Changeset 180595 in webkit

Timestamp:

Feb 24, 2015 4:41:35 PM (9 years ago)

Author:

rniwa@webkit.org

Message:

Use "this" instead of "callee" to get the constructor
​https://bugs.webkit.org/show_bug.cgi?id=141019

Reviewed by Filip Pizlo.

This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
to pass in the most derived class' constructor through "this" argument.

BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
regular calls and emitCreateThis passes in this register to op_create_this as constructor.

The rest of the code change removes the code for special casing "this" register not being used
in call to construct.

• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitCreateThis):
(JSC::BytecodeGenerator::emitConstructVarargs):
(JSC::BytecodeGenerator::emitConstruct):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::NewExprNode::emitBytecode):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
(JSC::DFG::ByteCodeParser::handleVarargsCall):
(JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
(JSC::DFG::ByteCodeParser::attemptToInlineCall):
(JSC::DFG::ByteCodeParser::handleInlining):
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGJITCode.cpp:

(JSC::DFG::JITCode::reconstruct):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::emitCall):

• ftl/FTLJSCallVarargs.cpp:

(JSC::FTL::JSCallVarargs::emit):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
(JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):

• interpreter/Interpreter.cpp:

(JSC::Interpreter::executeConstruct):

• jit/JITOperations.cpp:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/BytecodeUseDef.h (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (4 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• dfg/DFGByteCodeParser.cpp (modified) (11 diffs)
• dfg/DFGJITCode.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (4 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (4 diffs)
• ftl/FTLJSCallVarargs.cpp (modified) (6 diffs)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (6 diffs)
• interpreter/Interpreter.cpp (modified) (1 diff)
• jit/JITOperations.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-02-24  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Use "this" instead of "callee" to get the constructor
+        https://bugs.webkit.org/show_bug.cgi?id=141019
+
+        Reviewed by Filip Pizlo.
+
+        This patch uses "this" register to pass the constructor (newTarget) to op_create_this from
+        op_construct or op_construct_varargs. This will allow future patches that implement ES6 class
+        to pass in the most derived class' constructor through "this" argument.
+
+        BytecodeGenerator's emitConstruct and emitConstructVarargs now passes thisRegister like
+        regular calls and emitCreateThis passes in this register to op_create_this as constructor.
+
+        The rest of the code change removes the code for special casing "this" register not being used
+        in call to construct.
+
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitCreateThis):
+        (JSC::BytecodeGenerator::emitConstructVarargs):
+        (JSC::BytecodeGenerator::emitConstruct):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::NewExprNode::emitBytecode):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addCallWithoutSettingResult):
+        (JSC::DFG::ByteCodeParser::handleVarargsCall):
+        (JSC::DFG::ByteCodeParser::emitArgumentPhantoms):
+        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
+        (JSC::DFG::ByteCodeParser::handleInlining):
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCode.cpp:
+        (JSC::DFG::JITCode::reconstruct):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::emitCall):
+        * ftl/FTLJSCallVarargs.cpp:
+        (JSC::FTL::JSCallVarargs::emit):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileNativeCallOrConstruct):
+        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstruct):
+        (JSC::FTL::LowerDFGToLLVM::compileCallOrConstructVarargs):
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::executeConstruct):
+        * jit/JITOperations.cpp:
+
 2015-02-24  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -219 +219 @@
         int registerOffset = -instruction[4].u.operand;
         int lastArg = registerOffset + CallFrame::thisArgumentOffset();
-        for (int i = opcodeID == op_construct ? 1 : 0; i < argCount; i++)
+        for (int i = 0; i < argCount; i++)
             functor(codeBlock, instruction, opcodeID, lastArg + i);
         return;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1565 +1565 @@
 RegisterID* BytecodeGenerator::emitCreateThis(RegisterID* dst)
 {
-    RefPtr<RegisterID> func = newTemporary(); 
-
-    m_codeBlock->addPropertyAccessInstruction(instructions().size());
-    emitOpcode(op_get_callee);
-    instructions().append(func->index());
-    instructions().append(0);
-
     size_t begin = instructions().size();
     m_staticPropertyAnalyzer.createThis(m_thisRegister.index(), begin + 3);
@@ -1577 +1570 @@
     emitOpcode(op_create_this); 
     instructions().append(m_thisRegister.index()); 
-    instructions().append(func->index()); 
+    instructions().append(m_thisRegister.index()); 
     instructions().append(0);
     return dst;
@@ -1882 +1875 @@
 }
 
-RegisterID* BytecodeGenerator::emitConstructVarargs(RegisterID* dst, RegisterID* func, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, RegisterID* profileHookRegister, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd)
-{
-    return emitCallVarargs(op_construct_varargs, dst, func, 0, arguments, firstFreeRegister, firstVarArgOffset, profileHookRegister, divot, divotStart, divotEnd);
+RegisterID* BytecodeGenerator::emitConstructVarargs(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, RegisterID* profileHookRegister, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd)
+{
+    return emitCallVarargs(op_construct_varargs, dst, func, thisRegister, arguments, firstFreeRegister, firstVarArgOffset, profileHookRegister, divot, divotStart, divotEnd);
 }
     
@@ -1980 +1973 @@
             else
                 argumentRegister = expression->emitBytecode(*this, callArguments.argumentRegister(0));
-            return emitConstructVarargs(dst, func, argumentRegister.get(), newTemporary(), 0, callArguments.profileHookRegister(), divot, divotStart, divotEnd);
+            return emitConstructVarargs(dst, func, callArguments.thisRegister(), argumentRegister.get(), newTemporary(), 0, callArguments.profileHookRegister(), divot, divotStart, divotEnd);
         }
         

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -668 +668 @@
         RegisterID* emitInitLazyRegister(RegisterID*);
         
-        RegisterID* emitConstructVarargs(RegisterID* dst, RegisterID* func, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, RegisterID* profileHookRegister, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd);
+        RegisterID* emitConstructVarargs(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, RegisterID* profileHookRegister, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd);
         RegisterID* emitCallVarargs(OpcodeID, RegisterID* dst, RegisterID* func, RegisterID* thisRegister, RegisterID* arguments, RegisterID* firstFreeRegister, int32_t firstVarArgOffset, RegisterID* profileHookRegister, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd);
         RegisterID* initializeCapturedVariable(RegisterID* dst, const Identifier&, RegisterID*);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -454 +454 @@
     RefPtr<RegisterID> returnValue = generator.finalDestination(dst, func.get());
     CallArguments callArguments(generator, m_args);
+    generator.emitMove(callArguments.thisRegister(), func.get());
     return generator.emitConstruct(returnValue.get(), func.get(), expectedFunction, callArguments, divot(), divotStart(), divotEnd());
 }

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -186 +186 @@
     void handleVarargsCall(Instruction* pc, NodeType op, CodeSpecializationKind);
     void emitFunctionChecks(CallVariant, Node* callTarget, VirtualRegister thisArgumnt);
-    void emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind);
+    void emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis);
     unsigned inliningCost(CallVariant, int argumentCountIncludingThis, CodeSpecializationKind); // Return UINT_MAX if it's not an inlining candidate. By convention, intrinsics have a cost of 1.
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
@@ -695 +695 @@
             m_parameterSlots = parameterSlots;
 
-        int dummyThisArgument = op == Call || op == NativeCall ? 0 : 1;
-        for (int i = 0 + dummyThisArgument; i < argCount; ++i)
+        for (int i = 0; i < argCount; ++i)
             addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
 
@@ -1142 +1141 @@
     data->firstVarArgOffset = firstVarArgOffset;
     
-    Node* thisChild;
-    if (kind == CodeForCall)
-        thisChild = get(VirtualRegister(thisReg));
-    else
-        thisChild = nullptr;
+    Node* thisChild = get(VirtualRegister(thisReg));
     
     Node* call = addToGraph(op, OpInfo(data), OpInfo(prediction), callTarget, get(VirtualRegister(arguments)), thisChild);
@@ -1176 +1171 @@
 }
 
-void ByteCodeParser::emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis, CodeSpecializationKind kind)
+void ByteCodeParser::emitArgumentPhantoms(int registerOffset, int argumentCountIncludingThis)
 {
-    for (int i = kind == CodeForCall ? 0 : 1; i < argumentCountIncludingThis; ++i)
+    for (int i = 0; i < argumentCountIncludingThis; ++i)
         addToGraph(Phantom, get(virtualRegisterForArgument(i, registerOffset)));
 }
@@ -1448 +1443 @@
             RELEASE_ASSERT(didInsertChecks);
             addToGraph(Phantom, callTargetNode);
-            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis);
             inliningBalance--;
             return true;
@@ -1461 +1456 @@
             RELEASE_ASSERT(didInsertChecks);
             addToGraph(Phantom, callTargetNode);
-            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+            emitArgumentPhantoms(registerOffset, argumentCountIncludingThis);
             inliningBalance--;
             return true;
@@ -1546 +1541 @@
             argumentCountIncludingThis, nextOffset, kind, CallerDoesNormalLinking, prediction,
             inliningBalance, [&] (CodeBlock* codeBlock) {
-                emitFunctionChecks(callLinkStatus[0], callTargetNode, specializationKind == CodeForCall ? thisArgument : VirtualRegister());
+                emitFunctionChecks(callLinkStatus[0], callTargetNode, thisArgument);
 
                 // If we have a varargs call, we want to extract the arguments right now.
@@ -1580 +1575 @@
                     Node* setArgumentCount = addToGraph(SetArgument, OpInfo(countVariable));
                     m_currentBlock->variablesAtTail.setOperand(countVariable->local(), setArgumentCount);
-            
-                    if (specializationKind == CodeForCall)
-                        set(VirtualRegister(argumentStart), get(thisArgument), ImmediateNakedSet);
+
+                    set(VirtualRegister(argumentStart), get(thisArgument), ImmediateNakedSet);
                     for (unsigned argument = 1; argument < maxNumArguments; ++argument) {
                         VariableAccessData* variable = newVariableAccessData(
@@ -1763 +1757 @@
         addToGraph(CheckBadCell);
         addToGraph(Phantom, myCallTargetNode);
-        emitArgumentPhantoms(registerOffset, argumentCountIncludingThis, specializationKind);
+        emitArgumentPhantoms(registerOffset, argumentCountIncludingThis);
         
         set(VirtualRegister(resultOperand), addToGraph(BottomValue));
@@ -2151 +2145 @@
         }
         
+        // FIXME: Array constructor should use "this" as newTarget.
         for (int i = 1; i < argumentCountIncludingThis; ++i)
             addVarArgChild(get(virtualRegisterForArgument(i, registerOffset)));
@@ -2589 +2584 @@
             for (int i = 0; i < m_inlineStackTop->m_codeBlock->m_numVars; ++i)
                 set(virtualRegisterForLocal(i), undefined, ImmediateNakedSet);
-            if (m_inlineStackTop->m_codeBlock->specializationKind() == CodeForConstruct)
-                set(virtualRegisterForArgument(0), undefined, ImmediateNakedSet);
             NEXT_OPCODE(op_enter);
         }

trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp

@@ -83 +83 @@
     
     result = Operands<JSValue>(OperandsLike, recoveries);
-    for (size_t i = result.size(); i--;) {
-        int operand = result.operandForIndex(i);
-        
-        if (codeOrigin == CodeOrigin(0)
-            && operandIsArgument(operand)
-            && !VirtualRegister(operand).toArgument()
-            && codeBlock->codeType() == FunctionCode
-            && codeBlock->specializationKind() == CodeForConstruct) {
-            // Ugh. If we're in a constructor, the 'this' argument may hold garbage. It will
-            // also never be used. It doesn't matter what we put into the value for this,
-            // but it has to be an actual value that can be grokked by subsequent DFG passes,
-            // so we sanitize it here by turning it into Undefined.
-            result[i] = jsUndefined();
-            continue;
-        }
-        
+    for (size_t i = result.size(); i--;)
         result[i] = recoveries[i].recover(exec);
-    }
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -641 +641 @@
 {
     CallLinkInfo::CallType callType;
-    bool isCall;
     bool isVarargs;
     switch (node->op()) {
     case Call:
         callType = CallLinkInfo::Call;
-        isCall = true;
         isVarargs = false;
         break;
     case Construct:
         callType = CallLinkInfo::Construct;
-        isCall = false;
         isVarargs = false;
         break;
@@ -657 +654 @@
     case CallForwardVarargs:
         callType = CallLinkInfo::CallVarargs;
-        isCall = true;
         isVarargs = true;
         break;
     case ConstructVarargs:
         callType = CallLinkInfo::ConstructVarargs;
-        isCall = false;
         isVarargs = true;
         break;
@@ -771 +766 @@
         if (node->op() != CallForwardVarargs)
             use(node->child2());
-        
-        if (isCall) {
-            // Now set up the "this" argument.
-            JSValueOperand thisArgument(this, node->op() == CallForwardVarargs ? node->child2() : node->child3());
-            GPRReg thisArgumentTagGPR = thisArgument.tagGPR();
-            GPRReg thisArgumentPayloadGPR = thisArgument.payloadGPR();
-            thisArgument.use();
-            
-            m_jit.store32(thisArgumentTagGPR, JITCompiler::calleeArgumentTagSlot(0));
-            m_jit.store32(thisArgumentPayloadGPR, JITCompiler::calleeArgumentPayloadSlot(0));
-        }
-    } else {
-        // For constructors, the this argument is not passed but we have to make space
-        // for it.
-        int dummyThisArgument = isCall ? 0 : 1;
-        
+
+        // Now set up the "this" argument.
+        JSValueOperand thisArgument(this, node->op() == CallForwardVarargs ? node->child2() : node->child3());
+        GPRReg thisArgumentTagGPR = thisArgument.tagGPR();
+        GPRReg thisArgumentPayloadGPR = thisArgument.payloadGPR();
+        thisArgument.use();
+        
+        m_jit.store32(thisArgumentTagGPR, JITCompiler::calleeArgumentTagSlot(0));
+        m_jit.store32(thisArgumentPayloadGPR, JITCompiler::calleeArgumentPayloadSlot(0));
+    } else {        
         // The call instruction's first child is either the function (normal call) or the
         // receiver (method call). subsequent children are the arguments.
         int numPassedArgs = node->numChildren() - 1;
-        
-        int numArgs = numPassedArgs + dummyThisArgument;
-        
-        m_jit.store32(MacroAssembler::TrustedImm32(numArgs), m_jit.calleeFramePayloadSlot(JSStack::ArgumentCount));
+
+        m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), m_jit.calleeFramePayloadSlot(JSStack::ArgumentCount));
         
         for (int i = 0; i < numPassedArgs; i++) {
@@ -802 +789 @@
             use(argEdge);
             
-            m_jit.store32(argTagGPR, m_jit.calleeArgumentTagSlot(i + dummyThisArgument));
-            m_jit.store32(argPayloadGPR, m_jit.calleeArgumentPayloadSlot(i + dummyThisArgument));
+            m_jit.store32(argTagGPR, m_jit.calleeArgumentTagSlot(i));
+            m_jit.store32(argPayloadGPR, m_jit.calleeArgumentPayloadSlot(i));
         }
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -627 +627 @@
 {
     CallLinkInfo::CallType callType;
-    bool isCall;
     bool isVarargs;
     switch (node->op()) {
     case Call:
         callType = CallLinkInfo::Call;
-        isCall = true;
         isVarargs = false;
         break;
     case Construct:
         callType = CallLinkInfo::Construct;
-        isCall = false;
         isVarargs = false;
         break;
@@ -643 +640 @@
     case CallForwardVarargs:
         callType = CallLinkInfo::CallVarargs;
-        isCall = true;
         isVarargs = true;
         break;
     case ConstructVarargs:
         callType = CallLinkInfo::ConstructVarargs;
-        isCall = false;
         isVarargs = true;
         break;
@@ -747 +742 @@
         if (node->op() != CallForwardVarargs)
             use(node->child2());
-        
-        if (isCall) {
-            // Now set up the "this" argument.
-            JSValueOperand thisArgument(this, node->op() == CallForwardVarargs ? node->child2() : node->child3());
-            GPRReg thisArgumentGPR = thisArgument.gpr();
-            thisArgument.use();
-            
-            m_jit.store64(thisArgumentGPR, JITCompiler::calleeArgumentSlot(0));
-        }
+
+        // Now set up the "this" argument.
+        JSValueOperand thisArgument(this, node->op() == CallForwardVarargs ? node->child2() : node->child3());
+        GPRReg thisArgumentGPR = thisArgument.gpr();
+        thisArgument.use();
+        
+        m_jit.store64(thisArgumentGPR, JITCompiler::calleeArgumentSlot(0));
     } else {
-        // For constructors, the this argument is not passed but we have to make space
-        // for it.
-        int dummyThisArgument = isCall ? 0 : 1;
-    
         // The call instruction's first child is the function; the subsequent children are the
         // arguments.
         int numPassedArgs = node->numChildren() - 1;
-    
-        int numArgs = numPassedArgs + dummyThisArgument;
-    
-        m_jit.store32(MacroAssembler::TrustedImm32(numArgs), JITCompiler::calleeFramePayloadSlot(JSStack::ArgumentCount));
+
+        m_jit.store32(MacroAssembler::TrustedImm32(numPassedArgs), JITCompiler::calleeFramePayloadSlot(JSStack::ArgumentCount));
     
         for (int i = 0; i < numPassedArgs; i++) {
@@ -775 +762 @@
             use(argEdge);
         
-            m_jit.store64(argGPR, JITCompiler::calleeArgumentSlot(i + dummyThisArgument));
+            m_jit.store64(argGPR, JITCompiler::calleeArgumentSlot(i));
         }
     }

trunk/Source/JavaScriptCore/ftl/FTLJSCallVarargs.cpp

@@ -70 +70 @@
     // - The arguments object.
     // - The "this" value, if it's a constructor call.
-    
-    bool isCall = m_node->op() != ConstructVarargs;
-    
+
     CallVarargsData* data = m_node->callVarargsData();
     
@@ -92 +90 @@
     case ConstructVarargs:
         argumentsGPR = GPRInfo::argumentGPR1;
+        thisGPR = GPRInfo::argumentGPR2;
         break;
     default:
@@ -111 +110 @@
     if (argumentsGPR != InvalidGPRReg)
         usedRegisters.set(argumentsGPR);
-    if (thisGPR != InvalidGPRReg)
-        usedRegisters.set(thisGPR);
+    ASSERT(thisGPR);
+    usedRegisters.set(thisGPR);
     ScratchRegisterAllocator allocator(usedRegisters);
     GPRReg scratchGPR1 = allocator.allocateScratchGPR();
@@ -183 +182 @@
     if (!argumentsOnStack)
         jit.store64(argumentsGPR, CCallHelpers::addressFor(spillSlotsOffset + argumentsSpillSlot));
-    if (isCall)
-        jit.store64(thisGPR, CCallHelpers::addressFor(spillSlotsOffset + thisSpillSlot));
+    jit.store64(thisGPR, CCallHelpers::addressFor(spillSlotsOffset + thisSpillSlot));
     
     unsigned extraStack = sizeof(CallerFrameAndPC) +
@@ -202 +200 @@
     
     jit.move(GPRInfo::returnValueGPR, scratchGPR2);
-    
-    if (isCall)
-        jit.load64(CCallHelpers::addressFor(spillSlotsOffset + thisSpillSlot), thisGPR);
+
+    jit.load64(CCallHelpers::addressFor(spillSlotsOffset + thisSpillSlot), thisGPR);
     jit.load64(CCallHelpers::addressFor(spillSlotsOffset + calleeSpillSlot), GPRInfo::regT0);
     
@@ -211 +208 @@
     
     jit.addPtr(CCallHelpers::TrustedImm32(sizeof(CallerFrameAndPC)), scratchGPR2, CCallHelpers::stackPointerRegister);
-    
-    if (isCall)
-        jit.store64(thisGPR, CCallHelpers::calleeArgumentSlot(0));
+
+    jit.store64(thisGPR, CCallHelpers::calleeArgumentSlot(0));
     
     // Henceforth we make the call. The base FTL call machinery expects the callee in regT0 and for the

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -3767 +3767 @@
     void compileNativeCallOrConstruct() 
     {
-        int dummyThisArgument = m_node->op() == NativeCall ? 0 : 1;
         int numPassedArgs = m_node->numChildren() - 1;
-        int numArgs = numPassedArgs + dummyThisArgument;
+        int numArgs = numPassedArgs;
 
         JSFunction* knownFunction = jsCast<JSFunction*>(m_node->cellOperand()->value().asCell());
@@ -3790 +3789 @@
         m_out.store64(m_out.constInt64(numArgs), addressFor(m_execStorage, JSStack::ArgumentCount));
 
-        if (dummyThisArgument) 
-            m_out.storePtr(getUndef(m_out.int64), addressFor(m_execStorage, JSStack::ThisArgument));
-        
         for (int i = 0; i < numPassedArgs; ++i) {
             m_out.storePtr(lowJSValue(m_graph.varArgChild(m_node, 1 + i)),
-                addressFor(m_execStorage, dummyThisArgument ? JSStack::FirstArgument : JSStack::ThisArgument, i * sizeof(Register)));
+                addressFor(m_execStorage, JSStack::ThisArgument, i * sizeof(Register)));
         }
 
@@ -3818 +3814 @@
     void compileCallOrConstruct()
     {
-        int dummyThisArgument = m_node->op() == Call ? 0 : 1;
         int numPassedArgs = m_node->numChildren() - 1;
-        int numArgs = numPassedArgs + dummyThisArgument;
+        int numArgs = numPassedArgs;
 
         LValue jsCallee = lowJSValue(m_graph.varArgChild(m_node, 0));
@@ -3835 +3830 @@
         arguments.append(jsCallee); // callee -> stack
         arguments.append(m_out.constInt64(numArgs)); // argument count and zeros for the tag
-        if (dummyThisArgument)
-            arguments.append(getUndef(m_out.int64));
         for (int i = 0; i < numPassedArgs; ++i)
             arguments.append(lowJSValue(m_graph.varArgChild(m_node, 1 + i)));
@@ -3867 +3860 @@
         case ConstructVarargs:
             jsArguments = lowJSValue(m_node->child2());
+            thisArg = lowJSValue(m_node->child3());
             break;
         default:
@@ -3879 +3873 @@
         arguments.append(m_out.constInt32(sizeOfICFor(m_node)));
         arguments.append(constNull(m_out.ref8));
-        arguments.append(m_out.constInt32(1 + !!jsArguments + !!thisArg));
+        arguments.append(m_out.constInt32(2 + !!jsArguments));
         arguments.append(jsCallee);
         if (jsArguments)
             arguments.append(jsArguments);
-        if (thisArg)
-            arguments.append(thisArg);
+        ASSERT(thisArg);
+        arguments.append(thisArg);
         
         callPreflight();

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -976 +976 @@
 
     ProtoCallFrame protoCallFrame;
-    protoCallFrame.init(newCodeBlock, constructor, jsUndefined(), argsCount, args.data());
+    protoCallFrame.init(newCodeBlock, constructor, constructor, argsCount, args.data());
 
     if (LegacyProfiler* profiler = vm.enabledProfiler())

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1160 +1160 @@
         for (size_t i = 0; i < mustHandleValues.size(); ++i) {
             int operand = mustHandleValues.operandForIndex(i);
-            if (operandIsArgument(operand)
-                && !VirtualRegister(operand).toArgument()
-                && codeBlock->codeType() == FunctionCode
-                && codeBlock->specializationKind() == CodeForConstruct) {
-                // Ugh. If we're in a constructor, the 'this' argument may hold garbage. It will
-                // also never be used. It doesn't matter what we put into the value for this,
-                // but it has to be an actual value that can be grokked by subsequent DFG passes,
-                // so we sanitize it here by turning it into Undefined.
-                mustHandleValues[i] = jsUndefined();
-            } else
-                mustHandleValues[i] = exec->uncheckedR(operand).jsValue();
+            mustHandleValues[i] = exec->uncheckedR(operand).jsValue();
         }