Changeset 128111 in webkit

Timestamp:

Sep 10, 2012 2:49:25 PM (12 years ago)

Author:

ggaren@apple.com

Message:

DFG misses arguments tear-off for function.arguments if 'arguments' is used
​https://bugs.webkit.org/show_bug.cgi?id=96227

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

We've decided not to allow function.arguments to alias the local
'arguments' object, or a local var or function named 'arguments'.
Aliasing complicates the implementation (cf, this bug) and can produce
surprising behavior for web programmers.

Eliminating the aliasing has the side-effect of fixing this bug.

The compatibilty story: function.arguments is deprecated, was never
specified, and throws an exception in strict mode, so we expect it to
disappear over time. Firefox does not alias to 'arguments'; Chrome
does, but not if you use eval or with; IE does; Safari did.

• dfg/DFGByteCodeParser.cpp: Noticed a little cleanup while verifying

this code. Use the CodeBlock method for better encapsulation.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::retrieveArgumentsFromVMCode): Behavior change: don't
alias.

• tests/mozilla/js1_4/Functions/function-001.js:

(TestFunction_4): Updated test expectations for changed behavior.

LayoutTests:

New test, and updated expectations.

• fast/js/script-tests/function-dot-arguments.js:
• fast/js/function-dot-arguments-expected.txt: Updated for new behavior.

• fast/js/dfg-tear-off-function-dot-arguments.html:
• fast/js/script-tests/dfg-tear-off-function-dot-arguments.js: Added. New test for bug cited here.

• fast/js/function-dot-arguments-identity-expected.txt:
• fast/js/function-dot-arguments-identity.html: Added. New test for new behavior.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dfg-tear-off-function-dot-arguments-expected.txt (added)
• LayoutTests/fast/js/dfg-tear-off-function-dot-arguments.html (added)
• LayoutTests/fast/js/function-dot-arguments-expected.txt (modified) (3 diffs)
• LayoutTests/fast/js/function-dot-arguments-identity-expected.txt (added)
• LayoutTests/fast/js/function-dot-arguments-identity.html (added)
• LayoutTests/fast/js/script-tests/dfg-tear-off-function-dot-arguments.js (added)
• LayoutTests/fast/js/script-tests/function-dot-arguments.js (modified) (12 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• Source/JavaScriptCore/tests/mozilla/js1_4/Functions/function-001.js (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-09-10  Geoffrey Garen  <ggaren@apple.com>
+
+        DFG misses arguments tear-off for function.arguments if 'arguments' is used
+        https://bugs.webkit.org/show_bug.cgi?id=96227
+
+        Reviewed by Gavin Barraclough.
+
+        New test, and updated expectations.
+ 
+        * fast/js/script-tests/function-dot-arguments.js:
+        * fast/js/function-dot-arguments-expected.txt: Updated for new behavior.
+
+        * fast/js/dfg-tear-off-function-dot-arguments.html:
+        * fast/js/script-tests/dfg-tear-off-function-dot-arguments.js: Added. New test for bug cited here.
+
+        * fast/js/function-dot-arguments-identity-expected.txt:
+        * fast/js/function-dot-arguments-identity.html: Added. New test for new behavior.
+
 2012-09-10  Fady Samuel  <fsamuel@chromium.org>
 

trunk/LayoutTests/fast/js/function-dot-arguments-expected.txt

@@ -9 +9 @@
 PASS lengthTest() is '0'
 PASS lengthTest('From', '%E5%8C%97%E4%BA%AC', 360, '/', 'webkit.org') is '5'
-PASS assignTest() is true
+PASS assignTest().toString() is '[object Arguments]'
 PASS assignVarUndefinedTest().toString() is '[object Arguments]'
 PASS assignVarUndefinedTest2().toString() is '[object Arguments]'
-PASS assignVarInitTest() is true
-PASS assignVarInitTest2() is true
+PASS assignVarInitTest().toString() is '[object Arguments]'
+PASS assignVarInitTest2().toString() is '[object Arguments]'
 PASS assignConstUndefinedTest().toString() is '[object Arguments]'
 PASS assignConstUndefinedTest2().toString() is '[object Arguments]'
-PASS assignConstInitTest() is true
-PASS assignConstInitTest2() is true
-PASS assignForInitTest() is true
-PASS assignForInitTest2() is true
-PASS assignForInInitTest() is true
+PASS assignConstInitTest().toString() is '[object Arguments]'
+PASS assignConstInitTest2().toString() is '[object Arguments]'
+PASS assignForInitTest().toString() is '[object Arguments]'
+PASS assignForInitTest2().toString() is '[object Arguments]'
+PASS assignForInInitTest().toString() is '[object Arguments]'
 PASS paramInitTest(true).toString() is '[object Arguments]'
 PASS paramFunctionConstructorInitTest(true).toString() is '[object Arguments]'
@@ -28 +28 @@
 PASS lexicalArgumentsLiveRead2(1, 0, 3) is 2
 PASS lexicalArgumentsLiveRead3(1, 2, 0) is 3
-PASS lexicalArgumentsLiveWrite1(0, 2, 3) is 1
-PASS lexicalArgumentsLiveWrite2(1, 0, 3) is 2
-PASS lexicalArgumentsLiveWrite3(1, 2, 0) is 3
+PASS lexicalArgumentsLiveWrite1(0, 2, 3) is 0
+PASS lexicalArgumentsLiveWrite2(1, 0, 3) is 0
+PASS lexicalArgumentsLiveWrite3(1, 2, 0) is 0
 PASS argumentsNotLiveRead1(0, 2, 3) is 0
 PASS argumentsNotLiveRead2(1, 0, 3) is 0
@@ -40 +40 @@
 PASS overwroteArgumentsInDynamicScope1() is true
 PASS overwroteArgumentsInDynamicScope2() is true
-PASS overwroteArgumentsInDynamicScope3() is true
+PASS overwroteArgumentsInDynamicScope3().toString() is '[object Arguments]'
 PASS successfullyParsed is true
 

trunk/LayoutTests/fast/js/script-tests/function-dot-arguments.js

@@ -28 +28 @@
     return g();
 }
-shouldBeTrue("assignTest()");
+shouldBe("assignTest().toString()", "'[object Arguments]'");
 
 function assignVarUndefinedTest()
@@ -64 +64 @@
     return g();
 }
-shouldBeTrue("assignVarInitTest()");
+shouldBe("assignVarInitTest().toString()", "'[object Arguments]'");
 
 function assignVarInitTest2()
@@ -76 +76 @@
     return g();
 }
-shouldBeTrue("assignVarInitTest2()");
+shouldBe("assignVarInitTest2().toString()", "'[object Arguments]'");
 
 function assignConstUndefinedTest()
@@ -112 +112 @@
     return g();
 }
-shouldBeTrue("assignConstInitTest()");
+shouldBe("assignConstInitTest().toString()", "'[object Arguments]'");
 
 function assignConstInitTest2()
@@ -124 +124 @@
     return g();
 }
-shouldBeTrue("assignConstInitTest2()");
+shouldBe("assignConstInitTest2().toString()", "'[object Arguments]'");
 
 function assignForInitTest()
@@ -136 +136 @@
     return g();
 }
-shouldBeTrue("assignForInitTest()");
+shouldBe("assignForInitTest().toString()", "'[object Arguments]'");
 
 function assignForInitTest2()
@@ -148 +148 @@
     return g();
 }
-shouldBeTrue("assignForInitTest2()");
+shouldBe("assignForInitTest2().toString()", "'[object Arguments]'");
 
 function assignForInInitTest()
@@ -160 +160 @@
     return g();
 }
-shouldBeTrue("assignForInInitTest()");
+shouldBe("assignForInInitTest().toString()", "'[object Arguments]'");
 
 function paramInitTest(arguments)
@@ -237 +237 @@
     return a;
 }
-shouldBe("lexicalArgumentsLiveWrite1(0, 2, 3)", "1");
+shouldBe("lexicalArgumentsLiveWrite1(0, 2, 3)", "0");
 
 function lexicalArgumentsLiveWrite2(a, b, c)
@@ -245 +245 @@
     return b;
 }
-shouldBe("lexicalArgumentsLiveWrite2(1, 0, 3)", "2");
+shouldBe("lexicalArgumentsLiveWrite2(1, 0, 3)", "0");
 
 function lexicalArgumentsLiveWrite3(a, b, c)
@@ -253 +253 @@
     return c;
 }
-shouldBe("lexicalArgumentsLiveWrite3(1, 2, 0)", "3");
+shouldBe("lexicalArgumentsLiveWrite3(1, 2, 0)", "0");
 
 function argumentsNotLiveRead1(a, b, c)
@@ -322 +322 @@
 shouldBeTrue("overwroteArgumentsInDynamicScope1()");
 shouldBeTrue("overwroteArgumentsInDynamicScope2()");
-shouldBeTrue("overwroteArgumentsInDynamicScope3()");
+shouldBe("overwroteArgumentsInDynamicScope3().toString()", "'[object Arguments]'");

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-09-10  Geoffrey Garen  <ggaren@apple.com>
+
+        DFG misses arguments tear-off for function.arguments if 'arguments' is used
+        https://bugs.webkit.org/show_bug.cgi?id=96227
+
+        Reviewed by Gavin Barraclough.
+
+        We've decided not to allow function.arguments to alias the local
+        'arguments' object, or a local var or function named 'arguments'.
+        Aliasing complicates the implementation (cf, this bug) and can produce
+        surprising behavior for web programmers.
+
+        Eliminating the aliasing has the side-effect of fixing this bug.
+
+        The compatibilty story: function.arguments is deprecated, was never
+        specified, and throws an exception in strict mode, so we expect it to
+        disappear over time. Firefox does not alias to 'arguments'; Chrome
+        does, but not if you use eval or with; IE does; Safari did.
+
+        * dfg/DFGByteCodeParser.cpp: Noticed a little cleanup while verifying
+        this code. Use the CodeBlock method for better encapsulation.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::retrieveArgumentsFromVMCode): Behavior change: don't
+        alias.
+
+        * tests/mozilla/js1_4/Functions/function-001.js:
+        (TestFunction_4): Updated test expectations for changed behavior.
+
 2012-09-10  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3192 +3192 @@
         }
         
-        if (codeBlock->usesArguments() || codeBlock->needsActivation()) {
+        if (codeBlock->argumentsAreCaptured()) {
             for (int i = argumentCountIncludingThis; i--;)
                 inlineCallFrame.capturedVars.set(argumentToOperand(i) + inlineCallFrame.stackOffset);

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -5106 +5106 @@
         return jsNull();
 
-    CodeBlock* codeBlock = functionCallFrame->someCodeBlockForPossiblyInlinedCode();
-    if (codeBlock->usesArguments()) {
-        ASSERT(codeBlock->codeType() == FunctionCode);
-        int argumentsRegister = codeBlock->argumentsRegister();
-        int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
-        if (JSValue arguments = functionCallFrame->uncheckedR(argumentsRegister).jsValue())
-            return arguments;
-        JSValue arguments = JSValue(Arguments::create(callFrame->globalData(), functionCallFrame));
-        functionCallFrame->r(argumentsRegister) = arguments;
-        functionCallFrame->r(realArgumentsRegister) = arguments;
-        return arguments;
-    }
-
     Arguments* arguments = Arguments::create(functionCallFrame->globalData(), functionCallFrame);
     arguments->tearOff(functionCallFrame);

trunk/Source/JavaScriptCore/tests/mozilla/js1_4/Functions/function-001.js

@@ -83 +83 @@
         "return function.arguments when function contains an arguments property",
         "PASS",
-        TestFunction_4( "F", "A", "I", "L" ) +"");
+        TestFunction_4( "P", "A", "S", "S" ) +"");
 
     test();
@@ -101 +101 @@
 
     function TestFunction_4( a, b, c, d, e ) {
-        var arguments = "PASS";
-        return TestFunction_4.arguments;
+        var arguments = "FAIL";
+        return Array.prototype.join.call(TestFunction_4.arguments, "");
     }