Changeset 149527 in webkit

Timestamp:

May 3, 2013, 11:46:45 AM (13 years ago)

Author:

ggaren@apple.com

Message:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This fixes a bunch of Sputnik tests.

The new model is that the callee always performs 'this' value conversion.

My ultimate goal is to break up resolve_with_this into single-result
opcodes. This step avoids having to add a new kind of convert_this for
call sites.

• API/JSCallbackFunction.cpp:

(JSC::JSCallbackFunction::call): Perform 'this' value conversion for
our callee, since it may observe 'this'.

• API/JSCallbackObjectFunctions.h:

(JSC::::call): Ditto.

• API/JSContextRef.cpp:

(JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
even when we're not in the browser. This eliminates some odd cases where
API clients used to be able to get a direct reference to an environment
record. Now, any reference to an environment record unambiguously means
that the VM resolved that record in the scope chain.

(JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
participates in the proxy 'this' object scheme, the behavior is not
WebCore-only.

• JavaScriptCore.order: Order!

• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
• JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:

What are the chances that this will work?

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):
(JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
other conversion opcodes.

• bytecode/CodeOrigin.h:

(CodeOrigin):
(InlineCallFrame):
(JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
executable, so compilation can discover where we're in strict mode.

• bytecode/Opcode.h:

(JSC::padOpcodeName): Updated for rename.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
'this' is in use -- strict mode still needs to convert environment
records to 'undefined'.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.h:

(JSC::DFG::canCompileOpcode): Updated for renames.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
strict mode (a new requirement) and to consider the global object (which
was always a requirement).

• dfg/DFGGraph.h:

(JSC::DFG::Graph::globalThisObjectFor):
(JSC::DFG::Graph::executableFor):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile): Ditto.

• interpreter/Interpreter.cpp:

(JSC::eval):
(JSC::Interpreter::execute):
(JSC::Interpreter::executeCall):

• interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job

to fix it up if needed.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:

(JIT):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_to_this):
(JSC::JIT::emitSlow_op_to_this):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jit/JITStubs.h: Removed special case code for various kinds of

conversions. The baseline fast path is now only final objects. It hurt
my brain to think through how to keep the other fast paths working, and
our benchmarks do not object.

• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• profiler/ProfileGenerator.cpp:

(JSC::ProfileGenerator::addParentForConsoleStart):

• runtime/CallData.cpp:

(JSC::call):

• runtime/ClassInfo.h:

(MethodTable):
(JSC):

• runtime/Completion.cpp:

(JSC::evaluate):

• runtime/DatePrototype.cpp:

(JSC::dateProtoFuncToJSON):

• runtime/JSActivation.cpp:

(JSC::JSActivation::toThis):

• runtime/JSActivation.h:

(JSActivation):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::toThisSlowCase):

• runtime/JSCJSValue.h:

(JSValue):

• runtime/JSCJSValueInlines.h:

(JSC::JSValue::toThis):

• runtime/JSCell.cpp:

(JSC::JSCell::toThis):

• runtime/JSCell.h:

(JSCell):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::toThis):

• runtime/JSGlobalObject.h:

(JSGlobalObject):

• runtime/JSNameScope.cpp:

(JSC::JSNameScope::toThis):

• runtime/JSNameScope.h:

(JSNameScope):

• runtime/JSObject.cpp:

(JSC::JSObject::put):
(JSC::JSObject::toThis):

• runtime/JSObject.h:

(JSObject):

• runtime/JSScope.cpp:

(JSC::JSScope::resolveWithThis):

• runtime/JSString.cpp:

(JSC::JSString::toThis):

• runtime/JSString.h:

(JSString):

• runtime/PropertySlot.cpp:

(JSC::PropertySlot::functionGetter):

• runtime/SparseArrayValueMap.cpp:

(JSC::SparseArrayEntry::get):
(JSC::SparseArrayEntry::put):

• runtime/StrictEvalActivation.cpp:

(JSC::StrictEvalActivation::toThis):

• runtime/StrictEvalActivation.h:

(StrictEvalActivation): Filled out runtime support for converting 'this'
values as needed, according to the strictness of the caller.

Source/WebCore:

Updated to match JSC requirement that the callee performs 'this' value
conversion.

• WebCore.order:
• bindings/js/JSErrorHandler.cpp:

(WebCore::JSErrorHandler::handleEvent):

• bindings/js/JSInjectedScriptHostCustom.cpp:

(WebCore::JSInjectedScriptHost::internalConstructorName):

• bindings/js/JSMainThreadExecState.h:

(WebCore::JSMainThreadExecState::call):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateImplementation):

• bridge/NP_jsobject.cpp:

(_NPN_Invoke):

Source/WebKit/mac:

Updated to match JSC requirement that the callee performs 'this' value
conversion.

• Plugins/Hosted/NetscapePluginInstanceProxy.mm:

(WebKit::NetscapePluginInstanceProxy::invoke):
(WebKit::NetscapePluginInstanceProxy::invokeDefault):

Source/WebKit2:

Updated to match JSC requirement that the callee performs 'this' value
conversion.

• WebProcess/Plugins/Netscape/NPJSObject.cpp:

(WebKit::NPJSObject::invoke):

LayoutTests:

We pass these tests now:

• sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:

Location:

branches/dfgFourthTier

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/API/JSContextRef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/API/JSObjectRef.cpp (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/CodeOrigin.h (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/Opcode.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCapabilities.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (4 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITStubs.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntData.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/profiler/ProfileGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CallData.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Completion.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DatePrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSActivation.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSActivation.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSNameScope.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNameScope.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSScope.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/StrictEvalActivation.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StrictEvalActivation.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.order (modified) (1 diff)
• Source/WebCore/bindings/js/JSErrorHandler.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSMainThreadExecState.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bridge/NP_jsobject.cpp (modified) (1 diff)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (modified) (2 diffs)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp (modified) (1 diff)

branches/dfgFourthTier/LayoutTests/ChangeLog

@@ +1 @@
+2013-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Rationalized 'this' value conversion
+        https://bugs.webkit.org/show_bug.cgi?id=115542
+
+        Reviewed by Filip Pizlo.
+
+        We pass these tests now:
+
+        * sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:
+
 2013-04-03  Filip Pizlo  <fpizlo@apple.com>
 

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt

@@ -1 +1 @@
 S11.1.1_A2
 
-FAIL SputnikError: #1: this.toString() === toString(). Actual: [object Window]
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.10_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.11_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.12_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.13_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.14_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.15_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.6_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.7_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.8_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

branches/dfgFourthTier/Source/JavaScriptCore/API/JSCallbackFunction.cpp

@@ -68 +68 @@
     JSContextRef execRef = toRef(exec);
     JSObjectRef functionRef = toRef(exec->callee());
-    JSObjectRef thisObjRef = toRef(exec->hostThisValue().toThisObject(exec));
+    JSObjectRef thisObjRef = toRef(jsCast<JSObject*>(exec->hostThisValue().toThis(exec, NotStrictMode)));
 
     int argumentCount = static_cast<int>(exec->argumentCount());

branches/dfgFourthTier/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -431 +431 @@
     JSContextRef execRef = toRef(exec);
     JSObjectRef functionRef = toRef(exec->callee());
-    JSObjectRef thisObjRef = toRef(exec->hostThisValue().toThisObject(exec));
+    JSObjectRef thisObjRef = toRef(jsCast<JSObject*>(exec->hostThisValue().toThis(exec, NotStrictMode)));
     
     for (JSClassRef jsClass = jsCast<JSCallbackObject<Parent>*>(toJS(functionRef))->classRef(); jsClass; jsClass = jsClass->parentClass) {

branches/dfgFourthTier/Source/JavaScriptCore/API/JSContextRef.cpp

@@ -107 +107 @@
     if (!globalObjectClass) {
         JSGlobalObject* globalObject = JSGlobalObject::create(*vm, JSGlobalObject::createStructure(*vm, jsNull()));
+        globalObject->setGlobalThis(*vm, JSProxy::create(*vm, JSProxy::createStructure(*vm, globalObject, globalObject->prototype()), globalObject));
         return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec()));
     }
@@ -154 +155 @@
     APIEntryShim entryShim(exec);
 
-    // It is necessary to call toThisObject to get the wrapper object when used with WebCore.
-    return toRef(exec->lexicalGlobalObject()->methodTable()->toThisObject(exec->lexicalGlobalObject(), exec));
+    return toRef(jsCast<JSObject*>(exec->lexicalGlobalObject()->methodTable()->toThis(exec->lexicalGlobalObject(), exec, NotStrictMode)));
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -455 +455 @@
         jsThisObject = exec->globalThisValue();
 
-    jsThisObject = jsThisObject->methodTable()->toThisObject(jsThisObject, exec);
-    
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; i++)

branches/dfgFourthTier/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Rationalized 'this' value conversion
+        https://bugs.webkit.org/show_bug.cgi?id=115542
+
+        Reviewed by Filip Pizlo.
+
+        This fixes a bunch of Sputnik tests.
+
+        The new model is that the callee always performs 'this' value conversion.
+
+        My ultimate goal is to break up resolve_with_this into single-result 
+        opcodes. This step avoids having to add a new kind of convert_this for 
+        call sites.
+
+        * API/JSCallbackFunction.cpp:
+        (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
+        our callee, since it may observe 'this'.
+
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::::call): Ditto.
+
+        * API/JSContextRef.cpp:
+        (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
+        even when we're not in the browser. This eliminates some odd cases where
+        API clients used to be able to get a direct reference to an environment
+        record. Now, any reference to an environment record unambiguously means
+        that the VM resolved that record in the scope chain.
+
+        (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
+        participates in the proxy 'this' object scheme, the behavior is not
+        WebCore-only.
+
+        * JavaScriptCore.order: Order!
+
+        * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+        * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+        What are the chances that this will work?
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
+        other conversion opcodes.
+
+        * bytecode/CodeOrigin.h:
+        (CodeOrigin):
+        (InlineCallFrame):
+        (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
+        executable, so compilation can discover where we're in strict mode.
+
+        * bytecode/Opcode.h:
+        (JSC::padOpcodeName): Updated for rename.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
+        'this' is in use -- strict mode still needs to convert environment
+        records to 'undefined'.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canCompileOpcode): Updated for renames.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
+        strict mode (a new requirement) and to consider the global object (which
+        was always a requirement).
+
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::globalThisObjectFor):
+        (JSC::DFG::Graph::executableFor):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Ditto.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval):
+        (JSC::Interpreter::execute):
+        (JSC::Interpreter::executeCall):
+        * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
+        to fix it up if needed.
+
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        (JIT):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_to_this):
+        (JSC::JIT::emitSlow_op_to_this):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_to_this):
+        (JSC::JIT::emitSlow_op_to_this):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jit/JITStubs.h: Removed special case code for various kinds of
+        conversions. The baseline fast path is now only final objects. It hurt
+        my brain to think through how to keep the other fast paths working, and
+        our benchmarks do not object.
+
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LLIntSlowPaths.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * profiler/ProfileGenerator.cpp:
+        (JSC::ProfileGenerator::addParentForConsoleStart):
+        * runtime/CallData.cpp:
+        (JSC::call):
+        * runtime/ClassInfo.h:
+        (MethodTable):
+        (JSC):
+        * runtime/Completion.cpp:
+        (JSC::evaluate):
+        * runtime/DatePrototype.cpp:
+        (JSC::dateProtoFuncToJSON):
+        * runtime/JSActivation.cpp:
+        (JSC::JSActivation::toThis):
+        * runtime/JSActivation.h:
+        (JSActivation):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::toThisSlowCase):
+        * runtime/JSCJSValue.h:
+        (JSValue):
+        * runtime/JSCJSValueInlines.h:
+        (JSC::JSValue::toThis):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::toThis):
+        * runtime/JSCell.h:
+        (JSCell):
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::toThis):
+        * runtime/JSGlobalObject.h:
+        (JSGlobalObject):
+        * runtime/JSNameScope.cpp:
+        (JSC::JSNameScope::toThis):
+        * runtime/JSNameScope.h:
+        (JSNameScope):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::put):
+        (JSC::JSObject::toThis):
+        * runtime/JSObject.h:
+        (JSObject):
+        * runtime/JSScope.cpp:
+        (JSC::JSScope::resolveWithThis):
+        * runtime/JSString.cpp:
+        (JSC::JSString::toThis):
+        * runtime/JSString.h:
+        (JSString):
+        * runtime/PropertySlot.cpp:
+        (JSC::PropertySlot::functionGetter):
+        * runtime/SparseArrayValueMap.cpp:
+        (JSC::SparseArrayEntry::get):
+        (JSC::SparseArrayEntry::put):
+        * runtime/StrictEvalActivation.cpp:
+        (JSC::StrictEvalActivation::toThis):
+        * runtime/StrictEvalActivation.h:
+        (StrictEvalActivation): Filled out runtime support for converting 'this'
+        values as needed, according to the strictness of the caller.
+
 2013-05-02  Filip Pizlo  <fpizlo@apple.com>
 

branches/dfgFourthTier/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -718 +718 @@
             break;
         }
-        case op_convert_this: {
-            int r0 = (++it)->u.operand;
-            out.printf("[%4d] convert_this\t %s", location, registerName(r0).data());
+        case op_to_this: {
+            int r0 = (++it)->u.operand;
+            out.printf("[%4d] to_this\t %s", location, registerName(r0).data());
             ++it; // Skip value profile.
             break;
@@ -1831 +1831 @@
             // fallthrough
         }
-        case op_convert_this:
+        case op_to_this:
         case op_get_by_id:
         case op_call_put_result:

branches/dfgFourthTier/Source/JavaScriptCore/bytecode/CodeOrigin.h

@@ -40 +40 @@
 struct InlineCallFrame;
 class ExecState;
-class ExecutableBase;
+class ScriptExecutable;
 class JSFunction;
 
@@ -83 +83 @@
     // If the code origin corresponds to inlined code, gives you the heap object that
     // would have owned the code if it had not been inlined. Otherwise returns 0.
-    ExecutableBase* codeOriginOwner() const;
+    ScriptExecutable* codeOriginOwner() const;
     
     unsigned stackOffset() const;
@@ -101 +101 @@
 struct InlineCallFrame {
     Vector<ValueRecovery> arguments;
-    WriteBarrier<ExecutableBase> executable;
+    WriteBarrier<ScriptExecutable> executable;
     WriteBarrier<JSFunction> callee; // This may be null, indicating that this is a closure call and that the JSFunction and JSScope are already on the stack.
     CodeOrigin caller;
@@ -150 +150 @@
 }
 
-inline ExecutableBase* CodeOrigin::codeOriginOwner() const
+inline ScriptExecutable* CodeOrigin::codeOriginOwner() const
 {
     if (!inlineCallFrame)

branches/dfgFourthTier/Source/JavaScriptCore/bytecode/Opcode.h

@@ -47 +47 @@
     macro(op_create_this, 4) \
     macro(op_get_callee, 3) \
-    macro(op_convert_this, 3) \
+    macro(op_to_this, 3) \
     \
     macro(op_new_object, 4) \

branches/dfgFourthTier/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -470 +470 @@
     if (isConstructor()) {
         emitCreateThis(&m_thisRegister);
-    } else if (!codeBlock->isStrictMode() && (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks)) {
-        UnlinkedValueProfile profile = emitProfiledOpcode(op_convert_this);
+    } else if (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks) {
+        UnlinkedValueProfile profile = emitProfiledOpcode(op_to_this);
         instructions().append(kill(&m_thisRegister));
         instructions().append(profile);

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1128 +1128 @@
         break;
             
-    case ConvertThis: {
+    case ToThis: {
         AbstractValue& source = forNode(node->child1());
         AbstractValue& destination = forNode(node);

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2018 +2018 @@
             NEXT_OPCODE(op_enter);
 
-        case op_convert_this: {
+        case op_to_this: {
             Node* op1 = getThis();
-            if (op1->op() != ConvertThis) {
+            if (op1->op() != ToThis) {
                 CodeBlockLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
                 ValueProfile* profile =
@@ -2034 +2034 @@
                     || !profile->m_singletonValue.isCell()
                     || profile->m_singletonValue.asCell()->classInfo() != &Structure::s_info)
-                    setThis(addToGraph(ConvertThis, op1));
+                    setThis(addToGraph(ToThis, op1));
                 else {
                     addToGraph(
@@ -2042 +2042 @@
                 }
             }
-            NEXT_OPCODE(op_convert_this);
+            NEXT_OPCODE(op_to_this);
         }
 

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -87 +87 @@
     switch (opcodeID) {
     case op_enter:
-    case op_convert_this:
+    case op_to_this:
     case op_create_this:
     case op_get_callee:

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -661 +661 @@
         }
             
-        case ConvertThis: {
+        case ToThis: {
+            ECMAMode ecmaMode = m_graph.executableFor(node->codeOrigin)->isStrictMode() ? StrictMode : NotStrictMode;
+
             if (isOtherSpeculation(node->child1()->prediction())) {
+                if (ecmaMode == StrictMode) {
+                    setUseKindAndUnboxIfProfitable<OtherUse>(node->child1());
+                    node->convertToIdentity();
+                    break;
+                }
+
                 m_insertionSet.insertNode(
                     m_indexInBlock, SpecNone, Phantom, node->codeOrigin,
@@ -671 +679 @@
             }
             
-            if (isObjectSpeculation(node->child1()->prediction())) {
+            if (isFinalObjectSpeculation(node->child1()->prediction())) {
                 setUseKindAndUnboxIfProfitable<ObjectUse>(node->child1());
                 node->convertToIdentity();

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -358 +358 @@
     {
         JSGlobalObject* object = globalObjectFor(codeOrigin);
-        return object->methodTable()->toThisObject(object, 0);
-    }
-    
-    ExecutableBase* executableFor(InlineCallFrame* inlineCallFrame)
+        return jsCast<JSObject*>(object->methodTable()->toThis(object, object->globalExec(), NotStrictMode));
+    }
+    
+    ScriptExecutable* executableFor(InlineCallFrame* inlineCallFrame)
     {
         if (!inlineCallFrame)
@@ -369 +369 @@
     }
     
-    ExecutableBase* executableFor(const CodeOrigin& codeOrigin)
+    ScriptExecutable* executableFor(const CodeOrigin& codeOrigin)
     {
         return executableFor(codeOrigin.inlineCallFrame);

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -50 +50 @@
     \
     /* Nodes for handling functions (both as call and as construct). */\
-    macro(ConvertThis, NodeResultJS) \
+    macro(ToThis, NodeResultJS) \
     macro(CreateThis, NodeResultJS) /* Note this is not MustGenerate since we're returning it anyway. */ \
     macro(GetCallee, NodeResultJS) \

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -341 +341 @@
 extern "C" {
 
-EncodedJSValue DFG_OPERATION operationConvertThis(ExecState* exec, EncodedJSValue encodedOp)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-
-    return JSValue::encode(JSValue::decode(encodedOp).toThisObject(exec));
+EncodedJSValue DFG_OPERATION operationToThis(ExecState* exec, EncodedJSValue encodedOp)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -129 +129 @@
 JSCell* DFG_OPERATION operationNewObject(ExecState*, Structure*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateThis(ExecState*, JSObject* constructor, int32_t inlineCapacity) WTF_INTERNAL;
-EncodedJSValue DFG_OPERATION operationConvertThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -370 +370 @@
         }
 
-        case ConvertThis: {
+        case ToThis: {
             SpeculatedType prediction = node->child1()->prediction();
             if (prediction) {

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3686 +3686 @@
     }
         
-    case ConvertThis: {
+    case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
 
@@ -3697 +3697 @@
         GPRResult2 resultTag(this);
         GPRResult resultPayload(this);
-        callOperation(operationConvertThis, resultTag.gpr(), resultPayload.gpr(), thisValueTagGPR, thisValuePayloadGPR);
+        callOperation(operationToThis, resultTag.gpr(), resultPayload.gpr(), thisValueTagGPR, thisValuePayloadGPR);
         
         cellResult(resultPayload.gpr(), node);

branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3599 +3599 @@
     }
         
-    case ConvertThis: {
+    case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
         JSValueOperand thisValue(this, node->child1());
@@ -3607 +3607 @@
         
         GPRResult result(this);
-        callOperation(operationConvertThis, result.gpr(), thisValueGPR);
+        callOperation(operationToThis, result.gpr(), thisValueGPR);
         
         cellResult(result.gpr(), node);

branches/dfgFourthTier/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -256 +256 @@
 
     JSValue thisValue = callerFrame->thisValue();
-    ASSERT(isValidThisObject(thisValue, callFrame));
     Interpreter* interpreter = callFrame->vm().interpreter;
     return interpreter->execute(eval, callFrame, thisValue, callerScopeChain);
@@ -838 +837 @@
     VM& vm = *scope->vm();
 
-    ASSERT(isValidThisObject(thisObj, callFrame));
     ASSERT(!vm.exception);
     ASSERT(!vm.isCollectorBusy());
@@ -1000 +998 @@
 {
     VM& vm = callFrame->vm();
-    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!callFrame->hadException());
     ASSERT(!vm.isCollectorBusy());
@@ -1249 +1246 @@
     
     ASSERT(scope->vm() == &callFrame->vm());
-    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!vm.exception);
     ASSERT(!vm.isCollectorBusy());

branches/dfgFourthTier/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -284 +284 @@
     };
 
-    // This value must not be an object that would require this conversion (WebCore's global object).
-    inline bool isValidThisObject(JSValue thisValue, ExecState* exec)
-    {
-        return !thisValue.isObject() || thisValue.toThisObject(exec) == thisValue;
-    }
-
     JSValue eval(CallFrame*);
     CallFrame* loadVarargs(CallFrame*, JSStack*, JSValue thisValue, JSValue arguments, int firstFreeRegister);

branches/dfgFourthTier/Source/JavaScriptCore/jit/JIT.cpp

@@ -266 +266 @@
         DEFINE_OP(op_get_callee)
         DEFINE_OP(op_create_this)
-        DEFINE_OP(op_convert_this)
+        DEFINE_OP(op_to_this)
         DEFINE_OP(op_init_lazy_reg)
         DEFINE_OP(op_create_arguments)
@@ -480 +480 @@
         DEFINE_SLOWCASE_OP(op_call_varargs)
         DEFINE_SLOWCASE_OP(op_construct)
-        DEFINE_SLOWCASE_OP(op_convert_this)
+        DEFINE_SLOWCASE_OP(op_to_this)
         DEFINE_SLOWCASE_OP(op_create_this)
         DEFINE_SLOWCASE_OP(op_div)

branches/dfgFourthTier/Source/JavaScriptCore/jit/JIT.h

@@ -654 +654 @@
         void emit_op_get_callee(Instruction*);
         void emit_op_create_this(Instruction*);
-        void emit_op_convert_this(Instruction*);
+        void emit_op_to_this(Instruction*);
         void emit_op_create_arguments(Instruction*);
         void emit_op_debug(Instruction*);
@@ -768 +768 @@
         void emitSlow_op_call_varargs(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_construct(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_convert_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_to_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_create_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_div(Instruction*, Vector<SlowCaseEntry>::iterator&);

branches/dfgFourthTier/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -910 +910 @@
 }
 
-void JIT::emit_op_convert_this(Instruction* currentInstruction)
+void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
     emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
 
     emitJumpSlowCaseIfNotJSCell(regT1);
-    if (shouldEmitProfiling()) {
-        loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
+    loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
+    if (shouldEmitProfiling())
         emitValueProfilingSite();
-    }
-    addSlowCase(branchPtr(Equal, Address(regT1, JSCell::structureOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
+
+    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
 }
 
@@ -975 +975 @@
 // Slow cases
 
-void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    void* globalThis = m_codeBlock->globalObject()->globalThis();
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling())
-        move(TrustedImm64((JSValue::encode(jsUndefined()))), regT0);
-    Jump isNotUndefined = branch64(NotEqual, regT1, TrustedImm64(JSValue::encode(jsUndefined())));
-    emitValueProfilingSite();
-    move(TrustedImm64(JSValue::encode(JSValue(static_cast<JSCell*>(globalThis)))), regT0);
-    emitPutVirtualRegister(currentInstruction[1].u.operand, regT0);
-    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling())
-        move(TrustedImm64(JSValue::encode(m_vm->stringStructure.get())), regT0);
-    isNotUndefined.link(this);
-    emitValueProfilingSite();
-    JITStubCall stubCall(this, cti_op_convert_this);
+void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
+    linkSlowCase(iter);
+    JITStubCall stubCall(this, cti_op_to_this);
     stubCall.addArgument(regT1);
     stubCall.call(currentInstruction[1].u.operand);

branches/dfgFourthTier/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1197 +1197 @@
 }
 
-void JIT::emit_op_convert_this(Instruction* currentInstruction)
+void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
     unsigned thisRegister = currentInstruction[1].u.operand;
@@ -1204 +1204 @@
 
     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag)));
+    loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
     if (shouldEmitProfiling()) {
-        loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
         move(regT3, regT1);
         emitValueProfilingSite();
     }
-    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::structureOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
-}
-
-void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    void* globalThis = m_codeBlock->globalObject()->globalThis();
+    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+}
+
+void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
     unsigned thisRegister = currentInstruction[1].u.operand;
 
     linkSlowCase(iter);
-    if (shouldEmitProfiling()) {
-        move(TrustedImm32(JSValue::UndefinedTag), regT1);
-        move(TrustedImm32(0), regT0);
-    }
-    Jump isNotUndefined = branch32(NotEqual, regT3, TrustedImm32(JSValue::UndefinedTag));
-    emitValueProfilingSite();
-    move(TrustedImmPtr(globalThis), regT0);
-    move(TrustedImm32(JSValue::CellTag), regT1);
-    emitStore(thisRegister, regT1, regT0);
-    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling()) {
-        move(TrustedImm32(JSValue::CellTag), regT1);
-        move(TrustedImmPtr(m_vm->stringStructure.get()), regT0);
-    }
-    isNotUndefined.link(this);
-    emitValueProfilingSite();
-    JITStubCall stubCall(this, cti_op_convert_this);
+    linkSlowCase(iter);
+    JITStubCall stubCall(this, cti_op_to_this);
     stubCall.addArgument(regT3, regT2);
     stubCall.call(thisRegister);

branches/dfgFourthTier/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -1327 +1327 @@
 }
 
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_convert_this)
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_to_this)
 {
     STUB_INIT_STACK_FRAME(stackFrame);
@@ -1334 +1334 @@
     CallFrame* callFrame = stackFrame.callFrame;
 
-    ASSERT(v1.isPrimitive());
-
-    JSObject* result = v1.toThisObject(callFrame);
+    JSValue result = v1.toThis(callFrame, callFrame->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);

branches/dfgFourthTier/Source/JavaScriptCore/jit/JITStubs.h

@@ -331 +331 @@
 EncodedJSValue JIT_STUB cti_op_check_has_instance(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_create_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
-EncodedJSValue JIT_STUB cti_op_convert_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
+EncodedJSValue JIT_STUB cti_op_to_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_create_arguments(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_del_by_id(STUB_ARGS_DECLARATION) WTF_INTERNAL;

branches/dfgFourthTier/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -105 +105 @@
     ASSERT(StringType == 5);
     ASSERT(ObjectType == 17);
+    ASSERT(FinalObjectType == 18);
     ASSERT(MasqueradesAsUndefined == 1);
     ASSERT(ImplementsHasInstance == 2);

branches/dfgFourthTier/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -492 +492 @@
 }
 
-LLINT_SLOW_PATH_DECL(slow_path_convert_this)
+LLINT_SLOW_PATH_DECL(slow_path_to_this)
 {
     LLINT_BEGIN();
     JSValue v1 = LLINT_OP(1).jsValue();
-    ASSERT(v1.isPrimitive());
 #if ENABLE(VALUE_PROFILER)
-    pc[OPCODE_LENGTH(op_convert_this) - 1].u.profile->m_buckets[0] =
+    pc[OPCODE_LENGTH(op_to_this) - 1].u.profile->m_buckets[0] =
         JSValue::encode(v1.structureOrUndefined());
 #endif
-    LLINT_RETURN(v1.toThisObject(exec));
+    LLINT_RETURN(v1.toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/llint/LLIntSlowPaths.h

@@ -119 +119 @@
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_create_arguments);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_create_this);
-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_convert_this);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_to_this);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_object);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array);

branches/dfgFourthTier/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -101 +101 @@
 const StringType = 5
 const ObjectType = 17
+const FinalObjectType = 18
 
 # Type flags constants.

branches/dfgFourthTier/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -387 +387 @@
 
 
-_llint_op_convert_this:
-    traceExecution()
-    loadi 4[PC], t0
-    bineq TagOffset[cfr, t0, 8], CellTag, .opConvertThisSlow
+_llint_op_to_this:
+    traceExecution()
+    loadi 4[PC], t0
+    bineq TagOffset[cfr, t0, 8], CellTag, .opToThisSlow
     loadi PayloadOffset[cfr, t0, 8], t0
     loadp JSCell::m_structure[t0], t0
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
+    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
     loadi 8[PC], t1
     valueProfile(CellTag, t0, t1)
     dispatch(3)
 
-.opConvertThisSlow:
-    callSlowPath(_llint_slow_path_convert_this)
+.opToThisSlow:
+    callSlowPath(_llint_slow_path_to_this)
     dispatch(3)
 

branches/dfgFourthTier/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -267 +267 @@
 
 
-_llint_op_convert_this:
+_llint_op_to_this:
     traceExecution()
     loadisFromInstruction(1, t0)
     loadq [cfr, t0, 8], t0
-    btqnz t0, tagMask, .opConvertThisSlow
+    btqnz t0, tagMask, .opToThisSlow
     loadp JSCell::m_structure[t0], t0
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
+    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
     loadpFromInstruction(2, t1)
     valueProfile(t0, t1)
     dispatch(3)
 
-.opConvertThisSlow:
-    callSlowPath(_llint_slow_path_convert_this)
+.opToThisSlow:
+    callSlowPath(_llint_slow_path_to_this)
     dispatch(3)
 

branches/dfgFourthTier/Source/JavaScriptCore/profiler/ProfileGenerator.cpp

@@ -65 +65 @@
 
     exec->interpreter()->retrieveLastCaller(exec, lineNumber, sourceID, sourceURL, function);
-    m_currentNode = ProfileNode::create(exec, LegacyProfiler::createCallIdentifier(exec, function ? function.toThisObject(exec) : 0, sourceURL, lineNumber), m_head.get(), m_head.get());
+    m_currentNode = ProfileNode::create(exec, LegacyProfiler::createCallIdentifier(exec, function, sourceURL, lineNumber), m_head.get(), m_head.get());
     m_head->insertNode(m_currentNode.get());
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/CallData.cpp

@@ -37 +37 @@
 {
     ASSERT(callType == CallTypeJS || callType == CallTypeHost);
-    ASSERT(isValidThisObject(thisValue, exec));
     return exec->interpreter()->executeCall(exec, asObject(functionObject), callType, callData, thisValue, args);
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -67 +67 @@
     GetOwnPropertySlotByIndexFunctionPtr getOwnPropertySlotByIndex;
 
-    typedef JSObject* (*ToThisObjectFunctionPtr)(JSCell*, ExecState*);
-    ToThisObjectFunctionPtr toThisObject;
+    typedef JSValue (*ToThisFunctionPtr)(JSCell*, ExecState*, ECMAMode);
+    ToThisFunctionPtr toThis;
 
     typedef JSValue (*DefaultValueFunctionPtr)(const JSObject*, ExecState*, PreferredPrimitiveType);
@@ -129 +129 @@
         &ClassName::getOwnPropertySlot, \
         &ClassName::getOwnPropertySlotByIndex, \
-        &ClassName::toThisObject, \
+        &ClassName::toThis, \
         &ClassName::defaultValue, \
         &ClassName::getOwnPropertyNames, \

branches/dfgFourthTier/Source/JavaScriptCore/runtime/Completion.cpp

@@ -72 +72 @@
     if (!thisValue || thisValue.isUndefinedOrNull())
         thisValue = exec->dynamicGlobalObject();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = jsCast<JSObject*>(thisValue.toThis(exec, NotStrictMode));
     JSValue result = exec->interpreter()->execute(program, exec, thisObj);
 

branches/dfgFourthTier/Source/JavaScriptCore/runtime/DatePrototype.cpp

@@ -1108 +1108 @@
 {
     JSValue thisValue = exec->hostThisValue();
-    JSObject* object = thisValue.toThisObject(exec);
+    JSObject* object = jsCast<JSObject*>(thisValue.toThis(exec, NotStrictMode));
     if (exec->hadException())
         return JSValue::encode(jsNull());

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSActivation.cpp

@@ -237 +237 @@
 }
 
-JSObject* JSActivation::toThisObject(JSCell*, ExecState* exec)
-{
+JSValue JSActivation::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSActivation.h

@@ -74 +74 @@
         static bool deleteProperty(JSCell*, ExecState*, PropertyName);
 
-        static JSObject* toThisObject(JSCell*, ExecState*);
+        static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
         void tearOff(VM&);

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -81 +81 @@
 }
 
-JSObject* JSValue::toThisObjectSlowCase(ExecState* exec) const
+JSValue JSValue::toThisSlowCase(ExecState* exec, ECMAMode ecmaMode) const
 {
     ASSERT(!isCell());
+
+    if (ecmaMode == StrictMode)
+        return *this;
 
     if (isInt32() || isDouble())

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -73 +73 @@
 
 enum PreferredPrimitiveType { NoPreference, PreferNumber, PreferString };
-
+enum ECMAMode { StrictMode, NotStrictMode };
 
 typedef int64_t EncodedJSValue;
@@ -246 +246 @@
     void putByIndex(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
-    JSObject* toThisObject(ExecState*) const;
+    JSValue toThis(ExecState*, ECMAMode) const;
 
     static bool equal(ExecState*, JSValue v1, JSValue v2);
@@ -276 +276 @@
     JS_EXPORT_PRIVATE WTF::String toWTFStringSlowCase(ExecState*) const;
     JS_EXPORT_PRIVATE JSObject* toObjectSlowCase(ExecState*, JSGlobalObject*) const;
-    JS_EXPORT_PRIVATE JSObject* toThisObjectSlowCase(ExecState*) const;
+    JS_EXPORT_PRIVATE JSValue toThisSlowCase(ExecState*, ECMAMode) const;
 
 #if USE(JSVALUE32_64)

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -615 +615 @@
 }
 
-inline JSObject* JSValue::toThisObject(ExecState* exec) const
-{
-    return isCell() ? asCell()->methodTable()->toThisObject(asCell(), exec) : toThisObjectSlowCase(exec);
+inline JSValue JSValue::toThis(ExecState* exec, ECMAMode ecmaMode) const
+{
+    return isCell() ? asCell()->methodTable()->toThis(asCell(), exec, ecmaMode) : toThisSlowCase(exec, ecmaMode);
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -134 +134 @@
 }
 
-JSObject* JSCell::toThisObject(JSCell* cell, ExecState* exec)
-{
+JSValue JSCell::toThis(JSCell* cell, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return cell;
     return cell->toObject(exec, exec->lexicalGlobalObject());
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSCell.h

@@ -113 +113 @@
     static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
 
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     void zap() { *reinterpret_cast<uintptr_t**>(this) = 0; }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -536 +536 @@
 }
 
-JSObject* JSGlobalObject::toThisObject(JSCell* cell, ExecState*)
-{
-    return jsCast<JSGlobalObject*>(cell)->globalThis();
+JSValue JSGlobalObject::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
+    return exec->globalThisValue();
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -378 +378 @@
     VM& vm() const { return *Heap::heap(this)->vm(); }
     JSObject* globalThis() const;
+    JS_EXPORT_PRIVATE void setGlobalThis(VM&, JSObject* globalThis);
 
     static Structure* createStructure(VM& vm, JSValue prototype)
@@ -420 +421 @@
     JS_EXPORT_PRIVATE void addStaticGlobals(GlobalPropertyInfo*, int count);
 
-    JS_EXPORT_PRIVATE static JSC::JSObject* toThisObject(JSC::JSCell*, JSC::ExecState*);
-
-    JS_EXPORT_PRIVATE void setGlobalThis(VM&, JSObject* globalThis);
+    JS_EXPORT_PRIVATE static JSC::JSValue toThis(JSC::JSCell*, JSC::ExecState*, ECMAMode);
 
 private:

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSNameScope.cpp

@@ -45 +45 @@
 }
 
-JSObject* JSNameScope::toThisObject(JSCell*, ExecState* exec)
+JSValue JSNameScope::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
 {
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSNameScope.h

@@ -53 +53 @@
     static void visitChildren(JSCell*, SlotVisitor&);
     bool isDynamicScope(bool& requiresDynamicChecks) const;
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
     static bool getOwnPropertySlot(JSCell*, ExecState*, PropertyName, PropertySlot&);
     static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -397 +397 @@
                 args.append(value);
 
-                // If this is WebCore's global object then we need to substitute the shell.
-                call(exec, setterFunc, callType, callData, thisObject->methodTable()->toThisObject(thisObject, exec), args);
+                call(exec, setterFunc, callType, callData, thisObject, args);
                 return;
             } else
@@ -1551 +1550 @@
 }
 
-JSObject* JSObject::toThisObject(JSCell* cell, ExecState*)
+JSValue JSObject::toThis(JSCell* cell, ExecState*, ECMAMode)
 {
     return jsCast<JSObject*>(cell);

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSObject.h

@@ -489 +489 @@
     // NOTE: JSObject and its subclasses must be able to gracefully handle ExecState* = 0,
     // because this call may come from inside the compiler.
-    JS_EXPORT_PRIVATE static JSObject* toThisObject(JSCell*, ExecState*);
+    JS_EXPORT_PRIVATE static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     bool getPropertySpecificValue(ExecState*, PropertyName, JSCell*& specificFunction) const;

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSScope.cpp

@@ -537 +537 @@
             return JSValue();
         ASSERT(value);
-        *base = propertyBase->structure()->typeInfo().isEnvironmentRecord() ? jsUndefined() : JSValue(propertyBase);
+        *base = JSValue(propertyBase);
         return value;
     }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSString.cpp

@@ -272 +272 @@
 }
 
-JSObject* JSString::toThisObject(JSCell* cell, ExecState* exec)
-{
+JSValue JSString::toThis(JSCell* cell, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return cell;
     return StringObject::create(exec, exec->lexicalGlobalObject(), jsCast<JSString*>(cell));
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/JSString.h

@@ -201 +201 @@
         friend class LLIntOffsetsExtractor;
         
-        static JSObject* toThisObject(JSCell*, ExecState*);
+        static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
         // Actually getPropertySlot, not getOwnPropertySlot (see JSCell).

branches/dfgFourthTier/Source/JavaScriptCore/runtime/PropertySlot.cpp

@@ -36 +36 @@
     CallData callData;
     CallType callType = m_data.getterFunc->methodTable()->getCallData(m_data.getterFunc, callData);
-    return call(exec, m_data.getterFunc, callType, callData, m_thisValue.isObject() ? m_thisValue.toThisObject(exec) : m_thisValue, exec->emptyList());
+    return call(exec, m_data.getterFunc, callType, callData, m_thisValue, exec->emptyList());
 }
 

branches/dfgFourthTier/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

@@ -161 +161 @@
     CallData callData;
     CallType callType = getter->methodTable()->getCallData(getter, callData);
-    return call(exec, getter, callType, callData, array->methodTable()->toThisObject(array, exec), exec->emptyList());
+    return call(exec, getter, callType, callData, array, exec->emptyList());
 }
 
@@ -191 +191 @@
     MarkedArgumentBuffer args;
     args.append(value);
-    if (thisValue.isObject())
-        thisValue = asObject(thisValue)->methodTable()->toThisObject(asObject(thisValue), exec);
     call(exec, setter, callType, callData, thisValue, args);
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp

@@ -50 +50 @@
 }
 
-JSObject* StrictEvalActivation::toThisObject(JSCell*, ExecState* exec)
+JSValue StrictEvalActivation::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
 {
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

branches/dfgFourthTier/Source/JavaScriptCore/runtime/StrictEvalActivation.h

@@ -43 +43 @@
 
     static bool deleteProperty(JSCell*, ExecState*, PropertyName);
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)

branches/dfgFourthTier/Source/WebCore/ChangeLog

@@ +1 @@
+2013-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Rationalized 'this' value conversion
+        https://bugs.webkit.org/show_bug.cgi?id=115542
+
+        Reviewed by Filip Pizlo.
+
+        Updated to match JSC requirement that the callee performs 'this' value
+        conversion.
+
+        * WebCore.order:
+        * bindings/js/JSErrorHandler.cpp:
+        (WebCore::JSErrorHandler::handleEvent):
+        * bindings/js/JSInjectedScriptHostCustom.cpp:
+        (WebCore::JSInjectedScriptHost::internalConstructorName):
+        * bindings/js/JSMainThreadExecState.h:
+        (WebCore::JSMainThreadExecState::call):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateImplementation):
+        * bridge/NP_jsobject.cpp:
+        (_NPN_Invoke):
+
 2013-04-29  Filip Pizlo  <fpizlo@apple.com>
 

branches/dfgFourthTier/Source/WebCore/WebCore.order

@@ -2803 +2803 @@
 __ZN7WebCore13ScriptElement13executeScriptERKNS_16ScriptSourceCodeE
 __ZNK7WebCore21ContentSecurityPolicy17allowInlineScriptEv
-__ZNK7WebCore15JSDOMWindowBase12toThisObjectEPN3JSC9ExecStateE
 __ZN7WebCore16JSDOMWindowShell18getOwnPropertySlotEPN3JSC9ExecStateERKNS1_10IdentifierERNS1_12PropertySlotE
 __ZN7WebCore16JSDOMWindowShell17putWithAttributesEPN3JSC9ExecStateERKNS1_10IdentifierENS1_7JSValueEj

branches/dfgFourthTier/Source/WebCore/bindings/js/JSErrorHandler.cpp

@@ -93 +93 @@
         DynamicGlobalObjectScope globalObjectScope(vm, vm.dynamicGlobalObject ? vm.dynamicGlobalObject : globalObject);
 
-        JSValue thisValue = globalObject->methodTable()->toThisObject(globalObject, exec);
-
         vm.timeoutChecker.start();
         JSValue returnValue = scriptExecutionContext->isDocument()
-            ? JSMainThreadExecState::call(exec, jsFunction, callType, callData, thisValue, args)
-            : JSC::call(exec, jsFunction, callType, callData, thisValue, args);
+            ? JSMainThreadExecState::call(exec, jsFunction, callType, callData, globalObject, args)
+            : JSC::call(exec, jsFunction, callType, callData, globalObject, args);
         vm.timeoutChecker.stop();
 

branches/dfgFourthTier/Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp

@@ -113 +113 @@
         return jsUndefined();
 
-    JSObject* thisObject = exec->argument(0).toThisObject(exec);
+    JSObject* thisObject = jsCast<JSObject*>(exec->argument(0).toThis(exec, NotStrictMode));
     String result = thisObject->methodTable()->className(thisObject);
     return jsStringWithCache(exec, result);

branches/dfgFourthTier/Source/WebCore/bindings/js/JSMainThreadExecState.h

@@ -51 +51 @@
     {
         JSMainThreadExecState currentState(exec);
-        // Ensure DOM global object is unwrapped to the shell.
-        if (thisValue.isObject())
-            thisValue = thisValue.toThisObject(exec);
         return JSC::call(exec, functionObject, callType, callData, thisValue, args);
     };

branches/dfgFourthTier/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -2311 +2311 @@
             } else {
                 if ($interfaceName eq "DOMWindow") {
-                    push(@implContent, "    $className* castedThis = toJSDOMWindow(exec->hostThisValue().toThisObject(exec));\n");
+                    push(@implContent, "    $className* castedThis = toJSDOMWindow(exec->hostThisValue().toThis(exec, NotStrictMode));\n");
                     push(@implContent, "    if (!castedThis)\n");
                     push(@implContent, "        return throwVMTypeError(exec);\n");
                 } elsif ($interface->extendedAttributes->{"IsWorkerContext"}) {
-                    push(@implContent, "    $className* castedThis = to${className}(exec->hostThisValue().toThisObject(exec));\n");
+                    push(@implContent, "    $className* castedThis = to${className}(exec->hostThisValue().toThis(exec, NotStrictMode));\n");
                     push(@implContent, "    if (!castedThis)\n");
                     push(@implContent, "        return throwVMTypeError(exec);\n");

branches/dfgFourthTier/Source/WebCore/bridge/NP_jsobject.cpp

@@ -235 +235 @@
         MarkedArgumentBuffer argList;
         getListFromVariantArgs(exec, args, argCount, rootObject, argList);
-        JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp->methodTable()->toThisObject(obj->imp, exec), argList);
+        JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp, argList);
 
         // Convert and return the result of the function call.

branches/dfgFourthTier/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2013-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Rationalized 'this' value conversion
+        https://bugs.webkit.org/show_bug.cgi?id=115542
+
+        Reviewed by Filip Pizlo.
+
+        Updated to match JSC requirement that the callee performs 'this' value
+        conversion.
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+        (WebKit::NetscapePluginInstanceProxy::invoke):
+        (WebKit::NetscapePluginInstanceProxy::invokeDefault):
+
 2013-04-18  Geoffrey Garen  <ggaren@apple.com>
 

branches/dfgFourthTier/Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm

@@ -914 +914 @@
     demarshalValues(exec, argumentsData, argumentsLength, argList);
 
-    JSValue value = call(exec, function, callType, callData, object->methodTable()->toThisObject(object, exec), argList);
+    JSValue value = call(exec, function, callType, callData, object, argList);
         
     marshalValue(exec, value, resultData, resultLength);
@@ -946 +946 @@
     demarshalValues(exec, argumentsData, argumentsLength, argList);
 
-    JSValue value = call(exec, object, callType, callData, object->methodTable()->toThisObject(object, exec), argList);
+    JSValue value = call(exec, object, callType, callData, object, argList);
     
     marshalValue(exec, value, resultData, resultLength);

branches/dfgFourthTier/Source/WebKit2/ChangeLog

@@ +1 @@
+2013-05-03  Geoffrey Garen  <ggaren@apple.com>
+
+        Rationalized 'this' value conversion
+        https://bugs.webkit.org/show_bug.cgi?id=115542
+
+        Reviewed by Filip Pizlo.
+
+        Updated to match JSC requirement that the callee performs 'this' value
+        conversion.
+
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::invoke):
+
 2013-04-18  Geoffrey Garen  <ggaren@apple.com>
 

branches/dfgFourthTier/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

@@ -294 +294 @@
 
     exec->vm().timeoutChecker.start();
-    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject->methodTable()->toThisObject(m_jsObject.get(), exec), argumentList);
+    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
     exec->vm().timeoutChecker.stop();