Changeset 153145 in webkit

Timestamp:

Jul 24, 2013 8:59:41 PM (11 years ago)

Author:

oliver@apple.com

Message:

fourthTier: Rationalized 'this' conversion, includes subsequent FTL branch fixes

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

This fixes a bunch of Sputnik tests, and some bad pointer access.

The new model is that the callee always performs 'this' value conversion.

My ultimate goal is to break up resolve_with_this into single-result
opcodes. This step avoids having to add a special form of convert_this
that distinguishes callers vs callees.

Only the callee knows whether it uses 'this' and/or whether 'this'
conversion should use StrictMode, so it's most natural to perform
convert_this in the callee.

• API/JSCallbackFunction.cpp: (JSC::JSCallbackFunction::call): Perform 'this' value conversion for our callee, since it may observe 'this'.

• API/JSCallbackObjectFunctions.h: (JSC::::call): Ditto.

• API/JSContextRef.cpp: (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope even when we're not in the browser. This eliminates some odd cases where API clients used to be able to get a direct reference to an environment record. Now, any reference to an environment record unambiguously means that the VM resolved that record in the scope chain.

(JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
participates in the proxy 'this' object scheme, the behavior is not
WebCore-only.

• API/JSObjectRef.cpp: (JSObjectSetPrototype): (JSObjectCallAsFunction): Don't perform 'this' value conversion in the caller; the callee will do it if needed.

• JavaScriptCore.order: Order!

• JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
• JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in: What are the chances that this will work?

• bytecode/CodeBlock.cpp: (JSC::CodeBlock::dumpBytecode): (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our other conversion opcodes.

• bytecode/CodeOrigin.h: (CodeOrigin): (InlineCallFrame): (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our executable, so compilation can discover where we're in strict mode.

• bytecode/Opcode.h: (JSC::padOpcodeName): Updated for rename.

• bytecompiler/BytecodeGenerator.cpp: (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when 'this' is in use -- strict mode still needs to convert environment records to 'undefined'.

• dfg/DFGAbstractState.cpp: (JSC::DFG::AbstractState::executeEffects):
• dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::parseBlock):
• dfg/DFGCapabilities.h: (JSC::DFG::canCompileOpcode): Updated for renames.

• dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider strict mode (a new requirement) and to consider the global object (which was always a requirement).

• dfg/DFGGraph.h: (JSC::DFG::Graph::globalThisObjectFor): (JSC::DFG::Graph::executableFor):
• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate):
• dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile):
• dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): Ditto.

• interpreter/Interpreter.cpp: (JSC::eval): (JSC::Interpreter::execute): (JSC::Interpreter::executeCall):
• interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job to fix it up if needed.

• jit/JIT.cpp: (JSC::JIT::privateCompileMainPass): (JSC::JIT::privateCompileSlowCases):
• jit/JIT.h: (JIT):
• jit/JITOpcodes.cpp: (JSC::JIT::emit_op_to_this): (JSC::JIT::emitSlow_op_to_this):
• jit/JITOpcodes32_64.cpp: (JSC::JIT::emit_op_to_this): (JSC::JIT::emitSlow_op_to_this):
• jit/JITStubs.cpp: (JSC::DEFINE_STUB_FUNCTION):
• jit/JITStubs.h: Removed special-case code for various kinds of conversions. The baseline fast path is now final objects only. It hurt my brain to think through how to keep the other fast paths working, and our benchmarks do not object.

• llint/LLIntData.cpp: (JSC::LLInt::Data::performAssertions):
• llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL):
• llint/LLIntSlowPaths.h: (LLInt):
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm: Updated for renames. Removed some special case code, as in the JIT above.

• profiler/ProfileGenerator.cpp: (JSC::ProfileGenerator::addParentForConsoleStart):
• runtime/CallData.cpp: (JSC::call):
• runtime/ClassInfo.h: (MethodTable):
• runtime/Completion.cpp: (JSC::evaluate):
• runtime/DatePrototype.cpp: (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not the caller.

• runtime/GetterSetter.cpp: (JSC::callGetter): (JSC::callSetter):
• runtime/GetterSetter.h: Added helper functions for invoking getters and setters from C++ code, since this was duplicated in a bunch of places.

• runtime/JSActivation.cpp: (JSC::JSActivation::toThis):
• runtime/JSActivation.h: (JSActivation):
• runtime/JSCJSValue.cpp: (JSC::JSValue::toThisSlowCase): (JSC::JSValue::putToPrimitive):
• runtime/JSCJSValue.h: (JSValue):
• runtime/JSCJSValueInlines.h: (JSC::JSValue::toThis):
• runtime/JSCell.cpp: (JSC::JSCell::toThis):
• runtime/JSCell.h: (JSCell):
• runtime/JSGlobalObject.cpp: (JSC::JSGlobalObject::toThis):
• runtime/JSGlobalObject.h: (JSGlobalObject): Filled out runtime support for converting 'this' values as needed, according to the appropriate strictness, using helper functions where getter/setter code was duplicated.

• runtime/JSGlobalObjectFunctions.cpp: (JSC::globalFuncProtoGetter): (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we observe 'this'.

• runtime/JSNameScope.cpp: (JSC::JSNameScope::toThis):
• runtime/JSNameScope.h: (JSNameScope): Same as JSActivation.

• runtime/JSObject.cpp: (JSC::JSObject::put): (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform 'this' value conversion in this helper function. The proto setter does this for us, since it's the function that logically observes 'this' -- and we can ASSERT so. Also, the previous code used "globalExec()->thisValue()", which is a read past the beginning of a buffer! I don't think this ever worked on purpose.

(JSC::JSObject::toThis):
(JSC::JSObject::fillGetterPropertySlot):

• runtime/JSObject.h: (JSC::JSObject::inlineGetOwnPropertySlot):
• runtime/JSScope.cpp: (JSC::JSScope::resolveWithThis):
• runtime/JSString.cpp: (JSC::JSString::toThis):
• runtime/JSString.h: (JSString):
• runtime/PropertySlot.cpp: (JSC::PropertySlot::functionGetter):
• runtime/PropertySlot.h: (JSC): (JSC::PropertySlot::setGetterSlot): (JSC::PropertySlot::setCacheableGetterSlot):
• runtime/SparseArrayValueMap.cpp: (JSC::SparseArrayEntry::get): (JSC::SparseArrayEntry::put):
• runtime/StrictEvalActivation.cpp: (JSC::StrictEvalActivation::toThis):
• runtime/StrictEvalActivation.h: (StrictEvalActivation): Ditto.

Source/WebCore:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

Source/WebKit/mac:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

Source/WebKit2:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

LayoutTests:

Rationalized 'this' value conversion
​https://bugs.webkit.org/show_bug.cgi?id=115542

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/Object-defineProperty-expected.txt (modified) (2 diffs)
• LayoutTests/sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (modified) (1 diff)
• Source/JavaScriptCore/API/JSContextRef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/API/JSObjectRef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.order (modified) (8 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/CodeOrigin.h (modified) (4 diffs)
• Source/JavaScriptCore/bytecode/Opcode.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCapabilities.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGGraph.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (4 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.h (modified) (1 diff)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (5 diffs)
• Source/JavaScriptCore/jit/JITStubs.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntData.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/llint/LLIntSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/profiler/ProfileGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CallData.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ClassInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Completion.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DatePrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/GetterSetter.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/GetterSetter.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSActivation.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSActivation.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCJSValue.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSCJSValue.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSCJSValueInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSCell.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSNameScope.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSNameScope.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSScope.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/PropertySlot.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/StrictEvalActivation.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/StrictEvalActivation.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.order (modified) (1 diff)
• Source/WebCore/bindings/js/JSErrorHandler.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp (modified) (1 diff)
• Source/WebCore/bindings/js/JSMainThreadExecState.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebCore/bridge/NP_jsobject.cpp (modified) (1 diff)
• Source/WebCore/html/HTMLPlugInImageElement.cpp (modified) (1 diff)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (modified) (2 diffs)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2013-05-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Rolled back in r149527 with crash fixed.
+
+        Reviewed by Oliver Hunt.
+
+            Rationalized 'this' value conversion
+            https://bugs.webkit.org/show_bug.cgi?id=115542
+
 2013-04-03  Filip Pizlo  <fpizlo@apple.com>
 

trunk/LayoutTests/fast/js/Object-defineProperty-expected.txt

@@ -100 +100 @@
 PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {set:function(x){this.result = x;}}); o.foo = 42; o.result; is 42
 PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}, set:undefined}); o.foo is 42
-PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}, set:undefined}); o.foo = 42; o.result; threw exception TypeError: setting a property that has only a getter.
+PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}, set:undefined}); o.foo = 42; o.result; threw exception TypeError: Attempted to assign to readonly property..
 PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}}); o.foo is 42
-PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}}); o.foo = 42; o.result; threw exception TypeError: setting a property that has only a getter.
+PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:function(){return 42;}}); o.foo = 42; o.result; threw exception TypeError: Attempted to assign to readonly property..
 PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:undefined, set:undefined}); o.foo is undefined
-PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:undefined, set:undefined}); o.foo = 42; o.result; threw exception TypeError: setting a property that has only a getter.
+PASS 'use strict'; var o = Object.defineProperty({}, 'foo', {get:undefined, set:undefined}); o.foo = 42; o.result; threw exception TypeError: Attempted to assign to readonly property..
 PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {get:function(){return 13;}}); o.foo is 13
 PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {get:function(){return 13;}}); o.foo = 42; o.result; is 42
@@ -112 +112 @@
 PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {set:function(){this.result = 13;}}); o.foo = 42; o.result; is 13
 PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {set:undefined}); o.foo is 42
-PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {set:undefined}); o.foo = 42; o.result; threw exception TypeError: setting a property that has only a getter.
+PASS 'use strict'; var o = Object.defineProperty(Object.defineProperty({foo:1}, 'foo', {get:function(){return 42;}, set:function(x){this.result = x;}}), 'foo', {set:undefined}); o.foo = 42; o.result; threw exception TypeError: Attempted to assign to readonly property..
 PASS 0 in Object.prototype is true
 PASS '0' in Object.prototype is true

trunk/LayoutTests/sputnik/Conformance/11_Expressions/11.1_Primary_Expressions/11.1.1_The_this_Keyword/S11.1.1_A2-expected.txt

@@ -1 +1 @@
 S11.1.1_A2
 
-FAIL SputnikError: #1: this.toString() === toString(). Actual: [object Window]
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.10_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.11_String.prototype.replace/S15.5.4.11_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.11_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.12_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.13_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.14_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.15_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.6_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.7_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.8_A1_T3
 
-FAIL TypeError: Type error
+PASS 
 
 TEST COMPLETE

trunk/Source/JavaScriptCore/API/JSCallbackFunction.cpp

@@ -68 +68 @@
     JSContextRef execRef = toRef(exec);
     JSObjectRef functionRef = toRef(exec->callee());
-    JSObjectRef thisObjRef = toRef(exec->hostThisValue().toThisObject(exec));
+    JSObjectRef thisObjRef = toRef(jsCast<JSObject*>(exec->hostThisValue().toThis(exec, NotStrictMode)));
 
     size_t argumentCount = exec->argumentCount();

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -491 +491 @@
     JSContextRef execRef = toRef(exec);
     JSObjectRef functionRef = toRef(exec->callee());
-    JSObjectRef thisObjRef = toRef(exec->hostThisValue().toThisObject(exec));
+    JSObjectRef thisObjRef = toRef(jsCast<JSObject*>(exec->hostThisValue().toThis(exec, NotStrictMode)));
     
     for (JSClassRef jsClass = jsCast<JSCallbackObject<Parent>*>(toJS(functionRef))->classRef(); jsClass; jsClass = jsClass->parentClass) {

trunk/Source/JavaScriptCore/API/JSContextRef.cpp

@@ -136 +136 @@
     if (!globalObjectClass) {
         JSGlobalObject* globalObject = JSGlobalObject::create(*vm, JSGlobalObject::createStructure(*vm, jsNull()));
+        globalObject->setGlobalThis(*vm, JSProxy::create(*vm, JSProxy::createStructure(*vm, globalObject, globalObject->prototype()), globalObject));
         return JSGlobalContextRetain(toGlobalRef(globalObject->globalExec()));
     }
@@ -187 +188 @@
     APIEntryShim entryShim(exec);
 
-    // It is necessary to call toThisObject to get the wrapper object when used with WebCore.
-    return toRef(exec->lexicalGlobalObject()->methodTable()->toThisObject(exec->lexicalGlobalObject(), exec));
+    return toRef(jsCast<JSObject*>(exec->lexicalGlobalObject()->methodTable()->toThis(exec->lexicalGlobalObject(), exec, NotStrictMode)));
 }
 

trunk/Source/JavaScriptCore/API/JSObjectRef.cpp

@@ -278 +278 @@
     JSValue jsValue = toJS(exec, value);
 
-    jsObject->setPrototypeWithCycleCheck(exec->vm(), jsValue.isObject() ? jsValue : jsNull());
+    jsObject->setPrototypeWithCycleCheck(exec, jsValue.isObject() ? jsValue : jsNull());
 }
 
@@ -529 +529 @@
         jsThisObject = exec->globalThisValue();
 
-    jsThisObject = jsThisObject->methodTable()->toThisObject(jsThisObject, exec);
-    
     MarkedArgumentBuffer argList;
     for (size_t i = 0; i < argumentCount; i++)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-05-06  Mark Lam  <mark.lam@apple.com>
+
+        Fix broken 32-bit build + some clean up in JITStubs.cpp.
+        https://bugs.webkit.org/show_bug.cgi?id=115684.
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * jit/JITStubs.cpp:
+        - removed unneeded stubs for CPU(X86_64) && USE(JSVALUE32_64).
+        - added some line breaks to more clearly delineate between
+          ports/configurations of stub code.
+
+2013-05-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Rolled back in r149527 with crash fixed.
+
+        Reviewed by Oliver Hunt.
+
+            Rationalized 'this' value conversion
+            https://bugs.webkit.org/show_bug.cgi?id=115542
+
+            This fixes a bunch of Sputnik tests, and some bad pointer access.
+
+            The new model is that the callee always performs 'this' value conversion.
+
+            My ultimate goal is to break up resolve_with_this into single-result 
+            opcodes. This step avoids having to add a special form of convert_this
+            that distinguishes callers vs callees.
+
+            Only the callee knows whether it uses 'this' and/or whether 'this'
+            conversion should use StrictMode, so it's most natural to perform
+            convert_this in the callee. 
+
+            * API/JSCallbackFunction.cpp:
+            (JSC::JSCallbackFunction::call): Perform 'this' value conversion for
+            our callee, since it may observe 'this'.
+
+            * API/JSCallbackObjectFunctions.h:
+            (JSC::::call): Ditto.
+
+            * API/JSContextRef.cpp:
+            (JSGlobalContextCreateInGroup): Use a proxy 'this' object in global scope
+            even when we're not in the browser. This eliminates some odd cases where
+            API clients used to be able to get a direct reference to an environment
+            record. Now, any reference to an environment record unambiguously means
+            that the VM resolved that record in the scope chain.
+
+            (JSContextGetGlobalObject): Removed an incorrect comment. Now that JSC
+            participates in the proxy 'this' object scheme, the behavior is not
+            WebCore-only.
+
+            * API/JSObjectRef.cpp:
+            (JSObjectSetPrototype):
+            (JSObjectCallAsFunction): Don't perform 'this' value conversion in the
+            caller; the callee will do it if needed.
+
+            * JavaScriptCore.order: Order!
+
+            * JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
+            * JavaScriptCore.vcxproj/JavaScriptCoreExportGenerator/JavaScriptCoreExports.def.in:
+            What are the chances that this will work?
+
+            * bytecode/CodeBlock.cpp:
+            (JSC::CodeBlock::dumpBytecode):
+            (JSC::CodeBlock::CodeBlock): Renamed convert_this to to_this, to match our
+            other conversion opcodes.
+
+            * bytecode/CodeOrigin.h:
+            (CodeOrigin):
+            (InlineCallFrame):
+            (JSC::CodeOrigin::codeOriginOwner): Use the more precise type for our
+            executable, so compilation can discover where we're in strict mode.
+
+            * bytecode/Opcode.h:
+            (JSC::padOpcodeName): Updated for rename.
+
+            * bytecompiler/BytecodeGenerator.cpp:
+            (JSC::BytecodeGenerator::BytecodeGenerator): Always emit to_this when
+            'this' is in use -- strict mode still needs to convert environment
+            records to 'undefined'.
+
+            * dfg/DFGAbstractState.cpp:
+            (JSC::DFG::AbstractState::executeEffects):
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::parseBlock):
+            * dfg/DFGCapabilities.h:
+            (JSC::DFG::canCompileOpcode): Updated for renames.
+
+            * dfg/DFGFixupPhase.cpp:
+            (JSC::DFG::FixupPhase::fixupNode): Tightened up this code to consider
+            strict mode (a new requirement) and to consider the global object (which
+            was always a requirement).
+
+            * dfg/DFGGraph.h:
+            (JSC::DFG::Graph::globalThisObjectFor):
+            (JSC::DFG::Graph::executableFor):
+            * dfg/DFGNodeType.h:
+            * dfg/DFGOperations.cpp:
+            * dfg/DFGOperations.h:
+            * dfg/DFGPredictionPropagationPhase.cpp:
+            (JSC::DFG::PredictionPropagationPhase::propagate):
+            * dfg/DFGSpeculativeJIT32_64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+            * dfg/DFGSpeculativeJIT64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile): Ditto.
+
+            * interpreter/Interpreter.cpp:
+            (JSC::eval):
+            (JSC::Interpreter::execute):
+            (JSC::Interpreter::executeCall):
+            * interpreter/Interpreter.h: Don't ASSERT about 'this' -- it's our job
+            to fix it up if needed.
+
+            * jit/JIT.cpp:
+            (JSC::JIT::privateCompileMainPass):
+            (JSC::JIT::privateCompileSlowCases):
+            * jit/JIT.h:
+            (JIT):
+            * jit/JITOpcodes.cpp:
+            (JSC::JIT::emit_op_to_this):
+            (JSC::JIT::emitSlow_op_to_this):
+            * jit/JITOpcodes32_64.cpp:
+            (JSC::JIT::emit_op_to_this):
+            (JSC::JIT::emitSlow_op_to_this):
+            * jit/JITStubs.cpp:
+            (JSC::DEFINE_STUB_FUNCTION):
+            * jit/JITStubs.h: Removed special-case code for various kinds of
+            conversions. The baseline fast path is now final objects only. It hurt
+            my brain to think through how to keep the other fast paths working, and
+            our benchmarks do not object.
+
+            * llint/LLIntData.cpp:
+            (JSC::LLInt::Data::performAssertions):
+            * llint/LLIntSlowPaths.cpp:
+            (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+            * llint/LLIntSlowPaths.h:
+            (LLInt):
+            * llint/LowLevelInterpreter.asm:
+            * llint/LowLevelInterpreter32_64.asm:
+            * llint/LowLevelInterpreter64.asm: Updated for renames. Removed some
+            special case code, as in the JIT above.
+
+            * profiler/ProfileGenerator.cpp:
+            (JSC::ProfileGenerator::addParentForConsoleStart):
+            * runtime/CallData.cpp:
+            (JSC::call):
+            * runtime/ClassInfo.h:
+            (MethodTable):
+            * runtime/Completion.cpp:
+            (JSC::evaluate):
+            * runtime/DatePrototype.cpp:
+            (JSC::dateProtoFuncToJSON): The callee performs 'this' conversion, not
+            the caller.
+
+            * runtime/GetterSetter.cpp:
+            (JSC::callGetter):
+            (JSC::callSetter):
+            * runtime/GetterSetter.h: Added helper functions for invoking getters
+            and setters from C++ code, since this was duplicated in a bunch of
+            places.
+
+            * runtime/JSActivation.cpp:
+            (JSC::JSActivation::toThis):
+            * runtime/JSActivation.h:
+            (JSActivation):
+            * runtime/JSCJSValue.cpp:
+            (JSC::JSValue::toThisSlowCase):
+            (JSC::JSValue::putToPrimitive):
+            * runtime/JSCJSValue.h:
+            (JSValue):
+            * runtime/JSCJSValueInlines.h:
+            (JSC::JSValue::toThis):
+            * runtime/JSCell.cpp:
+            (JSC::JSCell::toThis):
+            * runtime/JSCell.h:
+            (JSCell):
+            * runtime/JSGlobalObject.cpp:
+            (JSC::JSGlobalObject::toThis):
+            * runtime/JSGlobalObject.h:
+            (JSGlobalObject): Filled out runtime support for converting 'this'
+            values as needed, according to the appropriate strictness, using
+            helper functions where getter/setter code was duplicated.
+
+            * runtime/JSGlobalObjectFunctions.cpp:
+            (JSC::globalFuncProtoGetter):
+            (JSC::globalFuncProtoSetter): Perform 'this' value conversion, since we
+            observe 'this'.
+
+            * runtime/JSNameScope.cpp:
+            (JSC::JSNameScope::toThis):
+            * runtime/JSNameScope.h:
+            (JSNameScope): Same as JSActivation.
+
+            * runtime/JSObject.cpp:
+            (JSC::JSObject::put):
+            (JSC::JSObject::setPrototypeWithCycleCheck): Bug fix. Don't peform
+            'this' value conversion in this helper function. The __proto__
+            setter does this for us, since it's the function that logically observes
+            'this' -- and we can ASSERT so. Also, the previous code used
+            "globalExec()->thisValue()", which is a read past the beginning of a
+            buffer! I don't think this ever worked on purpose.
+
+            (JSC::JSObject::toThis):
+            (JSC::JSObject::fillGetterPropertySlot):
+            * runtime/JSObject.h:
+            (JSC::JSObject::inlineGetOwnPropertySlot):
+            * runtime/JSScope.cpp:
+            (JSC::JSScope::resolveWithThis):
+            * runtime/JSString.cpp:
+            (JSC::JSString::toThis):
+            * runtime/JSString.h:
+            (JSString):
+            * runtime/PropertySlot.cpp:
+            (JSC::PropertySlot::functionGetter):
+            * runtime/PropertySlot.h:
+            (JSC):
+            (JSC::PropertySlot::setGetterSlot):
+            (JSC::PropertySlot::setCacheableGetterSlot):
+            * runtime/SparseArrayValueMap.cpp:
+            (JSC::SparseArrayEntry::get):
+            (JSC::SparseArrayEntry::put):
+            * runtime/StrictEvalActivation.cpp:
+            (JSC::StrictEvalActivation::toThis):
+            * runtime/StrictEvalActivation.h:
+            (StrictEvalActivation): Ditto.
+
 2013-05-03  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.order

@@ -338 +338 @@
 __ZNK3JSC8JSObject8toObjectEPNS_9ExecStateEPNS_14JSGlobalObjectE
 _JSContextGetGlobalObject
-__ZNK3JSC8JSObject12toThisObjectEPNS_9ExecStateE
 _JSStringCreateWithUTF8CString
 _JSObjectGetProperty
@@ -813 +812 @@
 _JSValueMakeString
 __ZN3JSC8ThisNode12emitBytecodeERNS_17BytecodeGeneratorEPNS_10RegisterIDE
-__ZN3JSC3JIT20emit_op_convert_thisEPNS_11InstructionE
 __ZN3JSC23MacroAssemblerX86Common11branchTest8ENS0_15ResultConditionENS_22AbstractMacroAssemblerINS_12X86AssemblerEE7AddressENS4_12TrustedImm32E
-__ZN3JSC3JIT24emitSlow_op_convert_thisEPNS_11InstructionERPNS_13SlowCaseEntryE
 __ZN3JSC8JSObject13visitChildrenERNS_9MarkStackE
 __ZN3JSC14JSGlobalObject13visitChildrenERNS_9MarkStackE
@@ -990 +987 @@
 __ZN3WTF7HashMapINS_6RefPtrINS_10StringImplEEEN3JSC12WriteBarrierINS4_14EvalExecutableEEENS_10StringHashENS_10HashTraitsIS3_EENS9_IS7_EEE3setEPS2_RKS7_
 __ZN3WTF9HashTableINS_6RefPtrINS_10StringImplEEESt4pairIS3_N3JSC12WriteBarrierINS5_14EvalExecutableEEEENS_18PairFirstExtractorIS9_EENS_10StringHashENS_14PairHashTraitsINS_10HashTraitsIS3_EENSE_IS8_EEEESF_E6expandEv
-__ZNK3JSC7JSValue20toThisObjectSlowCaseEPNS_9ExecStateE
 __ZN3JSC11Interpreter7executeEPNS_14EvalExecutableEPNS_9ExecStateEPNS_8JSObjectEiPNS_14ScopeChainNodeE
 _cti_op_resolve
@@ -1437 +1433 @@
 __ZNK3JSC8NullNode6isNullEv
 __ZN3JSC3JIT17emit_op_jneq_nullEPNS_11InstructionE
-_cti_op_convert_this
 _cti_vm_lazyLinkConstruct
 __ZN3JSC18FunctionExecutable27compileForConstructInternalEPNS_9ExecStateEPNS_14ScopeChainNodeE
@@ -1559 +1554 @@
 __ZN3JSC3JIT27emit_op_get_argument_by_valEPNS_11InstructionE
 __ZN3JSC3JIT31emitSlow_op_get_argument_by_valEPNS_11InstructionERPNS_13SlowCaseEntryE
-__ZNK3JSC8JSString12toThisObjectEPNS_9ExecStateE
 __ZN3JSCL20arrayProtoFuncSpliceEPNS_9ExecStateE
 __ZN3JSC7JSArray9setLengthEj
@@ -2023 +2017 @@
 __ZN3JSCL26stringFromCharCodeSlowCaseEPNS_9ExecStateE
 __ZN3JSCL25stringProtoFuncCharCodeAtEPNS_9ExecStateE
-__ZNK3JSC12JSActivation12toThisObjectEPNS_9ExecStateE
 __ZN3JSC12StringObject19getOwnPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayENS_15EnumerationModeE
 __ZN3JSC9ExecState11stringTableEPS0_
@@ -2270 +2263 @@
 __ZN3JSCL20arrayProtoFuncReduceEPNS_9ExecStateE
 __ZN3JSCL25arrayProtoFuncReduceRightEPNS_9ExecStateE
-__ZN3JSC3JIT27emit_op_convert_this_strictEPNS_11InstructionE
-__ZN3JSC3JIT31emitSlow_op_convert_this_strictEPNS_11InstructionERPNS_13SlowCaseEntryE
 __ZN3JSC9Arguments33createStrictModeCalleeIfNecessaryEPNS_9ExecStateE
 __ZN3JSC23createTypeErrorFunctionEPNS_9ExecStateERKNS_7UStringE
@@ -2340 +2331 @@
 __ZN3JSCL29objectConstructorIsExtensibleEPNS_9ExecStateE
 __ZN3JSC4Yarr25CharacterClassConstructor9addSortedERN3WTF6VectorItLm0EEEt
-__ZNK3JSC19JSStaticScopeObject12toThisObjectEPNS_9ExecStateE
 __ZN3JSCL23stringProtoFuncTrimLeftEPNS_9ExecStateE
 __ZN3JSCL24stringProtoFuncTrimRightEPNS_9ExecStateE

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -717 +717 @@
             break;
         }
-        case op_convert_this: {
-            int r0 = (++it)->u.operand;
-            out.printf("[%4d] convert_this\t %s", location, registerName(r0).data());
+        case op_to_this: {
+            int r0 = (++it)->u.operand;
+            out.printf("[%4d] to_this\t %s", location, registerName(r0).data());
             ++it; // Skip value profile.
             break;
@@ -1775 +1775 @@
             // fallthrough
         }
-        case op_convert_this:
+        case op_to_this:
         case op_get_by_id:
         case op_call_put_result:

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.h

@@ -40 +40 @@
 struct InlineCallFrame;
 class ExecState;
-class ExecutableBase;
+class ScriptExecutable;
 class JSFunction;
 
@@ -83 +83 @@
     // If the code origin corresponds to inlined code, gives you the heap object that
     // would have owned the code if it had not been inlined. Otherwise returns 0.
-    ExecutableBase* codeOriginOwner() const;
+    ScriptExecutable* codeOriginOwner() const;
     
     unsigned stackOffset() const;
@@ -101 +101 @@
 struct InlineCallFrame {
     Vector<ValueRecovery> arguments;
-    WriteBarrier<ExecutableBase> executable;
+    WriteBarrier<ScriptExecutable> executable;
     WriteBarrier<JSFunction> callee; // This may be null, indicating that this is a closure call and that the JSFunction and JSScope are already on the stack.
     CodeOrigin caller;
@@ -150 +150 @@
 }
 
-inline ExecutableBase* CodeOrigin::codeOriginOwner() const
+inline ScriptExecutable* CodeOrigin::codeOriginOwner() const
 {
     if (!inlineCallFrame)

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -47 +47 @@
     macro(op_create_this, 4) \
     macro(op_get_callee, 3) \
-    macro(op_convert_this, 3) \
+    macro(op_to_this, 3) \
     \
     macro(op_new_object, 4) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -396 +396 @@
     if (isConstructor()) {
         emitCreateThis(&m_thisRegister);
-    } else if (!codeBlock->isStrictMode() && (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks)) {
-        UnlinkedValueProfile profile = emitProfiledOpcode(op_convert_this);
+    } else if (functionBody->usesThis() || codeBlock->usesEval() || m_shouldEmitDebugHooks) {
+        UnlinkedValueProfile profile = emitProfiledOpcode(op_to_this);
         instructions().append(kill(&m_thisRegister));
         instructions().append(profile);

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1140 +1140 @@
         break;
             
-    case ConvertThis: {
+    case ToThis: {
         AbstractValue& source = forNode(node->child1());
         AbstractValue& destination = forNode(node);

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -2026 +2026 @@
             NEXT_OPCODE(op_enter);
 
-        case op_convert_this: {
+        case op_to_this: {
             Node* op1 = getThis();
-            if (op1->op() != ConvertThis) {
+            if (op1->op() != ToThis) {
                 CodeBlockLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
                 ValueProfile* profile =
@@ -2042 +2042 @@
                     || !profile->m_singletonValue.isCell()
                     || profile->m_singletonValue.asCell()->classInfo() != &Structure::s_info)
-                    setThis(addToGraph(ConvertThis, op1));
+                    setThis(addToGraph(ToThis, op1));
                 else {
                     addToGraph(
@@ -2050 +2050 @@
                 }
             }
-            NEXT_OPCODE(op_convert_this);
+            NEXT_OPCODE(op_to_this);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.h

@@ -87 +87 @@
     switch (opcodeID) {
     case op_enter:
-    case op_convert_this:
+    case op_to_this:
     case op_create_this:
     case op_get_callee:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -636 +636 @@
         }
             
-        case ConvertThis: {
+        case ToThis: {
+            ECMAMode ecmaMode = m_graph.executableFor(node->codeOrigin)->isStrictMode() ? StrictMode : NotStrictMode;
+
             if (isOtherSpeculation(node->child1()->prediction())) {
+                if (ecmaMode == StrictMode) {
+                    setUseKindAndUnboxIfProfitable<OtherUse>(node->child1());
+                    node->convertToIdentity();
+                    break;
+                }
+
                 m_insertionSet.insertNode(
                     m_indexInBlock, SpecNone, Phantom, node->codeOrigin,
@@ -646 +654 @@
             }
             
-            if (isObjectSpeculation(node->child1()->prediction())) {
+            if (isFinalObjectSpeculation(node->child1()->prediction())) {
                 setUseKindAndUnboxIfProfitable<ObjectUse>(node->child1());
                 node->convertToIdentity();

trunk/Source/JavaScriptCore/dfg/DFGGraph.h

@@ -358 +358 @@
     {
         JSGlobalObject* object = globalObjectFor(codeOrigin);
-        return object->methodTable()->toThisObject(object, 0);
-    }
-    
-    ExecutableBase* executableFor(InlineCallFrame* inlineCallFrame)
+        return jsCast<JSObject*>(object->methodTable()->toThis(object, object->globalExec(), NotStrictMode));
+    }
+    
+    ScriptExecutable* executableFor(InlineCallFrame* inlineCallFrame)
     {
         if (!inlineCallFrame)
@@ -369 +369 @@
     }
     
-    ExecutableBase* executableFor(const CodeOrigin& codeOrigin)
+    ScriptExecutable* executableFor(const CodeOrigin& codeOrigin)
     {
         return executableFor(codeOrigin.inlineCallFrame);

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -50 +50 @@
     \
     /* Nodes for handling functions (both as call and as construct). */\
-    macro(ConvertThis, NodeResultJS) \
+    macro(ToThis, NodeResultJS) \
     macro(CreateThis, NodeResultJS) /* Note this is not MustGenerate since we're returning it anyway. */ \
     macro(GetCallee, NodeResultJS) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -342 +342 @@
 extern "C" {
 
-EncodedJSValue DFG_OPERATION operationConvertThis(ExecState* exec, EncodedJSValue encodedOp)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-
-    return JSValue::encode(JSValue::decode(encodedOp).toThisObject(exec));
+EncodedJSValue DFG_OPERATION operationToThis(ExecState* exec, EncodedJSValue encodedOp)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
 }
 
@@ -571 +571 @@
 }
 
-EncodedJSValue DFG_OPERATION operationCallGetter(ExecState* exec, JSCell* base, JSCell* value)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-    
-    GetterSetter* getterSetter = asGetterSetter(value);
-    JSObject* getter = getterSetter->getter();
-    if (!getter)
-        return JSValue::encode(jsUndefined());
-    CallData callData;
-    CallType callType = getter->methodTable()->getCallData(getter, callData);
-    return JSValue::encode(call(exec, getter, callType, callData, asObject(base), ArgList()));
+EncodedJSValue DFG_OPERATION operationCallGetter(ExecState* exec, JSCell* base, JSCell* getterSetter)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+
+    return JSValue::encode(callGetter(exec, base, getterSetter));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -133 +133 @@
 JSCell* DFG_OPERATION operationNewObject(ExecState*, Structure*) WTF_INTERNAL;
 JSCell* DFG_OPERATION operationCreateThis(ExecState*, JSObject* constructor, int32_t inlineCapacity) WTF_INTERNAL;
-EncodedJSValue DFG_OPERATION operationConvertThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -382 +382 @@
         }
 
-        case ConvertThis: {
+        case ToThis: {
             SpeculatedType prediction = node->child1()->prediction();
             if (prediction) {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3695 +3695 @@
     }
         
-    case ConvertThis: {
+    case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
 
@@ -3706 +3706 @@
         GPRResult2 resultTag(this);
         GPRResult resultPayload(this);
-        callOperation(operationConvertThis, resultTag.gpr(), resultPayload.gpr(), thisValueTagGPR, thisValuePayloadGPR);
+        callOperation(operationToThis, resultTag.gpr(), resultPayload.gpr(), thisValueTagGPR, thisValuePayloadGPR);
         
         cellResult(resultPayload.gpr(), node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -3608 +3608 @@
     }
         
-    case ConvertThis: {
+    case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
         JSValueOperand thisValue(this, node->child1());
@@ -3616 +3616 @@
         
         GPRResult result(this);
-        callOperation(operationConvertThis, result.gpr(), thisValueGPR);
+        callOperation(operationToThis, result.gpr(), thisValueGPR);
         
         cellResult(result.gpr(), node);

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -156 +156 @@
 
     JSValue thisValue = callerFrame->thisValue();
-    ASSERT(isValidThisObject(thisValue, callFrame));
     Interpreter* interpreter = callFrame->vm().interpreter;
     return interpreter->execute(eval, callFrame, thisValue, callerScopeChain);
@@ -799 +798 @@
     VM& vm = *scope->vm();
 
-    ASSERT(isValidThisObject(thisObj, callFrame));
     ASSERT(!vm.exception);
     ASSERT(!vm.isCollectorBusy());
@@ -964 +962 @@
 {
     VM& vm = callFrame->vm();
-    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!callFrame->hadException());
     ASSERT(!vm.isCollectorBusy());
@@ -1221 +1218 @@
     
     ASSERT(scope->vm() == &callFrame->vm());
-    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!vm.exception);
     ASSERT(!vm.isCollectorBusy());

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -265 +265 @@
     };
 
-    // This value must not be an object that would require this conversion (WebCore's global object).
-    inline bool isValidThisObject(JSValue thisValue, ExecState* exec)
-    {
-        return !thisValue.isObject() || thisValue.toThisObject(exec) == thisValue;
-    }
-
     JSValue eval(CallFrame*);
     CallFrame* loadVarargs(CallFrame*, JSStack*, JSValue thisValue, JSValue arguments, int firstFreeRegister);

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -229 +229 @@
         DEFINE_OP(op_get_callee)
         DEFINE_OP(op_create_this)
-        DEFINE_OP(op_convert_this)
+        DEFINE_OP(op_to_this)
         DEFINE_OP(op_init_lazy_reg)
         DEFINE_OP(op_create_arguments)
@@ -432 +432 @@
         DEFINE_SLOWCASE_OP(op_call_varargs)
         DEFINE_SLOWCASE_OP(op_construct)
-        DEFINE_SLOWCASE_OP(op_convert_this)
+        DEFINE_SLOWCASE_OP(op_to_this)
         DEFINE_SLOWCASE_OP(op_create_this)
         DEFINE_SLOWCASE_OP(op_div)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -654 +654 @@
         void emit_op_get_callee(Instruction*);
         void emit_op_create_this(Instruction*);
-        void emit_op_convert_this(Instruction*);
+        void emit_op_to_this(Instruction*);
         void emit_op_create_arguments(Instruction*);
         void emit_op_debug(Instruction*);
@@ -757 +757 @@
         void emitSlow_op_call_varargs(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_construct(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_convert_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_to_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_create_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_div(Instruction*, Vector<SlowCaseEntry>::iterator&);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -888 +888 @@
 }
 
-void JIT::emit_op_convert_this(Instruction* currentInstruction)
+void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
     emitGetVirtualRegister(currentInstruction[1].u.operand, regT1);
 
     emitJumpSlowCaseIfNotJSCell(regT1);
-    if (shouldEmitProfiling()) {
-        loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
+    loadPtr(Address(regT1, JSCell::structureOffset()), regT0);
+    if (shouldEmitProfiling())
         emitValueProfilingSite();
-    }
-    addSlowCase(branchPtr(Equal, Address(regT1, JSCell::structureOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
+
+    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
 }
 
@@ -953 +953 @@
 // Slow cases
 
-void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    void* globalThis = m_codeBlock->globalObject()->globalThis();
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling())
-        move(TrustedImm64((JSValue::encode(jsUndefined()))), regT0);
-    Jump isNotUndefined = branch64(NotEqual, regT1, TrustedImm64(JSValue::encode(jsUndefined())));
-    emitValueProfilingSite();
-    move(TrustedImm64(JSValue::encode(JSValue(static_cast<JSCell*>(globalThis)))), regT0);
-    emitPutVirtualRegister(currentInstruction[1].u.operand, regT0);
-    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling())
-        move(TrustedImm64(JSValue::encode(m_vm->stringStructure.get())), regT0);
-    isNotUndefined.link(this);
-    emitValueProfilingSite();
-    JITStubCall stubCall(this, cti_op_convert_this);
+void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkSlowCase(iter);
+    linkSlowCase(iter);
+    JITStubCall stubCall(this, cti_op_to_this);
     stubCall.addArgument(regT1);
     stubCall.call(currentInstruction[1].u.operand);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1181 +1181 @@
 }
 
-void JIT::emit_op_convert_this(Instruction* currentInstruction)
+void JIT::emit_op_to_this(Instruction* currentInstruction)
 {
     unsigned thisRegister = currentInstruction[1].u.operand;
@@ -1188 +1188 @@
 
     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag)));
+    loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
     if (shouldEmitProfiling()) {
-        loadPtr(Address(regT2, JSCell::structureOffset()), regT0);
         move(regT3, regT1);
         emitValueProfilingSite();
     }
-    addSlowCase(branchPtr(Equal, Address(regT2, JSCell::structureOffset()), TrustedImmPtr(m_vm->stringStructure.get())));
-}
-
-void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    void* globalThis = m_codeBlock->globalObject()->globalThis();
+    addSlowCase(branch8(NotEqual, Address(regT0, Structure::typeInfoTypeOffset()), TrustedImm32(FinalObjectType)));
+}
+
+void JIT::emitSlow_op_to_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
     unsigned thisRegister = currentInstruction[1].u.operand;
 
     linkSlowCase(iter);
-    if (shouldEmitProfiling()) {
-        move(TrustedImm32(JSValue::UndefinedTag), regT1);
-        move(TrustedImm32(0), regT0);
-    }
-    Jump isNotUndefined = branch32(NotEqual, regT3, TrustedImm32(JSValue::UndefinedTag));
-    emitValueProfilingSite();
-    move(TrustedImmPtr(globalThis), regT0);
-    move(TrustedImm32(JSValue::CellTag), regT1);
-    emitStore(thisRegister, regT1, regT0);
-    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
-
-    linkSlowCase(iter);
-    if (shouldEmitProfiling()) {
-        move(TrustedImm32(JSValue::CellTag), regT1);
-        move(TrustedImmPtr(m_vm->stringStructure.get()), regT0);
-    }
-    isNotUndefined.link(this);
-    emitValueProfilingSite();
-    JITStubCall stubCall(this, cti_op_convert_this);
+    linkSlowCase(iter);
+    JITStubCall stubCall(this, cti_op_to_this);
     stubCall.addArgument(regT3, regT2);
     stubCall.call(thisRegister);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -138 +138 @@
 );
     
-#elif COMPILER(GCC) && CPU(X86_64)
-
-// These ASSERTs remind you that, if you change the layout of JITStackFrame, you
-// need to change the assembly trampolines below to match.
-COMPILE_ASSERT(offsetof(struct JITStackFrame, code) % 32 == 0x0, JITStackFrame_maintains_32byte_stack_alignment);
-COMPILE_ASSERT(offsetof(struct JITStackFrame, savedRBX) == 0x48, JITStackFrame_stub_argument_space_matches_ctiTrampoline);
-COMPILE_ASSERT(offsetof(struct JITStackFrame, callFrame) == 0x90, JITStackFrame_callFrame_offset_matches_ctiTrampoline);
-COMPILE_ASSERT(offsetof(struct JITStackFrame, code) == 0x80, JITStackFrame_code_offset_matches_ctiTrampoline);
-
-asm (
-".globl " SYMBOL_STRING(ctiTrampoline) "\n"
-HIDE_SYMBOL(ctiTrampoline) "\n"
-SYMBOL_STRING(ctiTrampoline) ":" "\n"
-    "pushq %rbp" "\n"
-    "movq %rsp, %rbp" "\n"
-    "pushq %r12" "\n"
-    "pushq %r13" "\n"
-    "pushq %r14" "\n"
-    "pushq %r15" "\n"
-    "pushq %rbx" "\n"
-    "subq $0x48, %rsp" "\n"
-    "movq $512, %r12" "\n"
-    "movq $0xFFFF000000000000, %r14" "\n"
-    "movq $0xFFFF000000000002, %r15" "\n"
-    "movq 0x90(%rsp), %r13" "\n"
-    "call *0x80(%rsp)" "\n"
-    "addq $0x48, %rsp" "\n"
-    "popq %rbx" "\n"
-    "popq %r15" "\n"
-    "popq %r14" "\n"
-    "popq %r13" "\n"
-    "popq %r12" "\n"
-    "popq %rbp" "\n"
-    "ret" "\n"
-".globl " SYMBOL_STRING(ctiTrampolineEnd) "\n"
-HIDE_SYMBOL(ctiTrampolineEnd) "\n"
-SYMBOL_STRING(ctiTrampolineEnd) ":" "\n"
-);
-
-asm (
-".globl " SYMBOL_STRING(ctiVMThrowTrampoline) "\n"
-HIDE_SYMBOL(ctiVMThrowTrampoline) "\n"
-SYMBOL_STRING(ctiVMThrowTrampoline) ":" "\n"
-    "movq %rsp, %rdi" "\n"
-    "call " LOCAL_REFERENCE(cti_vm_throw) "\n"
-    "int3" "\n"
-);
-
-asm (
-".globl " SYMBOL_STRING(ctiOpThrowNotCaught) "\n"
-HIDE_SYMBOL(ctiOpThrowNotCaught) "\n"
-SYMBOL_STRING(ctiOpThrowNotCaught) ":" "\n"
-    "addq $0x48, %rsp" "\n"
-    "popq %rbx" "\n"
-    "popq %r15" "\n"
-    "popq %r14" "\n"
-    "popq %r13" "\n"
-    "popq %r12" "\n"
-    "popq %rbp" "\n"
-    "ret" "\n"
-);
-
 #elif (COMPILER(GCC) || COMPILER(RVCT)) && CPU(ARM_THUMB2)
 
@@ -294 +232 @@
 #define GLOBAL_DATA_OFFSET         108
 #define STACK_LENGTH               112
+
 #elif CPU(SH4)
+
 #define SYMBOL_STRING(name) #name
 /* code (r4), JSStack* (r5), CallFrame* (r6), void* unused1 (r7), void* unused2(sp), VM (sp)*/
@@ -1457 +1397 @@
 }
 
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_convert_this)
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_to_this)
 {
     STUB_INIT_STACK_FRAME(stackFrame);
@@ -1464 +1404 @@
     CallFrame* callFrame = stackFrame.callFrame;
 
-    ASSERT(v1.isPrimitive());
-
-    JSObject* result = v1.toThisObject(callFrame);
+    JSValue result = v1.toThis(callFrame, callFrame->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);
@@ -1782 +1720 @@
     STUB_INIT_STACK_FRAME(stackFrame);
     CallFrame* callFrame = stackFrame.callFrame;
-    GetterSetter* getterSetter = asGetterSetter(stackFrame.args[0].jsObject());
-    if (!getterSetter->getter())
-        return JSValue::encode(jsUndefined());
-    JSObject* getter = asObject(getterSetter->getter());
-    CallData callData;
-    CallType callType = getter->methodTable()->getCallData(getter, callData);
-    JSValue result = call(callFrame, getter, callType, callData, stackFrame.args[1].jsObject(), ArgList());
+    JSValue result = callGetter(callFrame, stackFrame.args[1].jsObject(), stackFrame.args[0].jsObject());
     if (callFrame->hadException())
         returnToThrowTrampoline(&callFrame->vm(), stackFrame.args[2].returnAddress(), STUB_RETURN_ADDRESS);

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -330 +330 @@
 EncodedJSValue JIT_STUB cti_op_check_has_instance(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_create_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
-EncodedJSValue JIT_STUB cti_op_convert_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
+EncodedJSValue JIT_STUB cti_op_to_this(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_create_arguments(STUB_ARGS_DECLARATION) WTF_INTERNAL;
 EncodedJSValue JIT_STUB cti_op_del_by_id(STUB_ARGS_DECLARATION) WTF_INTERNAL;

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -105 +105 @@
     ASSERT(StringType == 5);
     ASSERT(ObjectType == 17);
+    ASSERT(FinalObjectType == 18);
     ASSERT(MasqueradesAsUndefined == 1);
     ASSERT(ImplementsHasInstance == 2);

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -492 +492 @@
 }
 
-LLINT_SLOW_PATH_DECL(slow_path_convert_this)
+LLINT_SLOW_PATH_DECL(slow_path_to_this)
 {
     LLINT_BEGIN();
     JSValue v1 = LLINT_OP(1).jsValue();
-    ASSERT(v1.isPrimitive());
 #if ENABLE(VALUE_PROFILER)
-    pc[OPCODE_LENGTH(op_convert_this) - 1].u.profile->m_buckets[0] =
+    pc[OPCODE_LENGTH(op_to_this) - 1].u.profile->m_buckets[0] =
         JSValue::encode(v1.structureOrUndefined());
 #endif
-    LLINT_RETURN(v1.toThisObject(exec));
+    LLINT_RETURN(v1.toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h

@@ -119 +119 @@
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_create_arguments);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_create_this);
-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_convert_this);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_to_this);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_object);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -101 +101 @@
 const StringType = 5
 const ObjectType = 17
+const FinalObjectType = 18
 
 # Type flags constants.

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -397 +397 @@
 
 
-_llint_op_convert_this:
-    traceExecution()
-    loadi 4[PC], t0
-    bineq TagOffset[cfr, t0, 8], CellTag, .opConvertThisSlow
+_llint_op_to_this:
+    traceExecution()
+    loadi 4[PC], t0
+    bineq TagOffset[cfr, t0, 8], CellTag, .opToThisSlow
     loadi PayloadOffset[cfr, t0, 8], t0
     loadp JSCell::m_structure[t0], t0
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
+    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
     loadi 8[PC], t1
     valueProfile(CellTag, t0, t1)
     dispatch(3)
 
-.opConvertThisSlow:
-    callSlowPath(_llint_slow_path_convert_this)
+.opToThisSlow:
+    callSlowPath(_llint_slow_path_to_this)
     dispatch(3)
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -280 +280 @@
 
 
-_llint_op_convert_this:
+_llint_op_to_this:
     traceExecution()
     loadisFromInstruction(1, t0)
     loadq [cfr, t0, 8], t0
-    btqnz t0, tagMask, .opConvertThisSlow
+    btqnz t0, tagMask, .opToThisSlow
     loadp JSCell::m_structure[t0], t0
-    bbb Structure::m_typeInfo + TypeInfo::m_type[t0], ObjectType, .opConvertThisSlow
+    bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], FinalObjectType, .opToThisSlow
     loadpFromInstruction(2, t1)
     valueProfile(t0, t1)
     dispatch(3)
 
-.opConvertThisSlow:
-    callSlowPath(_llint_slow_path_convert_this)
+.opToThisSlow:
+    callSlowPath(_llint_slow_path_to_this)
     dispatch(3)
 

trunk/Source/JavaScriptCore/profiler/ProfileGenerator.cpp

@@ -65 +65 @@
 
     exec->interpreter()->retrieveLastCaller(exec, lineNumber, sourceID, sourceURL, function);
-    m_currentNode = ProfileNode::create(exec, LegacyProfiler::createCallIdentifier(exec, function ? function.toThisObject(exec) : 0, sourceURL, lineNumber), m_head.get(), m_head.get());
+    m_currentNode = ProfileNode::create(exec, LegacyProfiler::createCallIdentifier(exec, function, sourceURL, lineNumber), m_head.get(), m_head.get());
     m_head->insertNode(m_currentNode.get());
 }

trunk/Source/JavaScriptCore/runtime/CallData.cpp

@@ -37 +37 @@
 {
     ASSERT(callType == CallTypeJS || callType == CallTypeHost);
-    ASSERT(isValidThisObject(thisValue, exec));
     return exec->interpreter()->executeCall(exec, asObject(functionObject), callType, callData, thisValue, args);
 }

trunk/Source/JavaScriptCore/runtime/ClassInfo.h

@@ -67 +67 @@
     GetOwnPropertySlotByIndexFunctionPtr getOwnPropertySlotByIndex;
 
-    typedef JSObject* (*ToThisObjectFunctionPtr)(JSCell*, ExecState*);
-    ToThisObjectFunctionPtr toThisObject;
+    typedef JSValue (*ToThisFunctionPtr)(JSCell*, ExecState*, ECMAMode);
+    ToThisFunctionPtr toThis;
 
     typedef JSValue (*DefaultValueFunctionPtr)(const JSObject*, ExecState*, PreferredPrimitiveType);
@@ -129 +129 @@
         &ClassName::getOwnPropertySlot, \
         &ClassName::getOwnPropertySlotByIndex, \
-        &ClassName::toThisObject, \
+        &ClassName::toThis, \
         &ClassName::defaultValue, \
         &ClassName::getOwnPropertyNames, \

trunk/Source/JavaScriptCore/runtime/Completion.cpp

@@ -80 +80 @@
     if (!thisValue || thisValue.isUndefinedOrNull())
         thisValue = exec->dynamicGlobalObject();
-    JSObject* thisObj = thisValue.toThisObject(exec);
+    JSObject* thisObj = jsCast<JSObject*>(thisValue.toThis(exec, NotStrictMode));
     JSValue result = exec->interpreter()->execute(program, exec, thisObj);
 

trunk/Source/JavaScriptCore/runtime/DatePrototype.cpp

@@ -1107 +1107 @@
 {
     JSValue thisValue = exec->hostThisValue();
-    JSObject* object = thisValue.toThisObject(exec);
+    JSObject* object = jsCast<JSObject*>(thisValue.toThis(exec, NotStrictMode));
     if (exec->hadException())
         return JSValue::encode(jsNull());

trunk/Source/JavaScriptCore/runtime/GetterSetter.cpp

@@ -24 +24 @@
 #include "GetterSetter.h"
 
+#include "Error.h"
 #include "JSObject.h"
 #include "Operations.h"
@@ -45 +46 @@
 }
 
+JSValue callGetter(ExecState* exec, JSValue base, JSValue getterSetter)
+{
+    // FIXME: Some callers may invoke get() without checking for an exception first.
+    // We work around that by checking here.
+    if (exec->hadException())
+        return exec->exception();
+
+    JSObject* getter = jsCast<GetterSetter*>(getterSetter)->getter();
+    if (!getter)
+        return jsUndefined();
+
+    CallData callData;
+    CallType callType = getter->methodTable()->getCallData(getter, callData);
+    return call(exec, getter, callType, callData, base, ArgList());
+}
+
+void callSetter(ExecState* exec, JSValue base, JSValue getterSetter, JSValue value, ECMAMode ecmaMode)
+{
+    JSObject* setter = jsCast<GetterSetter*>(getterSetter)->setter();
+    if (!setter) {
+        if (ecmaMode == StrictMode)
+            throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
+        return;
+    }
+
+    MarkedArgumentBuffer args;
+    args.append(value);
+
+    CallData callData;
+    CallType callType = setter->methodTable()->getCallData(setter, callData);
+    call(exec, setter, callType, callData, base, args);
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/GetterSetter.h

@@ -80 +80 @@
     }
 
+    JSValue callGetter(ExecState*, JSValue base, JSValue getterSetter);
+    void callSetter(ExecState*, JSValue base, JSValue getterSetter, JSValue value, ECMAMode);
 
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSActivation.cpp

@@ -237 +237 @@
 }
 
-JSObject* JSActivation::toThisObject(JSCell*, ExecState* exec)
-{
+JSValue JSActivation::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

trunk/Source/JavaScriptCore/runtime/JSActivation.h

@@ -74 +74 @@
         static bool deleteProperty(JSCell*, ExecState*, PropertyName);
 
-        static JSObject* toThisObject(JSCell*, ExecState*);
+        static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
         void tearOff(VM&);

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -81 +81 @@
 }
 
-JSObject* JSValue::toThisObjectSlowCase(ExecState* exec) const
+JSValue JSValue::toThisSlowCase(ExecState* exec, ECMAMode ecmaMode) const
 {
     ASSERT(!isCell());
+
+    if (ecmaMode == StrictMode)
+        return *this;
 
     if (isInt32() || isDouble())
@@ -148 +151 @@
             JSValue gs = obj->getDirect(offset);
             if (gs.isGetterSetter()) {
-                JSObject* setterFunc = asGetterSetter(gs)->setter();        
-                if (!setterFunc) {
-                    if (slot.isStrictMode())
-                        throwError(exec, createTypeError(exec, ASCIILiteral("setting a property that has only a getter")));
-                    return;
-                }
-                
-                CallData callData;
-                CallType callType = setterFunc->methodTable()->getCallData(setterFunc, callData);
-                MarkedArgumentBuffer args;
-                args.append(value);
-
-                // If this is WebCore's global object then we need to substitute the shell.
-                call(exec, setterFunc, callType, callData, *this, args);
+                callSetter(exec, *this, gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
                 return;
             }

trunk/Source/JavaScriptCore/runtime/JSCJSValue.h

@@ -73 +73 @@
 
 enum PreferredPrimitiveType { NoPreference, PreferNumber, PreferString };
-
+enum ECMAMode { StrictMode, NotStrictMode };
 
 typedef int64_t EncodedJSValue;
@@ -246 +246 @@
     void putByIndex(ExecState*, unsigned propertyName, JSValue, bool shouldThrow);
 
-    JSObject* toThisObject(ExecState*) const;
+    JSValue toThis(ExecState*, ECMAMode) const;
 
     static bool equal(ExecState*, JSValue v1, JSValue v2);
@@ -276 +276 @@
     JS_EXPORT_PRIVATE WTF::String toWTFStringSlowCase(ExecState*) const;
     JS_EXPORT_PRIVATE JSObject* toObjectSlowCase(ExecState*, JSGlobalObject*) const;
-    JS_EXPORT_PRIVATE JSObject* toThisObjectSlowCase(ExecState*) const;
+    JS_EXPORT_PRIVATE JSValue toThisSlowCase(ExecState*, ECMAMode) const;
 
 #if USE(JSVALUE32_64)

trunk/Source/JavaScriptCore/runtime/JSCJSValueInlines.h

@@ -615 +615 @@
 }
 
-inline JSObject* JSValue::toThisObject(ExecState* exec) const
-{
-    return isCell() ? asCell()->methodTable()->toThisObject(asCell(), exec) : toThisObjectSlowCase(exec);
+inline JSValue JSValue::toThis(ExecState* exec, ECMAMode ecmaMode) const
+{
+    return isCell() ? asCell()->methodTable()->toThis(asCell(), exec, ecmaMode) : toThisSlowCase(exec, ecmaMode);
 }
 

trunk/Source/JavaScriptCore/runtime/JSCell.cpp

@@ -140 +140 @@
 }
 
-JSObject* JSCell::toThisObject(JSCell* cell, ExecState* exec)
-{
+JSValue JSCell::toThis(JSCell* cell, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return cell;
     return cell->toObject(exec, exec->lexicalGlobalObject());
 }

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -114 +114 @@
     static bool deletePropertyByIndex(JSCell*, ExecState*, unsigned propertyName);
 
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     void zap() { *reinterpret_cast<uintptr_t**>(this) = 0; }

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -530 +530 @@
 }
 
-JSObject* JSGlobalObject::toThisObject(JSCell* cell, ExecState*)
-{
-    return jsCast<JSGlobalObject*>(cell)->globalThis();
+JSValue JSGlobalObject::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
+    return exec->globalThisValue();
 }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -385 +385 @@
     VM& vm() const { return *Heap::heap(this)->vm(); }
     JSObject* globalThis() const;
+    JS_EXPORT_PRIVATE void setGlobalThis(VM&, JSObject* globalThis);
 
     static Structure* createStructure(VM& vm, JSValue prototype)
@@ -433 +434 @@
     JS_EXPORT_PRIVATE void addStaticGlobals(GlobalPropertyInfo*, int count);
 
-    JS_EXPORT_PRIVATE static JSC::JSObject* toThisObject(JSC::JSCell*, JSC::ExecState*);
-
-    JS_EXPORT_PRIVATE void setGlobalThis(VM&, JSObject* globalThis);
+    JS_EXPORT_PRIVATE static JSC::JSValue toThis(JSC::JSCell*, JSC::ExecState*, ECMAMode);
 
 private:

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -708 +708 @@
 EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
 {
-    if (!exec->thisValue().isObject())
+    JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
+
+    if (!thisObject)
         return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
 
-    JSObject* thisObject = asObject(exec->thisValue());
     if (!thisObject->allowsAccessFrom(exec->trueCallerFrame()))
         return JSValue::encode(jsUndefined());
@@ -722 +723 @@
     JSValue value = exec->argument(0);
 
+    JSObject* thisObject = jsDynamicCast<JSObject*>(exec->thisValue().toThis(exec, NotStrictMode));
+
     // Setting __proto__ of a primitive should have no effect.
-    if (!exec->thisValue().isObject())
+    if (!thisObject)
         return JSValue::encode(jsUndefined());
 
-    JSObject* thisObject = asObject(exec->thisValue());
     if (!thisObject->allowsAccessFrom(exec->trueCallerFrame()))
         return JSValue::encode(jsUndefined());
@@ -737 +739 @@
         return throwVMError(exec, createTypeError(exec, StrictModeReadonlyPropertyWriteError));
 
-    if (!thisObject->setPrototypeWithCycleCheck(exec->vm(), value))
+    if (!thisObject->setPrototypeWithCycleCheck(exec, value))
         throwError(exec, createError(exec, "cyclic __proto__ value"));
     return JSValue::encode(jsUndefined());

trunk/Source/JavaScriptCore/runtime/JSNameScope.cpp

@@ -45 +45 @@
 }
 
-JSObject* JSNameScope::toThisObject(JSCell*, ExecState* exec)
+JSValue JSNameScope::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
 {
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

trunk/Source/JavaScriptCore/runtime/JSNameScope.h

@@ -53 +53 @@
     static void visitChildren(JSCell*, SlotVisitor&);
     bool isDynamicScope(bool& requiresDynamicChecks) const;
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
     static bool getOwnPropertySlot(JSCell*, ExecState*, PropertyName, PropertySlot&);
     static void put(JSCell*, ExecState*, PropertyName, JSValue, PutPropertySlot&);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -383 +383 @@
             JSValue gs = obj->getDirect(offset);
             if (gs.isGetterSetter()) {
-                ASSERT(attributes & Accessor);
-                ASSERT(thisObject->structure()->prototypeChainMayInterceptStoreTo(exec->vm(), propertyName) || obj == thisObject);
-                JSObject* setterFunc = asGetterSetter(gs)->setter();        
-                if (!setterFunc) {
-                    if (slot.isStrictMode())
-                        throwError(exec, createTypeError(exec, ASCIILiteral("setting a property that has only a getter")));
-                    return;
-                }
-                
-                CallData callData;
-                CallType callType = setterFunc->methodTable()->getCallData(setterFunc, callData);
-                MarkedArgumentBuffer args;
-                args.append(value);
-
-                // If this is WebCore's global object then we need to substitute the shell.
-                call(exec, setterFunc, callType, callData, thisObject->methodTable()->toThisObject(thisObject, exec), args);
+                callSetter(exec, cell, gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
                 return;
             } else
@@ -1173 +1158 @@
 }
 
-bool JSObject::setPrototypeWithCycleCheck(VM& vm, JSValue prototype)
-{
-    JSValue checkFor = this;
-    if (this->isGlobalObject())
-        checkFor = jsCast<JSGlobalObject*>(this)->globalExec()->thisValue();
-
+bool JSObject::setPrototypeWithCycleCheck(ExecState* exec, JSValue prototype)
+{
+    ASSERT(methodTable()->toThis(this, exec, NotStrictMode) == this);
     JSValue nextPrototype = prototype;
     while (nextPrototype && nextPrototype.isObject()) {
-        if (nextPrototype == checkFor)
+        if (nextPrototype == this)
             return false;
         nextPrototype = asObject(nextPrototype)->prototype();
     }
-    setPrototype(vm, prototype);
+    setPrototype(exec->vm(), prototype);
     return true;
 }
@@ -1561 +1543 @@
 }
 
-JSObject* JSObject::toThisObject(JSCell* cell, ExecState*)
+JSValue JSObject::toThis(JSCell* cell, ExecState*, ECMAMode)
 {
     return jsCast<JSObject*>(cell);
@@ -1641 +1623 @@
 }
 
-NEVER_INLINE void JSObject::fillGetterPropertySlot(PropertySlot& slot, PropertyOffset offset)
-{
-    if (JSObject* getterFunction = asGetterSetter(getDirect(offset))->getter()) {
-        if (!structure()->isDictionary())
-            slot.setCacheableGetterSlot(this, getterFunction, offset);
-        else
-            slot.setGetterSlot(getterFunction);
-    } else
-        slot.setUndefined();
+NEVER_INLINE void JSObject::fillGetterPropertySlot(PropertySlot& slot, JSValue getterSetter, PropertyOffset offset)
+{
+    if (structure()->isDictionary()) {
+        slot.setGetterSlot(jsCast<GetterSetter*>(getterSetter));
+        return;
+    }
+
+    slot.setCacheableGetterSlot(this, jsCast<GetterSetter*>(getterSetter), offset);
 }
 

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -123 +123 @@
     JSValue prototype() const;
     void setPrototype(VM&, JSValue prototype);
-    bool setPrototypeWithCycleCheck(VM&, JSValue prototype);
+    bool setPrototypeWithCycleCheck(ExecState*, JSValue prototype);
         
     bool mayInterceptIndexedAccesses()
@@ -487 +487 @@
     JS_EXPORT_PRIVATE JSString* toString(ExecState*) const;
 
-    // NOTE: JSObject and its subclasses must be able to gracefully handle ExecState* = 0,
-    // because this call may come from inside the compiler.
-    JS_EXPORT_PRIVATE static JSObject* toThisObject(JSCell*, ExecState*);
+    JS_EXPORT_PRIVATE static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     bool getPropertySpecificValue(ExecState*, PropertyName, JSCell*& specificFunction) const;
@@ -926 +924 @@
 
     bool inlineGetOwnPropertySlot(ExecState*, PropertyName, PropertySlot&);
-    JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, PropertyOffset);
+    JS_EXPORT_PRIVATE void fillGetterPropertySlot(PropertySlot&, JSValue, PropertyOffset);
 
     const HashEntry* findPropertyHashEntry(ExecState*, PropertyName) const;
@@ -1161 +1159 @@
         JSValue value = getDirect(offset);
         if (structure()->hasGetterSetterProperties() && value.isGetterSetter())
-            fillGetterPropertySlot(slot, offset);
+            fillGetterPropertySlot(slot, value, offset);
         else
             slot.setValue(this, value, offset);

trunk/Source/JavaScriptCore/runtime/JSScope.cpp

@@ -537 +537 @@
             return JSValue();
         ASSERT(value);
-        *base = propertyBase->structure()->typeInfo().isEnvironmentRecord() ? jsUndefined() : JSValue(propertyBase);
+        *base = JSValue(propertyBase);
         return value;
     }

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -272 +272 @@
 }
 
-JSObject* JSString::toThisObject(JSCell* cell, ExecState* exec)
-{
+JSValue JSString::toThis(JSCell* cell, ExecState* exec, ECMAMode ecmaMode)
+{
+    if (ecmaMode == StrictMode)
+        return cell;
     return StringObject::create(exec, exec->lexicalGlobalObject(), jsCast<JSString*>(cell));
 }

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -201 +201 @@
     friend class LLIntOffsetsExtractor;
         
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     // Actually getPropertySlot, not getOwnPropertySlot (see JSCell).

trunk/Source/JavaScriptCore/runtime/PropertySlot.cpp

@@ -22 +22 @@
 #include "PropertySlot.h"
 
-#include "JSFunction.h"
-#include "JSGlobalObject.h"
-#include "Operations.h"
+#include "GetterSetter.h"
+#include "JSCJSValueInlines.h"
 
 namespace JSC {
@@ -30 +29 @@
 JSValue PropertySlot::functionGetter(ExecState* exec) const
 {
-    // Prevent getter functions from observing execution if an exception is pending.
-    if (exec->hadException())
-        return exec->exception();
-
-    CallData callData;
-    CallType callType = m_data.getterFunc->methodTable()->getCallData(m_data.getterFunc, callData);
-    return call(exec, m_data.getterFunc, callType, callData, m_thisValue.isObject() ? m_thisValue.toThisObject(exec) : m_thisValue, exec->emptyList());
+    return callGetter(exec, m_thisValue, m_data.getterSetter);
 }
 

trunk/Source/JavaScriptCore/runtime/PropertySlot.h

@@ -32 +32 @@
 
     class ExecState;
-    class JSObject;
+    class GetterSetter;
 
 #define JSC_VALUE_MARKER 0
@@ -154 +154 @@
         }
 
-        void setGetterSlot(JSObject* getterFunc)
-        {
-            ASSERT(getterFunc);
+        void setGetterSlot(GetterSetter* getterSetter)
+        {
+            ASSERT(getterSetter);
             m_thisValue = m_slotBase;
             m_getValue = GETTER_FUNCTION_MARKER;
-            m_data.getterFunc = getterFunc;
-        }
-
-        void setCacheableGetterSlot(JSValue slotBase, JSObject* getterFunc, PropertyOffset offset)
-        {
-            ASSERT(getterFunc);
+            m_data.getterSetter = getterSetter;
+        }
+
+        void setCacheableGetterSlot(JSValue slotBase, GetterSetter* getterSetter, PropertyOffset offset)
+        {
+            ASSERT(getterSetter);
             m_getValue = GETTER_FUNCTION_MARKER;
             m_thisValue = m_slotBase;
             m_slotBase = slotBase;
-            m_data.getterFunc = getterFunc;
+            m_data.getterSetter = getterSetter;
             m_offset = offset;
             m_cachedPropertyType = Getter;
@@ -227 +227 @@
         JSValue m_slotBase;
         union {
-            JSObject* getterFunc;
+            GetterSetter* getterSetter;
             unsigned index;
         } m_data;

trunk/Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp

@@ -133 +133 @@
     }
 
-    JSObject* getter = asGetterSetter(value)->getter();
-    if (!getter) {
-        slot.setUndefined();
-        return;
-    }
-
-    slot.setGetterSlot(getter);
+    slot.setGetterSlot(jsCast<GetterSetter*>(value));
 }
 
@@ -149 +143 @@
 JSValue SparseArrayEntry::get(ExecState* exec, JSObject* array) const
 {
-    JSValue result = Base::get();
-    ASSERT(result);
+    JSValue value = Base::get();
+    ASSERT(value);
 
-    if (LIKELY(!result.isGetterSetter()))
-        return result;
+    if (LIKELY(!value.isGetterSetter()))
+        return value;
 
-    JSObject* getter = asGetterSetter(result)->getter();
-    if (!getter)
-        return jsUndefined();
-
-    CallData callData;
-    CallType callType = getter->methodTable()->getCallData(getter, callData);
-    return call(exec, getter, callType, callData, array->methodTable()->toThisObject(array, exec), exec->emptyList());
+    return callGetter(exec, array, jsCast<GetterSetter*>(value));
 }
 
@@ -177 +165 @@
     }
 
-    JSValue accessor = Base::get();
-    ASSERT(accessor.isGetterSetter());
-    JSObject* setter = asGetterSetter(accessor)->setter();
-    
-    if (!setter) {
-        if (shouldThrow)
-            throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
-        return;
-    }
-
-    CallData callData;
-    CallType callType = setter->methodTable()->getCallData(setter, callData);
-    MarkedArgumentBuffer args;
-    args.append(value);
-    if (thisValue.isObject())
-        thisValue = asObject(thisValue)->methodTable()->toThisObject(asObject(thisValue), exec);
-    call(exec, setter, callType, callData, thisValue, args);
+    callSetter(exec, thisValue, Base::get(), value, shouldThrow ? StrictMode : NotStrictMode);
 }
 

trunk/Source/JavaScriptCore/runtime/StrictEvalActivation.cpp

@@ -50 +50 @@
 }
 
-JSObject* StrictEvalActivation::toThisObject(JSCell*, ExecState* exec)
+JSValue StrictEvalActivation::toThis(JSCell*, ExecState* exec, ECMAMode ecmaMode)
 {
+    if (ecmaMode == StrictMode)
+        return jsUndefined();
     return exec->globalThisValue();
 }

trunk/Source/JavaScriptCore/runtime/StrictEvalActivation.h

@@ -43 +43 @@
 
     static bool deleteProperty(JSCell*, ExecState*, PropertyName);
-    static JSObject* toThisObject(JSCell*, ExecState*);
+    static JSValue toThis(JSCell*, ExecState*, ECMAMode);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-05-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Rolled back in r149527 with crash fixed.
+
+        Reviewed by Oliver Hunt.
+
+            Rationalized 'this' value conversion
+            https://bugs.webkit.org/show_bug.cgi?id=115542
+
 2013-04-29  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/WebCore/WebCore.order

@@ -2802 +2802 @@
 __ZN7WebCore13ScriptElement13executeScriptERKNS_16ScriptSourceCodeE
 __ZNK7WebCore21ContentSecurityPolicy17allowInlineScriptEv
-__ZNK7WebCore15JSDOMWindowBase12toThisObjectEPN3JSC9ExecStateE
 __ZN7WebCore16JSDOMWindowShell18getOwnPropertySlotEPN3JSC9ExecStateERKNS1_10IdentifierERNS1_12PropertySlotE
 __ZN7WebCore16JSDOMWindowShell17putWithAttributesEPN3JSC9ExecStateERKNS1_10IdentifierENS1_7JSValueEj

trunk/Source/WebCore/bindings/js/JSErrorHandler.cpp

@@ -93 +93 @@
         DynamicGlobalObjectScope globalObjectScope(vm, vm.dynamicGlobalObject ? vm.dynamicGlobalObject : globalObject);
 
-        JSValue thisValue = globalObject->methodTable()->toThisObject(globalObject, exec);
-
         JSValue returnValue = scriptExecutionContext->isDocument()
-            ? JSMainThreadExecState::call(exec, jsFunction, callType, callData, thisValue, args)
-            : JSC::call(exec, jsFunction, callType, callData, thisValue, args);
+            ? JSMainThreadExecState::call(exec, jsFunction, callType, callData, globalObject, args)
+            : JSC::call(exec, jsFunction, callType, callData, globalObject, args);
 
         globalObject->setCurrentEvent(savedEvent);

trunk/Source/WebCore/bindings/js/JSInjectedScriptHostCustom.cpp

@@ -113 +113 @@
         return jsUndefined();
 
-    JSObject* thisObject = exec->argument(0).toThisObject(exec);
+    JSObject* thisObject = jsCast<JSObject*>(exec->argument(0).toThis(exec, NotStrictMode));
     String result = thisObject->methodTable()->className(thisObject);
     return jsStringWithCache(exec, result);

trunk/Source/WebCore/bindings/js/JSMainThreadExecState.h

@@ -51 +51 @@
     {
         JSMainThreadExecState currentState(exec);
-        // Ensure DOM global object is unwrapped to the shell.
-        if (thisValue.isObject())
-            thisValue = thisValue.toThisObject(exec);
         return JSC::call(exec, functionObject, callType, callData, thisValue, args);
     };

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -2498 +2498 @@
             } else {
                 if ($interfaceName eq "DOMWindow") {
-                    push(@implContent, "    $className* castedThis = toJSDOMWindow(exec->hostThisValue().toThisObject(exec));\n");
+                    push(@implContent, "    $className* castedThis = toJSDOMWindow(exec->hostThisValue().toThis(exec, NotStrictMode));\n");
                     push(@implContent, "    if (!castedThis)\n");
                     push(@implContent, "        return throwVMTypeError(exec);\n");
-                } elsif ($codeGenerator->InheritsInterface($interface, "WorkerGlobalScope")) {
-                    push(@implContent, "    $className* castedThis = to${className}(exec->hostThisValue().toThisObject(exec));\n");
+                } elsif ($interface->extendedAttributes->{"WorkerGlobalScope"}) {
+                    push(@implContent, "    $className* castedThis = to${className}(exec->hostThisValue().toThis(exec, NotStrictMode));\n");
                     push(@implContent, "    if (!castedThis)\n");
                     push(@implContent, "        return throwVMTypeError(exec);\n");

trunk/Source/WebCore/bridge/NP_jsobject.cpp

@@ -235 +235 @@
         MarkedArgumentBuffer argList;
         getListFromVariantArgs(exec, args, argCount, rootObject, argList);
-        JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp->methodTable()->toThisObject(obj->imp, exec), argList);
+        JSValue resultV = JSC::call(exec, function, callType, callData, obj->imp, argList);
 
         // Convert and return the result of the function call.

trunk/Source/WebCore/html/HTMLPlugInImageElement.cpp

@@ -398 +398 @@
         return;
 
-    JSC::JSObject* thisObj = globalObject->methodTable()->toThisObject(globalObject, exec);
-
-    JSC::call(exec, overlay, callType, callData, thisObj, argList);
+    JSC::call(exec, overlay, callType, callData, globalObject, argList);
 }
 

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2013-05-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Rolled back in r149527 with crash fixed.
+
+        Reviewed by Oliver Hunt.
+
+            Rationalized 'this' value conversion
+            https://bugs.webkit.org/show_bug.cgi?id=115542
+
 2013-07-17  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm

@@ -912 +912 @@
     demarshalValues(exec, argumentsData, argumentsLength, argList);
 
-    JSValue value = call(exec, function, callType, callData, object->methodTable()->toThisObject(object, exec), argList);
+    JSValue value = call(exec, function, callType, callData, object, argList);
         
     marshalValue(exec, value, resultData, resultLength);
@@ -944 +944 @@
     demarshalValues(exec, argumentsData, argumentsLength, argList);
 
-    JSValue value = call(exec, object, callType, callData, object->methodTable()->toThisObject(object, exec), argList);
+    JSValue value = call(exec, object, callType, callData, object, argList);
     
     marshalValue(exec, value, resultData, resultLength);

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2013-05-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Rolled back in r149527 with crash fixed.
+
+        Reviewed by Oliver Hunt.
+
+            Rationalized 'this' value conversion
+            https://bugs.webkit.org/show_bug.cgi?id=115542
+
 2013-07-24  Ruth Fong  <ruth_fong@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

@@ -294 +294 @@
         argumentList.append(m_objectMap->convertNPVariantToJSValue(exec, globalObject, arguments[i]));
 
-    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject->methodTable()->toThisObject(m_jsObject.get(), exec), argumentList);
+    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
 
     // Convert and return the result of the function call.