Changeset 181466 in webkit

Timestamp:

Mar 12, 2015, 6:11:15 PM (10 years ago)

Author:

rniwa@webkit.org

Message:

"this" should be in TDZ until super is called in the constructor of a derived class
​https://bugs.webkit.org/show_bug.cgi?id=142527

Reviewed by Mark Hahnenberg.

DFG and FTL implementations co-authored by Filip Pizlo.

In ES6 class syntax, "this" register must be in the "temporal dead zone" (TDZ) and throw ReferenceError until
super() is called inside the constructor of a derived class.

Added op_check_tdz, a new OP code, which throws a reference error when the first operand is an empty value
to all tiers of JIT and LLint. The op code throws in the slow path on the basis that a TDZ error should be
a programming error and not a part of the programs' normal control flow. In DFG, this op code is represented
by a no-op must-generate node CheckNotEmpty modeled after CheckCell.

Also made the constructor of a derived class assign the empty value to "this" register rather than undefined
so that ThisNode can emit the op_check_tdz to check the initialized-ness of "this" in such a constructor.

• bytecode/BytecodeList.json: Added op_check_tdz.
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset): Ditto.
(JSC::computeDefsForBytecodeOffset): Ditto.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode): Ditto.

• bytecode/ExitKind.cpp:

(JSC::exitKindToString): Added TDZFailure.

• bytecode/ExitKind.h: Ditto.
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator): Assign the empty value to "this" register to indicate it's in TDZ.
(JSC::BytecodeGenerator::emitTDZCheck): Added.
(JSC::BytecodeGenerator::emitReturn): Emit the TDZ check since "this" can still be in TDZ if super() was never
called. e.g. class B extends A { constructor() { } }

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::ThisNode::emitBytecode): Always emit the TDZ check if we're inside the constructor of a derived class.
We can't omit this check even if the result was ignored per spec.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Previously, empty value could never appear
in a local variable. This is no longer true so generalize this code. Also added the support for CheckNotEmpty.
Like CheckCell, we phantomize this DFG node in the constant folding phase if the type of the operand is already
found to be not empty. Otherwise filter out SpecEmpty.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock): Added op_check_tdz.

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel): op_check_tdz can be compiled and inlined.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize): CheckNotEmpty doesn't read or write values.

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants): Convert CheckNotEmpty to a phantom if non-emptiness had already
been proven for the operand prior to this node.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC): CheckNotEmpty does not trigger GC.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode): CheckNotEmpty is a no-op in the fixup phase.

• dfg/DFGNodeType.h: CheckNotEmpty cannot be removed even if the result was ignored. See ThisNode::emitBytecode.
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate): CheckNotEmpty doesn't return any value.

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute): CheckNotEmpty doesn't load from heap so it's safe.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile): Speculative the operand to be not empty. OSR exit if the speculation fails.

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile): Ditto.

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile): CheckNotEmpty can be compiled in FTL.

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNode): Calls compileCheckNotEmpty for CheckNotEmpty.
(JSC::FTL::LowerDFGToLLVM::compileCheckNotEmpty): OSR exit with "TDZFailure" if the operand is not empty.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass): Added op_check_tdz.
(JSC::JIT::privateCompileSlowCases): Ditto.

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_check_tdz): Implements op_check_tdz in Baseline JIT.
(JSC::JIT::emitSlow_op_check_tdz): Ditto.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_check_tdz): Ditto.
(JSC::JIT::emitSlow_op_check_tdz): Ditto.

• llint/LowLevelInterpreter32_64.asm: Implements op_check_tdz in LLint.
• llint/LowLevelInterpreter64.asm: Ditto.
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL): Throws a reference error for op_check_tdz. Shared by LLint and Baseline JIT.

• runtime/CommonSlowPaths.h:
• tests/stress/class-syntax-no-loop-tdz.js: Added.
• tests/stress/class-syntax-no-tdz-in-catch.js: Added.
• tests/stress/class-syntax-no-tdz-in-conditional.js: Added.
• tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: Added.
• tests/stress/class-syntax-no-tdz-in-loop.js: Added.
• tests/stress/class-syntax-no-tdz.js: Added.
• tests/stress/class-syntax-tdz-in-catch.js: Added.
• tests/stress/class-syntax-tdz-in-conditional.js: Added.
• tests/stress/class-syntax-tdz-in-loop.js: Added.
• tests/stress/class-syntax-tdz.js: Added.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/BytecodeList.json (modified) (1 diff)
• bytecode/BytecodeUseDef.h (modified) (2 diffs)
• bytecode/CodeBlock.cpp (modified) (1 diff)
• bytecode/ExitKind.cpp (modified) (1 diff)
• bytecode/ExitKind.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• dfg/DFGCapabilities.cpp (modified) (1 diff)
• dfg/DFGClobberize.h (modified) (1 diff)
• dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• dfg/DFGDoesGC.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (1 diff)
• dfg/DFGNodeType.h (modified) (1 diff)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• dfg/DFGSafeToExecute.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLCapabilities.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (2 diffs)
• jit/JIT.cpp (modified) (2 diffs)
• jit/JIT.h (modified) (2 diffs)
• jit/JITOpcodes.cpp (modified) (1 diff)
• jit/JITOpcodes32_64.cpp (modified) (1 diff)
• llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• llint/LowLevelInterpreter64.asm (modified) (1 diff)
• runtime/CommonSlowPaths.cpp (modified) (1 diff)
• runtime/CommonSlowPaths.h (modified) (1 diff)
• tests/stress/class-syntax-no-loop-tdz.js (added)
• tests/stress/class-syntax-no-tdz-in-catch.js (added)
• tests/stress/class-syntax-no-tdz-in-conditional.js (added)
• tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js (added)
• tests/stress/class-syntax-no-tdz-in-loop.js (added)
• tests/stress/class-syntax-no-tdz.js (added)
• tests/stress/class-syntax-tdz-in-catch.js (added)
• tests/stress/class-syntax-tdz-in-conditional.js (added)
• tests/stress/class-syntax-tdz-in-loop.js (added)
• tests/stress/class-syntax-tdz.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-03-12  Ryosuke Niwa  <rniwa@webkit.org>
+
+        "this" should be in TDZ until super is called in the constructor of a derived class
+        https://bugs.webkit.org/show_bug.cgi?id=142527
+
+        Reviewed by Mark Hahnenberg.
+
+        DFG and FTL implementations co-authored by Filip Pizlo.
+
+        In ES6 class syntax, "this" register must be in the "temporal dead zone" (TDZ) and throw ReferenceError until
+        super() is called inside the constructor of a derived class.
+
+        Added op_check_tdz, a new OP code, which throws a reference error when the first operand is an empty value
+        to all tiers of JIT and LLint. The op code throws in the slow path on the basis that a TDZ error should be
+        a programming error and not a part of the programs' normal control flow. In DFG, this op code is represented
+        by a no-op must-generate node CheckNotEmpty modeled after CheckCell.
+
+        Also made the constructor of a derived class assign the empty value to "this" register rather than undefined
+        so that ThisNode can emit the op_check_tdz to check the initialized-ness of "this" in such a constructor.
+
+        * bytecode/BytecodeList.json: Added op_check_tdz.
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset): Ditto.
+        (JSC::computeDefsForBytecodeOffset): Ditto.
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode): Ditto.
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString): Added TDZFailure.
+        * bytecode/ExitKind.h: Ditto.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator): Assign the empty value to "this" register to indicate it's in TDZ.
+        (JSC::BytecodeGenerator::emitTDZCheck): Added.
+        (JSC::BytecodeGenerator::emitReturn): Emit the TDZ check since "this" can still be in TDZ if super() was never
+        called. e.g. class B extends A { constructor() { } }
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::ThisNode::emitBytecode): Always emit the TDZ check if we're inside the constructor of a derived class.
+        We can't omit this check even if the result was ignored per spec.
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): Previously, empty value could never appear
+        in a local variable. This is no longer true so generalize this code. Also added the support for CheckNotEmpty.
+        Like CheckCell, we phantomize this DFG node in the constant folding phase if the type of the operand is already
+        found to be not empty. Otherwise filter out SpecEmpty.
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock): Added op_check_tdz.
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel): op_check_tdz can be compiled and inlined.
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize): CheckNotEmpty doesn't read or write values.
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants): Convert CheckNotEmpty to a phantom if non-emptiness had already
+        been proven for the operand prior to this node.
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC): CheckNotEmpty does not trigger GC.
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode): CheckNotEmpty is a no-op in the fixup phase.
+        * dfg/DFGNodeType.h: CheckNotEmpty cannot be removed even if the result was ignored. See ThisNode::emitBytecode.
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate): CheckNotEmpty doesn't return any value.
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute): CheckNotEmpty doesn't load from heap so it's safe.
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Speculative the operand to be not empty. OSR exit if the speculation fails.
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Ditto.
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile): CheckNotEmpty can be compiled in FTL.
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileNode): Calls compileCheckNotEmpty for CheckNotEmpty.
+        (JSC::FTL::LowerDFGToLLVM::compileCheckNotEmpty): OSR exit with "TDZFailure" if the operand is not empty.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass): Added op_check_tdz.
+        (JSC::JIT::privateCompileSlowCases): Ditto.
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_check_tdz): Implements op_check_tdz in Baseline JIT.
+        (JSC::JIT::emitSlow_op_check_tdz): Ditto.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_check_tdz): Ditto.
+        (JSC::JIT::emitSlow_op_check_tdz): Ditto.
+        * llint/LowLevelInterpreter32_64.asm: Implements op_check_tdz in LLint.
+        * llint/LowLevelInterpreter64.asm: Ditto.
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL): Throws a reference error for op_check_tdz. Shared by LLint and Baseline JIT.
+        * runtime/CommonSlowPaths.h:
+        * tests/stress/class-syntax-no-loop-tdz.js: Added.
+        * tests/stress/class-syntax-no-tdz-in-catch.js: Added.
+        * tests/stress/class-syntax-no-tdz-in-conditional.js: Added.
+        * tests/stress/class-syntax-no-tdz-in-loop-no-inline-super.js: Added.
+        * tests/stress/class-syntax-no-tdz-in-loop.js: Added.
+        * tests/stress/class-syntax-no-tdz.js: Added.
+        * tests/stress/class-syntax-tdz-in-catch.js: Added.
+        * tests/stress/class-syntax-tdz-in-conditional.js: Added.
+        * tests/stress/class-syntax-tdz-in-loop.js: Added.
+        * tests/stress/class-syntax-tdz.js: Added.
+
 2015-03-12  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -12 +12 @@
             { "name" : "op_create_this", "length" : 4 },
             { "name" : "op_to_this", "length" : 4 },
+            { "name" : "op_check_tdz", "length" : 2 },
             { "name" : "op_new_object", "length" : 4 },
             { "name" : "op_new_array", "length" : 5 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -57 +57 @@
     case op_get_scope:
     case op_to_this:
+    case op_check_tdz:
     case op_pop_scope:
     case op_profile_will_call:
@@ -365 +366 @@
     case op_new_object:
     case op_to_this:
+    case op_check_tdz:
     case op_init_lazy_reg:
     case op_get_scope:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -788 +788 @@
                 out.print(" cache(struct = ", RawPointer(structure), ")");
             out.print(" ", (++it)->u.toThisStatus);
+            break;
+        }
+        case op_check_tdz: {
+            int r0 = (++it)->u.operand;
+            printLocationOpAndRegisterOperand(out, exec, location, it, "op_check_tdz", r0);
             break;
         }

trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

@@ -71 +71 @@
     case VarargsOverflow:
         return "VarargsOverflow";
+    case TDZFailure:
+        return "TDZFailure";
     case Uncountable:
         return "Uncountable";

trunk/Source/JavaScriptCore/bytecode/ExitKind.h

@@ -48 +48 @@
     NotStringObject, // We exited because we shouldn't have attempted to optimize string object access.
     VarargsOverflow, // We exited because a varargs call passed more arguments than we expected.
+    TDZFailure, // We exited because we were in the TDZ and accessed the variable.
     Uncountable, // We exited for none of the above reasons, and we should not count it. Most uses of this should be viewed as a FIXME.
     UncountableInvalidation, // We exited because the code block was invalidated; this means that we've already counted the reasons why the code block was invalidated.

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -405 +405 @@
             m_newTargetRegister = addVar();
             emitMove(m_newTargetRegister, &m_thisRegister);
-            emitLoad(&m_thisRegister, jsNull());
+            emitMove(&m_thisRegister, addConstantEmptyValue());
         } else
             emitCreateThis(&m_thisRegister);
@@ -1557 +1557 @@
 }
 
+void BytecodeGenerator::emitTDZCheck(RegisterID* target)
+{
+    emitOpcode(op_check_tdz);
+    instructions().append(target->index());
+}
+
 RegisterID* BytecodeGenerator::emitNewObject(RegisterID* dst)
 {
@@ -1908 +1914 @@
 
     bool thisMightBeUninitialized = constructorKindIsDerived();
-    if (isConstructor() && (src->index() != m_thisRegister.index() || thisMightBeUninitialized)) {
+    bool srcIsThis = src->index() == m_thisRegister.index();
+    if (isConstructor() && (!srcIsThis || thisMightBeUninitialized)) {
         RefPtr<Label> isObjectOrUndefinedLabel = newLabel();
 
+        if (srcIsThis && thisMightBeUninitialized)
+            emitTDZCheck(src);
+
         emitJumpIfTrue(emitIsObject(newTemporary(), src), isObjectOrUndefinedLabel.get());
 
-        if (constructorKindIsDerived()) {
+        if (thisMightBeUninitialized) {
             emitJumpIfTrue(emitIsUndefined(newTemporary(), src), isObjectOrUndefinedLabel.get());
             emitThrowTypeError("Cannot return a non-object type in the constructor of a derived class.");

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -459 +459 @@
 
         RegisterID* emitCreateThis(RegisterID* dst);
+        void emitTDZCheck(RegisterID* target);
         RegisterID* emitNewObject(RegisterID* dst);
         RegisterID* emitNewArray(RegisterID* dst, ElementNode*, unsigned length); // stops at first elision

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -145 +145 @@
 RegisterID* ThisNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {
+    if (generator.constructorKindIsDerived())
+        generator.emitTDZCheck(generator.thisRegister());
+
     if (dst == generator.ignoredResult())
         return 0;

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -144 +144 @@
         
     case ExtractOSREntryLocal: {
-        if (!(node->unlinkedLocal().isArgument())
-            && m_graph.m_lazyVars.get(node->unlinkedLocal().toLocal())) {
-            // This is kind of pessimistic - we could know in some cases that the
-            // DFG code at the point of the OSR had already initialized the lazy
-            // variable. But maybe this is fine, since we're inserting OSR
-            // entrypoints very early in the pipeline - so any lazy initializations
-            // ought to be hoisted out anyway.
-            forNode(node).makeBytecodeTop();
-        } else
-            forNode(node).makeHeapTop();
+        forNode(node).makeBytecodeTop();
         break;
     }
@@ -1866 +1857 @@
             break;
         }
-        
         filterByValue(node->child1(), *node->cellOperand());
         break;
     }
-        
+
+    case CheckNotEmpty: {
+        AbstractValue& value = forNode(node->child1());
+        if (!(value.m_type & SpecEmpty)) {
+            m_state.setFoundConstants(true);
+            break;
+        }
+        
+        filter(value, ~SpecEmpty);
+        break;
+    }
+
     case CheckInBounds: {
         JSValue left = forNode(node->child1()).value();

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2821 +2821 @@
             set(VirtualRegister(currentInstruction[1].u.operand), op);
             NEXT_OPCODE(op_mov);
+        }
+
+        case op_check_tdz: {
+            Node* op = get(VirtualRegister(currentInstruction[1].u.operand));
+            addToGraph(CheckNotEmpty, op);
+            NEXT_OPCODE(op_check_tdz);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -100 +100 @@
     case op_touch_entry:
     case op_to_this:
+    case op_check_tdz:
     case op_create_this:
     case op_bitand:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -255 +255 @@
         def(PureValue(CheckCell, AdjacencyList(AdjacencyList::Fixed, node->child1()), node->cellOperand()));
         return;
-        
+
+    case CheckNotEmpty:
+        def(PureValue(CheckNotEmpty, AdjacencyList(AdjacencyList::Fixed, node->child1())));
+        return;
+
     case ConstantStoragePointer:
         def(PureValue(node, node->storagePointer()));

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -186 +186 @@
                 break;
             }
-                
+
+            case CheckNotEmpty: {
+                if (m_state.forNode(node->child1()).m_type & SpecEmpty)
+                    break;
+                node->convertToPhantom();
+                eliminated = true;
+                break;
+            }
+
             case CheckInBounds: {
                 JSValue left = m_state.forNode(node->child1()).value();

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -106 +106 @@
     case VarInjectionWatchpoint:
     case CheckCell:
+    case CheckNotEmpty:
     case AllocationProfileWatchpoint:
     case RegExpExec:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1270 +1270 @@
         case ForceOSRExit:
         case CheckBadCell:
+        case CheckNotEmpty:
         case CheckWatchdogTimer:
         case Unreachable:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -192 +192 @@
     macro(VarInjectionWatchpoint, NodeMustGenerate) \
     macro(CheckCell, NodeMustGenerate) \
+    macro(CheckNotEmpty, NodeMustGenerate) \
     macro(CheckBadCell, NodeMustGenerate) \
     macro(AllocationProfileWatchpoint, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -627 +627 @@
         case CheckStructure:
         case CheckCell:
+        case CheckNotEmpty:
         case CheckBadCell:
         case PutStructure:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -179 +179 @@
     case CheckCell:
     case CheckBadCell:
+    case CheckNotEmpty:
     case AllocationProfileWatchpoint:
     case RegExpExec:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3759 +3759 @@
     }
 
+    case CheckNotEmpty: {
+        JSValueOperand operand(this, node->child1());
+        GPRReg tagGPR = operand.tagGPR();
+        speculationCheck(TDZFailure, JSValueSource(), nullptr, m_jit.branch32(JITCompiler::Equal, tagGPR, TrustedImm32(JSValue::EmptyValueTag)));
+        noResult(node);
+        break;
+    }
+
     case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3843 +3843 @@
         break;
     }
-        
+
+    case CheckNotEmpty: {
+        JSValueOperand operand(this, node->child1());
+        GPRReg gpr = operand.gpr();
+        speculationCheck(TDZFailure, JSValueSource(), nullptr, m_jit.branchTest64(JITCompiler::Zero, gpr));
+        noResult(node);
+        break;
+    }
+
     case GetExecutable: {
         SpeculateCellOperand function(this, node->child1());

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -111 +111 @@
     case CheckCell:
     case CheckBadCell:
+    case CheckNotEmpty:
     case StringCharCodeAt:
     case AllocatePropertyStorage:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -547 +547 @@
             compileCheckCell();
             break;
+        case CheckNotEmpty:
+            compileCheckNotEmpty();
+            break;
         case CheckBadCell:
             compileCheckBadCell();
@@ -1863 +1866 @@
         terminate(BadCell);
     }
-    
+
+    void compileCheckNotEmpty()
+    {
+        speculate(TDZFailure, noValue(), nullptr, m_out.isZero64(lowJSValue(m_node->child1())));
+    }
+
     void compileGetExecutable()
     {

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -202 +202 @@
         DEFINE_OP(op_create_this)
         DEFINE_OP(op_to_this)
+        DEFINE_OP(op_check_tdz)
         DEFINE_OP(op_init_lazy_reg)
         DEFINE_OP(op_create_arguments)
@@ -376 +377 @@
         DEFINE_SLOWCASE_OP(op_construct)
         DEFINE_SLOWCASE_OP(op_to_this)
+        DEFINE_SLOWCASE_OP(op_check_tdz)
         DEFINE_SLOWCASE_OP(op_create_this)
         DEFINE_SLOWCASE_OP(op_div)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -469 +469 @@
         void emit_op_create_this(Instruction*);
         void emit_op_to_this(Instruction*);
+        void emit_op_check_tdz(Instruction*);
         void emit_op_create_arguments(Instruction*);
         void emit_op_debug(Instruction*);
@@ -573 +574 @@
         void emitSlow_op_to_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_create_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_check_tdz(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_div(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_eq(Instruction*, Vector<SlowCaseEntry>::iterator&);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -757 +757 @@
 }
 
+void JIT::emit_op_check_tdz(Instruction* currentInstruction)
+{
+    emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
+    addSlowCase(branchTest64(Zero, regT0));
+}
+
+void JIT::emitSlow_op_check_tdz(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_throw_tdz_error);
+    slowPathCall.call();
+}
+
 void JIT::emit_op_profile_will_call(Instruction* currentInstruction)
 {

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -998 +998 @@
 }
 
+void JIT::emit_op_check_tdz(Instruction* currentInstruction)
+{
+    emitLoadTag(currentInstruction[1].u.operand, regT0);
+    addSlowCase(branch32(Equal, regT0, TrustedImm32(JSValue::EmptyValueTag)));
+}
+
+void JIT::emitSlow_op_check_tdz(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_throw_tdz_error);
+    slowPathCall.call();
+}
+
 void JIT::emit_op_profile_will_call(Instruction* currentInstruction)
 {

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -802 +802 @@
     callSlowPath(_llint_slow_path_new_object)
     dispatch(4)
+
+
+_llint_op_check_tdz:
+    traceExecution()
+    loadpFromInstruction(1, t0)
+    bineq TagOffset[cfr, t0, 8], EmptyValueTag, .opNotTDZ
+    callSlowPath(_slow_path_throw_tdz_error)
+
+.opNotTDZ:
+    dispatch(2)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -686 +686 @@
     callSlowPath(_llint_slow_path_new_object)
     dispatch(4)
+
+
+_llint_op_check_tdz:
+    traceExecution()
+    loadpFromInstruction(1, t0)
+    loadq [cfr, t0, 8], t0
+    bqneq t0, ValueEmpty, .opNotTDZ
+    callSlowPath(_slow_path_throw_tdz_error)
+
+.opNotTDZ:
+    dispatch(2)
 
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -258 +258 @@
 }
 
+SLOW_PATH_DECL(slow_path_throw_tdz_error)
+{
+    BEGIN();
+    THROW(createReferenceError(exec, "Cannot access uninitialized variable."));
+}
+
 SLOW_PATH_DECL(slow_path_not)
 {

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -188 +188 @@
 SLOW_PATH_HIDDEN_DECL(slow_path_get_callee);
 SLOW_PATH_HIDDEN_DECL(slow_path_to_this);
+SLOW_PATH_HIDDEN_DECL(slow_path_throw_tdz_error);
 SLOW_PATH_HIDDEN_DECL(slow_path_not);
 SLOW_PATH_HIDDEN_DECL(slow_path_eq);