
1915 (clasp = js_IsActiveWithOrBlock(cx, obj, 0)) != NULL;
1916 obj = OBJ_GET_PARENT(cx, obj)) {
1917 if (clasp == &js_WithClass)
1918 ++n;
1919 }
1920 return n;
1921 }
1922
1923 /*
1924 * Unwind block and scope chains to match the given depth. The function sets
1925 * fp->sp on return to stackDepth.
1926 */
1927 JS_REQUIRES_STACK JSBool
1928 js_UnwindScope(JSContext *cx, JSStackFrame *fp, jsint stackDepth,
1929 JSBool normalUnwind)
1930 {
1931 JSObject *obj;
1932 JSClass *clasp;
1933
1934 JS_ASSERT(stackDepth >= 0);
1935 JS_ASSERT(StackBase(fp) + stackDepth <= fp->regs->sp);
1936
1937 for (obj = fp->blockChain; obj; obj = OBJ_GET_PARENT(cx, obj)) {
1938 JS_ASSERT(OBJ_GET_CLASS(cx, obj) == &js_BlockClass);
1939 if (OBJ_BLOCK_DEPTH(cx, obj) < stackDepth)
1940 break;
1941 }
1942 fp->blockChain = obj;
1943
1944 for (;;) {
1945 obj = fp->scopeChain;
1946 clasp = js_IsActiveWithOrBlock(cx, obj, stackDepth);
1947 if (!clasp)
1948 break;
1949 if (clasp == &js_BlockClass) {
1950 /* Don't fail until after we've updated all stacks. */
1951 normalUnwind &= js_PutBlockObject(cx, normalUnwind);
1952 } else {
1953 js_LeaveWith(cx);
1954 }
1955 }
1956
1957 fp->regs->sp = StackBase(fp) + stackDepth;
1958 return normalUnwind;
1959 }
1960
1961 JS_STATIC_INTERPRET JSBool
1962 js_DoIncDec(JSContext *cx, const JSCodeSpec *cs, jsval *vp, jsval *vp2)
1963 {
1964 jsval v;
1965 jsdouble d;
1966
1967 v = *vp;
1968 if (JSVAL_IS_DOUBLE(v)) {
1969 d = *JSVAL_TO_DOUBLE(v);
1970 } else if (JSVAL_IS_INT(v)) {
1971 d = JSVAL_TO_INT(v);
1972 } else {
1973 d = js_ValueToNumber(cx, vp);
1974 if (JSVAL_IS_NULL(*vp))
1975 return JS_FALSE;
1976 JS_ASSERT(JSVAL_IS_NUMBER(*vp) || *vp == JSVAL_TRUE);
1977
1978 /* Store the result of v conversion back in vp for post increments. */
1979 if ((cs->format & JOF_POST) &&
1980 *vp == JSVAL_TRUE
1981 && !js_NewNumberInRootedValue(cx, d, vp)) {
1982 return JS_FALSE;
1983 }
1984 }
1985
1986 (cs->format & JOF_INC) ? d++ : d--;
1987 if (!js_NewNumberInRootedValue(cx, d, vp2))
1988 return JS_FALSE;
1989
1990 if (!(cs->format & JOF_POST))
1991 *vp = *vp2;
1992 return JS_TRUE;
1993 }
1994
1995 #ifdef DEBUG
1996
1997 JS_STATIC_INTERPRET JS_REQUIRES_STACK void
1998 js_TraceOpcode(JSContext *cx, jsint len)
1999 {
2000 FILE *tracefp;
2001 JSStackFrame *fp;
2002 JSFrameRegs *regs;
2003 JSOp prevop;
2004 intN ndefs, n, nuses;
2005 jsval *siter;
2006 JSString *str;
2007 JSOp op;
2008
2009 tracefp = (FILE *) cx->tracefp;
2010 JS_ASSERT(tracefp);
2011 fp = cx->fp;
2012 regs = fp->regs;
2013 if (len != 0) {
2014 prevop = (JSOp) regs->pc[-len];
2015 ndefs = js_CodeSpec[prevop].ndefs;
2016 if (ndefs != 0) {
2017 for (n = -ndefs; n < 0; n++) {
2018 char *bytes = js_DecompileValueGenerator(cx, n, regs->sp[n],
2019 NULL);
2020 if (bytes) {
2021 fprintf(tracefp, "%s %s",
2022 (n == -ndefs) ? " output:" : ",",
2023 bytes);
2024 JS_free(cx, bytes);
2025 }
2026 }
2027 fprintf(tracefp, " @ %u\n", (uintN) (regs->sp - StackBase(fp)));
2028 }
2029 fprintf(tracefp, " stack: ");
2030 for (siter = StackBase(fp); siter < regs->sp; siter++) {
2031 str = js_ValueToString(cx, *siter);
2032 if (!str)
2033 fputs("<null>", tracefp);
2034 else
2035 js_FileEscapedString(tracefp, str, 0);
2036 fputc(' ', tracefp);
2037 }
2038 fputc('\n', tracefp);
2039 }
2040
2041 fprintf(tracefp, "%4u: ",
2042 js_PCToLineNumber(cx, fp->script, fp->imacpc ? fp->imacpc : regs->pc));
2043 js_Disassemble1(cx, fp->script, regs->pc,
2044 PTRDIFF(regs->pc, fp->script->code, jsbytecode),
2045 JS_FALSE, tracefp);
2046 op = (JSOp) *regs->pc;
2047 nuses = js_CodeSpec[op].nuses;
2048 if (nuses != 0) {
2049 for (n = -nuses; n < 0; n++) {
2050 char *bytes = js_DecompileValueGenerator(cx, n, regs->sp[n],
2051 NULL);
2052 if (bytes) {
2053 fprintf(tracefp, "%s %s",
2054 (n == -nuses) ? " inputs:" : ",",
2055 bytes);
2056 JS_free(cx, bytes);
2057 }
2058 }
2059 fprintf(tracefp, " @ %u\n", (uintN) (regs->sp - StackBase(fp)));
2060 }
2061 }
2062
2063 #endif /* DEBUG */
2064
2065 #ifdef JS_OPMETER
2066
2067 # include <stdlib.h>
2068
2069 # define HIST_NSLOTS 8
2070
2071 /*
2072 * The second dimension is hardcoded at 256 because we know that many bits fit
2073 * in a byte, and mainly to optimize away multiplying by JSOP_LIMIT to address
2074 * any particular row.
2075 */
2076 static uint32 succeeds[JSOP_LIMIT][256];
2077 static uint32 slot_ops[JSOP_LIMIT][HIST_NSLOTS];
2078
2079 JS_STATIC_INTERPRET void
2080 js_MeterOpcodePair(JSOp op1, JSOp op2)
2081 {
2082 if (op1 != JSOP_STOP)
2083 ++succeeds[op1][op2];
2084 }
2085
2086 JS_STATIC_INTERPRET void
2087 js_MeterSlotOpcode(JSOp op, uint32 slot)
2088 {
2089 if (slot < HIST_NSLOTS)
2090 ++slot_ops[op][slot];
2091 }
2092
2093 typedef struct Edge {
2094 const char *from;
2095 const char *to;
2096 uint32 count;
2097 } Edge;
2098
2099 static int
2100 compare_edges(const void *a, const void *b)
2101 {
2102 const Edge *ea = (const Edge *) a;
2103 const Edge *eb = (const Edge *) b;
2104
2105 return (int32)eb->count - (int32)ea->count;
2106 }
2107
2108 void
2109 js_DumpOpMeters()
2110 {
2111 const char *name, *from, *style;
2112 FILE *fp;
2113 uint32 total, count;
2114 uint32 i, j, nedges;
2115 Edge *graph;
2116
2117 name = getenv("JS_OPMETER_FILE");
2118 if (!name)
2119 name = "/tmp/ops.dot";
2120 fp = fopen(name, "w");
2121 if (!fp) {
2122 perror(name);
2123 return;
2124 }
2125
2126 total = nedges = 0;
2127 for (i = 0; i < JSOP_LIMIT; i++) {
2128 for (j = 0; j < JSOP_LIMIT; j++) {
2129 count = succeeds[i][j];
2130 if (count != 0) {
2131 total += count;
2132 ++nedges;
2133 }
2134 }
2135 }
2136
2137 # define SIGNIFICANT(count,total) (200. * (count) >= (total))
2138
2139 graph = (Edge *) calloc(nedges, sizeof graph[0]);
2140 for (i = nedges = 0; i < JSOP_LIMIT; i++) {
2141 from = js_CodeName[i];
2142 for (j = 0; j < JSOP_LIMIT; j++) {
2143 count = succeeds[i][j];
2144 if (count != 0 && SIGNIFICANT(count, total)) {
2145 graph[nedges].from = from;
2146 graph[nedges].to = js_CodeName[j];
2147 graph[nedges].count = count;
2148 ++nedges;
2149 }
2150 }
2151 }
2152 qsort(graph, nedges, sizeof(Edge), compare_edges);
2153
2154 # undef SIGNIFICANT
2155
2156 fputs("digraph {\n", fp);
2157 for (i = 0, style = NULL; i < nedges; i++) {
2158 JS_ASSERT(i == 0 || graph[i-1].count >= graph[i].count);
2159 if (!style || graph[i-1].count != graph[i].count) {
2160 style = (i > nedges * .75) ? "dotted" :
2161 (i > nedges * .50) ? "dashed" :
2162 (i > nedges * .25) ? "solid" : "bold";
2163 }
2164 fprintf(fp, " %s -> %s [label=\"%lu\" style=%s]\n",
2165 graph[i].from, graph[i].to,
2166 (unsigned long)graph[i].count, style);
2167 }
2168 free(graph);
2169 fputs("}\n", fp);
2170 fclose(fp);
2171
2172 name = getenv("JS_OPMETER_HIST");
2173 if (!name)
2174 name = "/tmp/ops.hist";
2175 fp = fopen(name, "w");
2176 if (!fp) {
2177 perror(name);
2178 return;
2179 }
2180 fputs("bytecode", fp);
2181 for (j = 0; j < HIST_NSLOTS; j++)
2182 fprintf(fp, " slot %1u", (unsigned)j);
2183 putc('\n', fp);
2184 fputs("========", fp);
2185 for (j = 0; j < HIST_NSLOTS; j++)
2186 fputs(" =======", fp);
2187 putc('\n', fp);
2188 for (i = 0; i < JSOP_LIMIT; i++) {
2189 for (j = 0; j < HIST_NSLOTS; j++) {
2190 if (slot_ops[i][j] != 0) {
2191 /* Reuse j in the next loop, since we break after. */
2192 fprintf(fp, "%-8.8s", js_CodeName[i]);
2193 for (j = 0; j < HIST_NSLOTS; j++)
2194 fprintf(fp, " %7lu", (unsigned long)slot_ops[i][j]);
2195 putc('\n', fp);
2196 break;
2197 }
2198 }
2199 }
2200 fclose(fp);
2201 }
2202
2203 #endif /* JS_OPSMETER */
2204
2205 #endif /* !JS_LONE_INTERPRET ^ defined jsinvoke_cpp___ */
2206
2207 #ifndef jsinvoke_cpp___
2208
2209 #define PUSH(v) (*regs.sp++ = (v))
2210 #define PUSH_OPND(v) PUSH(v)
2211 #define STORE_OPND(n,v) (regs.sp[n] = (v))
2212 #define POP() (*--regs.sp)
2213 #define POP_OPND() POP()
2214 #define FETCH_OPND(n) (regs.sp[n])
2215
2216 /*
2217 * Push the jsdouble d using sp from the lexical environment. Try to convert d
2218 * to a jsint that fits in a jsval, otherwise GC-alloc space for it and push a
2219 * reference.
2220 */
2221 #define STORE_NUMBER(cx, n, d) \
2222 JS_BEGIN_MACRO \
2223 jsint i_; \
2224 \
2225 if (JSDOUBLE_IS_INT(d, i_) && INT_FITS_IN_JSVAL(i_)) \
2226 regs.sp[n] = INT_TO_JSVAL(i_); \
2227 else if (!js_NewDoubleInRootedValue(cx, d, &regs.sp[n])) \
2228 goto error; \
2229 JS_END_MACRO
2230
2231 #define STORE_INT(cx, n, i) \
2232 JS_BEGIN_MACRO \
2233 if (INT_FITS_IN_JSVAL(i)) \
2234 regs.sp[n] = INT_TO_JSVAL(i); \
2235 else if (!js_NewDoubleInRootedValue(cx, (jsdouble) (i), &regs.sp[n])) \
2236 goto error; \
2237 JS_END_MACRO
2238
2239 #define STORE_UINT(cx, n, u) \
2240 JS_BEGIN_MACRO \
2241 if ((u) <= JSVAL_INT_MAX) \
2242 regs.sp[n] = INT_TO_JSVAL(u); \
2243 else if (!js_NewDoubleInRootedValue(cx, (jsdouble) (u), &regs.sp[n])) \
2244 goto error; \
2245 JS_END_MACRO
2246
2247 #define FETCH_NUMBER(cx, n, d) \
2248 JS_BEGIN_MACRO \
2249 jsval v_; \
2250 \
2251 v_ = FETCH_OPND(n); \
2252 VALUE_TO_NUMBER(cx, n, v_, d); \
2253 JS_END_MACRO
2254
2255 #define FETCH_INT(cx, n, i) \
2256 JS_BEGIN_MACRO \
2257 jsval v_; \
2258 \
2259 v_= FETCH_OPND(n); \
2260 if (JSVAL_IS_INT(v_)) { \
2261 i = JSVAL_TO_INT(v_); \
2262 } else { \
2263 i = js_ValueToECMAInt32(cx, &regs.sp[n]); \
2264 if (JSVAL_IS_NULL(regs.sp[n])) \
2265 goto error; \
2266 } \
2267 JS_END_MACRO
2268
2269 #define FETCH_UINT(cx, n, ui) \
2270 JS_BEGIN_MACRO \
2271 jsval v_; \
2272 \
2273 v_= FETCH_OPND(n); \
2274 if (JSVAL_IS_INT(v_)) { \
2275 ui = (uint32) JSVAL_TO_INT(v_); \
2276 } else { \
2277 ui = js_ValueToECMAUint32(cx, &regs.sp[n]); \
2278 if (JSVAL_IS_NULL(regs.sp[n])) \
2279 goto error; \
2280 } \
2281 JS_END_MACRO
2282
2283 /*
2284 * Optimized conversion macros that test for the desired type in v before
2285 * homing sp and calling a conversion function.
2286 */
2287 #define VALUE_TO_NUMBER(cx, n, v, d) \
2288 JS_BEGIN_MACRO \
2289 JS_ASSERT(v == regs.sp[n]); \
2290 if (JSVAL_IS_INT(v)) { \
2291 d = (jsdouble)JSVAL_TO_INT(v); \
2292 } else if (JSVAL_IS_DOUBLE(v)) { \
2293 d = *JSVAL_TO_DOUBLE(v); \
2294 } else { \
2295 d = js_ValueToNumber(cx, &regs.sp[n]); \
2296 if (JSVAL_IS_NULL(regs.sp[n])) \
2297 goto error; \
2298 JS_ASSERT(JSVAL_IS_NUMBER(regs.sp[n]) || \
2299 regs.sp[n] == JSVAL_TRUE); \
2300 } \
2301 JS_END_MACRO
2302
2303 #define POP_BOOLEAN(cx, v, b) \
2304 JS_BEGIN_MACRO \
2305 v = FETCH_OPND(-1); \
2306 if (v == JSVAL_NULL) { \
2307 b = JS_FALSE; \
2308 } else if (JSVAL_IS_BOOLEAN(v)) { \
2309 b = JSVAL_TO_BOOLEAN(v); \
2310 } else { \
2311 b = js_ValueToBoolean(v); \
2312 } \
2313 regs.sp--; \
2314 JS_END_MACRO
2315
2316 #define VALUE_TO_OBJECT(cx, n, v, obj) \
2317 JS_BEGIN_MACRO \
2318 if (!JSVAL_IS_PRIMITIVE(v)) { \
2319 obj = JSVAL_TO_OBJECT(v); \
2320 } else { \
2321 obj = js_ValueToNonNullObject(cx, v); \
2322 if (!obj) \
2323 goto error; \
2324 STORE_OPND(n, OBJECT_TO_JSVAL(obj)); \
2325 } \
2326 JS_END_MACRO
2327
2328 #define FETCH_OBJECT(cx, n, v, obj) \
2329 JS_BEGIN_MACRO \
2330 v = FETCH_OPND(n); \
2331 VALUE_TO_OBJECT(cx, n, v, obj); \
2332 JS_END_MACRO
2333
2334 #define DEFAULT_VALUE(cx, n, hint, v) \
2335 JS_BEGIN_MACRO \
2336 JS_ASSERT(!JSVAL_IS_PRIMITIVE(v)); \
2337 JS_ASSERT(v == regs.sp[n]); \
2338 if (!OBJ_DEFAULT_VALUE(cx, JSVAL_TO_OBJECT(v), hint, &regs.sp[n])) \
2339 goto error; \
2340 v = regs.sp[n]; \
2341 JS_END_MACRO
2342
2343 /*
2344 * Quickly test if v is an int from the [-2**29, 2**29) range, that is, when
2345 * the lowest bit of v is 1 and the bits 30 and 31 are both either 0 or 1. For
2346 * such v we can do increment or decrement via adding or subtracting two
2347 * without checking that the result overflows JSVAL_INT_MIN or JSVAL_INT_MAX.
2348 */
2349 #define CAN_DO_FAST_INC_DEC(v) (((((v) << 1) ^ v) & 0x80000001) == 1)
2350
2351 JS_STATIC_ASSERT(JSVAL_INT == 1);
2352 JS_STATIC_ASSERT(!CAN_DO_FAST_INC_DEC(INT_TO_JSVAL(JSVAL_INT_MIN)));
2353 JS_STATIC_ASSERT(!CAN_DO_FAST_INC_DEC(INT_TO_JSVAL(JSVAL_INT_MAX)));
2354
2355 /*
2356 * Conditional assert to detect failure to clear a pending exception that is
2357 * suppressed (or unintentional suppression of a wanted exception).
2358 */
2359 #if defined DEBUG_brendan || defined DEBUG_mrbkap || defined DEBUG_shaver
2360 # define DEBUG_NOT_THROWING 1
2361 #endif
2362
2363 #ifdef DEBUG_NOT_THROWING
2364 # define ASSERT_NOT_THROWING(cx) JS_ASSERT(!(cx)->throwing)
2365 #else
2366 # define ASSERT_NOT_THROWING(cx) /* nothing */
2367 #endif
2368
2369 /*
2370 * Define JS_OPMETER to instrument bytecode succession, generating a .dot file
2371 * on shutdown that shows the graph of significant predecessor/successor pairs
2372 * executed, where the edge labels give the succession counts. The .dot file
2373 * is named by the JS_OPMETER_FILE envariable, and defaults to /tmp/ops.dot.
2374 *
2375 * Bonus feature: JS_OPMETER also enables counters for stack-addressing ops
2376 * such as JSOP_GETLOCAL, JSOP_INCARG, via METER_SLOT_OP. The resulting counts
2377 * are written to JS_OPMETER_HIST, defaulting to /tmp/ops.hist.
2378 */
2379 #ifndef JS_OPMETER
2380 # define METER_OP_INIT(op) /* nothing */
2381 # define METER_OP_PAIR(op1,op2) /* nothing */
2382 # define METER_SLOT_OP(op,slot) /* nothing */
2383 #else
2384
2385 /*
2386 * The second dimension is hardcoded at 256 because we know that many bits fit
2387 * in a byte, and mainly to optimize away multiplying by JSOP_LIMIT to address
2388 * any particular row.
2389 */
2390 # define METER_OP_INIT(op) ((op) = JSOP_STOP)
2391 # define METER_OP_PAIR(op1,op2) (js_MeterOpcodePair(op1, op2))
2392 # define METER_SLOT_OP(op,slot) (js_MeterSlotOpcode(op, slot))
2393
2394 #endif
2395
2396 #define MAX_INLINE_CALL_COUNT 3000
2397
2398 /*
2399 * Threaded interpretation via computed goto appears to be well-supported by
2400 * GCC 3 and higher. IBM's C compiler when run with the right options (e.g.,
2401 * -qlanglvl=extended) also supports threading. Ditto the SunPro C compiler.
2402 * Currently it's broken for JS_VERSION < 160, though this isn't worth fixing.
2403 * Add your compiler support macros here.
2404 */
2405 #ifndef JS_THREADED_INTERP
2406 # if JS_VERSION >= 160 && ( \
2407 __GNUC__ >= 3 || \
2408 (__IBMC__ >= 700 && defined __IBM_COMPUTED_GOTO) || \
2409 __SUNPRO_C >= 0x570)
2410 # define JS_THREADED_INTERP 1
2411 # else
2412 # define JS_THREADED_INTERP 0
2413 # endif
2414 #endif
2415
2416 /*
2417 * Interpreter assumes the following to implement condition-free interrupt
2418 * implementation when !JS_THREADED_INTERP.
2419 */
2420 JS_STATIC_ASSERT(JSOP_INTERRUPT == 0);
2421
2422 /*
2423 * Ensure that the intrepreter switch can close call-bytecode cases in the
2424 * same way as non-call bytecodes.
2425 */
2426 JS_STATIC_ASSERT(JSOP_NAME_LENGTH == JSOP_CALLNAME_LENGTH);
2427 JS_STATIC_ASSERT(JSOP_GETGVAR_LENGTH == JSOP_CALLGVAR_LENGTH);
2428 JS_STATIC_ASSERT(JSOP_GETUPVAR_LENGTH == JSOP_CALLUPVAR_LENGTH);
2429 JS_STATIC_ASSERT(JSOP_GETARG_LENGTH == JSOP_CALLARG_LENGTH);
2430 JS_STATIC_ASSERT(JSOP_GETLOCAL_LENGTH == JSOP_CALLLOCAL_LENGTH);
2431 JS_STATIC_ASSERT(JSOP_XMLNAME_LENGTH == JSOP_CALLXMLNAME_LENGTH);
2432
2433 /*
2434 * Same for JSOP_SETNAME and JSOP_SETPROP, which differ only slightly but
2435 * remain distinct for the decompiler. Ditto for JSOP_NULL{,THIS}.
2436 */
2437 JS_STATIC_ASSERT(JSOP_SETNAME_LENGTH == JSOP_SETPROP_LENGTH);
2438 JS_STATIC_ASSERT(JSOP_NULL_LENGTH == JSOP_NULLTHIS_LENGTH);
2439
2440 /* See TRY_BRANCH_AFTER_COND. */
2441 JS_STATIC_ASSERT(JSOP_IFNE_LENGTH == JSOP_IFEQ_LENGTH);
2442 JS_STATIC_ASSERT(JSOP_IFNE == JSOP_IFEQ + 1);
2443
2444 /* For the fastest case inder JSOP_INCNAME, etc. */
2445 JS_STATIC_ASSERT(JSOP_INCNAME_LENGTH == JSOP_DECNAME_LENGTH);
2446 JS_STATIC_ASSERT(JSOP_INCNAME_LENGTH == JSOP_NAMEINC_LENGTH);
2447 JS_STATIC_ASSERT(JSOP_INCNAME_LENGTH == JSOP_NAMEDEC_LENGTH);
2448
2449 JS_REQUIRES_STACK JSBool
2450 js_Interpret(JSContext *cx)
2451 {
2452 JSRuntime *rt;
2453 JSStackFrame *fp;
2454 JSScript *script;
2455 uintN inlineCallCount;
2456 JSAtom **atoms;
2457 JSVersion currentVersion, originalVersion;
2458 JSFrameRegs regs;
2459 JSObject *obj, *obj2, *parent;
2460 JSBool ok, cond;
2461 jsint len;
2462 jsbytecode *endpc, *pc2;
2463 JSOp op, op2;
2464 jsatomid index;
2465 JSAtom *atom;
2466 uintN argc, attrs, flags;
2467 uint32 slot;
2468 jsval *vp, lval, rval, ltmp, rtmp;
2469 jsid id;
2470 JSProperty *prop;
2471 JSScopeProperty *sprop;
2472 JSString *str, *str2;
2473 jsint i, j;
2474 jsdouble d, d2;
2475 JSClass *clasp;
2476 JSFunction *fun;
2477 JSType type;
2478 #if JS_THREADED_INTERP
2479 register void * const *jumpTable;
2480 #else
2481 register uint32 switchMask;
2482 uintN switchOp;
2483 #endif
2484 jsint low, high, off, npairs;
2485 JSBool match;
2486 #if JS_HAS_GETTER_SETTER
2487 JSPropertyOp getter, setter;
2488 #endif
2489 JSAutoResolveFlags rf(cx, JSRESOLVE_INFER);
2490
2491 #ifdef __GNUC__
2492 # define JS_EXTENSION __extension__
2493 # define JS_EXTENSION_(s) __extension__ ({ s; })
2494 #else
2495 # define JS_EXTENSION
2496 # define JS_EXTENSION_(s) s
2497 #endif
2498
2499 #if JS_THREADED_INTERP
2500 static void *const normalJumpTable[] = {
2501 # define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
2502 JS_EXTENSION &&L_##op,
2503 # include "jsopcode.tbl"
2504 # undef OPDEF
2505 };
2506
2507 #ifdef JS_TRACER
2508 static void *const recordingJumpTable[] = {
2509 # define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
2510 JS_EXTENSION &&R_##op,
2511 # include "jsopcode.tbl"
2512 # undef OPDEF
2513 };
2514 #endif /* JS_TRACER */
2515
2516 static void *const interruptJumpTable[] = {
2517 # define OPDEF(op,val,name,token,length,nuses,ndefs,prec,format) \
2518 JS_EXTENSION &&L_JSOP_INTERRUPT,
2519 # include "jsopcode.tbl"
2520 # undef OPDEF
2521 };
2522
2523 METER_OP_INIT(op); /* to nullify first METER_OP_PAIR */
2524
2525 # ifdef JS_TRACER
2526 # define CHECK_RECORDER() JS_BEGIN_MACRO \
2527 JS_ASSERT(!TRACE_RECORDER(cx) ^ \
2528 (jumpTable == recordingJumpTable)); \
2529 JS_END_MACRO
2530 # else
2531 # define CHECK_RECORDER() ((void)0)
2532 # endif
2533
2534 # define DO_OP() JS_BEGIN_MACRO \
2535 CHECK_RECORDER(); \
2536 JS_EXTENSION_(goto *jumpTable[op]); \
2537 JS_END_MACRO
2538 # define DO_NEXT_OP(n) JS_BEGIN_MACRO \
2539 METER_OP_PAIR(op, regs.pc[n]); \
2540 op = (JSOp) *(regs.pc += (n)); \
2541 DO_OP(); \
2542 JS_END_MACRO
2543
2544 # define BEGIN_CASE(OP) L_##OP: \
2545 CHECK_RECORDER();
2546 # define END_CASE(OP) DO_NEXT_OP(OP##_LENGTH);
2547 # define END_VARLEN_CASE DO_NEXT_OP(len);
2548 # define ADD_EMPTY_CASE(OP) BEGIN_CASE(OP) \
2549 JS_ASSERT(js_CodeSpec[OP].length == 1); \
2550 op = (JSOp) *++regs.pc; \
2551 DO_OP();
2552
2553 # define END_EMPTY_CASES
2554
2555 #else /* !JS_THREADED_INTERP */
2556
2557 # define DO_OP() goto do_op
2558 # define DO_NEXT_OP(n) JS_BEGIN_MACRO \
2559 JS_ASSERT((n) == len); \
2560 goto advance_pc; \
2561 JS_END_MACRO
2562
2563 # define BEGIN_CASE(OP) case OP:
2564 # define END_CASE(OP) END_CASE_LEN(OP##_LENGTH)
2565 # define END_CASE_LEN(n) END_CASE_LENX(n)
2566 # define END_CASE_LENX(n) END_CASE_LEN##n
2567
2568 /*
2569 * To share the code for all len == 1 cases we use the specialized label with
2570 * code that falls through to advance_pc: .
2571 */
2572 # define END_CASE_LEN1 goto advance_pc_by_one;
2573 # define END_CASE_LEN2 len = 2; goto advance_pc;
2574 # define END_CASE_LEN3 len = 3; goto advance_pc;
2575 # define END_CASE_LEN4 len = 4; goto advance_pc;
2576 # define END_CASE_LEN5 len = 5; goto advance_pc;
2577 # define END_VARLEN_CASE goto advance_pc;
2578 # define ADD_EMPTY_CASE(OP) BEGIN_CASE(OP)
2579 # define END_EMPTY_CASES goto advance_pc_by_one;
2580
2581 #endif /* !JS_THREADED_INTERP */
2582
2583 #ifdef JS_TRACER
2584 /* We had better not be entering the interpreter from JIT-compiled code. */
2585 TraceRecorder *tr = NULL;
2586 if (JS_ON_TRACE(cx)) {
2587 tr = TRACE_RECORDER(cx);
2588 SET_TRACE_RECORDER(cx, NULL);
2589 JS_TRACE_MONITOR(cx).onTrace = JS_FALSE;
2590 /*
2591 * ON_TRACE means either recording or coming from traced code.
2592 * If there's no recorder (the latter case), don't care.
2593 */
2594 if (tr) {
2595 if (tr->wasDeepAborted())
2596 tr->removeFragmentoReferences();
2597 else
2598 tr->pushAbortStack();
2599 }
2600 }
2601 #endif
2602
2603 /* Check for too deep of a native thread stack. */
2604 JS_CHECK_RECURSION(cx, return JS_FALSE);
2605
2606 rt = cx->runtime;
2607
2608 /* Set registerized frame pointer and derived script pointer. */
2609 fp = cx->fp;
2610 script = fp->script;
2611 JS_ASSERT(script->length != 0);
2612
2613 /* Count of JS function calls that nest in this C js_Interpret frame. */
2614 inlineCallCount = 0;
2615
2616 /*
2617 * Initialize the index segment register used by LOAD_ATOM and
2618 * GET_FULL_INDEX macros below. As a register we use a pointer based on
2619 * the atom map to turn frequently executed LOAD_ATOM into simple array
2620 * access. For less frequent object and regexp loads we have to recover
2621 * the segment from atoms pointer first.
2622 */
2623 atoms = script->atomMap.vector;
2624
2625 #define LOAD_ATOM(PCOFF) \
2626 JS_BEGIN_MACRO \
2627 JS_ASSERT(fp->imacpc \
2628 ? atoms == COMMON_ATOMS_START(&rt->atomState) && \
2629 GET_INDEX(regs.pc + PCOFF) < js_common_atom_count \
2630 : (size_t)(atoms - script->atomMap.vector) < \
2631 (size_t)(script->atomMap.length - \
2632 GET_INDEX(regs.pc + PCOFF))); \
2633 atom = atoms[GET_INDEX(regs.pc + PCOFF)]; \
2634 JS_END_MACRO
2635
2636 #define GET_FULL_INDEX(PCOFF) \
2637 (atoms - script->atomMap.vector + GET_INDEX(regs.pc + PCOFF))
2638
2639 #define LOAD_OBJECT(PCOFF) \
2640 JS_GET_SCRIPT_OBJECT(script, GET_FULL_INDEX(PCOFF), obj)
2641
2642 #define LOAD_FUNCTION(PCOFF) \
2643 JS_GET_SCRIPT_FUNCTION(script, GET_FULL_INDEX(PCOFF), fun)
2644
2645 #ifdef JS_TRACER
2646
2647 #define MONITOR_BRANCH() \
2648 JS_BEGIN_MACRO \
2649 if (TRACING_ENABLED(cx)) { \
2650 ENABLE_TRACER(js_MonitorLoopEdge(cx, inlineCallCount)); \
2651 fp = cx->fp; \
2652 script = fp->script; \
2653 atoms = script->atomMap.vector; \
2654 currentVersion = (JSVersion) script->version; \
2655 JS_ASSERT(fp->regs == &regs); \
2656 if (cx->throwing) \
2657 goto error; \
2658 } \
2659 JS_END_MACRO
2660
2661 #else /* !JS_TRACER */
2662
2663 #define MONITOR_BRANCH() ((void) 0)
2664
2665 #endif /* !JS_TRACER */
2666
2667 /*
2668 * Prepare to call a user-supplied branch handler, and abort the script
2669 * if it returns false.
2670 */
2671 #define CHECK_BRANCH() \
2672 JS_BEGIN_MACRO \
2673 if ((cx->operationCount -= JSOW_SCRIPT_JUMP) <= 0) { \
2674 if (!js_ResetOperationCount(cx)) \
2675 goto error; \
2676 } \
2677 JS_END_MACRO
2678
2679 #define BRANCH(n) \
2680 JS_BEGIN_MACRO \
2681 regs.pc += n; \
2682 if (n <= 0) { \
2683 CHECK_BRANCH(); \
2684 MONITOR_BRANCH(); \
2685 } \
2686 op = (JSOp) *regs.pc; \
2687 DO_OP(); \
2688 JS_END_MACRO
2689
2690 MUST_FLOW_THROUGH("exit");
2691 ++cx->interpLevel;
2692
2693 /*
2694 * Optimized Get and SetVersion for proper script language versioning.
2695 *
2696 * If any native method or JSClass/JSObjectOps hook calls js_SetVersion
2697 * and changes cx->version, the effect will "stick" and we will stop
2698 * maintaining currentVersion. This is relied upon by testsuites, for
2699 * the most part -- web browsers select version before compiling and not
2700 * at run-time.
2701 */
2702 currentVersion = (JSVersion) script->version;
2703 originalVersion = (JSVersion) cx->version;
2704 if (currentVersion != originalVersion)
2705 js_SetVersion(cx, currentVersion);
2706
2707 /* Update the static-link display. */
2708 if (script->staticDepth < JS_DISPLAY_SIZE) {
2709 JSStackFrame **disp = &cx->display[script->staticDepth];
2710 fp->displaySave = *disp;
2711 *disp = fp;
2712 }
2713 #ifdef DEBUG
2714 fp->pcDisabledSave = JS_PROPERTY_CACHE(cx).disabled;
2715 #endif
2716
2717 /*
2718 * Load the debugger's interrupt hook here and after calling out to native
2719 * functions (but not to getters, setters, or other native hooks), so we do
2720 * not have to reload it each time through the interpreter loop -- we hope
2721 * the compiler can keep it in a register when it is non-null.
2722 */
2723 #if JS_THREADED_INTERP
2724 #ifdef JS_TRACER
2725 # define LOAD_INTERRUPT_HANDLER(cx) \
2726 ((void) (jumpTable = (cx)->debugHooks->interruptHandler \
2727 ? interruptJumpTable \
2728 : TRACE_RECORDER(cx) \
2729 ? recordingJumpTable \
2730 : normalJumpTable))
2731 # define ENABLE_TRACER(flag) \
2732 JS_BEGIN_MACRO \
2733 bool flag_ = (flag); \
2734 JS_ASSERT(flag_ == !!TRACE_RECORDER(cx)); \
2735 jumpTable = flag_ ? recordingJumpTable : normalJumpTable; \
2736 JS_END_MACRO
2737 #else /* !JS_TRACER */
2738 # define LOAD_INTERRUPT_HANDLER(cx) \
2739 ((void) (jumpTable = (cx)->debugHooks->interruptHandler \
2740 ? interruptJumpTable \
2741 : normalJumpTable))
2742 # define ENABLE_TRACER(flag) ((void)0)
2743 #endif /* !JS_TRACER */
2744 #else /* !JS_THREADED_INTERP */
2745 #ifdef JS_TRACER
2746 # define LOAD_INTERRUPT_HANDLER(cx) \
2747 ((void) (switchMask = ((cx)->debugHooks->interruptHandler || \
2748 TRACE_RECORDER(cx)) ? 0 : 255))
2749 # define ENABLE_TRACER(flag) \
2750 JS_BEGIN_MACRO \
2751 bool flag_ = (flag); \
2752 JS_ASSERT(flag_ == !!TRACE_RECORDER(cx)); \
2753 switchMask = flag_ ? 0 : 255; \
2754 JS_END_MACRO
2755 #else /* !JS_TRACER */
2756 # define LOAD_INTERRUPT_HANDLER(cx) \
2757 ((void) (switchMask = ((cx)->debugHooks->interruptHandler \
2758 ? 0 : 255)))
2759 # define ENABLE_TRACER(flag) ((void)0)
2760 #endif /* !JS_TRACER */
2761 #endif /* !JS_THREADED_INTERP */
2762
2763 LOAD_INTERRUPT_HANDLER(cx);
2764
2765 #if !JS_HAS_GENERATORS
2766 JS_ASSERT(!fp->regs);
2767 #else
2768 /* Initialize the pc and sp registers unless we're resuming a generator. */
2769 if (JS_LIKELY(!fp->regs)) {
2770 #endif
2771 ASSERT_NOT_THROWING(cx);
2772 regs.pc = script->code;
2773 regs.sp = StackBase(fp);
2774 fp->regs = &regs;
2775 #if JS_HAS_GENERATORS
2776 } else {
2777 JSGenerator *gen;
2778
2779 JS_ASSERT(fp->flags & JSFRAME_GENERATOR);
2780 gen = FRAME_TO_GENERATOR(fp);
2781 JS_ASSERT(fp->regs == &gen->savedRegs);
2782 regs = gen->savedRegs;
2783 fp->regs = &regs;
2784 JS_ASSERT((size_t) (regs.pc - script->code) <= script->length);
2785 JS_ASSERT((size_t) (regs.sp - StackBase(fp)) <= StackDepth(script));
2786 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled >= 0);
2787 JS_PROPERTY_CACHE(cx).disabled += js_CountWithBlocks(cx, fp);
2788
2789 /*
2790 * To support generator_throw and to catch ignored exceptions,
2791 * fail if cx->throwing is set.
2792 */
2793 if (cx->throwing) {
2794 #ifdef DEBUG_NOT_THROWING
2795 if (cx->exception != JSVAL_ARETURN) {
2796 printf("JS INTERPRETER CALLED WITH PENDING EXCEPTION %lx\n",
2797 (unsigned long) cx->exception);
2798 }
2799 #endif
2800 goto error;
2801 }
2802 }
2803 #endif /* JS_HAS_GENERATORS */
2804
2805 /*
2806 * It is important that "op" be initialized before calling DO_OP because
2807 * it is possible for "op" to be specially assigned during the normal
2808 * processing of an opcode while looping. We rely on DO_NEXT_OP to manage
2809 * "op" correctly in all other cases.
2810 */
2811 len = 0;
2812 DO_NEXT_OP(len);
2813
2814 #if JS_THREADED_INTERP
2815 /*
2816 * This is a loop, but it does not look like a loop. The loop-closing
2817 * jump is distributed throughout goto *jumpTable[op] inside of DO_OP.
2818 * When interrupts are enabled, jumpTable is set to interruptJumpTable
2819 * where all jumps point to the JSOP_INTERRUPT case. The latter, after
2820 * calling the interrupt handler, dispatches through normalJumpTable to
2821 * continue the normal bytecode processing.
2822 */
2823 #else
2824 for (;;) {
2825 advance_pc_by_one:
2826 JS_ASSERT(js_CodeSpec[op].length == 1);
2827 len = 1;
2828 advance_pc:
2829 regs.pc += len;
2830 op = (JSOp) *regs.pc;
2831 #ifdef DEBUG
2832 if (cx->tracefp)
2833 js_TraceOpcode(cx, len);
2834 #endif
2835
2836 do_op:
2837 switchOp = op & switchMask;
2838 do_switch:
2839 switch (switchOp) {
2840 #endif /* !JS_THREADED_INTERP */
2841
2842 BEGIN_CASE(JSOP_INTERRUPT)
2843 {
2844 JSTrapHandler handler;
2845
2846 handler = cx->debugHooks->interruptHandler;
2847 if (handler) {
2848 switch (handler(cx, script, regs.pc, &rval,
2849 cx->debugHooks->interruptHandlerData)) {
2850 case JSTRAP_ERROR:
2851 goto error;
2852 case JSTRAP_CONTINUE:
2853 break;
2854 case JSTRAP_RETURN:
2855 fp->rval = rval;
2856 ok = JS_TRUE;
2857 goto forced_return;
2858 case JSTRAP_THROW:
2859 cx->throwing = JS_TRUE;
2860 cx->exception = rval;
2861 goto error;
2862 default:;
2863 }
2864 #if !JS_THREADED_INTERP
2865 } else {
2866 /* this was not a real interrupt, the tracer is trying to
2867 record a trace */
2868 switchOp = op + 256;
2869 goto do_switch;
2870 #endif
2871 }
2872 LOAD_INTERRUPT_HANDLER(cx);
2873
2874 #if JS_THREADED_INTERP
2875 JS_EXTENSION_(goto *normalJumpTable[op]);
2876 #else
2877 switchOp = op;
2878 goto do_switch;
2879 #endif
2880 }
2881
2882 /* No-ops for ease of decompilation. */
2883 ADD_EMPTY_CASE(JSOP_NOP)
2884 ADD_EMPTY_CASE(JSOP_CONDSWITCH)
2885 ADD_EMPTY_CASE(JSOP_TRY)
2886 ADD_EMPTY_CASE(JSOP_FINALLY)
2887 #if JS_HAS_XML_SUPPORT
2888 ADD_EMPTY_CASE(JSOP_STARTXML)
2889 ADD_EMPTY_CASE(JSOP_STARTXMLEXPR)
2890 #endif
2891 END_EMPTY_CASES
2892
2893 /* ADD_EMPTY_CASE is not used here as JSOP_LINENO_LENGTH == 3. */
2894 BEGIN_CASE(JSOP_LINENO)
2895 END_CASE(JSOP_LINENO)
2896
2897 BEGIN_CASE(JSOP_PUSH)
2898 PUSH_OPND(JSVAL_VOID);
2899 END_CASE(JSOP_PUSH)
2900
2901 BEGIN_CASE(JSOP_POP)
2902 regs.sp--;
2903 END_CASE(JSOP_POP)
2904
2905 BEGIN_CASE(JSOP_POPN)
2906 regs.sp -= GET_UINT16(regs.pc);
2907 #ifdef DEBUG
2908 JS_ASSERT(StackBase(fp) <= regs.sp);
2909 obj = fp->blockChain;
2910 JS_ASSERT_IF(obj,
2911 OBJ_BLOCK_DEPTH(cx, obj) + OBJ_BLOCK_COUNT(cx, obj)
2912 <= (size_t) (regs.sp - StackBase(fp)));
2913 for (obj = fp->scopeChain; obj; obj = OBJ_GET_PARENT(cx, obj)) {
2914 clasp = OBJ_GET_CLASS(cx, obj);
2915 if (clasp != &js_BlockClass && clasp != &js_WithClass)
2916 continue;
2917 if (OBJ_GET_PRIVATE(cx, obj) != fp)
2918 break;
2919 JS_ASSERT(StackBase(fp) + OBJ_BLOCK_DEPTH(cx, obj)
2920 + ((clasp == &js_BlockClass)
2921 ? OBJ_BLOCK_COUNT(cx, obj)
2922 : 1)
2923 <= regs.sp);
2924 }
2925 #endif
2926 END_CASE(JSOP_POPN)
2927
2928 BEGIN_CASE(JSOP_SETRVAL)
2929 BEGIN_CASE(JSOP_POPV)
2930 ASSERT_NOT_THROWING(cx);
2931 fp->rval = POP_OPND();
2932 END_CASE(JSOP_POPV)
2933
2934 BEGIN_CASE(JSOP_ENTERWITH)
2935 if (!js_EnterWith(cx, -1))
2936 goto error;
2937
2938 /*
2939 * We must ensure that different "with" blocks have different
2940 * stack depth associated with them. This allows the try handler
2941 * search to properly recover the scope chain. Thus we must keep
2942 * the stack at least at the current level.
2943 *
2944 * We set sp[-1] to the current "with" object to help asserting
2945 * the enter/leave balance in [leavewith].
2946 */
2947 regs.sp[-1] = OBJECT_TO_JSVAL(fp->scopeChain);
2948 END_CASE(JSOP_ENTERWITH)
2949
2950 BEGIN_CASE(JSOP_LEAVEWITH)
2951 JS_ASSERT(regs.sp[-1] == OBJECT_TO_JSVAL(fp->scopeChain));
2952 regs.sp--;
2953 js_LeaveWith(cx);
2954 END_CASE(JSOP_LEAVEWITH)
2955
2956 BEGIN_CASE(JSOP_RETURN)
2957 CHECK_BRANCH();
2958 fp->rval = POP_OPND();
2959 /* FALL THROUGH */
2960
2961 BEGIN_CASE(JSOP_RETRVAL) /* fp->rval already set */
2962 BEGIN_CASE(JSOP_STOP)
2963 /*
2964 * When the inlined frame exits with an exception or an error, ok
2965 * will be false after the inline_return label.
2966 */
2967 ASSERT_NOT_THROWING(cx);
2968
2969 if (fp->imacpc) {
2970 /*
2971 * If we are at the end of an imacro, return to its caller in
2972 * the current frame.
2973 */
2974 JS_ASSERT(op == JSOP_STOP);
2975
2976 end_imacro:
2977 JS_ASSERT((uintN)(regs.sp - fp->slots) <= script->nslots);
2978 regs.pc = fp->imacpc + js_CodeSpec[*fp->imacpc].length;
2979 fp->imacpc = NULL;
2980 atoms = script->atomMap.vector;
2981 op = JSOp(*regs.pc);
2982 DO_OP();
2983 }
2984
2985 JS_ASSERT(regs.sp == StackBase(fp));
2986 if ((fp->flags & JSFRAME_CONSTRUCTING) &&
2987 JSVAL_IS_PRIMITIVE(fp->rval)) {
2988 if (!fp->fun) {
2989 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
2990 JSMSG_BAD_NEW_RESULT,
2991 js_ValueToPrintableString(cx, rval));
2992 goto error;
2993 }
2994 fp->rval = OBJECT_TO_JSVAL(fp->thisp);
2995 }
2996 ok = JS_TRUE;
2997 if (inlineCallCount)
2998 inline_return:
2999 {
3000 JSInlineFrame *ifp = (JSInlineFrame *) fp;
3001 void *hookData = ifp->hookData;
3002
3003 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled == fp->pcDisabledSave);
3004 JS_ASSERT(!fp->blockChain);
3005 JS_ASSERT(!js_IsActiveWithOrBlock(cx, fp->scopeChain, 0));
3006
3007 if (script->staticDepth < JS_DISPLAY_SIZE)
3008 cx->display[script->staticDepth] = fp->displaySave;
3009
3010 if (hookData) {
3011 JSInterpreterHook hook;
3012 JSBool status;
3013
3014 hook = cx->debugHooks->callHook;
3015 if (hook) {
3016 /*
3017 * Do not pass &ok directly as exposing the address
3018 * inhibits optimizations and uninitialised warnings.
3019 */
3020 status = ok;
3021 hook(cx, fp, JS_FALSE, &status, hookData);
3022 ok = status;
3023 LOAD_INTERRUPT_HANDLER(cx);
3024 }
3025 }
3026
3027 /*
3028 * If fp has a call object, sync values and clear the back-
3029 * pointer. This can happen for a lightweight function if it
3030 * calls eval unexpectedly (in a way that is hidden from the
3031 * compiler). See bug 325540.
3032 */
3033 if (fp->callobj)
3034 ok &= js_PutCallObject(cx, fp);
3035
3036 if (fp->argsobj)
3037 ok &= js_PutArgsObject(cx, fp);
3038
3039 #ifdef INCLUDE_MOZILLA_DTRACE
3040 /* DTrace function return, inlines */
3041 if (JAVASCRIPT_FUNCTION_RVAL_ENABLED())
3042 jsdtrace_function_rval(cx, fp, fp->fun);
3043 if (JAVASCRIPT_FUNCTION_RETURN_ENABLED())
3044 jsdtrace_function_return(cx, fp, fp->fun);
3045 #endif
3046
3047 /* Restore context version only if callee hasn't set version. */
3048 if (JS_LIKELY(cx->version == currentVersion)) {
3049 currentVersion = ifp->callerVersion;
3050 if (currentVersion != cx->version)
3051 js_SetVersion(cx, currentVersion);
3052 }
3053
3054 /*
3055 * If inline-constructing, replace primitive rval with the new
3056 * object passed in via |this|, and instrument this constructor
3057 * invocation
3058 */
3059 if (fp->flags & JSFRAME_CONSTRUCTING) {
3060 if (JSVAL_IS_PRIMITIVE(fp->rval))
3061 fp->rval = OBJECT_TO_JSVAL(fp->thisp);
3062 JS_RUNTIME_METER(cx->runtime, constructs);
3063 }
3064
3065 /* Restore caller's registers. */
3066 regs = ifp->callerRegs;
3067
3068 /* Store the return value in the caller's operand frame. */
3069 regs.sp -= 1 + (size_t) ifp->frame.argc;
3070 regs.sp[-1] = fp->rval;
3071
3072 /* Restore cx->fp and release the inline frame's space. */
3073 cx->fp = fp = fp->down;
3074 JS_ASSERT(fp->regs == &ifp->callerRegs);
3075 fp->regs = &regs;
3076 JS_ARENA_RELEASE(&cx->stackPool, ifp->mark);
3077
3078 /* Restore the calling script's interpreter registers. */
3079 script = fp->script;
3080 atoms = script->atomMap.vector;
3081
3082 /* Resume execution in the calling frame. */
3083 inlineCallCount--;
3084 if (JS_LIKELY(ok)) {
3085 TRACE_0(LeaveFrame);
3086 JS_ASSERT(js_CodeSpec[*regs.pc].length == JSOP_CALL_LENGTH);
3087 len = JSOP_CALL_LENGTH;
3088 DO_NEXT_OP(len);
3089 }
3090 goto error;
3091 }
3092 goto exit;
3093
3094 BEGIN_CASE(JSOP_DEFAULT)
3095 (void) POP();
3096 /* FALL THROUGH */
3097 BEGIN_CASE(JSOP_GOTO)
3098 len = GET_JUMP_OFFSET(regs.pc);
3099 BRANCH(len);
3100 END_CASE(JSOP_GOTO)
3101
3102 BEGIN_CASE(JSOP_IFEQ)
3103 POP_BOOLEAN(cx, rval, cond);
3104 if (cond == JS_FALSE) {
3105 len = GET_JUMP_OFFSET(regs.pc);
3106 BRANCH(len);
3107 }
3108 END_CASE(JSOP_IFEQ)
3109
3110 BEGIN_CASE(JSOP_IFNE)
3111 POP_BOOLEAN(cx, rval, cond);
3112 if (cond != JS_FALSE) {
3113 len = GET_JUMP_OFFSET(regs.pc);
3114 BRANCH(len);
3115 }
3116 END_CASE(JSOP_IFNE)
3117
3118 BEGIN_CASE(JSOP_OR)
3119 POP_BOOLEAN(cx, rval, cond);
3120 if (cond == JS_TRUE) {
3121 len = GET_JUMP_OFFSET(regs.pc);
3122 PUSH_OPND(rval);
3123 DO_NEXT_OP(len);
3124 }
3125 END_CASE(JSOP_OR)
3126
3127 BEGIN_CASE(JSOP_AND)
3128 POP_BOOLEAN(cx, rval, cond);
3129 if (cond == JS_FALSE) {
3130 len = GET_JUMP_OFFSET(regs.pc);
3131 PUSH_OPND(rval);
3132 DO_NEXT_OP(len);
3133 }
3134 END_CASE(JSOP_AND)
3135
3136 BEGIN_CASE(JSOP_DEFAULTX)
3137 (void) POP();
3138 /* FALL THROUGH */
3139 BEGIN_CASE(JSOP_GOTOX)
3140 len = GET_JUMPX_OFFSET(regs.pc);
3141 BRANCH(len);
3142 END_CASE(JSOP_GOTOX);
3143
3144 BEGIN_CASE(JSOP_IFEQX)
3145 POP_BOOLEAN(cx, rval, cond);
3146 if (cond == JS_FALSE) {
3147 len = GET_JUMPX_OFFSET(regs.pc);
3148 BRANCH(len);
3149 }
3150 END_CASE(JSOP_IFEQX)
3151
3152 BEGIN_CASE(JSOP_IFNEX)
3153 POP_BOOLEAN(cx, rval, cond);
3154 if (cond != JS_FALSE) {
3155 len = GET_JUMPX_OFFSET(regs.pc);
3156 BRANCH(len);
3157 }
3158 END_CASE(JSOP_IFNEX)
3159
3160 BEGIN_CASE(JSOP_ORX)
3161 POP_BOOLEAN(cx, rval, cond);
3162 if (cond == JS_TRUE) {
3163 len = GET_JUMPX_OFFSET(regs.pc);
3164 PUSH_OPND(rval);
3165 DO_NEXT_OP(len);
3166 }
3167 END_CASE(JSOP_ORX)
3168
3169 BEGIN_CASE(JSOP_ANDX)
3170 POP_BOOLEAN(cx, rval, cond);
3171 if (cond == JS_FALSE) {
3172 len = GET_JUMPX_OFFSET(regs.pc);
3173 PUSH_OPND(rval);
3174 DO_NEXT_OP(len);
3175 }
3176 END_CASE(JSOP_ANDX)
3177
3178 /*
3179 * If the index value at sp[n] is not an int that fits in a jsval, it could
3180 * be an object (an XML QName, AttributeName, or AnyName), but only if we are
3181 * compiling with JS_HAS_XML_SUPPORT. Otherwise convert the index value to a
3182 * string atom id.
3183 */
3184 #define FETCH_ELEMENT_ID(obj, n, id) \
3185 JS_BEGIN_MACRO \
3186 jsval idval_ = FETCH_OPND(n); \
3187 if (JSVAL_IS_INT(idval_)) { \
3188 id = INT_JSVAL_TO_JSID(idval_); \
3189 } else { \
3190 if (!js_InternNonIntElementId(cx, obj, idval_, &id)) \
3191 goto error; \
3192 regs.sp[n] = ID_TO_VALUE(id); \
3193 } \
3194 JS_END_MACRO
3195
3196 #define TRY_BRANCH_AFTER_COND(cond,spdec) \
3197 JS_BEGIN_MACRO \
3198 uintN diff_; \
3199 JS_ASSERT(js_CodeSpec[op].length == 1); \
3200 diff_ = (uintN) regs.pc[1] - (uintN) JSOP_IFEQ; \
3201 if (diff_ <= 1) { \
3202 regs.sp -= spdec; \
3203 if (cond == (diff_ != 0)) { \
3204 ++regs.pc; \
3205 len = GET_JUMP_OFFSET(regs.pc); \
3206 BRANCH(len); \
3207 } \
3208 len = 1 + JSOP_IFEQ_LENGTH; \
3209 DO_NEXT_OP(len); \
3210 } \
3211 JS_END_MACRO
3212
3213 BEGIN_CASE(JSOP_IN)
3214 rval = FETCH_OPND(-1);
3215 if (JSVAL_IS_PRIMITIVE(rval)) {
3216 js_ReportValueError(cx, JSMSG_IN_NOT_OBJECT, -1, rval, NULL);
3217 goto error;
3218 }
3219 obj = JSVAL_TO_OBJECT(rval);
3220 FETCH_ELEMENT_ID(obj, -2, id);
3221 if (!OBJ_LOOKUP_PROPERTY(cx, obj, id, &obj2, &prop))
3222 goto error;
3223 cond = prop != NULL;
3224 if (prop)
3225 OBJ_DROP_PROPERTY(cx, obj2, prop);
3226 TRY_BRANCH_AFTER_COND(cond, 2);
3227 regs.sp--;
3228 STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond));
3229 END_CASE(JSOP_IN)
3230
3231 BEGIN_CASE(JSOP_ITER)
3232 JS_ASSERT(regs.sp > StackBase(fp));
3233 flags = regs.pc[1];
3234 if (!js_ValueToIterator(cx, flags, &regs.sp[-1]))
3235 goto error;
3236 LOAD_INTERRUPT_HANDLER(cx);
3237 JS_ASSERT(!JSVAL_IS_PRIMITIVE(regs.sp[-1]));
3238 PUSH(JSVAL_VOID);
3239 END_CASE(JSOP_ITER)
3240
3241 BEGIN_CASE(JSOP_NEXTITER)
3242 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3243 JS_ASSERT(!JSVAL_IS_PRIMITIVE(regs.sp[-2]));
3244 if (!js_CallIteratorNext(cx, JSVAL_TO_OBJECT(regs.sp[-2]), &regs.sp[-1]))
3245 goto error;
3246 LOAD_INTERRUPT_HANDLER(cx);
3247 rval = BOOLEAN_TO_JSVAL(regs.sp[-1] != JSVAL_HOLE);
3248 PUSH(rval);
3249 TRACE_0(IteratorNextComplete);
3250 END_CASE(JSOP_NEXTITER)
3251
3252 BEGIN_CASE(JSOP_ENDITER)
3253 /*
3254 * Decrease the stack pointer even when !ok -- see comments in the
3255 * exception capturing code for details.
3256 */
3257 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3258 ok = js_CloseIterator(cx, regs.sp[-2]);
3259 regs.sp -= 2;
3260 if (!ok)
3261 goto error;
3262 END_CASE(JSOP_ENDITER)
3263
3264 BEGIN_CASE(JSOP_FORARG)
3265 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3266 slot = GET_ARGNO(regs.pc);
3267 JS_ASSERT(slot < fp->fun->nargs);
3268 fp->argv[slot] = regs.sp[-1];
3269 END_CASE(JSOP_FORARG)
3270
3271 BEGIN_CASE(JSOP_FORLOCAL)
3272 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3273 slot = GET_SLOTNO(regs.pc);
3274 JS_ASSERT(slot < fp->script->nslots);
3275 vp = &fp->slots[slot];
3276 GC_POKE(cx, *vp);
3277 *vp = regs.sp[-1];
3278 END_CASE(JSOP_FORLOCAL)
3279
3280 BEGIN_CASE(JSOP_FORNAME)
3281 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3282 LOAD_ATOM(0);
3283 id = ATOM_TO_JSID(atom);
3284 if (!js_FindProperty(cx, id, &obj, &obj2, &prop))
3285 goto error;
3286 if (prop)
3287 OBJ_DROP_PROPERTY(cx, obj2, prop);
3288 ok = OBJ_SET_PROPERTY(cx, obj, id, &regs.sp[-1]);
3289 if (!ok)
3290 goto error;
3291 END_CASE(JSOP_FORNAME)
3292
3293 BEGIN_CASE(JSOP_FORPROP)
3294 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3295 LOAD_ATOM(0);
3296 id = ATOM_TO_JSID(atom);
3297 FETCH_OBJECT(cx, -1, lval, obj);
3298 ok = OBJ_SET_PROPERTY(cx, obj, id, &regs.sp[-2]);
3299 if (!ok)
3300 goto error;
3301 regs.sp--;
3302 END_CASE(JSOP_FORPROP)
3303
3304 BEGIN_CASE(JSOP_FORELEM)
3305 /*
3306 * JSOP_FORELEM simply dups the property identifier at top of stack
3307 * and lets the subsequent JSOP_ENUMELEM opcode sequence handle the
3308 * left-hand side expression evaluation and assignment. This opcode
3309 * exists solely to help the decompiler.
3310 */
3311 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3312 rval = FETCH_OPND(-1);
3313 PUSH(rval);
3314 END_CASE(JSOP_FORELEM)
3315
3316 BEGIN_CASE(JSOP_DUP)
3317 JS_ASSERT(regs.sp > StackBase(fp));
3318 rval = FETCH_OPND(-1);
3319 PUSH(rval);
3320 END_CASE(JSOP_DUP)
3321
3322 BEGIN_CASE(JSOP_DUP2)
3323 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3324 lval = FETCH_OPND(-2);
3325 rval = FETCH_OPND(-1);
3326 PUSH(lval);
3327 PUSH(rval);
3328 END_CASE(JSOP_DUP2)
3329
3330 BEGIN_CASE(JSOP_SWAP)
3331 JS_ASSERT(regs.sp - 2 >= StackBase(fp));
3332 lval = FETCH_OPND(-2);
3333 rval = FETCH_OPND(-1);
3334 STORE_OPND(-1, lval);
3335 STORE_OPND(-2, rval);
3336 END_CASE(JSOP_SWAP)
3337
3338 #define PROPERTY_OP(n, call) \
3339 JS_BEGIN_MACRO \
3340 /* Fetch the left part and resolve it to a non-null object. */ \
3341 FETCH_OBJECT(cx, n, lval, obj); \
3342 \
3343 /* Get or set the property. */ \
3344 if (!call) \
3345 goto error; \
3346 JS_END_MACRO
3347
3348 #define ELEMENT_OP(n, call) \
3349 JS_BEGIN_MACRO \
3350 /* Fetch the left part and resolve it to a non-null object. */ \
3351 FETCH_OBJECT(cx, n - 1, lval, obj); \
3352 \
3353 /* Fetch index and convert it to id suitable for use with obj. */ \
3354 FETCH_ELEMENT_ID(obj, n, id); \
3355 \
3356 /* Get or set the element. */ \
3357 if (!call) \
3358 goto error; \
3359 JS_END_MACRO
3360
3361 #define NATIVE_GET(cx,obj,pobj,sprop,vp) \
3362 JS_BEGIN_MACRO \
3363 if (SPROP_HAS_STUB_GETTER(sprop)) { \
3364 /* Fast path for Object instance properties. */ \
3365 JS_ASSERT((sprop)->slot != SPROP_INVALID_SLOT || \
3366 !SPROP_HAS_STUB_SETTER(sprop)); \
3367 *vp = ((sprop)->slot != SPROP_INVALID_SLOT) \
3368 ? LOCKED_OBJ_GET_SLOT(pobj, (sprop)->slot) \
3369 : JSVAL_VOID; \
3370 } else { \
3371 if (!js_NativeGet(cx, obj, pobj, sprop, vp)) \
3372 goto error; \
3373 } \
3374 JS_END_MACRO
3375
3376 #define NATIVE_SET(cx,obj,sprop,vp) \
3377 JS_BEGIN_MACRO \
3378 if (SPROP_HAS_STUB_SETTER(sprop) && \
3379 (sprop)->slot != SPROP_INVALID_SLOT) { \
3380 /* Fast path for, e.g., Object instance properties. */ \
3381 LOCKED_OBJ_WRITE_BARRIER(cx, obj, (sprop)->slot, *vp); \
3382 } else { \
3383 if (!js_NativeSet(cx, obj, sprop, vp)) \
3384 goto error; \
3385 } \
3386 JS_END_MACRO
3387
3388 /*
3389 * Deadlocks or else bad races are likely if JS_THREADSAFE, so we must rely on
3390 * single-thread DEBUG js shell testing to verify property cache hits.
3391 */
3392 #if defined DEBUG && !defined JS_THREADSAFE
3393 # define ASSERT_VALID_PROPERTY_CACHE_HIT(pcoff,obj,pobj,entry) \
3394 do { \
3395 JSAtom *atom_; \
3396 JSObject *obj_, *pobj_; \
3397 JSProperty *prop_; \
3398 JSScopeProperty *sprop_; \
3399 uint32 sample_ = rt->gcNumber; \
3400 if (pcoff >= 0) \
3401 GET_ATOM_FROM_BYTECODE(script, regs.pc, pcoff, atom_); \
3402 else \
3403 atom_ = rt->atomState.lengthAtom; \
3404 if (JOF_OPMODE(*regs.pc) == JOF_NAME) { \
3405 ok = js_FindProperty(cx, ATOM_TO_JSID(atom_), &obj_, &pobj_, \
3406 &prop_); \
3407 } else { \
3408 obj_ = obj; \
3409 ok = js_LookupProperty(cx, obj, ATOM_TO_JSID(atom_), &pobj_, \
3410 &prop_); \
3411 } \
3412 if (!ok) \
3413 goto error; \
3414 if (rt->gcNumber != sample_) \
3415 break; \
3416 JS_ASSERT(prop_); \
3417 JS_ASSERT(pobj_ == pobj); \
3418 sprop_ = (JSScopeProperty *) prop_; \
3419 if (PCVAL_IS_SLOT(entry->vword)) { \
3420 JS_ASSERT(PCVAL_TO_SLOT(entry->vword) == sprop_->slot); \
3421 } else if (PCVAL_IS_SPROP(entry->vword)) { \
3422 JS_ASSERT(PCVAL_TO_SPROP(entry->vword) == sprop_); \
3423 } else { \
3424 jsval v_; \
3425 JS_ASSERT(PCVAL_IS_OBJECT(entry->vword)); \
3426 JS_ASSERT(entry->vword != PCVAL_NULL); \
3427 JS_ASSERT(SCOPE_IS_BRANDED(OBJ_SCOPE(pobj))); \
3428 JS_ASSERT(SPROP_HAS_STUB_GETTER(sprop_)); \
3429 JS_ASSERT(SPROP_HAS_VALID_SLOT(sprop_, OBJ_SCOPE(pobj_))); \
3430 v_ = LOCKED_OBJ_GET_SLOT(pobj_, sprop_->slot); \
3431 JS_ASSERT(VALUE_IS_FUNCTION(cx, v_)); \
3432 JS_ASSERT(PCVAL_TO_OBJECT(entry->vword) == JSVAL_TO_OBJECT(v_)); \
3433 } \
3434 OBJ_DROP_PROPERTY(cx, pobj_, prop_); \
3435 } while (0)
3436 #else
3437 # define ASSERT_VALID_PROPERTY_CACHE_HIT(pcoff,obj,pobj,entry) ((void) 0)
3438 #endif
3439
3440 /*
3441 * Skip the JSOP_POP typically found after a JSOP_SET* opcode, where oplen is
3442 * the constant length of the SET opcode sequence, and spdec is the constant
3443 * by which to decrease the stack pointer to pop all of the SET op's operands.
3444 *
3445 * NB: unlike macros that could conceivably be replaced by functions (ignoring
3446 * goto error), where a call should not have to be braced in order to expand
3447 * correctly (e.g., in if (cond) FOO(); else BAR()), these three macros lack
3448 * JS_{BEGIN,END}_MACRO brackets. They are also indented so as to align with
3449 * nearby opcode code.
3450 */
3451 #define SKIP_POP_AFTER_SET(oplen,spdec) \
3452 if (regs.pc[oplen] == JSOP_POP) { \
3453 regs.sp -= spdec; \
3454 regs.pc += oplen + JSOP_POP_LENGTH; \
3455 op = (JSOp) *regs.pc; \
3456 DO_OP(); \
3457 }
3458
3459 #define END_SET_CASE(OP) \
3460 SKIP_POP_AFTER_SET(OP##_LENGTH, 1); \
3461 END_CASE(OP)
3462
3463 #define END_SET_CASE_STORE_RVAL(OP,spdec) \
3464 SKIP_POP_AFTER_SET(OP##_LENGTH, spdec); \
3465 rval = FETCH_OPND(-1); \
3466 regs.sp -= (spdec) - 1; \
3467 STORE_OPND(-1, rval); \
3468 END_CASE(OP)
3469
3470 BEGIN_CASE(JSOP_SETCONST)
3471 LOAD_ATOM(0);
3472 obj = fp->varobj;
3473 rval = FETCH_OPND(-1);
3474 if (!OBJ_DEFINE_PROPERTY(cx, obj, ATOM_TO_JSID(atom), rval,
3475 JS_PropertyStub, JS_PropertyStub,
3476 JSPROP_ENUMERATE | JSPROP_PERMANENT |
3477 JSPROP_READONLY,
3478 NULL)) {
3479 goto error;
3480 }
3481 END_SET_CASE(JSOP_SETCONST);
3482
3483 #if JS_HAS_DESTRUCTURING
3484 BEGIN_CASE(JSOP_ENUMCONSTELEM)
3485 rval = FETCH_OPND(-3);
3486 FETCH_OBJECT(cx, -2, lval, obj);
3487 FETCH_ELEMENT_ID(obj, -1, id);
3488 if (!OBJ_DEFINE_PROPERTY(cx, obj, id, rval,
3489 JS_PropertyStub, JS_PropertyStub,
3490 JSPROP_ENUMERATE | JSPROP_PERMANENT |
3491 JSPROP_READONLY,
3492 NULL)) {
3493 goto error;
3494 }
3495 regs.sp -= 3;
3496 END_CASE(JSOP_ENUMCONSTELEM)
3497 #endif
3498
3499 BEGIN_CASE(JSOP_BINDNAME)
3500 do {
3501 JSPropCacheEntry *entry;
3502
3503 obj = fp->scopeChain;
3504 if (JS_LIKELY(OBJ_IS_NATIVE(obj))) {
3505 PROPERTY_CACHE_TEST(cx, regs.pc, obj, obj2, entry, atom);
3506 if (!atom) {
3507 ASSERT_VALID_PROPERTY_CACHE_HIT(0, obj, obj2, entry);
3508 JS_UNLOCK_OBJ(cx, obj2);
3509 break;
3510 }
3511 } else {
3512 entry = NULL;
3513 LOAD_ATOM(0);
3514 }
3515 id = ATOM_TO_JSID(atom);
3516 obj = js_FindIdentifierBase(cx, id, entry);
3517 if (!obj)
3518 goto error;
3519 } while (0);
3520 PUSH_OPND(OBJECT_TO_JSVAL(obj));
3521 END_CASE(JSOP_BINDNAME)
3522
3523 BEGIN_CASE(JSOP_IMACOP)
3524 JS_ASSERT(JS_UPTRDIFF(fp->imacpc, script->code) < script->length);
3525 op = JSOp(*fp->imacpc);
3526 DO_OP();
3527
3528 #define BITWISE_OP(OP) \
3529 JS_BEGIN_MACRO \
3530 FETCH_INT(cx, -2, i); \
3531 FETCH_INT(cx, -1, j); \
3532 i = i OP j; \
3533 regs.sp--; \
3534 STORE_INT(cx, -1, i); \
3535 JS_END_MACRO
3536
3537 BEGIN_CASE(JSOP_BITOR)
3538 BITWISE_OP(|);
3539 END_CASE(JSOP_BITOR)
3540
3541 BEGIN_CASE(JSOP_BITXOR)
3542 BITWISE_OP(^);
3543 END_CASE(JSOP_BITXOR)
3544
3545 BEGIN_CASE(JSOP_BITAND)
3546 BITWISE_OP(&);
3547 END_CASE(JSOP_BITAND)
3548
3549 #define RELATIONAL_OP(OP) \
3550 JS_BEGIN_MACRO \
3551 rval = FETCH_OPND(-1); \
3552 lval = FETCH_OPND(-2); \
3553 /* Optimize for two int-tagged operands (typical loop control). */ \
3554 if ((lval & rval) & JSVAL_INT) { \
3555 cond = JSVAL_TO_INT(lval) OP JSVAL_TO_INT(rval); \
3556 } else { \
3557 if (!JSVAL_IS_PRIMITIVE(lval)) \
3558 DEFAULT_VALUE(cx, -2, JSTYPE_NUMBER, lval); \
3559 if (!JSVAL_IS_PRIMITIVE(rval)) \
3560 DEFAULT_VALUE(cx, -1, JSTYPE_NUMBER, rval); \
3561 if (JSVAL_IS_STRING(lval) && JSVAL_IS_STRING(rval)) { \
3562 str = JSVAL_TO_STRING(lval); \
3563 str2 = JSVAL_TO_STRING(rval); \
3564 cond = js_CompareStrings(str, str2) OP 0; \
3565 } else { \
3566 VALUE_TO_NUMBER(cx, -2, lval, d); \
3567 VALUE_TO_NUMBER(cx, -1, rval, d2); \
3568 cond = JSDOUBLE_COMPARE(d, OP, d2, JS_FALSE); \
3569 } \
3570 } \
3571 TRY_BRANCH_AFTER_COND(cond, 2); \
3572 regs.sp--; \
3573 STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond)); \
3574 JS_END_MACRO
3575
3576 /*
3577 * NB: These macros can't use JS_BEGIN_MACRO/JS_END_MACRO around their bodies
3578 * because they begin if/else chains, so callers must not put semicolons after
3579 * the call expressions!
3580 */
3581 #if JS_HAS_XML_SUPPORT
3582 #define XML_EQUALITY_OP(OP) \
3583 if ((ltmp == JSVAL_OBJECT && \
3584 (obj2 = JSVAL_TO_OBJECT(lval)) && \
3585 OBJECT_IS_XML(cx, obj2)) || \
3586 (rtmp == JSVAL_OBJECT && \
3587 (obj2 = JSVAL_TO_OBJECT(rval)) && \
3588 OBJECT_IS_XML(cx, obj2))) { \
3589 JSXMLObjectOps *ops; \
3590 \
3591 ops = (JSXMLObjectOps *) obj2->map->ops; \
3592 if (obj2 == JSVAL_TO_OBJECT(rval)) \
3593 rval = lval; \
3594 if (!ops->equality(cx, obj2, rval, &cond)) \
3595 goto error; \
3596 cond = cond OP JS_TRUE; \
3597 } else
3598
3599 #define EXTENDED_EQUALITY_OP(OP) \
3600 if (ltmp == JSVAL_OBJECT && \
3601 (obj2 = JSVAL_TO_OBJECT(lval)) && \
3602 ((clasp = OBJ_GET_CLASS(cx, obj2))->flags & JSCLASS_IS_EXTENDED)) { \
3603 JSExtendedClass *xclasp; \
3604 \
3605 xclasp = (JSExtendedClass *) clasp; \
3606 if (!xclasp->equality(cx, obj2, rval, &cond)) \
3607 goto error; \
3608 cond = cond OP JS_TRUE; \
3609 } else
3610 #else
3611 #define XML_EQUALITY_OP(OP) /* nothing */
3612 #define EXTENDED_EQUALITY_OP(OP) /* nothing */
3613 #endif
3614
3615 #define EQUALITY_OP(OP, IFNAN) \
3616 JS_BEGIN_MACRO \
3617 rval = FETCH_OPND(-1); \
3618 lval = FETCH_OPND(-2); \
3619 ltmp = JSVAL_TAG(lval); \
3620 rtmp = JSVAL_TAG(rval); \
3621 XML_EQUALITY_OP(OP) \
3622 if (ltmp == rtmp) { \
3623 if (ltmp == JSVAL_STRING) { \
3624 str = JSVAL_TO_STRING(lval); \
3625 str2 = JSVAL_TO_STRING(rval); \
3626 cond = js_EqualStrings(str, str2) OP JS_TRUE; \
3627 } else if (ltmp == JSVAL_DOUBLE) { \
3628 d = *JSVAL_TO_DOUBLE(lval); \
3629 d2 = *JSVAL_TO_DOUBLE(rval); \
3630 cond = JSDOUBLE_COMPARE(d, OP, d2, IFNAN); \
3631 } else { \
3632 EXTENDED_EQUALITY_OP(OP) \
3633 /* Handle all undefined (=>NaN) and int combinations. */ \
3634 cond = lval OP rval; \
3635 } \
3636 } else { \
3637 if (JSVAL_IS_NULL(lval) || JSVAL_IS_VOID(lval)) { \
3638 cond = (JSVAL_IS_NULL(rval) || JSVAL_IS_VOID(rval)) OP 1; \
3639 } else if (JSVAL_IS_NULL(rval) || JSVAL_IS_VOID(rval)) { \
3640 cond = 1 OP 0; \
3641 } else { \
3642 if (ltmp == JSVAL_OBJECT) { \
3643 DEFAULT_VALUE(cx, -2, JSTYPE_VOID, lval); \
3644 ltmp = JSVAL_TAG(lval); \
3645 } else if (rtmp == JSVAL_OBJECT) { \
3646 DEFAULT_VALUE(cx, -1, JSTYPE_VOID, rval); \
3647 rtmp = JSVAL_TAG(rval); \
3648 } \
3649 if (ltmp == JSVAL_STRING && rtmp == JSVAL_STRING) { \
3650 str = JSVAL_TO_STRING(lval); \
3651 str2 = JSVAL_TO_STRING(rval); \
3652 cond = js_EqualStrings(str, str2) OP JS_TRUE; \
3653 } else { \
3654 VALUE_TO_NUMBER(cx, -2, lval, d); \
3655 VALUE_TO_NUMBER(cx, -1, rval, d2); \
3656 cond = JSDOUBLE_COMPARE(d, OP, d2, IFNAN); \
3657 } \
3658 } \
3659 } \
3660 TRY_BRANCH_AFTER_COND(cond, 2); \
3661 regs.sp--; \
3662 STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond)); \
3663 JS_END_MACRO
3664
3665 BEGIN_CASE(JSOP_EQ)
3666 EQUALITY_OP(==, JS_FALSE);
3667 END_CASE(JSOP_EQ)
3668
3669 BEGIN_CASE(JSOP_NE)
3670 EQUALITY_OP(!=, JS_TRUE);
3671 END_CASE(JSOP_NE)
3672
3673 #define STRICT_EQUALITY_OP(OP) \
3674 JS_BEGIN_MACRO \
3675 rval = FETCH_OPND(-1); \
3676 lval = FETCH_OPND(-2); \
3677 cond = js_StrictlyEqual(cx, lval, rval) OP JS_TRUE; \
3678 regs.sp--; \
3679 STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond)); \
3680 JS_END_MACRO
3681
3682 BEGIN_CASE(JSOP_STRICTEQ)
3683 STRICT_EQUALITY_OP(==);
3684 END_CASE(JSOP_STRICTEQ)
3685
3686 BEGIN_CASE(JSOP_STRICTNE)
3687 STRICT_EQUALITY_OP(!=);
3688 END_CASE(JSOP_STRICTNE)
3689
3690 BEGIN_CASE(JSOP_CASE)
3691 STRICT_EQUALITY_OP(==);
3692 (void) POP();
3693 if (cond) {
3694 len = GET_JUMP_OFFSET(regs.pc);
3695 BRANCH(len);
3696 }
3697 PUSH(lval);
3698 END_CASE(JSOP_CASE)
3699
3700 BEGIN_CASE(JSOP_CASEX)
3701 STRICT_EQUALITY_OP(==);
3702 (void) POP();
3703 if (cond) {
3704 len = GET_JUMPX_OFFSET(regs.pc);
3705 BRANCH(len);
3706 }
3707 PUSH(lval);
3708 END_CASE(JSOP_CASEX)
3709
3710 BEGIN_CASE(JSOP_LT)
3711 RELATIONAL_OP(<);
3712 END_CASE(JSOP_LT)
3713
3714 BEGIN_CASE(JSOP_LE)
3715 RELATIONAL_OP(<=);
3716 END_CASE(JSOP_LE)
3717
3718 BEGIN_CASE(JSOP_GT)
3719 RELATIONAL_OP(>);
3720 END_CASE(JSOP_GT)
3721
3722 BEGIN_CASE(JSOP_GE)
3723 RELATIONAL_OP(>=);
3724 END_CASE(JSOP_GE)
3725
3726 #undef EQUALITY_OP
3727 #undef RELATIONAL_OP
3728
3729 #define SIGNED_SHIFT_OP(OP) \
3730 JS_BEGIN_MACRO \
3731 FETCH_INT(cx, -2, i); \
3732 FETCH_INT(cx, -1, j); \
3733 i = i OP (j & 31); \
3734 regs.sp--; \
3735 STORE_INT(cx, -1, i); \
3736 JS_END_MACRO
3737
3738 BEGIN_CASE(JSOP_LSH)
3739 SIGNED_SHIFT_OP(<<);
3740 END_CASE(JSOP_LSH)
3741
3742 BEGIN_CASE(JSOP_RSH)
3743 SIGNED_SHIFT_OP(>>);
3744 END_CASE(JSOP_RSH)
3745
3746 BEGIN_CASE(JSOP_URSH)
3747 {
3748 uint32 u;
3749
3750 FETCH_UINT(cx, -2, u);
3751 FETCH_INT(cx, -1, j);
3752 u >>= (j & 31);
3753 regs.sp--;
3754 STORE_UINT(cx, -1, u);
3755 }
3756 END_CASE(JSOP_URSH)
3757
3758 #undef BITWISE_OP
3759 #undef SIGNED_SHIFT_OP
3760
3761 BEGIN_CASE(JSOP_ADD)
3762 rval = FETCH_OPND(-1);
3763 lval = FETCH_OPND(-2);
3764 #if JS_HAS_XML_SUPPORT
3765 if (!JSVAL_IS_PRIMITIVE(lval) &&
3766 (obj2 = JSVAL_TO_OBJECT(lval), OBJECT_IS_XML(cx, obj2)) &&
3767 VALUE_IS_XML(cx, rval)) {
3768 JSXMLObjectOps *ops;
3769
3770 ops = (JSXMLObjectOps *) obj2->map->ops;
3771 if (!ops->concatenate(cx, obj2, rval, &rval))
3772 goto error;
3773 regs.sp--;
3774 STORE_OPND(-1, rval);
3775 } else
3776 #endif
3777 {
3778 if (!JSVAL_IS_PRIMITIVE(lval))
3779 DEFAULT_VALUE(cx, -2, JSTYPE_VOID, lval);
3780 if (!JSVAL_IS_PRIMITIVE(rval))
3781 DEFAULT_VALUE(cx, -1, JSTYPE_VOID, rval);
3782 if ((cond = JSVAL_IS_STRING(lval)) || JSVAL_IS_STRING(rval)) {
3783 if (cond) {
3784 str = JSVAL_TO_STRING(lval);
3785 str2 = js_ValueToString(cx, rval);
3786 if (!str2)
3787 goto error;
3788 regs.sp[-1] = STRING_TO_JSVAL(str2);
3789 } else {
3790 str2 = JSVAL_TO_STRING(rval);
3791 str = js_ValueToString(cx, lval);
3792 if (!str)
3793 goto error;
3794 regs.sp[-2] = STRING_TO_JSVAL(str);
3795 }
3796 str = js_ConcatStrings(cx, str, str2);
3797 if (!str)
3798 goto error;
3799 regs.sp--;
3800 STORE_OPND(-1, STRING_TO_JSVAL(str));
3801 } else {
3802 VALUE_TO_NUMBER(cx, -2, lval, d);
3803 VALUE_TO_NUMBER(cx, -1, rval, d2);
3804 d += d2;
3805 regs.sp--;
3806 STORE_NUMBER(cx, -1, d);
3807 }
3808 }
3809 END_CASE(JSOP_ADD)
3810
3811 #define BINARY_OP(OP) \
3812 JS_BEGIN_MACRO \
3813 FETCH_NUMBER(cx, -2, d); \
3814 FETCH_NUMBER(cx, -1, d2); \
3815 d = d OP d2; \
3816 regs.sp--; \
3817 STORE_NUMBER(cx, -1, d); \
3818 JS_END_MACRO
3819
3820 BEGIN_CASE(JSOP_SUB)
3821 BINARY_OP(-);
3822 END_CASE(JSOP_SUB)
3823
3824 BEGIN_CASE(JSOP_MUL)
3825 BINARY_OP(*);
3826 END_CASE(JSOP_MUL)
3827
3828 BEGIN_CASE(JSOP_DIV)
3829 FETCH_NUMBER(cx, -1, d2);
3830 FETCH_NUMBER(cx, -2, d);
3831 regs.sp--;
3832 if (d2 == 0) {
3833 #ifdef XP_WIN
3834 /* XXX MSVC miscompiles such that (NaN == 0) */
3835 if (JSDOUBLE_IS_NaN(d2))
3836 rval = DOUBLE_TO_JSVAL(rt->jsNaN);
3837 else
3838 #endif
3839 if (d == 0 || JSDOUBLE_IS_NaN(d))
3840 rval = DOUBLE_TO_JSVAL(rt->jsNaN);
3841 else if ((JSDOUBLE_HI32(d) ^ JSDOUBLE_HI32(d2)) >> 31)
3842 rval = DOUBLE_TO_JSVAL(rt->jsNegativeInfinity);
3843 else
3844 rval = DOUBLE_TO_JSVAL(rt->jsPositiveInfinity);
3845 STORE_OPND(-1, rval);
3846 } else {
3847 d /= d2;
3848 STORE_NUMBER(cx, -1, d);
3849 }
3850 END_CASE(JSOP_DIV)
3851
3852 BEGIN_CASE(JSOP_MOD)
3853 FETCH_NUMBER(cx, -1, d2);
3854 FETCH_NUMBER(cx, -2, d);
3855 regs.sp--;
3856 if (d2 == 0) {
3857 STORE_OPND(-1, DOUBLE_TO_JSVAL(rt->jsNaN));
3858 } else {
3859 #ifdef XP_WIN
3860 /* Workaround MS fmod bug where 42 % (1/0) => NaN, not 42. */
3861 if (!(JSDOUBLE_IS_FINITE(d) && JSDOUBLE_IS_INFINITE(d2)))
3862 #endif
3863 d = fmod(d, d2);
3864 STORE_NUMBER(cx, -1, d);
3865 }
3866 END_CASE(JSOP_MOD)
3867
3868 BEGIN_CASE(JSOP_NOT)
3869 POP_BOOLEAN(cx, rval, cond);
3870 PUSH_OPND(BOOLEAN_TO_JSVAL(!cond));
3871 END_CASE(JSOP_NOT)
3872
3873 BEGIN_CASE(JSOP_BITNOT)
3874 FETCH_INT(cx, -1, i);
3875 i = ~i;
3876 STORE_INT(cx, -1, i);
3877 END_CASE(JSOP_BITNOT)
3878
3879 BEGIN_CASE(JSOP_NEG)
3880 /*
3881 * When the operand is int jsval, INT_FITS_IN_JSVAL(i) implies
3882 * INT_FITS_IN_JSVAL(-i) unless i is 0 or JSVAL_INT_MIN when the
3883 * results, -0.0 or JSVAL_INT_MAX + 1, are jsdouble values.
3884 */
3885 rval = FETCH_OPND(-1);
3886 if (JSVAL_IS_INT(rval) &&
3887 rval != INT_TO_JSVAL(JSVAL_INT_MIN) &&
3888 (i = JSVAL_TO_INT(rval)) != 0) {
3889 JS_STATIC_ASSERT(!INT_FITS_IN_JSVAL(-JSVAL_INT_MIN));
3890 i = -i;
3891 JS_ASSERT(INT_FITS_IN_JSVAL(i));
3892 regs.sp[-1] = INT_TO_JSVAL(i);
3893 } else {
3894 if (JSVAL_IS_DOUBLE(rval)) {
3895 d = *JSVAL_TO_DOUBLE(rval);
3896 } else {
3897 d = js_ValueToNumber(cx, &regs.sp[-1]);
3898 if (JSVAL_IS_NULL(regs.sp[-1]))
3899 goto error;
3900 JS_ASSERT(JSVAL_IS_NUMBER(regs.sp[-1]) ||
3901 regs.sp[-1] == JSVAL_TRUE);
3902 }
3903 #ifdef HPUX
3904 /*
3905 * Negation of a zero doesn't produce a negative
3906 * zero on HPUX. Perform the operation by bit
3907 * twiddling.
3908 */
3909 JSDOUBLE_HI32(d) ^= JSDOUBLE_HI32_SIGNBIT;
3910 #else
3911 d = -d;
3912 #endif
3913 if (!js_NewNumberInRootedValue(cx, d, &regs.sp[-1]))
3914 goto error;
3915 }
3916 END_CASE(JSOP_NEG)
3917
3918 BEGIN_CASE(JSOP_POS)
3919 rval = FETCH_OPND(-1);
3920 if (!JSVAL_IS_NUMBER(rval)) {
3921 d = js_ValueToNumber(cx, &regs.sp[-1]);
3922 rval = regs.sp[-1];
3923 if (JSVAL_IS_NULL(rval))
3924 goto error;
3925 if (rval == JSVAL_TRUE) {
3926 if (!js_NewNumberInRootedValue(cx, d, &regs.sp[-1]))
3927 goto error;
3928 } else {
3929 JS_ASSERT(JSVAL_IS_NUMBER(rval));
3930 }
3931 }
3932 END_CASE(JSOP_POS)
3933
3934 BEGIN_CASE(JSOP_DELNAME)
3935 LOAD_ATOM(0);
3936 id = ATOM_TO_JSID(atom);
3937 if (!js_FindProperty(cx, id, &obj, &obj2, &prop))
3938 goto error;
3939
3940 /* ECMA says to return true if name is undefined or inherited. */
3941 PUSH_OPND(JSVAL_TRUE);
3942 if (prop) {
3943 OBJ_DROP_PROPERTY(cx, obj2, prop);
3944 if (!OBJ_DELETE_PROPERTY(cx, obj, id, &regs.sp[-1]))
3945 goto error;
3946 }
3947 END_CASE(JSOP_DELNAME)
3948
3949 BEGIN_CASE(JSOP_DELPROP)
3950 LOAD_ATOM(0);
3951 id = ATOM_TO_JSID(atom);
3952 PROPERTY_OP(-1, OBJ_DELETE_PROPERTY(cx, obj, id, &rval));
3953 STORE_OPND(-1, rval);
3954 END_CASE(JSOP_DELPROP)
3955
3956 BEGIN_CASE(JSOP_DELELEM)
3957 ELEMENT_OP(-1, OBJ_DELETE_PROPERTY(cx, obj, id, &rval));
3958 regs.sp--;
3959 STORE_OPND(-1, rval);
3960 END_CASE(JSOP_DELELEM)
3961
3962 BEGIN_CASE(JSOP_TYPEOFEXPR)
3963 BEGIN_CASE(JSOP_TYPEOF)
3964 rval = FETCH_OPND(-1);
3965 type = JS_TypeOfValue(cx, rval);
3966 atom = rt->atomState.typeAtoms[type];
3967 STORE_OPND(-1, ATOM_KEY(atom));
3968 END_CASE(JSOP_TYPEOF)
3969
3970 BEGIN_CASE(JSOP_VOID)
3971 STORE_OPND(-1, JSVAL_VOID);
3972 END_CASE(JSOP_VOID)
3973
3974 BEGIN_CASE(JSOP_INCELEM)
3975 BEGIN_CASE(JSOP_DECELEM)
3976 BEGIN_CASE(JSOP_ELEMINC)
3977 BEGIN_CASE(JSOP_ELEMDEC)
3978 /*
3979 * Delay fetching of id until we have the object to ensure
3980 * the proper evaluation order. See bug 372331.
3981 */
3982 id = 0;
3983 i = -2;
3984 goto fetch_incop_obj;
3985
3986 BEGIN_CASE(JSOP_INCPROP)
3987 BEGIN_CASE(JSOP_DECPROP)
3988 BEGIN_CASE(JSOP_PROPINC)
3989 BEGIN_CASE(JSOP_PROPDEC)
3990 LOAD_ATOM(0);
3991 id = ATOM_TO_JSID(atom);
3992 i = -1;
3993
3994 fetch_incop_obj:
3995 FETCH_OBJECT(cx, i, lval, obj);
3996 if (id == 0)
3997 FETCH_ELEMENT_ID(obj, -1, id);
3998 goto do_incop;
3999
4000 BEGIN_CASE(JSOP_INCNAME)
4001 BEGIN_CASE(JSOP_DECNAME)
4002 BEGIN_CASE(JSOP_NAMEINC)
4003 BEGIN_CASE(JSOP_NAMEDEC)
4004 {
4005 JSPropCacheEntry *entry;
4006
4007 obj = fp->scopeChain;
4008 if (JS_LIKELY(OBJ_IS_NATIVE(obj))) {
4009 PROPERTY_CACHE_TEST(cx, regs.pc, obj, obj2, entry, atom);
4010 if (!atom) {
4011 ASSERT_VALID_PROPERTY_CACHE_HIT(0, obj, obj2, entry);
4012 if (obj == obj2 && PCVAL_IS_SLOT(entry->vword)) {
4013 slot = PCVAL_TO_SLOT(entry->vword);
4014 JS_ASSERT(slot < obj->map->freeslot);
4015 rval = LOCKED_OBJ_GET_SLOT(obj, slot);
4016 if (JS_LIKELY(CAN_DO_FAST_INC_DEC(rval))) {
4017 rtmp = rval;
4018 rval += (js_CodeSpec[op].format & JOF_INC) ? 2 : -2;
4019 if (!(js_CodeSpec[op].format & JOF_POST))
4020 rtmp = rval;
4021 LOCKED_OBJ_SET_SLOT(obj, slot, rval);
4022 JS_UNLOCK_OBJ(cx, obj);
4023 PUSH_OPND(rtmp);
4024 len = JSOP_INCNAME_LENGTH;
4025 DO_NEXT_OP(len);
4026 }
4027 }
4028 JS_UNLOCK_OBJ(cx, obj2);
4029 LOAD_ATOM(0);
4030 }
4031 } else {
4032 entry = NULL;
4033 LOAD_ATOM(0);
4034 }
4035 id = ATOM_TO_JSID(atom);
4036 if (js_FindPropertyHelper(cx, id, &obj, &obj2, &prop, &entry) < 0)
4037 goto error;
4038 if (!prop)
4039 goto atom_not_defined;
4040 OBJ_DROP_PROPERTY(cx, obj2, prop);
4041 }
4042
4043 do_incop:
4044 {
4045 const JSCodeSpec *cs;
4046 jsval v;
4047
4048 /*
4049 * We need a root to store the value to leave on the stack until
4050 * we have done with OBJ_SET_PROPERTY.
4051 */
4052 PUSH_OPND(JSVAL_NULL);
4053 if (!OBJ_GET_PROPERTY(cx, obj, id, &regs.sp[-1]))
4054 goto error;
4055
4056 cs = &js_CodeSpec[op];
4057 JS_ASSERT(cs->ndefs == 1);
4058 JS_ASSERT((cs->format & JOF_TMPSLOT_MASK) == JOF_TMPSLOT2);
4059 v = regs.sp[-1];
4060 if (JS_LIKELY(CAN_DO_FAST_INC_DEC(v))) {
4061 jsval incr;
4062
4063 incr = (cs->format & JOF_INC) ? 2 : -2;
4064 if (cs->format & JOF_POST) {
4065 regs.sp[-1] = v + incr;
4066 } else {
4067 v += incr;
4068 regs.sp[-1] = v;
4069 }
4070 fp->flags |= JSFRAME_ASSIGNING;
4071 ok = OBJ_SET_PROPERTY(cx, obj, id, &regs.sp[-1]);
4072 fp->flags &= ~JSFRAME_ASSIGNING;
4073 if (!ok)
4074 goto error;
4075
4076 /*
4077 * We must set regs.sp[-1] to v for both post and pre increments
4078 * as the setter overwrites regs.sp[-1].
4079 */
4080 regs.sp[-1] = v;
4081 } else {
4082 /* We need an extra root for the result. */
4083 PUSH_OPND(JSVAL_NULL);
4084 if (!js_DoIncDec(cx, cs, &regs.sp[-2], &regs.sp[-1]))
4085 goto error;
4086 fp->flags |= JSFRAME_ASSIGNING;
4087 ok = OBJ_SET_PROPERTY(cx, obj, id, &regs.sp[-1]);
4088 fp->flags &= ~JSFRAME_ASSIGNING;
4089 if (!ok)
4090 goto error;
4091 regs.sp--;
4092 }
4093
4094 if (cs->nuses == 0) {
4095 /* regs.sp[-1] already contains the result of name increment. */
4096 } else {
4097 rtmp = regs.sp[-1];
4098 regs.sp -= cs->nuses;
4099 regs.sp[-1] = rtmp;
4100 }
4101 len = cs->length;
4102 DO_NEXT_OP(len);
4103 }
4104
4105 {
4106 jsval incr, incr2;
4107
4108 /* Position cases so the most frequent i++ does not need a jump. */
4109 BEGIN_CASE(JSOP_DECARG)
4110 incr = -2; incr2 = -2; goto do_arg_incop;
4111 BEGIN_CASE(JSOP_ARGDEC)
4112 incr = -2; incr2 = 0; goto do_arg_incop;
4113 BEGIN_CASE(JSOP_INCARG)
4114 incr = 2; incr2 = 2; goto do_arg_incop;
4115 BEGIN_CASE(JSOP_ARGINC)
4116 incr = 2; incr2 = 0;
4117
4118 do_arg_incop:
4119 slot = GET_ARGNO(regs.pc);
4120 JS_ASSERT(slot < fp->fun->nargs);
4121 METER_SLOT_OP(op, slot);
4122 vp = fp->argv + slot;
4123 goto do_int_fast_incop;
4124
4125 BEGIN_CASE(JSOP_DECLOCAL)
4126 incr = -2; incr2 = -2; goto do_local_incop;
4127 BEGIN_CASE(JSOP_LOCALDEC)
4128 incr = -2; incr2 = 0; goto do_local_incop;
4129 BEGIN_CASE(JSOP_INCLOCAL)
4130 incr = 2; incr2 = 2; goto do_local_incop;
4131 BEGIN_CASE(JSOP_LOCALINC)
4132 incr = 2; incr2 = 0;
4133
4134 /*
4135 * do_local_incop comes right before do_int_fast_incop as we want to
4136 * avoid an extra jump for variable cases as local++ is more frequent
4137 * than arg++.
4138 */
4139 do_local_incop:
4140 slot = GET_SLOTNO(regs.pc);
4141 JS_ASSERT(slot < fp->script->nslots);
4142 vp = fp->slots + slot;
4143 METER_SLOT_OP(op, slot);
4144 vp = fp->slots + slot;
4145
4146 do_int_fast_incop:
4147 rval = *vp;
4148 if (JS_LIKELY(CAN_DO_FAST_INC_DEC(rval))) {
4149 *vp = rval + incr;
4150 JS_ASSERT(JSOP_INCARG_LENGTH == js_CodeSpec[op].length);
4151 SKIP_POP_AFTER_SET(JSOP_INCARG_LENGTH, 0);
4152 PUSH_OPND(rval + incr2);
4153 } else {
4154 PUSH_OPND(rval);
4155 if (!js_DoIncDec(cx, &js_CodeSpec[op], &regs.sp[-1], vp))
4156 goto error;
4157 }
4158 len = JSOP_INCARG_LENGTH;
4159 JS_ASSERT(len == js_CodeSpec[op].length);
4160 DO_NEXT_OP(len);
4161 }
4162
4163 /* NB: This macro doesn't use JS_BEGIN_MACRO/JS_END_MACRO around its body. */
4164 #define FAST_GLOBAL_INCREMENT_OP(SLOWOP,INCR,INCR2) \
4165 op2 = SLOWOP; \
4166 incr = INCR; \
4167 incr2 = INCR2; \
4168 goto do_global_incop
4169
4170 {
4171 jsval incr, incr2;
4172
4173 BEGIN_CASE(JSOP_DECGVAR)
4174 FAST_GLOBAL_INCREMENT_OP(JSOP_DECNAME, -2, -2);
4175 BEGIN_CASE(JSOP_GVARDEC)
4176 FAST_GLOBAL_INCREMENT_OP(JSOP_NAMEDEC, -2, 0);
4177 BEGIN_CASE(JSOP_INCGVAR)
4178 FAST_GLOBAL_INCREMENT_OP(JSOP_INCNAME, 2, 2);
4179 BEGIN_CASE(JSOP_GVARINC)
4180 FAST_GLOBAL_INCREMENT_OP(JSOP_NAMEINC, 2, 0);
4181
4182 #undef FAST_GLOBAL_INCREMENT_OP
4183
4184 do_global_incop:
4185 JS_ASSERT((js_CodeSpec[op].format & JOF_TMPSLOT_MASK) ==
4186 JOF_TMPSLOT2);
4187 slot = GET_SLOTNO(regs.pc);
4188 JS_ASSERT(slot < GlobalVarCount(fp));
4189 METER_SLOT_OP(op, slot);
4190 lval = fp->slots[slot];
4191 if (JSVAL_IS_NULL(lval)) {
4192 op = op2;
4193 DO_OP();
4194 }
4195 slot = JSVAL_TO_INT(lval);
4196 rval = OBJ_GET_SLOT(cx, fp->varobj, slot);
4197 if (JS_LIKELY(CAN_DO_FAST_INC_DEC(rval))) {
4198 PUSH_OPND(rval + incr2);
4199 rval += incr;
4200 } else {
4201 PUSH_OPND(rval);
4202 PUSH_OPND(JSVAL_NULL); /* Extra root */
4203 if (!js_DoIncDec(cx, &js_CodeSpec[op], &regs.sp[-2], &regs.sp[-1]))
4204 goto error;
4205 rval = regs.sp[-1];
4206 --regs.sp;
4207 }
4208 OBJ_SET_SLOT(cx, fp->varobj, slot, rval);
4209 len = JSOP_INCGVAR_LENGTH; /* all gvar incops are same length */
4210 JS_ASSERT(len == js_CodeSpec[op].length);
4211 DO_NEXT_OP(len);
4212 }
4213
4214 #define COMPUTE_THIS(cx, fp, obj) \
4215 JS_BEGIN_MACRO \
4216 if (fp->flags & JSFRAME_COMPUTED_THIS) { \
4217 obj = fp->thisp; \
4218 } else { \
4219 obj = js_ComputeThis(cx, JS_TRUE, fp->argv); \
4220 if (!obj) \
4221 goto error; \
4222 fp->thisp = obj; \
4223 fp->flags |= JSFRAME_COMPUTED_THIS; \
4224 } \
4225 JS_END_MACRO
4226
4227 BEGIN_CASE(JSOP_THIS)
4228 COMPUTE_THIS(cx, fp, obj);
4229 PUSH_OPND(OBJECT_TO_JSVAL(obj));
4230 END_CASE(JSOP_THIS)
4231
4232 BEGIN_CASE(JSOP_GETTHISPROP)
4233 i = 0;
4234 COMPUTE_THIS(cx, fp, obj);
4235 PUSH(JSVAL_NULL);
4236 goto do_getprop_with_obj;
4237
4238 #undef COMPUTE_THIS
4239
4240 BEGIN_CASE(JSOP_GETARGPROP)
4241 i = ARGNO_LEN;
4242 slot = GET_ARGNO(regs.pc);
4243 JS_ASSERT(slot < fp->fun->nargs);
4244 PUSH_OPND(fp->argv[slot]);
4245 goto do_getprop_body;
4246
4247 BEGIN_CASE(JSOP_GETLOCALPROP)
4248 i = SLOTNO_LEN;
4249 slot = GET_SLOTNO(regs.pc);
4250 JS_ASSERT(slot < script->nslots);
4251 PUSH_OPND(fp->slots[slot]);
4252 goto do_getprop_body;
4253
4254 BEGIN_CASE(JSOP_GETPROP)
4255 BEGIN_CASE(JSOP_GETXPROP)
4256 i = 0;
4257
4258 do_getprop_body:
4259 lval = FETCH_OPND(-1);
4260
4261 do_getprop_with_lval:
4262 VALUE_TO_OBJECT(cx, -1, lval, obj);
4263
4264 do_getprop_with_obj:
4265 do {
4266 JSObject *aobj;
4267 JSPropCacheEntry *entry;
4268
4269 aobj = OBJ_IS_DENSE_ARRAY(cx, obj) ? OBJ_GET_PROTO(cx, obj) : obj;
4270 if (JS_LIKELY(aobj->map->ops->getProperty == js_GetProperty)) {
4271 PROPERTY_CACHE_TEST(cx, regs.pc, aobj, obj2, entry, atom);
4272 if (!atom) {
4273 ASSERT_VALID_PROPERTY_CACHE_HIT(i, aobj, obj2, entry);
4274 if (PCVAL_IS_OBJECT(entry->vword)) {
4275 rval = PCVAL_OBJECT_TO_JSVAL(entry->vword);
4276 } else if (PCVAL_IS_SLOT(entry->vword)) {
4277 slot = PCVAL_TO_SLOT(entry->vword);
4278 JS_ASSERT(slot < obj2->map->freeslot);
4279 rval = LOCKED_OBJ_GET_SLOT(obj2, slot);
4280 } else {
4281 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
4282 sprop = PCVAL_TO_SPROP(entry->vword);
4283 NATIVE_GET(cx, obj, obj2, sprop, &rval);
4284 }
4285 JS_UNLOCK_OBJ(cx, obj2);
4286 break;
4287 }
4288 } else {
4289 entry = NULL;
4290 if (i < 0)
4291 atom = rt->atomState.lengthAtom;
4292 else
4293 LOAD_ATOM(i);
4294 }
4295 id = ATOM_TO_JSID(atom);
4296 if (entry
4297 ? !js_GetPropertyHelper(cx, aobj, id, &rval, &entry)
4298 : !OBJ_GET_PROPERTY(cx, obj, id, &rval)) {
4299 goto error;
4300 }
4301 } while (0);
4302
4303 STORE_OPND(-1, rval);
4304 JS_ASSERT(JSOP_GETPROP_LENGTH + i == js_CodeSpec[op].length);
4305 len = JSOP_GETPROP_LENGTH + i;
4306 END_VARLEN_CASE
4307
4308 BEGIN_CASE(JSOP_LENGTH)
4309 lval = FETCH_OPND(-1);
4310 if (JSVAL_IS_STRING(lval)) {
4311 str = JSVAL_TO_STRING(lval);
4312 regs.sp[-1] = INT_TO_JSVAL(JSSTRING_LENGTH(str));
4313 } else if (!JSVAL_IS_PRIMITIVE(lval) &&
4314 (obj = JSVAL_TO_OBJECT(lval), OBJ_IS_ARRAY(cx, obj))) {
4315 jsuint length;
4316
4317 /*
4318 * We know that the array is created with only its 'length'
4319 * private data in a fixed slot at JSSLOT_ARRAY_LENGTH. See
4320 * also JSOP_ARRAYPUSH, far below.
4321 */
4322 length = obj->fslots[JSSLOT_ARRAY_LENGTH];
4323 if (length <= JSVAL_INT_MAX) {
4324 regs.sp[-1] = INT_TO_JSVAL(length);
4325 } else if (!js_NewDoubleInRootedValue(cx, (jsdouble) length,
4326 &regs.sp[-1])) {
4327 goto error;
4328 }
4329 } else {
4330 i = -2;
4331 goto do_getprop_with_lval;
4332 }
4333 END_CASE(JSOP_LENGTH)
4334
4335 BEGIN_CASE(JSOP_CALLPROP)
4336 {
4337 JSObject *aobj;
4338 JSPropCacheEntry *entry;
4339
4340 lval = FETCH_OPND(-1);
4341 if (!JSVAL_IS_PRIMITIVE(lval)) {
4342 obj = JSVAL_TO_OBJECT(lval);
4343 } else {
4344 if (JSVAL_IS_STRING(lval)) {
4345 i = JSProto_String;
4346 } else if (JSVAL_IS_NUMBER(lval)) {
4347 i = JSProto_Number;
4348 } else if (JSVAL_IS_BOOLEAN(lval)) {
4349 i = JSProto_Boolean;
4350 } else {
4351 JS_ASSERT(JSVAL_IS_NULL(lval) || JSVAL_IS_VOID(lval));
4352 js_ReportIsNullOrUndefined(cx, -1, lval, NULL);
4353 goto error;
4354 }
4355
4356 if (!js_GetClassPrototype(cx, NULL, INT_TO_JSID(i), &obj))
4357 goto error;
4358 }
4359
4360 aobj = OBJ_IS_DENSE_ARRAY(cx, obj) ? OBJ_GET_PROTO(cx, obj) : obj;
4361 if (JS_LIKELY(aobj->map->ops->getProperty == js_GetProperty)) {
4362 PROPERTY_CACHE_TEST(cx, regs.pc, aobj, obj2, entry, atom);
4363 if (!atom) {
4364 ASSERT_VALID_PROPERTY_CACHE_HIT(0, aobj, obj2, entry);
4365 if (PCVAL_IS_OBJECT(entry->vword)) {
4366 rval = PCVAL_OBJECT_TO_JSVAL(entry->vword);
4367 } else if (PCVAL_IS_SLOT(entry->vword)) {
4368 slot = PCVAL_TO_SLOT(entry->vword);
4369 JS_ASSERT(slot < obj2->map->freeslot);
4370 rval = LOCKED_OBJ_GET_SLOT(obj2, slot);
4371 } else {
4372 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
4373 sprop = PCVAL_TO_SPROP(entry->vword);
4374 NATIVE_GET(cx, obj, obj2, sprop, &rval);
4375 }
4376 JS_UNLOCK_OBJ(cx, obj2);
4377 STORE_OPND(-1, rval);
4378 PUSH_OPND(lval);
4379 goto end_callprop;
4380 }
4381 } else {
4382 entry = NULL;
4383 LOAD_ATOM(0);
4384 }
4385
4386 /*
4387 * Cache miss: use the immediate atom that was loaded for us under
4388 * PROPERTY_CACHE_TEST.
4389 */
4390 id = ATOM_TO_JSID(atom);
4391 PUSH(JSVAL_NULL);
4392 if (!JSVAL_IS_PRIMITIVE(lval)) {
4393 #if JS_HAS_XML_SUPPORT
4394 /* Special-case XML object method lookup, per ECMA-357. */
4395 if (OBJECT_IS_XML(cx, obj)) {
4396 JSXMLObjectOps *ops;
4397
4398 ops = (JSXMLObjectOps *) obj->map->ops;
4399 obj = ops->getMethod(cx, obj, id, &rval);
4400 if (!obj)
4401 goto error;
4402 } else
4403 #endif
4404 if (entry
4405 ? !js_GetPropertyHelper(cx, aobj, id, &rval, &entry)
4406 : !OBJ_GET_PROPERTY(cx, obj, id, &rval)) {
4407 goto error;
4408 }
4409 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
4410 STORE_OPND(-2, rval);
4411 } else {
4412 JS_ASSERT(obj->map->ops->getProperty == js_GetProperty);
4413 if (!js_GetPropertyHelper(cx, obj, id, &rval, &entry))
4414 goto error;
4415 STORE_OPND(-1, lval);
4416 STORE_OPND(-2, rval);
4417 }
4418
4419 end_callprop:
4420 /* Wrap primitive lval in object clothing if necessary. */
4421 if (JSVAL_IS_PRIMITIVE(lval)) {
4422 /* FIXME: https://bugzilla.mozilla.org/show_bug.cgi?id=412571 */
4423 if (!VALUE_IS_FUNCTION(cx, rval) ||
4424 (obj = JSVAL_TO_OBJECT(rval),
4425 fun = GET_FUNCTION_PRIVATE(cx, obj),
4426 !PRIMITIVE_THIS_TEST(fun, lval))) {
4427 if (!js_PrimitiveToObject(cx, &regs.sp[-1]))
4428 goto error;
4429 }
4430 }
4431 #if JS_HAS_NO_SUCH_METHOD
4432 if (JS_UNLIKELY(JSVAL_IS_VOID(rval))) {
4433 LOAD_ATOM(0);
4434 regs.sp[-2] = ATOM_KEY(atom);
4435 if (!js_OnUnknownMethod(cx, regs.sp - 2))
4436 goto error;
4437 }
4438 #endif
4439 }
4440 END_CASE(JSOP_CALLPROP)
4441
4442 BEGIN_CASE(JSOP_SETNAME)
4443 BEGIN_CASE(JSOP_SETPROP)
4444 rval = FETCH_OPND(-1);
4445 lval = FETCH_OPND(-2);
4446 JS_ASSERT(!JSVAL_IS_PRIMITIVE(lval) || op == JSOP_SETPROP);
4447 VALUE_TO_OBJECT(cx, -2, lval, obj);
4448
4449 do {
4450 JSPropCacheEntry *entry;
4451
4452 entry = NULL;
4453 atom = NULL;
4454 if (JS_LIKELY(obj->map->ops->setProperty == js_SetProperty)) {
4455 JSPropertyCache *cache = &JS_PROPERTY_CACHE(cx);
4456 uint32 kshape = OBJ_SHAPE(obj);
4457
4458 /*
4459 * Open-code JS_PROPERTY_CACHE_TEST, specializing for two
4460 * important set-property cases. First:
4461 *
4462 * function f(a, b, c) {
4463 * var o = {p:a, q:b, r:c};
4464 * return o;
4465 * }
4466 *
4467 * or similar real-world cases, which evolve a newborn
4468 * native object predicatably through some bounded number
4469 * of property additions. And second:
4470 *
4471 * o.p = x;
4472 *
4473 * in a frequently executed method or loop body, where p
4474 * will (possibly after the first iteration) always exist
4475 * in native object o.
4476 */
4477 entry = &cache->table[PROPERTY_CACHE_HASH_PC(regs.pc, kshape)];
4478 PCMETER(cache->tests++);
4479 PCMETER(cache->settests++);
4480 if (entry->kpc == regs.pc && entry->kshape == kshape) {
4481 JSScope *scope;
4482
4483 JS_LOCK_OBJ(cx, obj);
4484 scope = OBJ_SCOPE(obj);
4485 if (scope->shape == kshape) {
4486 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
4487 sprop = PCVAL_TO_SPROP(entry->vword);
4488 JS_ASSERT(!(sprop->attrs & JSPROP_READONLY));
4489 JS_ASSERT(!SCOPE_IS_SEALED(OBJ_SCOPE(obj)));
4490
4491 if (scope->object == obj) {
4492 /*
4493 * Fastest path: the cached sprop is already
4494 * in scope. Just NATIVE_SET and break to get
4495 * out of the do-while(0).
4496 */
4497 if (sprop == scope->lastProp ||
4498 SCOPE_HAS_PROPERTY(scope, sprop)) {
4499 PCMETER(cache->pchits++);
4500 PCMETER(cache->setpchits++);
4501 NATIVE_SET(cx, obj, sprop, &rval);
4502 JS_UNLOCK_SCOPE(cx, scope);
4503 TRACE_2(SetPropHit, entry, sprop);
4504 break;
4505 }
4506 } else {
4507 scope = js_GetMutableScope(cx, obj);
4508 if (!scope) {
4509 JS_UNLOCK_OBJ(cx, obj);
4510 goto error;
4511 }
4512 }
4513
4514 if (sprop->parent == scope->lastProp &&
4515 !SCOPE_HAD_MIDDLE_DELETE(scope) &&
4516 SPROP_HAS_STUB_SETTER(sprop) &&
4517 (slot = sprop->slot) == scope->map.freeslot) {
4518 /*
4519 * Fast path: adding a plain old property that
4520 * was once at the frontier of the property
4521 * tree, whose slot is next to claim among the
4522 * allocated slots in obj, where scope->table
4523 * has not been created yet.
4524 *
4525 * We may want to remove hazard conditions
4526 * above and inline compensation code here,
4527 * depending on real-world workloads.
4528 */
4529 JS_ASSERT(!(LOCKED_OBJ_GET_CLASS(obj)->flags &
4530 JSCLASS_SHARE_ALL_PROPERTIES));
4531
4532 PCMETER(cache->pchits++);
4533 PCMETER(cache->addpchits++);
4534
4535 /*
4536 * Beware classes such as Function that use
4537 * the reserveSlots hook to allocate a number
4538 * of reserved slots that may vary with obj.
4539 */
4540 if (slot < STOBJ_NSLOTS(obj) &&
4541 !OBJ_GET_CLASS(cx, obj)->reserveSlots) {
4542 ++scope->map.freeslot;
4543 } else {
4544 if (!js_AllocSlot(cx, obj, &slot)) {
4545 JS_UNLOCK_SCOPE(cx, scope);
4546 goto error;
4547 }
4548 }
4549
4550 /*
4551 * If this obj's number of reserved slots
4552 * differed, or if something created a hash
4553 * table for scope, we must pay the price of
4554 * js_AddScopeProperty.
4555 *
4556 * If slot does not match the cached sprop's
4557 * slot, update the cache entry in the hope
4558 * that obj and other instances with the same
4559 * number of reserved slots are now "hot".
4560 */
4561 if (slot != sprop->slot || scope->table) {
4562 JSScopeProperty *sprop2 =
4563 js_AddScopeProperty(cx, scope,
4564 sprop->id,
4565 sprop->getter,
4566 sprop->setter,
4567 slot,
4568 sprop->attrs,
4569 sprop->flags,
4570 sprop->shortid);
4571 if (!sprop2) {
4572 js_FreeSlot(cx, obj, slot);
4573 JS_UNLOCK_SCOPE(cx, scope);
4574 goto error;
4575 }
4576 if (sprop2 != sprop) {
4577 PCMETER(cache->slotchanges++);
4578 JS_ASSERT(slot != sprop->slot &&
4579 slot == sprop2->slot &&
4580 sprop2->id == sprop->id);
4581 entry->vword = SPROP_TO_PCVAL(sprop2);
4582 }
4583 sprop = sprop2;
4584 } else {
4585 SCOPE_EXTEND_SHAPE(cx, scope, sprop);
4586 ++scope->entryCount;
4587 scope->lastProp = sprop;
4588 }
4589
4590 GC_WRITE_BARRIER(cx, scope,
4591 LOCKED_OBJ_GET_SLOT(obj, slot),
4592 rval);
4593 LOCKED_OBJ_SET_SLOT(obj, slot, rval);
4594 JS_UNLOCK_SCOPE(cx, scope);
4595 TRACE_2(SetPropHit, entry, sprop);
4596 break;
4597 }
4598
4599 PCMETER(cache->setpcmisses++);
4600 atom = NULL;
4601 }
4602
4603 JS_UNLOCK_OBJ(cx, obj);
4604 }
4605
4606 atom = js_FullTestPropertyCache(cx, regs.pc, &obj, &obj2,
4607 &entry);
4608 if (atom) {
4609 PCMETER(cache->misses++);
4610 PCMETER(cache->setmisses++);
4611 } else {
4612 ASSERT_VALID_PROPERTY_CACHE_HIT(0, obj, obj2, entry);
4613 sprop = NULL;
4614 if (obj == obj2) {
4615 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
4616 sprop = PCVAL_TO_SPROP(entry->vword);
4617 JS_ASSERT(!(sprop->attrs & JSPROP_READONLY));
4618 JS_ASSERT(!SCOPE_IS_SEALED(OBJ_SCOPE(obj2)));
4619 NATIVE_SET(cx, obj, sprop, &rval);
4620 }
4621 JS_UNLOCK_OBJ(cx, obj2);
4622 if (sprop) {
4623 TRACE_2(SetPropHit, entry, sprop);
4624 break;
4625 }
4626 }
4627 }
4628
4629 if (!atom)
4630 LOAD_ATOM(0);
4631 id = ATOM_TO_JSID(atom);
4632 if (entry) {
4633 if (!js_SetPropertyHelper(cx, obj, id, &rval, &entry))
4634 goto error;
4635 #ifdef JS_TRACER
4636 if (entry)
4637 TRACE_1(SetPropMiss, entry);
4638 #endif
4639 } else {
4640 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
4641 goto error;
4642 }
4643 #ifdef JS_TRACER
4644 if (!entry && TRACE_RECORDER(cx)) {
4645 js_AbortRecording(cx, "SetPropUncached");
4646 ENABLE_TRACER(0);
4647 }
4648 #endif
4649 } while (0);
4650 END_SET_CASE_STORE_RVAL(JSOP_SETPROP, 2);
4651
4652 BEGIN_CASE(JSOP_GETELEM)
4653 /* Open-coded ELEMENT_OP optimized for strings and dense arrays. */
4654 lval = FETCH_OPND(-2);
4655 rval = FETCH_OPND(-1);
4656 if (JSVAL_IS_STRING(lval) && JSVAL_IS_INT(rval)) {
4657 str = JSVAL_TO_STRING(lval);
4658 i = JSVAL_TO_INT(rval);
4659 if ((size_t)i < JSSTRING_LENGTH(str)) {
4660 str = js_GetUnitString(cx, str, (size_t)i);
4661 if (!str)
4662 goto error;
4663 rval = STRING_TO_JSVAL(str);
4664 goto end_getelem;
4665 }
4666 }
4667
4668 VALUE_TO_OBJECT(cx, -2, lval, obj);
4669 if (JSVAL_IS_INT(rval)) {
4670 if (OBJ_IS_DENSE_ARRAY(cx, obj)) {
4671 jsuint length;
4672
4673 length = ARRAY_DENSE_LENGTH(obj);
4674 i = JSVAL_TO_INT(rval);
4675 if ((jsuint)i < length &&
4676 i < obj->fslots[JSSLOT_ARRAY_LENGTH]) {
4677 rval = obj->dslots[i];
4678 if (rval != JSVAL_HOLE)
4679 goto end_getelem;
4680
4681 /* Reload rval from the stack in the rare hole case. */
4682 rval = FETCH_OPND(-1);
4683 }
4684 }
4685 id = INT_JSVAL_TO_JSID(rval);
4686 } else {
4687 if (!js_InternNonIntElementId(cx, obj, rval, &id))
4688 goto error;
4689 }
4690
4691 if (!OBJ_GET_PROPERTY(cx, obj, id, &rval))
4692 goto error;
4693 end_getelem:
4694 regs.sp--;
4695 STORE_OPND(-1, rval);
4696 END_CASE(JSOP_GETELEM)
4697
4698 BEGIN_CASE(JSOP_CALLELEM)
4699 /*
4700 * FIXME: JSOP_CALLELEM should call getMethod on XML objects as
4701 * CALLPROP does. See bug 362910.
4702 */
4703 ELEMENT_OP(-1, OBJ_GET_PROPERTY(cx, obj, id, &rval));
4704 #if JS_HAS_NO_SUCH_METHOD
4705 if (JS_UNLIKELY(JSVAL_IS_VOID(rval))) {
4706 regs.sp[-2] = regs.sp[-1];
4707 regs.sp[-1] = OBJECT_TO_JSVAL(obj);
4708 if (!js_OnUnknownMethod(cx, regs.sp - 2))
4709 goto error;
4710 } else
4711 #endif
4712 {
4713 STORE_OPND(-2, rval);
4714 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
4715 }
4716 END_CASE(JSOP_CALLELEM)
4717
4718 BEGIN_CASE(JSOP_SETELEM)
4719 rval = FETCH_OPND(-1);
4720 FETCH_OBJECT(cx, -3, lval, obj);
4721 FETCH_ELEMENT_ID(obj, -2, id);
4722 do {
4723 if (OBJ_IS_DENSE_ARRAY(cx, obj) && JSID_IS_INT(id)) {
4724 jsuint length;
4725
4726 length = ARRAY_DENSE_LENGTH(obj);
4727 i = JSID_TO_INT(id);
4728 if ((jsuint)i < length) {
4729 if (obj->dslots[i] == JSVAL_HOLE) {
4730 if (rt->anyArrayProtoHasElement)
4731 break;
4732 if (i >= obj->fslots[JSSLOT_ARRAY_LENGTH])
4733 obj->fslots[JSSLOT_ARRAY_LENGTH] = i + 1;
4734 obj->fslots[JSSLOT_ARRAY_COUNT]++;
4735 }
4736 obj->dslots[i] = rval;
4737 goto end_setelem;
4738 }
4739 }
4740 } while (0);
4741 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
4742 goto error;
4743 end_setelem:
4744 END_SET_CASE_STORE_RVAL(JSOP_SETELEM, 3)
4745
4746 BEGIN_CASE(JSOP_ENUMELEM)
4747 /* Funky: the value to set is under the [obj, id] pair. */
4748 rval = FETCH_OPND(-3);
4749 FETCH_OBJECT(cx, -2, lval, obj);
4750 FETCH_ELEMENT_ID(obj, -1, id);
4751 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
4752 goto error;
4753 regs.sp -= 3;
4754 END_CASE(JSOP_ENUMELEM)
4755
4756 BEGIN_CASE(JSOP_NEW)
4757 /* Get immediate argc and find the constructor function. */
4758 argc = GET_ARGC(regs.pc);
4759 vp = regs.sp - (2 + argc);
4760 JS_ASSERT(vp >= StackBase(fp));
4761
4762 /*
4763 * Assign lval, obj, and fun exactly as the code at inline_call:
4764 * expects to find them, to avoid nesting a js_Interpret call via
4765 * js_InvokeConstructor.
4766 */
4767 lval = *vp;
4768 if (VALUE_IS_FUNCTION(cx, lval)) {
4769 obj = JSVAL_TO_OBJECT(lval);
4770 fun = GET_FUNCTION_PRIVATE(cx, obj);
4771 if (FUN_INTERPRETED(fun)) {
4772 /* Root as we go using vp[1]. */
4773 if (!OBJ_GET_PROPERTY(cx, obj,
4774 ATOM_TO_JSID(cx->runtime->atomState
4775 .classPrototypeAtom),
4776 &vp[1])) {
4777 goto error;
4778 }
4779 rval = vp[1];
4780 obj2 = js_NewObject(cx, &js_ObjectClass,
4781 JSVAL_IS_OBJECT(rval)
4782 ? JSVAL_TO_OBJECT(rval)
4783 : NULL,
4784 OBJ_GET_PARENT(cx, obj),
4785 0);
4786 if (!obj2)
4787 goto error;
4788 vp[1] = OBJECT_TO_JSVAL(obj2);
4789 flags = JSFRAME_CONSTRUCTING;
4790 goto inline_call;
4791 }
4792 }
4793
4794 if (!js_InvokeConstructor(cx, argc, JS_FALSE, vp))
4795 goto error;
4796 regs.sp = vp + 1;
4797 LOAD_INTERRUPT_HANDLER(cx);
4798 END_CASE(JSOP_NEW)
4799
4800 BEGIN_CASE(JSOP_APPLY)
4801 {
4802 argc = GET_ARGC(regs.pc);
4803 vp = regs.sp - (argc + 2);
4804 lval = *vp;
4805 if (!VALUE_IS_FUNCTION(cx, lval))
4806 goto do_call;
4807 obj = JSVAL_TO_OBJECT(lval);
4808 fun = GET_FUNCTION_PRIVATE(cx, obj);
4809 if (FUN_INTERPRETED(fun))
4810 goto do_call;
4811
4812 bool apply = (JSFastNative)fun->u.n.native == js_fun_apply;
4813 if (!apply && (JSFastNative)fun->u.n.native != js_fun_call)
4814 goto do_call;
4815
4816 /*
4817 * If the second arg to apply is null or void, treat it as an empty
4818 * array.
4819 */
4820 jsuint applylen = 0;
4821 if (apply && argc >= 2 &&
4822 !JSVAL_IS_VOID(vp[3]) && !JSVAL_IS_NULL(vp[3])) {
4823 /*
4824 * Fall back on js_Invoke when the array argument has a wrong
4825 * type or when it has too many elements to fit into the
4826 * current stack chunk.
4827 */
4828 if (!JSVAL_IS_OBJECT(vp[3]))
4829 goto do_call;
4830
4831 JSBool arraylike;
4832 JSObject* aobj = JSVAL_TO_OBJECT(vp[3]);
4833 if (!js_IsArrayLike(cx, aobj, &arraylike, &applylen))
4834 goto error;
4835 if (!arraylike || applylen > ARGC_LIMIT)
4836 goto do_call;
4837
4838 JSArena *a = cx->stackPool.current;
4839 JS_ASSERT(jsuword(vp + 2) <= a->limit);
4840
4841 /*
4842 * We need space for applylen elements plus an extra slot to
4843 * temporary root the array object when we unpack its elements
4844 * using OBJ_GET_PROPERTY below.
4845 */
4846 if (a->limit - jsuword(vp + 2) < (applylen + 1) * sizeof(jsval))
4847 goto do_call;
4848 }
4849
4850 if (!VALUE_IS_FUNCTION(cx, vp[1]))
4851 goto do_call;
4852 vp[0] = vp[1];
4853
4854 if (argc == 0) {
4855 /*
4856 * Call fun with its global object as the 'this' param if
4857 * no args.
4858 */
4859 obj = NULL;
4860 } else {
4861 /* Convert the first arg to 'this'. */
4862 if (!JSVAL_IS_PRIMITIVE(vp[2]))
4863 obj = JSVAL_TO_OBJECT(vp[2]);
4864 else if (!js_ValueToObject(cx, vp[2], &obj))
4865 goto error;
4866 }
4867 vp[1] = OBJECT_TO_JSVAL(obj);
4868
4869 if (!apply) {
4870 if (argc != 0) {
4871 --argc;
4872 memmove(vp + 2, vp + 3, argc * sizeof *vp);
4873 }
4874 } else if (applylen == 0) {
4875 argc = 0;
4876 } else {
4877 /*
4878 * Make room for missing arguments to the right including the
4879 * temporary root nulling any extra stack slots for GC safety.
4880 */
4881 jsval* newsp = vp + 2 + applylen + 1;
4882 if (newsp > regs.sp) {
4883 JSArena *a = cx->stackPool.current;
4884 JS_ASSERT(jsuword(newsp) <= a->limit); /* see above */
4885 if ((jsuword) newsp > a->avail)
4886 a->avail = (jsuword) newsp;
4887 memset(vp + 2 + argc, 0, (applylen - argc) * sizeof(jsval));
4888 }
4889
4890 JSObject *aobj = JSVAL_TO_OBJECT(vp[3]);
4891 newsp[-1] = vp[3];
4892 regs.sp = newsp;
4893
4894 /* Expand array content onto the stack. */
4895 for (i = 0; i < jsint(applylen); i++) {
4896 id = INT_TO_JSID(i);
4897 if (!OBJ_GET_PROPERTY(cx, aobj, id, &vp[2 + i])) {
4898 /*
4899 * There is no good way to restore the original stack
4900 * state here, but it is in a reasonable state with
4901 * either original elements or nulls for all arguments
4902 * we didn't unpack yet, so we leave it at that.
4903 */
4904 goto error;
4905 }
4906 }
4907 argc = applylen;
4908 }
4909 regs.sp = vp + 2 + argc;
4910 TRACE_1(ApplyComplete, argc);
4911 goto do_call_with_specified_vp_and_argc;
4912 }
4913
4914 BEGIN_CASE(JSOP_CALL)
4915 BEGIN_CASE(JSOP_EVAL)
4916 do_call:
4917 argc = GET_ARGC(regs.pc);
4918 vp = regs.sp - (argc + 2);
4919
4920 do_call_with_specified_vp_and_argc:
4921 lval = *vp;
4922 if (VALUE_IS_FUNCTION(cx, lval)) {
4923 obj = JSVAL_TO_OBJECT(lval);
4924 fun = GET_FUNCTION_PRIVATE(cx, obj);
4925
4926 /* Clear frame flags since this is not a constructor call. */
4927 flags = 0;
4928 if (FUN_INTERPRETED(fun))
4929 inline_call:
4930 {
4931 uintN nframeslots, nvars, missing;
4932 JSArena *a;
4933 jsuword nbytes;
4934 void *newmark;
4935 jsval *newsp;
4936 JSInlineFrame *newifp;
4937 JSInterpreterHook hook;
4938
4939 /* Restrict recursion of lightweight functions. */
4940 if (inlineCallCount == MAX_INLINE_CALL_COUNT) {
4941 js_ReportOverRecursed(cx);
4942 goto error;
4943 }
4944
4945 /* Compute the total number of stack slots needed by fun. */
4946 nframeslots = JS_HOWMANY(sizeof(JSInlineFrame),
4947 sizeof(jsval));
4948 script = fun->u.i.script;
4949 atoms = script->atomMap.vector;
4950 nbytes = (nframeslots + script->nslots) * sizeof(jsval);
4951
4952 /* Allocate missing expected args adjacent to actuals. */
4953 a = cx->stackPool.current;
4954 newmark = (void *) a->avail;
4955 if (fun->nargs <= argc) {
4956 missing = 0;
4957 } else {
4958 newsp = vp + 2 + fun->nargs;
4959 JS_ASSERT(newsp > regs.sp);
4960 if ((jsuword) newsp <= a->limit) {
4961 if ((jsuword) newsp > a->avail)
4962 a->avail = (jsuword) newsp;
4963 jsval *argsp = newsp;
4964 do {
4965 *--argsp = JSVAL_VOID;
4966 } while (argsp != regs.sp);
4967 missing = 0;
4968 } else {
4969 missing = fun->nargs - argc;
4970 nbytes += (2 + fun->nargs) * sizeof(jsval);
4971 }
4972 }
4973
4974 /* Allocate the inline frame with its slots and operands. */
4975 if (a->avail + nbytes <= a->limit) {
4976 newsp = (jsval *) a->avail;
4977 a->avail += nbytes;
4978 JS_ASSERT(missing == 0);
4979 } else {
4980 JS_ARENA_ALLOCATE_CAST(newsp, jsval *, &cx->stackPool,
4981 nbytes);
4982 if (!newsp) {
4983 js_ReportOutOfScriptQuota(cx);
4984 goto bad_inline_call;
4985 }
4986
4987 /*
4988 * Move args if the missing ones overflow arena a, then
4989 * push undefined for the missing args.
4990 */
4991 if (missing) {
4992 memcpy(newsp, vp, (2 + argc) * sizeof(jsval));
4993 vp = newsp;
4994 newsp = vp + 2 + argc;
4995 do {
4996 *newsp++ = JSVAL_VOID;
4997 } while (--missing != 0);
4998 }
4999 }
5000
5001 /* Claim space for the stack frame and initialize it. */
5002 newifp = (JSInlineFrame *) newsp;
5003 newsp += nframeslots;
5004 newifp->frame.callobj = NULL;
5005 newifp->frame.argsobj = NULL;
5006 newifp->frame.varobj = NULL;
5007 newifp->frame.script = script;
5008 newifp->frame.callee = obj;
5009 newifp->frame.fun = fun;
5010 newifp->frame.argc = argc;
5011 newifp->frame.argv = vp + 2;
5012 newifp->frame.rval = JSVAL_VOID;
5013 newifp->frame.down = fp;
5014 newifp->frame.annotation = NULL;
5015 newifp->frame.scopeChain = parent = OBJ_GET_PARENT(cx, obj);
5016 newifp->frame.sharpDepth = 0;
5017 newifp->frame.sharpArray = NULL;
5018 newifp->frame.flags = flags;
5019 newifp->frame.dormantNext = NULL;
5020 newifp->frame.xmlNamespace = NULL;
5021 newifp->frame.blockChain = NULL;
5022 if (script->staticDepth < JS_DISPLAY_SIZE) {
5023 JSStackFrame **disp = &cx->display[script->staticDepth];
5024 newifp->frame.displaySave = *disp;
5025 *disp = &newifp->frame;
5026 }
5027 #ifdef DEBUG
5028 newifp->frame.pcDisabledSave =
5029 JS_PROPERTY_CACHE(cx).disabled;
5030 #endif
5031 newifp->mark = newmark;
5032
5033 /* Compute the 'this' parameter now that argv is set. */
5034 JS_ASSERT(!JSFUN_BOUND_METHOD_TEST(fun->flags));
5035 JS_ASSERT(JSVAL_IS_OBJECT(vp[1]));
5036 newifp->frame.thisp = (JSObject *)vp[1];
5037
5038 newifp->frame.regs = NULL;
5039 newifp->frame.imacpc = NULL;
5040 newifp->frame.slots = newsp;
5041
5042 /* Push void to initialize local variables. */
5043 nvars = fun->u.i.nvars;
5044 while (nvars--)
5045 *newsp++ = JSVAL_VOID;
5046
5047 /* Call the debugger hook if present. */
5048 hook = cx->debugHooks->callHook;
5049 if (hook) {
5050 newifp->hookData = hook(cx, &newifp->frame, JS_TRUE, 0,
5051 cx->debugHooks->callHookData);
5052 LOAD_INTERRUPT_HANDLER(cx);
5053 } else {
5054 newifp->hookData = NULL;
5055 }
5056
5057 /* Scope with a call object parented by callee's parent. */
5058 if (JSFUN_HEAVYWEIGHT_TEST(fun->flags) &&
5059 !js_GetCallObject(cx, &newifp->frame, parent)) {
5060 goto bad_inline_call;
5061 }
5062
5063 /* Switch version if currentVersion wasn't overridden. */
5064 newifp->callerVersion = (JSVersion) cx->version;
5065 if (JS_LIKELY(cx->version == currentVersion)) {
5066 currentVersion = (JSVersion) script->version;
5067 if (currentVersion != cx->version)
5068 js_SetVersion(cx, currentVersion);
5069 }
5070
5071 /* Push the frame and set interpreter registers. */
5072 newifp->callerRegs = regs;
5073 fp->regs = &newifp->callerRegs;
5074 regs.sp = newsp;
5075 regs.pc = script->code;
5076 newifp->frame.regs = &regs;
5077 cx->fp = fp = &newifp->frame;
5078
5079 TRACE_0(EnterFrame);
5080
5081 inlineCallCount++;
5082 JS_RUNTIME_METER(rt, inlineCalls);
5083
5084 #ifdef INCLUDE_MOZILLA_DTRACE
5085 /* DTrace function entry, inlines */
5086 if (JAVASCRIPT_FUNCTION_ENTRY_ENABLED())
5087 jsdtrace_function_entry(cx, fp, fun);
5088 if (JAVASCRIPT_FUNCTION_INFO_ENABLED())
5089 jsdtrace_function_info(cx, fp, fp->down, fun);
5090 if (JAVASCRIPT_FUNCTION_ARGS_ENABLED())
5091 jsdtrace_function_args(cx, fp, fun);
5092 #endif
5093
5094 /* Load first op and dispatch it (safe since JSOP_STOP). */
5095 op = (JSOp) *regs.pc;
5096 DO_OP();
5097
5098 bad_inline_call:
5099 JS_ASSERT(fp->regs == &regs);
5100 script = fp->script;
5101 atoms = script->atomMap.vector;
5102 js_FreeRawStack(cx, newmark);
5103 goto error;
5104 }
5105
5106 #ifdef INCLUDE_MOZILLA_DTRACE
5107 /* DTrace function entry, non-inlines */
5108 if (VALUE_IS_FUNCTION(cx, lval)) {
5109 if (JAVASCRIPT_FUNCTION_ENTRY_ENABLED())
5110 jsdtrace_function_entry(cx, fp, fun);
5111 if (JAVASCRIPT_FUNCTION_INFO_ENABLED())
5112 jsdtrace_function_info(cx, fp, fp, fun);
5113 if (JAVASCRIPT_FUNCTION_ARGS_ENABLED())
5114 jsdtrace_function_args(cx, fp, fun);
5115 }
5116 #endif
5117
5118 if (fun->flags & JSFUN_FAST_NATIVE) {
5119 JS_ASSERT(fun->u.n.extra == 0);
5120 JS_ASSERT(JSVAL_IS_OBJECT(vp[1]) ||
5121 PRIMITIVE_THIS_TEST(fun, vp[1]));
5122 ok = ((JSFastNative) fun->u.n.native)(cx, argc, vp);
5123 #ifdef INCLUDE_MOZILLA_DTRACE
5124 if (VALUE_IS_FUNCTION(cx, lval)) {
5125 if (JAVASCRIPT_FUNCTION_RVAL_ENABLED())
5126 jsdtrace_function_rval(cx, fp, fun);
5127 if (JAVASCRIPT_FUNCTION_RETURN_ENABLED())
5128 jsdtrace_function_return(cx, fp, fun);
5129 }
5130 #endif
5131 regs.sp = vp + 1;
5132 if (!ok)
5133 goto error;
5134 TRACE_0(FastNativeCallComplete);
5135 goto end_call;
5136 }
5137 }
5138
5139 ok = js_Invoke(cx, argc, vp, 0);
5140 #ifdef INCLUDE_MOZILLA_DTRACE
5141 /* DTrace function return, non-inlines */
5142 if (VALUE_IS_FUNCTION(cx, lval)) {
5143 if (JAVASCRIPT_FUNCTION_RVAL_ENABLED())
5144 jsdtrace_function_rval(cx, fp, fun);
5145 if (JAVASCRIPT_FUNCTION_RETURN_ENABLED())
5146 jsdtrace_function_return(cx, fp, fun);
5147 }
5148 #endif
5149 regs.sp = vp + 1;
5150 LOAD_INTERRUPT_HANDLER(cx);
5151 if (!ok)
5152 goto error;
5153 JS_RUNTIME_METER(rt, nonInlineCalls);
5154
5155 end_call:
5156 #if JS_HAS_LVALUE_RETURN
5157 if (cx->rval2set) {
5158 /*
5159 * Use the stack depth we didn't claim in our budget, but that
5160 * we know is there on account of [fun, this] already having
5161 * been pushed, at a minimum (if no args). Those two slots
5162 * have been popped and [rval] has been pushed, which leaves
5163 * one more slot for rval2 before we might overflow.
5164 *
5165 * NB: rval2 must be the property identifier, and rval the
5166 * object from which to get the property. The pair form an
5167 * ECMA "reference type", which can be used on the right- or
5168 * left-hand side of assignment ops. Note well: only native
5169 * methods can return reference types. See JSOP_SETCALL just
5170 * below for the left-hand-side case.
5171 */
5172 PUSH_OPND(cx->rval2);
5173 ELEMENT_OP(-1, OBJ_GET_PROPERTY(cx, obj, id, &rval));
5174
5175 regs.sp--;
5176 STORE_OPND(-1, rval);
5177 cx->rval2set = JS_FALSE;
5178 }
5179 #endif /* JS_HAS_LVALUE_RETURN */
5180 END_CASE(JSOP_CALL)
5181
5182 #if JS_HAS_LVALUE_RETURN
5183 BEGIN_CASE(JSOP_SETCALL)
5184 argc = GET_ARGC(regs.pc);
5185 vp = regs.sp - argc - 2;
5186 ok = js_Invoke(cx, argc, vp, 0);
5187 regs.sp = vp + 1;
5188 LOAD_INTERRUPT_HANDLER(cx);
5189 if (!ok)
5190 goto error;
5191 if (!cx->rval2set) {
5192 op2 = (JSOp) regs.pc[JSOP_SETCALL_LENGTH];
5193 if (op2 != JSOP_DELELEM) {
5194 JS_ASSERT(!(js_CodeSpec[op2].format & JOF_DEL));
5195 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
5196 JSMSG_BAD_LEFTSIDE_OF_ASS);
5197 goto error;
5198 }
5199
5200 /*
5201 * Store true as the result of the emulated delete of a
5202 * non-existent property. NB: We don't METER_OP_PAIR here;
5203 * it doesn't seem worth the code for this obscure case.
5204 */
5205 *vp = JSVAL_TRUE;
5206 regs.pc += JSOP_SETCALL_LENGTH + JSOP_DELELEM_LENGTH;
5207 op = (JSOp) *regs.pc;
5208 DO_OP();
5209 }
5210 PUSH_OPND(cx->rval2);
5211 cx->rval2set = JS_FALSE;
5212 END_CASE(JSOP_SETCALL)
5213 #endif
5214
5215 BEGIN_CASE(JSOP_NAME)
5216 BEGIN_CASE(JSOP_CALLNAME)
5217 {
5218 JSPropCacheEntry *entry;
5219
5220 obj = fp->scopeChain;
5221 if (JS_LIKELY(OBJ_IS_NATIVE(obj))) {
5222 PROPERTY_CACHE_TEST(cx, regs.pc, obj, obj2, entry, atom);
5223 if (!atom) {
5224 ASSERT_VALID_PROPERTY_CACHE_HIT(0, obj, obj2, entry);
5225 if (PCVAL_IS_OBJECT(entry->vword)) {
5226 rval = PCVAL_OBJECT_TO_JSVAL(entry->vword);
5227 JS_UNLOCK_OBJ(cx, obj2);
5228 goto do_push_rval;
5229 }
5230
5231 if (PCVAL_IS_SLOT(entry->vword)) {
5232 slot = PCVAL_TO_SLOT(entry->vword);
5233 JS_ASSERT(slot < obj2->map->freeslot);
5234 rval = LOCKED_OBJ_GET_SLOT(obj2, slot);
5235 JS_UNLOCK_OBJ(cx, obj2);
5236 goto do_push_rval;
5237 }
5238
5239 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
5240 sprop = PCVAL_TO_SPROP(entry->vword);
5241 goto do_native_get;
5242 }
5243 } else {
5244 entry = NULL;
5245 LOAD_ATOM(0);
5246 }
5247
5248 id = ATOM_TO_JSID(atom);
5249 if (js_FindPropertyHelper(cx, id, &obj, &obj2, &prop, &entry) < 0)
5250 goto error;
5251 if (!prop) {
5252 /* Kludge to allow (typeof foo == "undefined") tests. */
5253 endpc = script->code + script->length;
5254 op2 = (JSOp) regs.pc[JSOP_NAME_LENGTH];
5255 if (op2 == JSOP_TYPEOF) {
5256 PUSH_OPND(JSVAL_VOID);
5257 len = JSOP_NAME_LENGTH;
5258 DO_NEXT_OP(len);
5259 }
5260 goto atom_not_defined;
5261 }
5262
5263 /* Take the slow path if prop was not found in a native object. */
5264 if (!OBJ_IS_NATIVE(obj) || !OBJ_IS_NATIVE(obj2)) {
5265 OBJ_DROP_PROPERTY(cx, obj2, prop);
5266 if (!OBJ_GET_PROPERTY(cx, obj, id, &rval))
5267 goto error;
5268 entry = NULL;
5269 } else {
5270 sprop = (JSScopeProperty *)prop;
5271 do_native_get:
5272 NATIVE_GET(cx, obj, obj2, sprop, &rval);
5273 OBJ_DROP_PROPERTY(cx, obj2, (JSProperty *) sprop);
5274 }
5275
5276 do_push_rval:
5277 PUSH_OPND(rval);
5278 if (op == JSOP_CALLNAME)
5279 PUSH_OPND(OBJECT_TO_JSVAL(obj));
5280 }
5281 END_CASE(JSOP_NAME)
5282
5283 BEGIN_CASE(JSOP_UINT16)
5284 i = (jsint) GET_UINT16(regs.pc);
5285 rval = INT_TO_JSVAL(i);
5286 PUSH_OPND(rval);
5287 END_CASE(JSOP_UINT16)
5288
5289 BEGIN_CASE(JSOP_UINT24)
5290 i = (jsint) GET_UINT24(regs.pc);
5291 rval = INT_TO_JSVAL(i);
5292 PUSH_OPND(rval);
5293 END_CASE(JSOP_UINT24)
5294
5295 BEGIN_CASE(JSOP_INT8)
5296 i = GET_INT8(regs.pc);
5297 rval = INT_TO_JSVAL(i);
5298 PUSH_OPND(rval);
5299 END_CASE(JSOP_INT8)
5300
5301 BEGIN_CASE(JSOP_INT32)
5302 i = GET_INT32(regs.pc);
5303 rval = INT_TO_JSVAL(i);
5304 PUSH_OPND(rval);
5305 END_CASE(JSOP_INT32)
5306
5307 BEGIN_CASE(JSOP_INDEXBASE)
5308 /*
5309 * Here atoms can exceed script->atomMap.length as we use atoms
5310 * as a segment register for object literals as well.
5311 */
5312 atoms += GET_INDEXBASE(regs.pc);
5313 END_CASE(JSOP_INDEXBASE)
5314
5315 BEGIN_CASE(JSOP_INDEXBASE1)
5316 BEGIN_CASE(JSOP_INDEXBASE2)
5317 BEGIN_CASE(JSOP_INDEXBASE3)
5318 atoms += (op - JSOP_INDEXBASE1 + 1) << 16;
5319 END_CASE(JSOP_INDEXBASE3)
5320
5321 BEGIN_CASE(JSOP_RESETBASE0)
5322 BEGIN_CASE(JSOP_RESETBASE)
5323 atoms = script->atomMap.vector;
5324 END_CASE(JSOP_RESETBASE)
5325
5326 BEGIN_CASE(JSOP_DOUBLE)
5327 BEGIN_CASE(JSOP_STRING)
5328 LOAD_ATOM(0);
5329 PUSH_OPND(ATOM_KEY(atom));
5330 END_CASE(JSOP_DOUBLE)
5331
5332 BEGIN_CASE(JSOP_OBJECT)
5333 LOAD_OBJECT(0);
5334 PUSH_OPND(OBJECT_TO_JSVAL(obj));
5335 END_CASE(JSOP_OBJECT)
5336
5337 BEGIN_CASE(JSOP_REGEXP)
5338 {
5339 JSObject *funobj;
5340
5341 /*
5342 * Push a regexp object for the atom mapped by the bytecode at pc,
5343 * cloning the literal's regexp object if necessary, to simulate in
5344 * the pre-compile/execute-later case what ECMA specifies for the
5345 * compile-and-go case: that scanning each regexp literal creates
5346 * a single corresponding RegExp object.
5347 *
5348 * To support pre-compilation transparently, we must handle the
5349 * case where a regexp object literal is used in a different global
5350 * at execution time from the global with which it was scanned at
5351 * compile time. We do this by re-wrapping the JSRegExp private
5352 * data struct with a cloned object having the right prototype and
5353 * parent, and having its own lastIndex property value storage.
5354 *
5355 * Unlike JSOP_DEFFUN and other prolog bytecodes that may clone
5356 * literal objects, we don't want to pay a script prolog execution
5357 * price for all regexp literals in a script (many may not be used
5358 * by a particular execution of that script, depending on control
5359 * flow), so we initialize lazily here.
5360 *
5361 * XXX This code is specific to regular expression objects. If we
5362 * need a similar op for other kinds of object literals, we should
5363 * push cloning down under JSObjectOps and reuse code here.
5364 */
5365 index = GET_FULL_INDEX(0);
5366 JS_ASSERT(index < JS_SCRIPT_REGEXPS(script)->length);
5367
5368 slot = index;
5369 if (fp->fun) {
5370 /*
5371 * We're in function code, not global or eval code (in eval
5372 * code, JSOP_REGEXP is never emitted). The cloned funobj
5373 * contains JS_SCRIPT_REGEXPS(script)->length reserved slots
5374 * for the cloned regexps; see fun_reserveSlots, jsfun.c.
5375 */
5376 funobj = fp->callee;
5377 slot += JSCLASS_RESERVED_SLOTS(&js_FunctionClass);
5378 if (script->upvarsOffset != 0)
5379 slot += JS_SCRIPT_UPVARS(script)->length;
5380 if (!JS_GetReservedSlot(cx, funobj, slot, &rval))
5381 goto error;
5382 if (JSVAL_IS_VOID(rval))
5383 rval = JSVAL_NULL;
5384 } else {
5385 /*
5386 * We're in global code. The code generator reserved a slot
5387 * for the regexp among script->nfixed slots. All such slots
5388 * are initialized to null, not void, for faster testing in
5389 * JSOP_*GVAR cases. To simplify index calculations we count
5390 * regexps in the reverse order down from script->nslots - 1.
5391 */
5392 JS_ASSERT(slot < script->nfixed);
5393 slot = script->nfixed - slot - 1;
5394 rval = fp->slots[slot];
5395 #ifdef __GNUC__
5396 funobj = NULL; /* suppress bogus gcc warnings */
5397 #endif
5398 }
5399
5400 if (JSVAL_IS_NULL(rval)) {
5401 /* Compute the current global object in obj2. */
5402 obj2 = fp->scopeChain;
5403 while ((parent = OBJ_GET_PARENT(cx, obj2)) != NULL)
5404 obj2 = parent;
5405
5406 /*
5407 * If obj's parent is not obj2, we must clone obj so that it
5408 * has the right parent, and therefore, the right prototype.
5409 *
5410 * Yes, this means we assume that the correct RegExp.prototype
5411 * to which regexp instances (including literals) delegate can
5412 * be distinguished solely by the instance's parent, which was
5413 * set to the parent of the RegExp constructor function object
5414 * when the instance was created. In other words,
5415 *
5416 * (/x/.__parent__ == RegExp.__parent__) implies
5417 * (/x/.__proto__ == RegExp.prototype)
5418 *
5419 * (unless you assign a different object to RegExp.prototype
5420 * at runtime, in which case, ECMA doesn't specify operation,
5421 * and you get what you deserve).
5422 *
5423 * This same coupling between instance parent and constructor
5424 * parent turns up everywhere (see jsobj.c's FindClassObject,
5425 * js_ConstructObject, and js_NewObject). It's fundamental to
5426 * the design of the language when you consider multiple global
5427 * objects and separate compilation and execution, even though
5428 * it is not specified fully in ECMA.
5429 */
5430 JS_GET_SCRIPT_REGEXP(script, index, obj);
5431 if (OBJ_GET_PARENT(cx, obj) != obj2) {
5432 obj = js_CloneRegExpObject(cx, obj, obj2);
5433 if (!obj)
5434 goto error;
5435 }
5436 rval = OBJECT_TO_JSVAL(obj);
5437
5438 /* Store the regexp object value in its cloneIndex slot. */
5439 if (fp->fun) {
5440 if (!JS_SetReservedSlot(cx, funobj, slot, rval))
5441 goto error;
5442 } else {
5443 fp->slots[slot] = rval;
5444 }
5445 }
5446
5447 PUSH_OPND(rval);
5448 }
5449 END_CASE(JSOP_REGEXP)
5450
5451 BEGIN_CASE(JSOP_ZERO)
5452 PUSH_OPND(JSVAL_ZERO);
5453 END_CASE(JSOP_ZERO)
5454
5455 BEGIN_CASE(JSOP_ONE)
5456 PUSH_OPND(JSVAL_ONE);
5457 END_CASE(JSOP_ONE)
5458
5459 BEGIN_CASE(JSOP_NULL)
5460 BEGIN_CASE(JSOP_NULLTHIS)
5461 PUSH_OPND(JSVAL_NULL);
5462 END_CASE(JSOP_NULL)
5463
5464 BEGIN_CASE(JSOP_FALSE)
5465 PUSH_OPND(JSVAL_FALSE);
5466 END_CASE(JSOP_FALSE)
5467
5468 BEGIN_CASE(JSOP_TRUE)
5469 PUSH_OPND(JSVAL_TRUE);
5470 END_CASE(JSOP_TRUE)
5471
5472 BEGIN_CASE(JSOP_TABLESWITCH)
5473 pc2 = regs.pc;
5474 len = GET_JUMP_OFFSET(pc2);
5475
5476 /*
5477 * ECMAv2+ forbids conversion of discriminant, so we will skip to
5478 * the default case if the discriminant isn't already an int jsval.
5479 * (This opcode is emitted only for dense jsint-domain switches.)
5480 */
5481 rval = POP_OPND();
5482 if (JSVAL_IS_INT(rval)) {
5483 i = JSVAL_TO_INT(rval);
5484 } else if (JSVAL_IS_DOUBLE(rval) && *JSVAL_TO_DOUBLE(rval) == 0) {
5485 /* Treat -0 (double) as 0. */
5486 i = 0;
5487 } else {
5488 DO_NEXT_OP(len);
5489 }
5490
5491 pc2 += JUMP_OFFSET_LEN;
5492 low = GET_JUMP_OFFSET(pc2);
5493 pc2 += JUMP_OFFSET_LEN;
5494 high = GET_JUMP_OFFSET(pc2);
5495
5496 i -= low;
5497 if ((jsuint)i < (jsuint)(high - low + 1)) {
5498 pc2 += JUMP_OFFSET_LEN + JUMP_OFFSET_LEN * i;
5499 off = (jsint) GET_JUMP_OFFSET(pc2);
5500 if (off)
5501 len = off;
5502 }
5503 END_VARLEN_CASE
5504
5505 BEGIN_CASE(JSOP_TABLESWITCHX)
5506 pc2 = regs.pc;
5507 len = GET_JUMPX_OFFSET(pc2);
5508
5509 /*
5510 * ECMAv2+ forbids conversion of discriminant, so we will skip to
5511 * the default case if the discriminant isn't already an int jsval.
5512 * (This opcode is emitted only for dense jsint-domain switches.)
5513 */
5514 rval = POP_OPND();
5515 if (JSVAL_IS_INT(rval)) {
5516 i = JSVAL_TO_INT(rval);
5517 } else if (JSVAL_IS_DOUBLE(rval) && *JSVAL_TO_DOUBLE(rval) == 0) {
5518 /* Treat -0 (double) as 0. */
5519 i = 0;
5520 } else {
5521 DO_NEXT_OP(len);
5522 }
5523
5524 pc2 += JUMPX_OFFSET_LEN;
5525 low = GET_JUMP_OFFSET(pc2);
5526 pc2 += JUMP_OFFSET_LEN;
5527 high = GET_JUMP_OFFSET(pc2);
5528
5529 i -= low;
5530 if ((jsuint)i < (jsuint)(high - low + 1)) {
5531 pc2 += JUMP_OFFSET_LEN + JUMPX_OFFSET_LEN * i;
5532 off = (jsint) GET_JUMPX_OFFSET(pc2);
5533 if (off)
5534 len = off;
5535 }
5536 END_VARLEN_CASE
5537
5538 BEGIN_CASE(JSOP_LOOKUPSWITCHX)
5539 off = JUMPX_OFFSET_LEN;
5540 goto do_lookup_switch;
5541
5542 BEGIN_CASE(JSOP_LOOKUPSWITCH)
5543 off = JUMP_OFFSET_LEN;
5544
5545 do_lookup_switch:
5546 /*
5547 * JSOP_LOOKUPSWITCH and JSOP_LOOKUPSWITCHX are never used if
5548 * any atom index in it would exceed 64K limit.
5549 */
5550 JS_ASSERT(atoms == script->atomMap.vector);
5551 pc2 = regs.pc;
5552 lval = POP_OPND();
5553
5554 if (!JSVAL_IS_NUMBER(lval) &&
5555 !JSVAL_IS_STRING(lval) &&
5556 !JSVAL_IS_BOOLEAN(lval)) {
5557 goto end_lookup_switch;
5558 }
5559
5560 pc2 += off;
5561 npairs = (jsint) GET_UINT16(pc2);
5562 pc2 += UINT16_LEN;
5563 JS_ASSERT(npairs); /* empty switch uses JSOP_TABLESWITCH */
5564
5565 #define SEARCH_PAIRS(MATCH_CODE) \
5566 for (;;) { \
5567 JS_ASSERT(GET_INDEX(pc2) < script->atomMap.length); \
5568 atom = atoms[GET_INDEX(pc2)]; \
5569 rval = ATOM_KEY(atom); \
5570 MATCH_CODE \
5571 pc2 += INDEX_LEN; \
5572 if (match) \
5573 break; \
5574 pc2 += off; \
5575 if (--npairs == 0) { \
5576 pc2 = regs.pc; \
5577 break; \
5578 } \
5579 }
5580 if (JSVAL_IS_STRING(lval)) {
5581 str = JSVAL_TO_STRING(lval);
5582 SEARCH_PAIRS(
5583 match = (JSVAL_IS_STRING(rval) &&
5584 ((str2 = JSVAL_TO_STRING(rval)) == str ||
5585 js_EqualStrings(str2, str)));
5586 )
5587 } else if (JSVAL_IS_DOUBLE(lval)) {
5588 d = *JSVAL_TO_DOUBLE(lval);
5589 SEARCH_PAIRS(
5590 match = (JSVAL_IS_DOUBLE(rval) &&
5591 *JSVAL_TO_DOUBLE(rval) == d);
5592 )
5593 } else {
5594 SEARCH_PAIRS(
5595 match = (lval == rval);
5596 )
5597 }
5598 #undef SEARCH_PAIRS
5599
5600 end_lookup_switch:
5601 len = (op == JSOP_LOOKUPSWITCH)
5602 ? GET_JUMP_OFFSET(pc2)
5603 : GET_JUMPX_OFFSET(pc2);
5604 END_VARLEN_CASE
5605
5606 BEGIN_CASE(JSOP_TRAP)
5607 {
5608 JSTrapStatus status;
5609
5610 status = JS_HandleTrap(cx, script, regs.pc, &rval);
5611 switch (status) {
5612 case JSTRAP_ERROR:
5613 goto error;
5614 case JSTRAP_RETURN:
5615 fp->rval = rval;
5616 ok = JS_TRUE;
5617 goto forced_return;
5618 case JSTRAP_THROW:
5619 cx->throwing = JS_TRUE;
5620 cx->exception = rval;
5621 goto error;
5622 default:;
5623 break;
5624 }
5625 JS_ASSERT(status == JSTRAP_CONTINUE);
5626 LOAD_INTERRUPT_HANDLER(cx);
5627 JS_ASSERT(JSVAL_IS_INT(rval));
5628 op = (JSOp) JSVAL_TO_INT(rval);
5629 JS_ASSERT((uintN)op < (uintN)JSOP_LIMIT);
5630 DO_OP();
5631 }
5632
5633 BEGIN_CASE(JSOP_ARGUMENTS)
5634 if (!js_GetArgsValue(cx, fp, &rval))
5635 goto error;
5636 PUSH_OPND(rval);
5637 END_CASE(JSOP_ARGUMENTS)
5638
5639 BEGIN_CASE(JSOP_ARGSUB)
5640 id = INT_TO_JSID(GET_ARGNO(regs.pc));
5641 if (!js_GetArgsProperty(cx, fp, id, &rval))
5642 goto error;
5643 PUSH_OPND(rval);
5644 END_CASE(JSOP_ARGSUB)
5645
5646 BEGIN_CASE(JSOP_ARGCNT)
5647 id = ATOM_TO_JSID(rt->atomState.lengthAtom);
5648 if (!js_GetArgsProperty(cx, fp, id, &rval))
5649 goto error;
5650 PUSH_OPND(rval);
5651 END_CASE(JSOP_ARGCNT)
5652
5653 BEGIN_CASE(JSOP_GETARG)
5654 BEGIN_CASE(JSOP_CALLARG)
5655 slot = GET_ARGNO(regs.pc);
5656 JS_ASSERT(slot < fp->fun->nargs);
5657 METER_SLOT_OP(op, slot);
5658 PUSH_OPND(fp->argv[slot]);
5659 if (op == JSOP_CALLARG)
5660 PUSH_OPND(JSVAL_NULL);
5661 END_CASE(JSOP_GETARG)
5662
5663 BEGIN_CASE(JSOP_SETARG)
5664 slot = GET_ARGNO(regs.pc);
5665 JS_ASSERT(slot < fp->fun->nargs);
5666 METER_SLOT_OP(op, slot);
5667 vp = &fp->argv[slot];
5668 GC_POKE(cx, *vp);
5669 *vp = FETCH_OPND(-1);
5670 END_SET_CASE(JSOP_SETARG)
5671
5672 BEGIN_CASE(JSOP_GETLOCAL)
5673 slot = GET_SLOTNO(regs.pc);
5674 JS_ASSERT(slot < script->nslots);
5675 PUSH_OPND(fp->slots[slot]);
5676 END_CASE(JSOP_GETLOCAL)
5677
5678 BEGIN_CASE(JSOP_CALLLOCAL)
5679 slot = GET_SLOTNO(regs.pc);
5680 JS_ASSERT(slot < script->nslots);
5681 PUSH_OPND(fp->slots[slot]);
5682 PUSH_OPND(JSVAL_NULL);
5683 END_CASE(JSOP_CALLLOCAL)
5684
5685 BEGIN_CASE(JSOP_SETLOCAL)
5686 slot = GET_SLOTNO(regs.pc);
5687 JS_ASSERT(slot < script->nslots);
5688 vp = &fp->slots[slot];
5689 GC_POKE(cx, *vp);
5690 *vp = FETCH_OPND(-1);
5691 END_SET_CASE(JSOP_SETLOCAL)
5692
5693 BEGIN_CASE(JSOP_GETUPVAR)
5694 BEGIN_CASE(JSOP_CALLUPVAR)
5695 {
5696 JSUpvarArray *uva;
5697 uint32 skip;
5698 JSStackFrame *fp2;
5699
5700 index = GET_UINT16(regs.pc);
5701 uva = JS_SCRIPT_UPVARS(script);
5702 JS_ASSERT(index < uva->length);
5703 skip = UPVAR_FRAME_SKIP(uva->vector[index]);
5704 fp2 = cx->display[script->staticDepth - skip];
5705 JS_ASSERT(fp2->fun && fp2->script);
5706
5707 slot = UPVAR_FRAME_SLOT(uva->vector[index]);
5708 if (slot < fp2->fun->nargs) {
5709 vp = fp2->argv;
5710 } else {
5711 slot -= fp2->fun->nargs;
5712 JS_ASSERT(slot < fp2->script->nslots);
5713 vp = fp2->slots;
5714 }
5715
5716 PUSH_OPND(vp[slot]);
5717 if (op == JSOP_CALLUPVAR)
5718 PUSH_OPND(JSVAL_NULL);
5719 }
5720 END_CASE(JSOP_GETUPVAR)
5721
5722 BEGIN_CASE(JSOP_GETGVAR)
5723 BEGIN_CASE(JSOP_CALLGVAR)
5724 slot = GET_SLOTNO(regs.pc);
5725 JS_ASSERT(slot < GlobalVarCount(fp));
5726 METER_SLOT_OP(op, slot);
5727 lval = fp->slots[slot];
5728 if (JSVAL_IS_NULL(lval)) {
5729 op = (op == JSOP_GETGVAR) ? JSOP_NAME : JSOP_CALLNAME;
5730 DO_OP();
5731 }
5732 obj = fp->varobj;
5733 slot = JSVAL_TO_INT(lval);
5734 rval = OBJ_GET_SLOT(cx, obj, slot);
5735 PUSH_OPND(rval);
5736 if (op == JSOP_CALLGVAR)
5737 PUSH_OPND(OBJECT_TO_JSVAL(obj));
5738 END_CASE(JSOP_GETGVAR)
5739
5740 BEGIN_CASE(JSOP_SETGVAR)
5741 slot = GET_SLOTNO(regs.pc);
5742 JS_ASSERT(slot < GlobalVarCount(fp));
5743 METER_SLOT_OP(op, slot);
5744 rval = FETCH_OPND(-1);
5745 obj = fp->varobj;
5746 lval = fp->slots[slot];
5747 if (JSVAL_IS_NULL(lval)) {
5748 /*
5749 * Inline-clone and deoptimize JSOP_SETNAME code here because
5750 * JSOP_SETGVAR has arity 1: [rval], not arity 2: [obj, rval]
5751 * as JSOP_SETNAME does, where [obj] is due to JSOP_BINDNAME.
5752 */
5753 LOAD_ATOM(0);
5754 id = ATOM_TO_JSID(atom);
5755 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
5756 goto error;
5757 } else {
5758 slot = JSVAL_TO_INT(lval);
5759 JS_LOCK_OBJ(cx, obj);
5760 LOCKED_OBJ_WRITE_BARRIER(cx, obj, slot, rval);
5761 JS_UNLOCK_OBJ(cx, obj);
5762 }
5763 END_SET_CASE(JSOP_SETGVAR)
5764
5765 BEGIN_CASE(JSOP_DEFCONST)
5766 BEGIN_CASE(JSOP_DEFVAR)
5767 index = GET_INDEX(regs.pc);
5768 atom = atoms[index];
5769
5770 /*
5771 * index is relative to atoms at this point but for global var
5772 * code below we need the absolute value.
5773 */
5774 index += atoms - script->atomMap.vector;
5775 obj = fp->varobj;
5776 attrs = JSPROP_ENUMERATE;
5777 if (!(fp->flags & JSFRAME_EVAL))
5778 attrs |= JSPROP_PERMANENT;
5779 if (op == JSOP_DEFCONST)
5780 attrs |= JSPROP_READONLY;
5781
5782 /* Lookup id in order to check for redeclaration problems. */
5783 id = ATOM_TO_JSID(atom);
5784 if (!js_CheckRedeclaration(cx, obj, id, attrs, &obj2, &prop))
5785 goto error;
5786
5787 /* Bind a variable only if it's not yet defined. */
5788 if (!prop) {
5789 if (!OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID,
5790 JS_PropertyStub, JS_PropertyStub,
5791 attrs, &prop)) {
5792 goto error;
5793 }
5794 JS_ASSERT(prop);
5795 obj2 = obj;
5796 }
5797
5798 /*
5799 * Try to optimize a property we either just created, or found
5800 * directly in the global object, that is permanent, has a slot,
5801 * and has stub getter and setter, into a "fast global" accessed
5802 * by the JSOP_*GVAR opcodes.
5803 */
5804 if (!fp->fun &&
5805 index < GlobalVarCount(fp) &&
5806 (attrs & JSPROP_PERMANENT) &&
5807 obj2 == obj &&
5808 OBJ_IS_NATIVE(obj)) {
5809 sprop = (JSScopeProperty *) prop;
5810 if (SPROP_HAS_VALID_SLOT(sprop, OBJ_SCOPE(obj)) &&
5811 SPROP_HAS_STUB_GETTER(sprop) &&
5812 SPROP_HAS_STUB_SETTER(sprop)) {
5813 /*
5814 * Fast globals use frame variables to map the global
5815 * name's atom index to the permanent fp->varobj slot
5816 * number, tagged as a jsval. The atom index for the
5817 * global's name literal is identical to its variable
5818 * index.
5819 */
5820 fp->slots[index] = INT_TO_JSVAL(sprop->slot);
5821 }
5822 }
5823
5824 OBJ_DROP_PROPERTY(cx, obj2, prop);
5825 END_CASE(JSOP_DEFVAR)
5826
5827 BEGIN_CASE(JSOP_DEFFUN)
5828 /*
5829 * A top-level function defined in Global or Eval code (see
5830 * ECMA-262 Ed. 3), or else a SpiderMonkey extension: a named
5831 * function statement in a compound statement (not at the top
5832 * statement level of global code, or at the top level of a
5833 * function body).
5834 */
5835 LOAD_FUNCTION(0);
5836
5837 if (!fp->blockChain) {
5838 obj2 = fp->scopeChain;
5839 } else {
5840 obj2 = js_GetScopeChain(cx, fp);
5841 if (!obj2)
5842 goto error;
5843 }
5844
5845 /*
5846 * If static link is not current scope, clone fun's object to link
5847 * to the current scope via parent. This clause exists to enable
5848 * sharing of compiled functions among multiple equivalent scopes,
5849 * splitting the cost of compilation evenly among the scopes and
5850 * amortizing it over a number of executions. Examples include XUL
5851 * scripts and event handlers shared among Mozilla chrome windows,
5852 * and server-side JS user-defined functions shared among requests.
5853 */
5854 obj = FUN_OBJECT(fun);
5855 if (OBJ_GET_PARENT(cx, obj) != obj2) {
5856 obj = js_CloneFunctionObject(cx, fun, obj2);
5857 if (!obj)
5858 goto error;
5859 }
5860
5861 /*
5862 * Protect obj from any GC hiding below OBJ_DEFINE_PROPERTY. All
5863 * paths from here must flow through the "Restore fp->scopeChain"
5864 * code below the OBJ_DEFINE_PROPERTY call.
5865 */
5866 MUST_FLOW_THROUGH("restore");
5867 fp->scopeChain = obj;
5868 rval = OBJECT_TO_JSVAL(obj);
5869
5870 /*
5871 * ECMA requires functions defined when entering Eval code to be
5872 * impermanent.
5873 */
5874 attrs = (fp->flags & JSFRAME_EVAL)
5875 ? JSPROP_ENUMERATE
5876 : JSPROP_ENUMERATE | JSPROP_PERMANENT;
5877
5878 /*
5879 * Load function flags that are also property attributes. Getters
5880 * and setters do not need a slot, their value is stored elsewhere
5881 * in the property itself, not in obj slots.
5882 */
5883 flags = JSFUN_GSFLAG2ATTR(fun->flags);
5884 if (flags) {
5885 attrs |= flags | JSPROP_SHARED;
5886 rval = JSVAL_VOID;
5887 }
5888
5889 /*
5890 * We define the function as a property of the variable object and
5891 * not the current scope chain even for the case of function
5892 * expression statements and functions defined by eval inside let
5893 * or with blocks.
5894 */
5895 parent = fp->varobj;
5896 JS_ASSERT(parent);
5897
5898 /*
5899 * Check for a const property of the same name -- or any kind
5900 * of property if executing with the strict option. We check
5901 * here at runtime as well as at compile-time, to handle eval
5902 * as well as multiple HTML script tags.
5903 */
5904 id = ATOM_TO_JSID(fun->atom);
5905 ok = js_CheckRedeclaration(cx, parent, id, attrs, NULL, NULL);
5906 if (ok) {
5907 if (attrs == JSPROP_ENUMERATE) {
5908 JS_ASSERT(fp->flags & JSFRAME_EVAL);
5909 ok = OBJ_SET_PROPERTY(cx, parent, id, &rval);
5910 } else {
5911 JS_ASSERT(attrs & JSPROP_PERMANENT);
5912
5913 ok = OBJ_DEFINE_PROPERTY(cx, parent, id, rval,
5914 (flags & JSPROP_GETTER)
5915 ? JS_EXTENSION (JSPropertyOp) obj
5916 : JS_PropertyStub,
5917 (flags & JSPROP_SETTER)
5918 ? JS_EXTENSION (JSPropertyOp) obj
5919 : JS_PropertyStub,
5920 attrs,
5921 NULL);
5922 }
5923 }
5924
5925 /* Restore fp->scopeChain now that obj is defined in fp->varobj. */
5926 MUST_FLOW_LABEL(restore)
5927 fp->scopeChain = obj2;
5928 if (!ok) {
5929 cx->weakRoots.newborn[GCX_OBJECT] = NULL;
5930 goto error;
5931 }
5932 END_CASE(JSOP_DEFFUN)
5933
5934 BEGIN_CASE(JSOP_DEFLOCALFUN)
5935 LOAD_FUNCTION(SLOTNO_LEN);
5936
5937 /*
5938 * Define a local function (i.e., one nested at the top level of
5939 * another function), parented by the current scope chain, and
5940 * stored in a local variable slot that the compiler allocated.
5941 * This is an optimization over JSOP_DEFFUN that avoids requiring
5942 * a call object for the outer function's activation.
5943 */
5944 slot = GET_SLOTNO(regs.pc);
5945
5946 parent = js_GetScopeChain(cx, fp);
5947 if (!parent)
5948 goto error;
5949
5950 obj = FUN_OBJECT(fun);
5951 if (OBJ_GET_PARENT(cx, obj) != parent) {
5952 obj = js_CloneFunctionObject(cx, fun, parent);
5953 if (!obj)
5954 goto error;
5955 }
5956
5957 TRACE_2(DefLocalFunSetSlot, slot, obj);
5958
5959 fp->slots[slot] = OBJECT_TO_JSVAL(obj);
5960 END_CASE(JSOP_DEFLOCALFUN)
5961
5962 BEGIN_CASE(JSOP_ANONFUNOBJ)
5963 /* Load the specified function object literal. */
5964 LOAD_FUNCTION(0);
5965
5966 /* If re-parenting, push a clone of the function object. */
5967 parent = js_GetScopeChain(cx, fp);
5968 if (!parent)
5969 goto error;
5970 obj = FUN_OBJECT(fun);
5971 if (OBJ_GET_PARENT(cx, obj) != parent) {
5972 obj = js_CloneFunctionObject(cx, fun, parent);
5973 if (!obj)
5974 goto error;
5975 }
5976 PUSH_OPND(OBJECT_TO_JSVAL(obj));
5977 END_CASE(JSOP_ANONFUNOBJ)
5978
5979 BEGIN_CASE(JSOP_NAMEDFUNOBJ)
5980 LOAD_FUNCTION(0);
5981
5982 /*
5983 * ECMA ed. 3 FunctionExpression: function Identifier [etc.].
5984 *
5985 * 1. Create a new object as if by the expression new Object().
5986 * 2. Add Result(1) to the front of the scope chain.
5987 *
5988 * Step 2 is achieved by making the new object's parent be the
5989 * current scope chain, and then making the new object the parent
5990 * of the Function object clone.
5991 */
5992 obj2 = js_GetScopeChain(cx, fp);
5993 if (!obj2)
5994 goto error;
5995 parent = js_NewObject(cx, &js_ObjectClass, NULL, obj2, 0);
5996 if (!parent)
5997 goto error;
5998
5999 /*
6000 * 3. Create a new Function object as specified in section 13.2
6001 * with [parameters and body specified by the function expression
6002 * that was parsed by the compiler into a Function object, and
6003 * saved in the script's atom map].
6004 *
6005 * Protect parent from the GC.
6006 */
6007 fp->scopeChain = parent;
6008 obj = js_CloneFunctionObject(cx, fun, parent);
6009 if (!obj)
6010 goto error;
6011
6012 /*
6013 * Protect obj from any GC hiding below OBJ_DEFINE_PROPERTY. All
6014 * paths from here must flow through the "Restore fp->scopeChain"
6015 * code below the OBJ_DEFINE_PROPERTY call.
6016 */
6017 MUST_FLOW_THROUGH("restore2");
6018 fp->scopeChain = obj;
6019 rval = OBJECT_TO_JSVAL(obj);
6020
6021 /*
6022 * 4. Create a property in the object Result(1). The property's
6023 * name is [fun->atom, the identifier parsed by the compiler],
6024 * value is Result(3), and attributes are { DontDelete, ReadOnly }.
6025 */
6026 attrs = JSFUN_GSFLAG2ATTR(fun->flags);
6027 if (attrs) {
6028 attrs |= JSPROP_SHARED;
6029 rval = JSVAL_VOID;
6030 }
6031 ok = OBJ_DEFINE_PROPERTY(cx, parent, ATOM_TO_JSID(fun->atom), rval,
6032 (attrs & JSPROP_GETTER)
6033 ? JS_EXTENSION (JSPropertyOp) obj
6034 : JS_PropertyStub,
6035 (attrs & JSPROP_SETTER)
6036 ? JS_EXTENSION (JSPropertyOp) obj
6037 : JS_PropertyStub,
6038 attrs |
6039 JSPROP_ENUMERATE | JSPROP_PERMANENT |
6040 JSPROP_READONLY,
6041 NULL);
6042
6043 /* Restore fp->scopeChain now that obj is defined in parent. */
6044 MUST_FLOW_LABEL(restore2)
6045 fp->scopeChain = obj2;
6046 if (!ok) {
6047 cx->weakRoots.newborn[GCX_OBJECT] = NULL;
6048 goto error;
6049 }
6050
6051 /*
6052 * 5. Remove Result(1) from the front of the scope chain [no-op].
6053 * 6. Return Result(3).
6054 */
6055 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6056 END_CASE(JSOP_NAMEDFUNOBJ)
6057
6058 #if JS_HAS_GETTER_SETTER
6059 BEGIN_CASE(JSOP_GETTER)
6060 BEGIN_CASE(JSOP_SETTER)
6061 do_getter_setter:
6062 op2 = (JSOp) *++regs.pc;
6063 switch (op2) {
6064 case JSOP_INDEXBASE:
6065 atoms += GET_INDEXBASE(regs.pc);
6066 regs.pc += JSOP_INDEXBASE_LENGTH - 1;
6067 goto do_getter_setter;
6068 case JSOP_INDEXBASE1:
6069 case JSOP_INDEXBASE2:
6070 case JSOP_INDEXBASE3:
6071 atoms += (op2 - JSOP_INDEXBASE1 + 1) << 16;
6072 goto do_getter_setter;
6073
6074 case JSOP_SETNAME:
6075 case JSOP_SETPROP:
6076 LOAD_ATOM(0);
6077 id = ATOM_TO_JSID(atom);
6078 rval = FETCH_OPND(-1);
6079 i = -1;
6080 goto gs_pop_lval;
6081
6082 case JSOP_SETELEM:
6083 rval = FETCH_OPND(-1);
6084 id = 0;
6085 i = -2;
6086 gs_pop_lval:
6087 FETCH_OBJECT(cx, i - 1, lval, obj);
6088 break;
6089
6090 case JSOP_INITPROP:
6091 JS_ASSERT(regs.sp - StackBase(fp) >= 2);
6092 rval = FETCH_OPND(-1);
6093 i = -1;
6094 LOAD_ATOM(0);
6095 id = ATOM_TO_JSID(atom);
6096 goto gs_get_lval;
6097
6098 default:
6099 JS_ASSERT(op2 == JSOP_INITELEM);
6100
6101 JS_ASSERT(regs.sp - StackBase(fp) >= 3);
6102 rval = FETCH_OPND(-1);
6103 id = 0;
6104 i = -2;
6105 gs_get_lval:
6106 lval = FETCH_OPND(i-1);
6107 JS_ASSERT(JSVAL_IS_OBJECT(lval));
6108 obj = JSVAL_TO_OBJECT(lval);
6109 break;
6110 }
6111
6112 /* Ensure that id has a type suitable for use with obj. */
6113 if (id == 0)
6114 FETCH_ELEMENT_ID(obj, i, id);
6115
6116 if (JS_TypeOfValue(cx, rval) != JSTYPE_FUNCTION) {
6117 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
6118 JSMSG_BAD_GETTER_OR_SETTER,
6119 (op == JSOP_GETTER)
6120 ? js_getter_str
6121 : js_setter_str);
6122 goto error;
6123 }
6124
6125 /*
6126 * Getters and setters are just like watchpoints from an access
6127 * control point of view.
6128 */
6129 if (!OBJ_CHECK_ACCESS(cx, obj, id, JSACC_WATCH, &rtmp, &attrs))
6130 goto error;
6131
6132 if (op == JSOP_GETTER) {
6133 getter = JS_EXTENSION (JSPropertyOp) JSVAL_TO_OBJECT(rval);
6134 setter = JS_PropertyStub;
6135 attrs = JSPROP_GETTER;
6136 } else {
6137 getter = JS_PropertyStub;
6138 setter = JS_EXTENSION (JSPropertyOp) JSVAL_TO_OBJECT(rval);
6139 attrs = JSPROP_SETTER;
6140 }
6141 attrs |= JSPROP_ENUMERATE | JSPROP_SHARED;
6142
6143 /* Check for a readonly or permanent property of the same name. */
6144 if (!js_CheckRedeclaration(cx, obj, id, attrs, NULL, NULL))
6145 goto error;
6146
6147 if (!OBJ_DEFINE_PROPERTY(cx, obj, id, JSVAL_VOID, getter, setter,
6148 attrs, NULL)) {
6149 goto error;
6150 }
6151
6152 regs.sp += i;
6153 if (js_CodeSpec[op2].ndefs)
6154 STORE_OPND(-1, rval);
6155 len = js_CodeSpec[op2].length;
6156 DO_NEXT_OP(len);
6157 #endif /* JS_HAS_GETTER_SETTER */
6158
6159 BEGIN_CASE(JSOP_HOLE)
6160 PUSH_OPND(JSVAL_HOLE);
6161 END_CASE(JSOP_HOLE)
6162
6163 BEGIN_CASE(JSOP_NEWARRAY)
6164 len = GET_UINT24(regs.pc);
6165 JS_ASSERT(len <= regs.sp - StackBase(fp));
6166 obj = js_NewArrayObject(cx, len, regs.sp - len, JS_TRUE);
6167 if (!obj)
6168 goto error;
6169 regs.sp -= len - 1;
6170 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6171 END_CASE(JSOP_NEWARRAY)
6172
6173 BEGIN_CASE(JSOP_NEWINIT)
6174 i = GET_INT8(regs.pc);
6175 JS_ASSERT(i == JSProto_Array || i == JSProto_Object);
6176 obj = (i == JSProto_Array)
6177 ? js_NewArrayObject(cx, 0, NULL)
6178 : js_NewObject(cx, &js_ObjectClass, NULL, NULL, 0);
6179 if (!obj)
6180 goto error;
6181 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6182 fp->sharpDepth++;
6183 LOAD_INTERRUPT_HANDLER(cx);
6184 END_CASE(JSOP_NEWINIT)
6185
6186 BEGIN_CASE(JSOP_ENDINIT)
6187 if (--fp->sharpDepth == 0)
6188 fp->sharpArray = NULL;
6189
6190 /* Re-set the newborn root to the top of this object tree. */
6191 JS_ASSERT(regs.sp - StackBase(fp) >= 1);
6192 lval = FETCH_OPND(-1);
6193 JS_ASSERT(JSVAL_IS_OBJECT(lval));
6194 cx->weakRoots.newborn[GCX_OBJECT] = JSVAL_TO_GCTHING(lval);
6195 END_CASE(JSOP_ENDINIT)
6196
6197 BEGIN_CASE(JSOP_INITPROP)
6198 /* Load the property's initial value into rval. */
6199 JS_ASSERT(regs.sp - StackBase(fp) >= 2);
6200 rval = FETCH_OPND(-1);
6201
6202 /* Load the object being initialized into lval/obj. */
6203 lval = FETCH_OPND(-2);
6204 obj = JSVAL_TO_OBJECT(lval);
6205 JS_ASSERT(OBJ_IS_NATIVE(obj));
6206 JS_ASSERT(!OBJ_GET_CLASS(cx, obj)->reserveSlots);
6207 JS_ASSERT(!(LOCKED_OBJ_GET_CLASS(obj)->flags &
6208 JSCLASS_SHARE_ALL_PROPERTIES));
6209
6210 do {
6211 JSScope *scope;
6212 uint32 kshape;
6213 JSPropertyCache *cache;
6214 JSPropCacheEntry *entry;
6215
6216 JS_LOCK_OBJ(cx, obj);
6217 scope = OBJ_SCOPE(obj);
6218 JS_ASSERT(!SCOPE_IS_SEALED(scope));
6219 kshape = scope->shape;
6220 cache = &JS_PROPERTY_CACHE(cx);
6221 entry = &cache->table[PROPERTY_CACHE_HASH_PC(regs.pc, kshape)];
6222 PCMETER(cache->tests++);
6223 PCMETER(cache->initests++);
6224
6225 if (entry->kpc == regs.pc && entry->kshape == kshape) {
6226 PCMETER(cache->pchits++);
6227 PCMETER(cache->inipchits++);
6228
6229 JS_ASSERT(PCVAL_IS_SPROP(entry->vword));
6230 sprop = PCVAL_TO_SPROP(entry->vword);
6231 JS_ASSERT(!(sprop->attrs & JSPROP_READONLY));
6232
6233 /*
6234 * If this property has a non-stub setter, it must be
6235 * __proto__, __parent__, or another "shared prototype"
6236 * built-in. Force a miss to save code size here and let
6237 * the standard code path take care of business.
6238 */
6239 if (!SPROP_HAS_STUB_SETTER(sprop))
6240 goto do_initprop_miss;
6241
6242 if (scope->object != obj) {
6243 scope = js_GetMutableScope(cx, obj);
6244 if (!scope) {
6245 JS_UNLOCK_OBJ(cx, obj);
6246 goto error;
6247 }
6248 }
6249
6250 /*
6251 * Detect a repeated property name and force a miss to
6252 * share the strict warning code and cope with complexity
6253 * managed by js_AddScopeProperty.
6254 */
6255 if (sprop->parent != scope->lastProp)
6256 goto do_initprop_miss;
6257
6258 TRACE_2(SetPropHit, entry, sprop);
6259
6260 /*
6261 * Otherwise this entry must be for a direct property of
6262 * obj, not a proto-property, and there cannot have been
6263 * any deletions of prior properties.
6264 */
6265 JS_ASSERT(PCVCAP_MAKE(sprop->shape, 0, 0) == entry->vcap);
6266 JS_ASSERT(!SCOPE_HAD_MIDDLE_DELETE(scope));
6267 JS_ASSERT(!scope->table ||
6268 !SCOPE_HAS_PROPERTY(scope, sprop));
6269
6270 slot = sprop->slot;
6271 JS_ASSERT(slot == scope->map.freeslot);
6272 if (slot < STOBJ_NSLOTS(obj)) {
6273 ++scope->map.freeslot;
6274 } else {
6275 if (!js_AllocSlot(cx, obj, &slot)) {
6276 JS_UNLOCK_SCOPE(cx, scope);
6277 goto error;
6278 }
6279 JS_ASSERT(slot == sprop->slot);
6280 }
6281
6282 JS_ASSERT(!scope->lastProp ||
6283 scope->shape == scope->lastProp->shape);
6284 if (scope->table) {
6285 JSScopeProperty *sprop2 =
6286 js_AddScopeProperty(cx, scope, sprop->id,
6287 sprop->getter, sprop->setter,
6288 slot, sprop->attrs,
6289 sprop->flags, sprop->shortid);
6290 if (!sprop2) {
6291 js_FreeSlot(cx, obj, slot);
6292 JS_UNLOCK_SCOPE(cx, scope);
6293 goto error;
6294 }
6295 JS_ASSERT(sprop2 == sprop);
6296 } else {
6297 scope->shape = sprop->shape;
6298 ++scope->entryCount;
6299 scope->lastProp = sprop;
6300 }
6301
6302 GC_WRITE_BARRIER(cx, scope,
6303 LOCKED_OBJ_GET_SLOT(obj, slot),
6304 rval);
6305 LOCKED_OBJ_SET_SLOT(obj, slot, rval);
6306 JS_UNLOCK_SCOPE(cx, scope);
6307 break;
6308 }
6309
6310 do_initprop_miss:
6311 PCMETER(cache->inipcmisses++);
6312 JS_UNLOCK_SCOPE(cx, scope);
6313
6314 /* Get the immediate property name into id. */
6315 LOAD_ATOM(0);
6316 id = ATOM_TO_JSID(atom);
6317
6318 /* Set the property named by obj[id] to rval. */
6319 if (!js_CheckRedeclaration(cx, obj, id, JSPROP_INITIALIZER,
6320 NULL, NULL)) {
6321 goto error;
6322 }
6323 if (!js_SetPropertyHelper(cx, obj, id, &rval, &entry))
6324 goto error;
6325 #ifdef JS_TRACER
6326 if (entry)
6327 TRACE_1(SetPropMiss, entry);
6328 #endif
6329 } while (0);
6330
6331 /* Common tail for property cache hit and miss cases. */
6332 regs.sp--;
6333 END_CASE(JSOP_INITPROP);
6334
6335 BEGIN_CASE(JSOP_INITELEM)
6336 /* Pop the element's value into rval. */
6337 JS_ASSERT(regs.sp - StackBase(fp) >= 3);
6338 rval = FETCH_OPND(-1);
6339
6340 /* Find the object being initialized at top of stack. */
6341 lval = FETCH_OPND(-3);
6342 JS_ASSERT(!JSVAL_IS_PRIMITIVE(lval));
6343 obj = JSVAL_TO_OBJECT(lval);
6344
6345 /* Fetch id now that we have obj. */
6346 FETCH_ELEMENT_ID(obj, -2, id);
6347
6348 /*
6349 * Check for property redeclaration strict warning (we may be in
6350 * an object initialiser, not an array initialiser).
6351 */
6352 if (!js_CheckRedeclaration(cx, obj, id, JSPROP_INITIALIZER, NULL,
6353 NULL)) {
6354 goto error;
6355 }
6356
6357 /*
6358 * If rval is a hole, do not call OBJ_SET_PROPERTY. In this case,
6359 * obj must be an array, so if the current op is the last element
6360 * initialiser, set the array length to one greater than id.
6361 */
6362 if (rval == JSVAL_HOLE) {
6363 JS_ASSERT(OBJ_IS_ARRAY(cx, obj));
6364 JS_ASSERT(JSID_IS_INT(id));
6365 JS_ASSERT((jsuint) JSID_TO_INT(id) < ARRAY_INIT_LIMIT);
6366 if ((JSOp) regs.pc[JSOP_INITELEM_LENGTH] == JSOP_ENDINIT &&
6367 !js_SetLengthProperty(cx, obj,
6368 (jsuint) (JSID_TO_INT(id) + 1))) {
6369 goto error;
6370 }
6371 } else {
6372 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
6373 goto error;
6374 }
6375 regs.sp -= 2;
6376 END_CASE(JSOP_INITELEM)
6377
6378 #if JS_HAS_SHARP_VARS
6379 BEGIN_CASE(JSOP_DEFSHARP)
6380 obj = fp->sharpArray;
6381 if (!obj) {
6382 obj = js_NewArrayObject(cx, 0, NULL);
6383 if (!obj)
6384 goto error;
6385 fp->sharpArray = obj;
6386 }
6387 i = (jsint) GET_UINT16(regs.pc);
6388 id = INT_TO_JSID(i);
6389 rval = FETCH_OPND(-1);
6390 if (JSVAL_IS_PRIMITIVE(rval)) {
6391 char numBuf[12];
6392 JS_snprintf(numBuf, sizeof numBuf, "%u", (unsigned) i);
6393 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
6394 JSMSG_BAD_SHARP_DEF, numBuf);
6395 goto error;
6396 }
6397 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
6398 goto error;
6399 END_CASE(JSOP_DEFSHARP)
6400
6401 BEGIN_CASE(JSOP_USESHARP)
6402 i = (jsint) GET_UINT16(regs.pc);
6403 id = INT_TO_JSID(i);
6404 obj = fp->sharpArray;
6405 if (!obj) {
6406 rval = JSVAL_VOID;
6407 } else {
6408 if (!OBJ_GET_PROPERTY(cx, obj, id, &rval))
6409 goto error;
6410 }
6411 if (!JSVAL_IS_OBJECT(rval)) {
6412 char numBuf[12];
6413
6414 JS_snprintf(numBuf, sizeof numBuf, "%u", (unsigned) i);
6415 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
6416 JSMSG_BAD_SHARP_USE, numBuf);
6417 goto error;
6418 }
6419 PUSH_OPND(rval);
6420 END_CASE(JSOP_USESHARP)
6421 #endif /* JS_HAS_SHARP_VARS */
6422
6423 BEGIN_CASE(JSOP_GOSUB)
6424 PUSH(JSVAL_FALSE);
6425 i = PTRDIFF(regs.pc, script->main, jsbytecode) + JSOP_GOSUB_LENGTH;
6426 PUSH(INT_TO_JSVAL(i));
6427 len = GET_JUMP_OFFSET(regs.pc);
6428 END_VARLEN_CASE
6429
6430 BEGIN_CASE(JSOP_GOSUBX)
6431 PUSH(JSVAL_FALSE);
6432 i = PTRDIFF(regs.pc, script->main, jsbytecode) + JSOP_GOSUBX_LENGTH;
6433 len = GET_JUMPX_OFFSET(regs.pc);
6434 PUSH(INT_TO_JSVAL(i));
6435 END_VARLEN_CASE
6436
6437 BEGIN_CASE(JSOP_RETSUB)
6438 /* Pop [exception or hole, retsub pc-index]. */
6439 rval = POP();
6440 lval = POP();
6441 JS_ASSERT(JSVAL_IS_BOOLEAN(lval));
6442 if (JSVAL_TO_BOOLEAN(lval)) {
6443 /*
6444 * Exception was pending during finally, throw it *before* we
6445 * adjust pc, because pc indexes into script->trynotes. This
6446 * turns out not to be necessary, but it seems clearer. And
6447 * it points out a FIXME: 350509, due to Igor Bukanov.
6448 */
6449 cx->throwing = JS_TRUE;
6450 cx->exception = rval;
6451 goto error;
6452 }
6453 JS_ASSERT(JSVAL_IS_INT(rval));
6454 len = JSVAL_TO_INT(rval);
6455 regs.pc = script->main;
6456 END_VARLEN_CASE
6457
6458 BEGIN_CASE(JSOP_EXCEPTION)
6459 JS_ASSERT(cx->throwing);
6460 PUSH(cx->exception);
6461 cx->throwing = JS_FALSE;
6462 END_CASE(JSOP_EXCEPTION)
6463
6464 BEGIN_CASE(JSOP_THROWING)
6465 JS_ASSERT(!cx->throwing);
6466 cx->throwing = JS_TRUE;
6467 cx->exception = POP_OPND();
6468 END_CASE(JSOP_THROWING)
6469
6470 BEGIN_CASE(JSOP_THROW)
6471 JS_ASSERT(!cx->throwing);
6472 cx->throwing = JS_TRUE;
6473 cx->exception = POP_OPND();
6474 /* let the code at error try to catch the exception. */
6475 goto error;
6476
6477 BEGIN_CASE(JSOP_SETLOCALPOP)
6478 /*
6479 * The stack must have a block with at least one local slot below
6480 * the exception object.
6481 */
6482 JS_ASSERT((size_t) (regs.sp - StackBase(fp)) >= 2);
6483 slot = GET_UINT16(regs.pc);
6484 JS_ASSERT(slot + 1 < script->nslots);
6485 fp->slots[slot] = POP_OPND();
6486 END_CASE(JSOP_SETLOCALPOP)
6487
6488 BEGIN_CASE(JSOP_INSTANCEOF)
6489 rval = FETCH_OPND(-1);
6490 if (JSVAL_IS_PRIMITIVE(rval) ||
6491 !(obj = JSVAL_TO_OBJECT(rval))->map->ops->hasInstance) {
6492 js_ReportValueError(cx, JSMSG_BAD_INSTANCEOF_RHS,
6493 -1, rval, NULL);
6494 goto error;
6495 }
6496 lval = FETCH_OPND(-2);
6497 cond = JS_FALSE;
6498 if (!obj->map->ops->hasInstance(cx, obj, lval, &cond))
6499 goto error;
6500 regs.sp--;
6501 STORE_OPND(-1, BOOLEAN_TO_JSVAL(cond));
6502 END_CASE(JSOP_INSTANCEOF)
6503
6504 #if JS_HAS_DEBUGGER_KEYWORD
6505 BEGIN_CASE(JSOP_DEBUGGER)
6506 {
6507 JSTrapHandler handler = cx->debugHooks->debuggerHandler;
6508 if (handler) {
6509 switch (handler(cx, script, regs.pc, &rval,
6510 cx->debugHooks->debuggerHandlerData)) {
6511 case JSTRAP_ERROR:
6512 goto error;
6513 case JSTRAP_CONTINUE:
6514 break;
6515 case JSTRAP_RETURN:
6516 fp->rval = rval;
6517 ok = JS_TRUE;
6518 goto forced_return;
6519 case JSTRAP_THROW:
6520 cx->throwing = JS_TRUE;
6521 cx->exception = rval;
6522 goto error;
6523 default:;
6524 }
6525 LOAD_INTERRUPT_HANDLER(cx);
6526 }
6527 }
6528 END_CASE(JSOP_DEBUGGER)
6529 #endif /* JS_HAS_DEBUGGER_KEYWORD */
6530
6531 #if JS_HAS_XML_SUPPORT
6532 BEGIN_CASE(JSOP_DEFXMLNS)
6533 rval = POP();
6534 if (!js_SetDefaultXMLNamespace(cx, rval))
6535 goto error;
6536 END_CASE(JSOP_DEFXMLNS)
6537
6538 BEGIN_CASE(JSOP_ANYNAME)
6539 if (!js_GetAnyName(cx, &rval))
6540 goto error;
6541 PUSH_OPND(rval);
6542 END_CASE(JSOP_ANYNAME)
6543
6544 BEGIN_CASE(JSOP_QNAMEPART)
6545 LOAD_ATOM(0);
6546 PUSH_OPND(ATOM_KEY(atom));
6547 END_CASE(JSOP_QNAMEPART)
6548
6549 BEGIN_CASE(JSOP_QNAMECONST)
6550 LOAD_ATOM(0);
6551 rval = ATOM_KEY(atom);
6552 lval = FETCH_OPND(-1);
6553 obj = js_ConstructXMLQNameObject(cx, lval, rval);
6554 if (!obj)
6555 goto error;
6556 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6557 END_CASE(JSOP_QNAMECONST)
6558
6559 BEGIN_CASE(JSOP_QNAME)
6560 rval = FETCH_OPND(-1);
6561 lval = FETCH_OPND(-2);
6562 obj = js_ConstructXMLQNameObject(cx, lval, rval);
6563 if (!obj)
6564 goto error;
6565 regs.sp--;
6566 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6567 END_CASE(JSOP_QNAME)
6568
6569 BEGIN_CASE(JSOP_TOATTRNAME)
6570 rval = FETCH_OPND(-1);
6571 if (!js_ToAttributeName(cx, &rval))
6572 goto error;
6573 STORE_OPND(-1, rval);
6574 END_CASE(JSOP_TOATTRNAME)
6575
6576 BEGIN_CASE(JSOP_TOATTRVAL)
6577 rval = FETCH_OPND(-1);
6578 JS_ASSERT(JSVAL_IS_STRING(rval));
6579 str = js_EscapeAttributeValue(cx, JSVAL_TO_STRING(rval), JS_FALSE);
6580 if (!str)
6581 goto error;
6582 STORE_OPND(-1, STRING_TO_JSVAL(str));
6583 END_CASE(JSOP_TOATTRVAL)
6584
6585 BEGIN_CASE(JSOP_ADDATTRNAME)
6586 BEGIN_CASE(JSOP_ADDATTRVAL)
6587 rval = FETCH_OPND(-1);
6588 lval = FETCH_OPND(-2);
6589 str = JSVAL_TO_STRING(lval);
6590 str2 = JSVAL_TO_STRING(rval);
6591 str = js_AddAttributePart(cx, op == JSOP_ADDATTRNAME, str, str2);
6592 if (!str)
6593 goto error;
6594 regs.sp--;
6595 STORE_OPND(-1, STRING_TO_JSVAL(str));
6596 END_CASE(JSOP_ADDATTRNAME)
6597
6598 BEGIN_CASE(JSOP_BINDXMLNAME)
6599 lval = FETCH_OPND(-1);
6600 if (!js_FindXMLProperty(cx, lval, &obj, &id))
6601 goto error;
6602 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6603 PUSH_OPND(ID_TO_VALUE(id));
6604 END_CASE(JSOP_BINDXMLNAME)
6605
6606 BEGIN_CASE(JSOP_SETXMLNAME)
6607 obj = JSVAL_TO_OBJECT(FETCH_OPND(-3));
6608 rval = FETCH_OPND(-1);
6609 FETCH_ELEMENT_ID(obj, -2, id);
6610 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
6611 goto error;
6612 rval = FETCH_OPND(-1);
6613 regs.sp -= 2;
6614 STORE_OPND(-1, rval);
6615 END_CASE(JSOP_SETXMLNAME)
6616
6617 BEGIN_CASE(JSOP_CALLXMLNAME)
6618 BEGIN_CASE(JSOP_XMLNAME)
6619 lval = FETCH_OPND(-1);
6620 if (!js_FindXMLProperty(cx, lval, &obj, &id))
6621 goto error;
6622 if (!OBJ_GET_PROPERTY(cx, obj, id, &rval))
6623 goto error;
6624 STORE_OPND(-1, rval);
6625 if (op == JSOP_CALLXMLNAME)
6626 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6627 END_CASE(JSOP_XMLNAME)
6628
6629 BEGIN_CASE(JSOP_DESCENDANTS)
6630 BEGIN_CASE(JSOP_DELDESC)
6631 FETCH_OBJECT(cx, -2, lval, obj);
6632 rval = FETCH_OPND(-1);
6633 if (!js_GetXMLDescendants(cx, obj, rval, &rval))
6634 goto error;
6635
6636 if (op == JSOP_DELDESC) {
6637 regs.sp[-1] = rval; /* set local root */
6638 if (!js_DeleteXMLListElements(cx, JSVAL_TO_OBJECT(rval)))
6639 goto error;
6640 rval = JSVAL_TRUE; /* always succeed */
6641 }
6642
6643 regs.sp--;
6644 STORE_OPND(-1, rval);
6645 END_CASE(JSOP_DESCENDANTS)
6646
6647 BEGIN_CASE(JSOP_FILTER)
6648 /*
6649 * We push the hole value before jumping to [enditer] so we can
6650 * detect the first iteration and direct js_StepXMLListFilter to
6651 * initialize filter's state.
6652 */
6653 PUSH_OPND(JSVAL_HOLE);
6654 len = GET_JUMP_OFFSET(regs.pc);
6655 JS_ASSERT(len > 0);
6656 END_VARLEN_CASE
6657
6658 BEGIN_CASE(JSOP_ENDFILTER)
6659 cond = (regs.sp[-1] != JSVAL_HOLE);
6660 if (cond) {
6661 /* Exit the "with" block left from the previous iteration. */
6662 js_LeaveWith(cx);
6663 }
6664 if (!js_StepXMLListFilter(cx, cond))
6665 goto error;
6666 if (regs.sp[-1] != JSVAL_NULL) {
6667 /*
6668 * Decrease sp after EnterWith returns as we use sp[-1] there
6669 * to root temporaries.
6670 */
6671 JS_ASSERT(VALUE_IS_XML(cx, regs.sp[-1]));
6672 if (!js_EnterWith(cx, -2))
6673 goto error;
6674 regs.sp--;
6675 len = GET_JUMP_OFFSET(regs.pc);
6676 JS_ASSERT(len < 0);
6677 BRANCH(len);
6678 }
6679 regs.sp--;
6680 END_CASE(JSOP_ENDFILTER);
6681
6682 BEGIN_CASE(JSOP_TOXML)
6683 rval = FETCH_OPND(-1);
6684 obj = js_ValueToXMLObject(cx, rval);
6685 if (!obj)
6686 goto error;
6687 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6688 END_CASE(JSOP_TOXML)
6689
6690 BEGIN_CASE(JSOP_TOXMLLIST)
6691 rval = FETCH_OPND(-1);
6692 obj = js_ValueToXMLListObject(cx, rval);
6693 if (!obj)
6694 goto error;
6695 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6696 END_CASE(JSOP_TOXMLLIST)
6697
6698 BEGIN_CASE(JSOP_XMLTAGEXPR)
6699 rval = FETCH_OPND(-1);
6700 str = js_ValueToString(cx, rval);
6701 if (!str)
6702 goto error;
6703 STORE_OPND(-1, STRING_TO_JSVAL(str));
6704 END_CASE(JSOP_XMLTAGEXPR)
6705
6706 BEGIN_CASE(JSOP_XMLELTEXPR)
6707 rval = FETCH_OPND(-1);
6708 if (VALUE_IS_XML(cx, rval)) {
6709 str = js_ValueToXMLString(cx, rval);
6710 } else {
6711 str = js_ValueToString(cx, rval);
6712 if (str)
6713 str = js_EscapeElementValue(cx, str);
6714 }
6715 if (!str)
6716 goto error;
6717 STORE_OPND(-1, STRING_TO_JSVAL(str));
6718 END_CASE(JSOP_XMLELTEXPR)
6719
6720 BEGIN_CASE(JSOP_XMLOBJECT)
6721 LOAD_OBJECT(0);
6722 obj = js_CloneXMLObject(cx, obj);
6723 if (!obj)
6724 goto error;
6725 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6726 END_CASE(JSOP_XMLOBJECT)
6727
6728 BEGIN_CASE(JSOP_XMLCDATA)
6729 LOAD_ATOM(0);
6730 str = ATOM_TO_STRING(atom);
6731 obj = js_NewXMLSpecialObject(cx, JSXML_CLASS_TEXT, NULL, str);
6732 if (!obj)
6733 goto error;
6734 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6735 END_CASE(JSOP_XMLCDATA)
6736
6737 BEGIN_CASE(JSOP_XMLCOMMENT)
6738 LOAD_ATOM(0);
6739 str = ATOM_TO_STRING(atom);
6740 obj = js_NewXMLSpecialObject(cx, JSXML_CLASS_COMMENT, NULL, str);
6741 if (!obj)
6742 goto error;
6743 PUSH_OPND(OBJECT_TO_JSVAL(obj));
6744 END_CASE(JSOP_XMLCOMMENT)
6745
6746 BEGIN_CASE(JSOP_XMLPI)
6747 LOAD_ATOM(0);
6748 str = ATOM_TO_STRING(atom);
6749 rval = FETCH_OPND(-1);
6750 str2 = JSVAL_TO_STRING(rval);
6751 obj = js_NewXMLSpecialObject(cx,
6752 JSXML_CLASS_PROCESSING_INSTRUCTION,
6753 str, str2);
6754 if (!obj)
6755 goto error;
6756 STORE_OPND(-1, OBJECT_TO_JSVAL(obj));
6757 END_CASE(JSOP_XMLPI)
6758
6759 BEGIN_CASE(JSOP_GETFUNNS)
6760 if (!js_GetFunctionNamespace(cx, &rval))
6761 goto error;
6762 PUSH_OPND(rval);
6763 END_CASE(JSOP_GETFUNNS)
6764 #endif /* JS_HAS_XML_SUPPORT */
6765
6766 BEGIN_CASE(JSOP_ENTERBLOCK)
6767 LOAD_OBJECT(0);
6768 JS_ASSERT(!OBJ_IS_CLONED_BLOCK(obj));
6769 JS_ASSERT(StackBase(fp) + OBJ_BLOCK_DEPTH(cx, obj) == regs.sp);
6770 vp = regs.sp + OBJ_BLOCK_COUNT(cx, obj);
6771 JS_ASSERT(regs.sp < vp);
6772 JS_ASSERT(vp <= fp->slots + script->nslots);
6773 while (regs.sp < vp) {
6774 STORE_OPND(0, JSVAL_VOID);
6775 regs.sp++;
6776 }
6777
6778 /*
6779 * If this frame had to reflect the compile-time block chain into
6780 * the runtime scope chain, we can't optimize block scopes out of
6781 * runtime any longer, because an outer block that parents obj has
6782 * been cloned onto the scope chain. To avoid re-cloning such a
6783 * parent and accumulating redundant clones via js_GetScopeChain,
6784 * we must clone each block eagerly on entry, and push it on the
6785 * scope chain, until this frame pops.
6786 */
6787 if (fp->flags & JSFRAME_POP_BLOCKS) {
6788 JS_ASSERT(!fp->blockChain);
6789 obj = js_CloneBlockObject(cx, obj, fp->scopeChain, fp);
6790 if (!obj)
6791 goto error;
6792 fp->scopeChain = obj;
6793 } else {
6794 JS_ASSERT(!fp->blockChain ||
6795 OBJ_GET_PARENT(cx, obj) == fp->blockChain);
6796 fp->blockChain = obj;
6797 }
6798 END_CASE(JSOP_ENTERBLOCK)
6799
6800 BEGIN_CASE(JSOP_LEAVEBLOCKEXPR)
6801 BEGIN_CASE(JSOP_LEAVEBLOCK)
6802 {
6803 #ifdef DEBUG
6804 uintN blockDepth = OBJ_BLOCK_DEPTH(cx,
6805 fp->blockChain
6806 ? fp->blockChain
6807 : fp->scopeChain);
6808
6809 JS_ASSERT(blockDepth <= StackDepth(script));
6810 #endif
6811 if (fp->blockChain) {
6812 JS_ASSERT(OBJ_GET_CLASS(cx, fp->blockChain) == &js_BlockClass);
6813 fp->blockChain = OBJ_GET_PARENT(cx, fp->blockChain);
6814 } else {
6815 /*
6816 * This block was cloned into fp->scopeChain, so clear its
6817 * private data and sync its locals to their property slots.
6818 */
6819 if (!js_PutBlockObject(cx, JS_TRUE))
6820 goto error;
6821 }
6822
6823 /*
6824 * We will move the result of the expression to the new topmost
6825 * stack slot.
6826 */
6827 if (op == JSOP_LEAVEBLOCKEXPR)
6828 rval = FETCH_OPND(-1);
6829 regs.sp -= GET_UINT16(regs.pc);
6830 if (op == JSOP_LEAVEBLOCKEXPR) {
6831 JS_ASSERT(StackBase(fp) + blockDepth == regs.sp - 1);
6832 STORE_OPND(-1, rval);
6833 } else {
6834 JS_ASSERT(StackBase(fp) + blockDepth == regs.sp);
6835 }
6836 }
6837 END_CASE(JSOP_LEAVEBLOCK)
6838
6839 #if JS_HAS_GENERATORS
6840 BEGIN_CASE(JSOP_GENERATOR)
6841 ASSERT_NOT_THROWING(cx);
6842 regs.pc += JSOP_GENERATOR_LENGTH;
6843 obj = js_NewGenerator(cx, fp);
6844 if (!obj)
6845 goto error;
6846 JS_ASSERT(!fp->callobj && !fp->argsobj);
6847 fp->rval = OBJECT_TO_JSVAL(obj);
6848 ok = JS_TRUE;
6849 if (inlineCallCount != 0)
6850 goto inline_return;
6851 goto exit;
6852
6853 BEGIN_CASE(JSOP_YIELD)
6854 ASSERT_NOT_THROWING(cx);
6855 if (FRAME_TO_GENERATOR(fp)->state == JSGEN_CLOSING) {
6856 js_ReportValueError(cx, JSMSG_BAD_GENERATOR_YIELD,
6857 JSDVG_SEARCH_STACK, fp->argv[-2], NULL);
6858 goto error;
6859 }
6860 fp->rval = FETCH_OPND(-1);
6861 fp->flags |= JSFRAME_YIELDING;
6862 regs.pc += JSOP_YIELD_LENGTH;
6863 ok = JS_TRUE;
6864 goto exit;
6865
6866 BEGIN_CASE(JSOP_ARRAYPUSH)
6867 slot = GET_UINT16(regs.pc);
6868 JS_ASSERT(script->nfixed <= slot);
6869 JS_ASSERT(slot < script->nslots);
6870 lval = fp->slots[slot];
6871 obj = JSVAL_TO_OBJECT(lval);
6872 JS_ASSERT(OBJ_GET_CLASS(cx, obj) == &js_ArrayClass);
6873 rval = FETCH_OPND(-1);
6874
6875 /*
6876 * We know that the array is created with only a 'length' private
6877 * data slot at JSSLOT_ARRAY_LENGTH, and that previous iterations
6878 * of the comprehension have added the only properties directly in
6879 * the array object.
6880 */
6881 i = obj->fslots[JSSLOT_ARRAY_LENGTH];
6882 if (i == ARRAY_INIT_LIMIT) {
6883 JS_ReportErrorNumberUC(cx, js_GetErrorMessage, NULL,
6884 JSMSG_ARRAY_INIT_TOO_BIG);
6885 goto error;
6886 }
6887 id = INT_TO_JSID(i);
6888 if (!OBJ_SET_PROPERTY(cx, obj, id, &rval))
6889 goto error;
6890 regs.sp--;
6891 END_CASE(JSOP_ARRAYPUSH)
6892 #endif /* JS_HAS_GENERATORS */
6893
6894 #if JS_THREADED_INTERP
6895 L_JSOP_BACKPATCH:
6896 L_JSOP_BACKPATCH_POP:
6897
6898 # if !JS_HAS_GENERATORS
6899 L_JSOP_GENERATOR:
6900 L_JSOP_YIELD:
6901 L_JSOP_ARRAYPUSH:
6902 # endif
6903
6904 # if !JS_HAS_DESTRUCTURING
6905 L_JSOP_ENUMCONSTELEM:
6906 # endif
6907
6908 # if !JS_HAS_XML_SUPPORT
6909 L_JSOP_CALLXMLNAME:
6910 L_JSOP_STARTXMLEXPR:
6911 L_JSOP_STARTXML:
6912 L_JSOP_DELDESC:
6913 L_JSOP_GETFUNNS:
6914 L_JSOP_XMLPI:
6915 L_JSOP_XMLCOMMENT:
6916 L_JSOP_XMLCDATA:
6917 L_JSOP_XMLOBJECT:
6918 L_JSOP_XMLELTEXPR:
6919 L_JSOP_XMLTAGEXPR:
6920 L_JSOP_TOXMLLIST:
6921 L_JSOP_TOXML:
6922 L_JSOP_ENDFILTER:
6923 L_JSOP_FILTER:
6924 L_JSOP_DESCENDANTS:
6925 L_JSOP_XMLNAME:
6926 L_JSOP_SETXMLNAME:
6927 L_JSOP_BINDXMLNAME:
6928 L_JSOP_ADDATTRVAL:
6929 L_JSOP_ADDATTRNAME:
6930 L_JSOP_TOATTRVAL:
6931 L_JSOP_TOATTRNAME:
6932 L_JSOP_QNAME:
6933 L_JSOP_QNAMECONST:
6934 L_JSOP_QNAMEPART:
6935 L_JSOP_ANYNAME:
6936 L_JSOP_DEFXMLNS:
6937 # endif
6938
6939 L_JSOP_UNUSED131:
6940 L_JSOP_UNUSED201:
6941 L_JSOP_UNUSED202:
6942 L_JSOP_UNUSED203:
6943 L_JSOP_UNUSED204:
6944 L_JSOP_UNUSED205:
6945 L_JSOP_UNUSED206:
6946 L_JSOP_UNUSED207:
6947 L_JSOP_UNUSED208:
6948 L_JSOP_UNUSED209:
6949 L_JSOP_UNUSED219:
6950 L_JSOP_UNUSED226:
6951
6952 #else /* !JS_THREADED_INTERP */
6953 default:
6954 #endif
6955 {
6956 char numBuf[12];
6957 JS_snprintf(numBuf, sizeof numBuf, "%d", op);
6958 JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL,
6959 JSMSG_BAD_BYTECODE, numBuf);
6960 goto error;
6961 }
6962
6963 #ifdef JS_TRACER
6964
6965 #if JS_THREADED_INTERP
6966 # define OPDEF(x,val,name,token,length,nuses,ndefs,prec,format) \
6967 R_##x: RECORD(x); goto L_##x;
6968 #else
6969 # define OPDEF(x,val,name,token,length,nuses,ndefs,prec,format) \
6970 case 256 + x: RECORD(x); op = x; switchOp = x; goto do_switch;
6971 #endif
6972 #include "jsopcode.tbl"
6973 #undef OPDEF
6974
6975 #endif /* JS_TRACER */
6976
6977 #if !JS_THREADED_INTERP
6978
6979 } /* switch (op) */
6980 }
6981 #endif /* !JS_THREADED_INTERP */
6982
6983 error:
6984 if (fp->imacpc && cx->throwing) {
6985 // To keep things simple, we hard-code imacro exception handlers here.
6986 if (*fp->imacpc == JSOP_NEXTITER) {
6987 JS_ASSERT(*regs.pc == JSOP_CALL);
6988 if (js_ValueIsStopIteration(cx->exception)) {
6989 cx->throwing = JS_FALSE;
6990 cx->exception = JSVAL_VOID;
6991 regs.sp[-1] = JSVAL_HOLE;
6992 PUSH(JSVAL_FALSE);
6993 goto end_imacro;
6994 }
6995 }
6996
6997 // Handle other exceptions as if they came from the imacro-calling pc.
6998 regs.pc = fp->imacpc;
6999 fp->imacpc = NULL;
7000 atoms = script->atomMap.vector;
7001 }
7002
7003 JS_ASSERT((size_t)(regs.pc - script->code) < script->length);
7004 if (!cx->throwing) {
7005 /* This is an error, not a catchable exception, quit the frame ASAP. */
7006 ok = JS_FALSE;
7007 } else {
7008 JSTrapHandler handler;
7009 JSTryNote *tn, *tnlimit;
7010 uint32 offset;
7011
7012 /* Call debugger throw hook if set. */
7013 handler = cx->debugHooks->throwHook;
7014 if (handler) {
7015 switch (handler(cx, script, regs.pc, &rval,
7016 cx->debugHooks->throwHookData)) {
7017 case JSTRAP_ERROR:
7018 cx->throwing = JS_FALSE;
7019 goto error;
7020 case JSTRAP_RETURN:
7021 cx->throwing = JS_FALSE;
7022 fp->rval = rval;
7023 ok = JS_TRUE;
7024 goto forced_return;
7025 case JSTRAP_THROW:
7026 cx->exception = rval;
7027 case JSTRAP_CONTINUE:
7028 default:;
7029 }
7030 LOAD_INTERRUPT_HANDLER(cx);
7031 }
7032
7033 /*
7034 * Look for a try block in script that can catch this exception.
7035 */
7036 if (script->trynotesOffset == 0)
7037 goto no_catch;
7038
7039 offset = (uint32)(regs.pc - script->main);
7040 tn = JS_SCRIPT_TRYNOTES(script)->vector;
7041 tnlimit = tn + JS_SCRIPT_TRYNOTES(script)->length;
7042 do {
7043 if (offset - tn->start >= tn->length)
7044 continue;
7045
7046 /*
7047 * We have a note that covers the exception pc but we must check
7048 * whether the interpreter has already executed the corresponding
7049 * handler. This is possible when the executed bytecode
7050 * implements break or return from inside a for-in loop.
7051 *
7052 * In this case the emitter generates additional [enditer] and
7053 * [gosub] opcodes to close all outstanding iterators and execute
7054 * the finally blocks. If such an [enditer] throws an exception,
7055 * its pc can still be inside several nested for-in loops and
7056 * try-finally statements even if we have already closed the
7057 * corresponding iterators and invoked the finally blocks.
7058 *
7059 * To address this, we make [enditer] always decrease the stack
7060 * even when its implementation throws an exception. Thus already
7061 * executed [enditer] and [gosub] opcodes will have try notes
7062 * with the stack depth exceeding the current one and this
7063 * condition is what we use to filter them out.
7064 */
7065 if (tn->stackDepth > regs.sp - StackBase(fp))
7066 continue;
7067
7068 /*
7069 * Set pc to the first bytecode after the the try note to point
7070 * to the beginning of catch or finally or to [enditer] closing
7071 * the for-in loop.
7072 */
7073 regs.pc = (script)->main + tn->start + tn->length;
7074
7075 ok = js_UnwindScope(cx, fp, tn->stackDepth, JS_TRUE);
7076 JS_ASSERT(fp->regs->sp == StackBase(fp) + tn->stackDepth);
7077 if (!ok) {
7078 /*
7079 * Restart the handler search with updated pc and stack depth
7080 * to properly notify the debugger.
7081 */
7082 goto error;
7083 }
7084
7085 switch (tn->kind) {
7086 case JSTRY_CATCH:
7087 JS_ASSERT(*regs.pc == JSOP_ENTERBLOCK);
7088
7089 #if JS_HAS_GENERATORS
7090 /* Catch cannot intercept the closing of a generator. */
7091 if (JS_UNLIKELY(cx->exception == JSVAL_ARETURN))
7092 break;
7093 #endif
7094
7095 /*
7096 * Don't clear cx->throwing to save cx->exception from GC
7097 * until it is pushed to the stack via [exception] in the
7098 * catch block.
7099 */
7100 len = 0;
7101 DO_NEXT_OP(len);
7102
7103 case JSTRY_FINALLY:
7104 /*
7105 * Push (true, exception) pair for finally to indicate that
7106 * [retsub] should rethrow the exception.
7107 */
7108 PUSH(JSVAL_TRUE);
7109 PUSH(cx->exception);
7110 cx->throwing = JS_FALSE;
7111 len = 0;
7112 DO_NEXT_OP(len);
7113
7114 case JSTRY_ITER:
7115 /*
7116 * This is similar to JSOP_ENDITER in the interpreter loop,
7117 * except the code now uses the stack slot normally used by
7118 * JSOP_NEXTITER, namely regs.sp[-1] before the regs.sp -= 2
7119 * adjustment and regs.sp[1] after, to save and restore the
7120 * pending exception.
7121 */
7122 JS_ASSERT(*regs.pc == JSOP_ENDITER);
7123 regs.sp[-1] = cx->exception;
7124 cx->throwing = JS_FALSE;
7125 ok = js_CloseIterator(cx, regs.sp[-2]);
7126 regs.sp -= 2;
7127 if (!ok)
7128 goto error;
7129 cx->throwing = JS_TRUE;
7130 cx->exception = regs.sp[1];
7131 }
7132 } while (++tn != tnlimit);
7133
7134 no_catch:
7135 /*
7136 * Propagate the exception or error to the caller unless the exception
7137 * is an asynchronous return from a generator.
7138 */
7139 ok = JS_FALSE;
7140 #if JS_HAS_GENERATORS
7141 if (JS_UNLIKELY(cx->throwing && cx->exception == JSVAL_ARETURN)) {
7142 cx->throwing = JS_FALSE;
7143 ok = JS_TRUE;
7144 fp->rval = JSVAL_VOID;
7145 }
7146 #endif
7147 }
7148
7149 forced_return:
7150 /*
7151 * Unwind the scope making sure that ok stays false even when UnwindScope
7152 * returns true.
7153 *
7154 * When a trap handler returns JSTRAP_RETURN, we jump here with ok set to
7155 * true bypassing any finally blocks.
7156 */
7157 ok &= js_UnwindScope(cx, fp, 0, ok || cx->throwing);
7158 JS_ASSERT(regs.sp == StackBase(fp));
7159
7160 if (inlineCallCount)
7161 goto inline_return;
7162
7163 exit:
7164 /*
7165 * At this point we are inevitably leaving an interpreted function or a
7166 * top-level script, and returning to one of:
7167 * (a) an "out of line" call made through js_Invoke;
7168 * (b) a js_Execute activation;
7169 * (c) a generator (SendToGenerator, jsiter.c).
7170 *
7171 * We must not be in an inline frame. The check above ensures that for the
7172 * error case and for a normal return, the code jumps directly to parent's
7173 * frame pc.
7174 */
7175 JS_ASSERT(inlineCallCount == 0);
7176 JS_ASSERT(fp->regs == &regs);
7177 #ifdef JS_TRACER
7178 if (TRACE_RECORDER(cx))
7179 js_AbortRecording(cx, "recording out of js_Interpret");
7180 #endif
7181 #if JS_HAS_GENERATORS
7182 if (JS_UNLIKELY(fp->flags & JSFRAME_YIELDING)) {
7183 JSGenerator *gen;
7184
7185 gen = FRAME_TO_GENERATOR(fp);
7186 gen->savedRegs = regs;
7187 gen->frame.regs = &gen->savedRegs;
7188 JS_PROPERTY_CACHE(cx).disabled -= js_CountWithBlocks(cx, fp);
7189 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled >= 0);
7190 } else
7191 #endif /* JS_HAS_GENERATORS */
7192 {
7193 JS_ASSERT(!fp->blockChain);
7194 JS_ASSERT(!js_IsActiveWithOrBlock(cx, fp->scopeChain, 0));
7195 fp->regs = NULL;
7196 }
7197
7198 /* Undo the remaining effects committed on entry to js_Interpret. */
7199 if (script->staticDepth < JS_DISPLAY_SIZE)
7200 cx->display[script->staticDepth] = fp->displaySave;
7201 JS_ASSERT(JS_PROPERTY_CACHE(cx).disabled == fp->pcDisabledSave);
7202 if (cx->version == currentVersion && currentVersion != originalVersion)
7203 js_SetVersion(cx, originalVersion);
7204 --cx->interpLevel;
7205
7206 #ifdef JS_TRACER
7207 if (tr) {
7208 JS_TRACE_MONITOR(cx).onTrace = JS_TRUE;
7209 SET_TRACE_RECORDER(cx, tr);
7210 if (!tr->wasDeepAborted()) {
7211 tr->popAbortStack();
7212 tr->deepAbort();
7213 }
7214 }
7215 #endif
7216 return ok;
7217
7218 atom_not_defined:
7219 {
7220 const char *printable;
7221
7222 printable = js_AtomToPrintableString(cx, atom);
7223 if (printable)
7224 js_ReportIsNotDefined(cx, printable);
7225 goto error;
7226 }
7227 }
7228
7229 #endif /* !defined jsinvoke_cpp___ */
Wine Gecko package