Context Navigation

← Previous Changeset
Next Changeset →

Changeset 200102 in webkit

Timestamp:

Apr 26, 2016 11:40:41 AM (8 years ago)

Author:

gskachkov@gmail.com

Message:

calling super() a second time in a constructor should throw
https://bugs.webkit.org/show_bug.cgi?id=151113

Reviewed by Saam Barati and Keith Miller.

Source/JavaScriptCore:

Currently, our implementation checks if 'super()' was called in a constructor more
than once and raises a RuntimeError before the second call. According to the spec
we need to raise an error just after the second super() is finished and before
the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
To implement this behavior this patch adds a new op code, op_is_empty, that is used
to check if 'this' is empty.

bytecode/BytecodeList.json:
bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitIsEmpty):

bytecompiler/BytecodeGenerator.h:
bytecompiler/NodesCodegen.cpp:

(JSC::FunctionCallValueNode::emitBytecode):

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

dfg/DFGNodeType.h:
dfg/DFGPredictionPropagationPhase.cpp:
dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):

jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

jit/JIT.h:
jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_is_empty):

jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_is_empty):

llint/LowLevelInterpreter32_64.asm:
llint/LowLevelInterpreter64.asm:
tests/stress/class-syntax-double-constructor.js: Added.

LayoutTests:

js/class-syntax-super-expected.txt:
js/script-tests/class-syntax-super.js:

Location:

trunk

Files:

: 1 added
: 29 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/js/class-syntax-super-expected.txt (modified) (1 diff)
LayoutTests/js/script-tests/class-syntax-super.js (modified) (1 diff)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
Source/JavaScriptCore/bytecode/BytecodeUseDef.h (modified) (2 diffs)
Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (3 diffs)
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
Source/JavaScriptCore/jit/JIT.cpp (modified) (1 diff)
Source/JavaScriptCore/jit/JIT.h (modified) (1 diff)
Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (1 diff)
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
Source/JavaScriptCore/tests/stress/class-syntax-double-constructor.js (added)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r200084
+                      r200102
+-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>
+        calling super() a second time in a constructor should throw
+        https://bugs.webkit.org/show_bug.cgi?id=151113
+        Reviewed by Saam Barati and Keith Miller.
+        * js/class-syntax-super-expected.txt:
+        * js/script-tests/class-syntax-super.js:
 -04-26  Commit Queue  <commit-queue@webkit.org>

trunk/LayoutTests/js/class-syntax-super-expected.txt

r200084	r200102
50	50	PASS new (class { constructor() { (function () { eval("super()");})(); } }):::SyntaxError: super is not valid in this context.
51	51	PASS (new (class { method() { (function () { eval("super.method()");})(); }})).method():::SyntaxError: super is not valid in this context.
	52	PASS new (class extends Base { constructor() { super(); super();}}):::ReferenceError: 'super()' can't be called more than once in a constructor.
52	53	PASS successfullyParsed
53	54

trunk/LayoutTests/js/script-tests/class-syntax-super.js

r200084	r200102
136	136	shouldThrow('(new (class { method() { (function () { eval("super.method()");})(); }})).method()', '"SyntaxError: super is not valid in this context."');
137	137
	138	shouldThrow('new (class extends Base { constructor() { super(); super();}})', '"ReferenceError: \'super()\' can\'t be called more than once in a constructor."');
138	139	var successfullyParsed = true;

trunk/Source/JavaScriptCore/ChangeLog

-                      r200101
+                      r200102
+-04-26  Skachkov Oleksandr  <gskachkov@gmail.com>
+        calling super() a second time in a constructor should throw
+        https://bugs.webkit.org/show_bug.cgi?id=151113
+        Reviewed by Saam Barati.
+        Currently, our implementation checks if 'super()' was called in a constructor more
+        than once and raises a RuntimeError before the second call. According to the spec
+        we need to raise an error just after the second super() is finished and before
+        the new 'this' is assigned https://esdiscuss.org/topic/duplicate-super-call-behaviour.
+        To implement this behavior this patch adds a new op code, op_is_empty, that is used
+        to check if 'this' is empty.
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitIsEmpty):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::FunctionCallValueNode::emitBytecode):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileIsEmpty):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_is_empty):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_is_empty):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * tests/stress/class-syntax-double-constructor.js: Added.
 -04-26  Mark Lam  <mark.lam@apple.com>

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

r200084	r200102
50	50	{ "name" : "op_instanceof_custom", "length" : 5 },
51	51	{ "name" : "op_typeof", "length" : 3 },
	52	{ "name" : "op_is_empty", "length" : 3 },
52	53	{ "name" : "op_is_undefined", "length" : 3 },
53	54	{ "name" : "op_is_boolean", "length" : 3 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

-                      r200084
+                      r200102
     case op_get_array_length:
     case op_typeof:
+    case op_is_empty:
     case op_is_undefined:
     case op_is_boolean:
 …
     case op_get_by_val:
     case op_typeof:
+    case op_is_empty:
     case op_is_undefined:
     case op_is_boolean:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

-                      r200084
+                      r200102
         case op_typeof: {
             printUnaryOp(out, exec, location, it, "typeof");
+            break;
+        }
+        case op_is_empty: {
+            printUnaryOp(out, exec, location, it, "is_empty");
             break;
+        }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

-                      r200084
+                      r200102
+}
+RegisterID* BytecodeGenerator::emitIsEmpty(RegisterID* dst, RegisterID* src)
+{
+    emitOpcode(op_is_empty);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+    return dst;
+}
 RegisterID* BytecodeGenerator::emitIteratorNext(RegisterID* dst, RegisterID* iterator, const ThrowableExpressionData* node)
+{

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

r200084	r200102
627	627	RegisterID* emitIsObject(RegisterID* dst, RegisterID* src);
628	628	RegisterID* emitIsUndefined(RegisterID* dst, RegisterID* src);
	629	RegisterID* emitIsEmpty(RegisterID* dst, RegisterID* src);
629	630	void emitRequireObjectCoercible(RegisterID* value, const String& error);
630	631

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

-                      r200084
+                      r200102
         generator.emitMove(callArguments.thisRegister(), generator.newTarget());
         RegisterID* ret = generator.emitConstruct(returnValue.get(), func.get(), NoExpectedFunction, callArguments, divot(), divotStart(), divotEnd());
+        bool isConstructorKindDerived = generator.constructorKind() == ConstructorKind::Derived;
+        bool doWeUseArrowFunctionInConstructor = isConstructorKindDerived && generator.needsToUpdateArrowFunctionContext();
+        if (generator.isDerivedConstructorContext() || (doWeUseArrowFunctionInConstructor && generator.isSuperCallUsedInInnerArrowFunction()))
+            generator.emitLoadThisFromArrowFunctionLexicalEnvironment();
+        RefPtr<Label> thisIsEmptyLabel = generator.newLabel();
+        generator.emitJumpIfTrue(generator.emitIsEmpty(generator.newTemporary(), generator.thisRegister()), thisIsEmptyLabel.get());
+        generator.emitThrowReferenceError(ASCIILiteral("'super()' can't be called more than once in a constructor."));
+        generator.emitLabel(thisIsEmptyLabel.get());
         generator.emitMove(generator.thisRegister(), ret);
+        bool isConstructorKindDerived = generator.constructorKind() == ConstructorKind::Derived;
+        if (generator.isDerivedConstructorContext() || (isConstructorKindDerived && generator.needsToUpdateArrowFunctionContext()))
+        if (generator.isDerivedConstructorContext() || doWeUseArrowFunctionInConstructor)
             generator.emitPutThisToArrowFunctionContextScope();

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-                      r200096
+                      r200102
+    }
+    case IsEmpty:
     case IsArrayObject:
     case IsJSArray:
 …
                 setConstant(node, jsBoolean(child.value().isObject() && child.value().getObject()->type() == RegExpObjectType));
                 break;
+            case IsEmpty:
+                setConstant(node, jsBoolean(child.value().isEmpty()));
+                break;
             default:
                 constantWasSet = false;
 …
             break;
+        case IsEmpty: {
+            if (child.m_type && !(child.m_type & SpecEmpty)) {
+                setConstant(node, jsBoolean(false));
+                constantWasSet = true;
+                break;
+            }
+            if (child.m_type && !(child.m_type & ~SpecEmpty)) {
+                setConstant(node, jsBoolean(true));
+                constantWasSet = true;
+                break;
+            }
+            break;
+        }
         case IsUndefined:
             // FIXME: Use the masquerades-as-undefined watchpoint thingy.

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

-                      r200084
+                      r200102
             NEXT_OPCODE(op_instanceof_custom);
+        }
+        case op_is_empty: {
+            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsEmpty, value));
+            NEXT_OPCODE(op_is_empty);
+        }
         case op_is_undefined: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

r200084	r200102
133	133	case op_instanceof:
134	134	case op_instanceof_custom:
	135	case op_is_empty:
135	136	case op_is_undefined:
136	137	case op_is_boolean:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

r200084	r200102
156	156	case IsJSArray:
157	157	case IsArrayConstructor:
	158	case IsEmpty:
158	159	case IsUndefined:
159	160	case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

r200084	r200102
157	157	case IsJSArray:
158	158	case IsArrayConstructor:
	159	case IsEmpty:
159	160	case IsUndefined:
160	161	case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

r200084	r200102
1531	1531	case IsJSArray:
1532	1532	case IsArrayConstructor:
	1533	case IsEmpty:
1533	1534	case IsUndefined:
1534	1535	case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

r200084	r200102
308	308	macro(IsJSArray, NodeResultBoolean) \
309	309	macro(IsArrayConstructor, NodeResultBoolean) \
	310	macro(IsEmpty, NodeResultBoolean) \
310	311	macro(IsUndefined, NodeResultBoolean) \
311	312	macro(IsBoolean, NodeResultBoolean) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

r200034	r200102
765	765	case IsJSArray:
766	766	case IsArrayConstructor:
	767	case IsEmpty:
767	768	case IsUndefined:
768	769	case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

r200084	r200102
257	257	case IsJSArray:
258	258	case IsArrayConstructor:
	259	case IsEmpty:
259	260	case IsUndefined:
260	261	case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

-                      r200084
+                      r200102
+    }
+    case IsEmpty: {
+        JSValueOperand value(this, node->child1());
+        GPRTemporary result(this, Reuse, value, TagWord);
+        m_jit.comparePtr(JITCompiler::Equal, value.tagGPR(), TrustedImm32(JSValue::EmptyValueTag), result.gpr());
+        booleanResult(result.gpr(), node);
+        break;
+    }
     case IsUndefined: {
         JSValueOperand value(this, node->child1());

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-                      r200084
+                      r200102
         break;
+    }
+    case IsEmpty: {
+        JSValueOperand value(this, node->child1());
+        GPRTemporary result(this, Reuse, value);
+        m_jit.comparePtr(JITCompiler::Equal, value.gpr(), TrustedImm32(JSValue::encode(JSValue())), result.gpr());
+        m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
+        jsValueResult(result.gpr(), node, DataFormatJSBoolean);
+        break;
+    }
     case IsUndefined: {

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

r200084	r200102
180	180	case IsJSArray:
181	181	case IsArrayConstructor:
	182	case IsEmpty:
182	183	case IsUndefined:
183	184	case IsBoolean:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

-                      r200096
+                      r200102
         case InvalidationPoint:
             compileInvalidationPoint();
+            break;
+        case IsEmpty:
+            compileIsEmpty();
             break;
         case IsUndefined:
 …
         // When this abruptly terminates, it could read any heap location.
         patchpoint->effects.reads = HeapRange::top();
+    }
+    void compileIsEmpty()
+    {
+        setBoolean(m_out.isZero64(lowJSValue(m_node->child1())));
+    }

trunk/Source/JavaScriptCore/jit/JIT.cpp

r200084	r200102
236	236	DEFINE_OP(op_instanceof)
237	237	DEFINE_OP(op_instanceof_custom)
	238	DEFINE_OP(op_is_empty)
238	239	DEFINE_OP(op_is_undefined)
239	240	DEFINE_OP(op_is_boolean)

trunk/Source/JavaScriptCore/jit/JIT.h

r200084	r200102
512	512	void emit_op_instanceof(Instruction*);
513	513	void emit_op_instanceof_custom(Instruction*);
	514	void emit_op_is_empty(Instruction*);
514	515	void emit_op_is_undefined(Instruction*);
515	516	void emit_op_is_boolean(Instruction*);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

-                      r200084
+                      r200102
     addSlowCase(jump());
+}
+void JIT::emit_op_is_empty(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int value = currentInstruction[2].u.operand;
+    emitGetVirtualRegister(value, regT0);
+    compare64(Equal, regT0, TrustedImm32(JSValue::encode(JSValue())), regT0);
+    emitTagBool(regT0);
+    emitPutVirtualRegister(dst);
+}
 void JIT::emit_op_is_undefined(Instruction* currentInstruction)

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

-                      r200084
+                      r200102
     emitStoreBool(dst, returnValueGPR);
+}
+void JIT::emit_op_is_empty(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int value = currentInstruction[2].u.operand;
+    emitLoad(value, regT1, regT0);
+    compare32(Equal, regT1, TrustedImm32(JSValue::EmptyValueTag), regT0);
+    emitStoreBool(dst, regT0);
+}
 void JIT::emit_op_is_undefined(Instruction* currentInstruction)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

-                      r200084
+                      r200102
     callSlowPath(_llint_slow_path_instanceof_custom)
     dispatch(5)
+_llint_op_is_empty:
+    traceExecution()
+    loadi 8[PC], t1
+    loadi 4[PC], t0
+    loadConstantOrVariable(t1, t2, t3)
+    cieq t2, EmptyValueTag, t3
+    storei BooleanTag, TagOffset[cfr, t0, 8]
+    storei t3, PayloadOffset[cfr, t0, 8]
+    dispatch(3)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

-                      r200084
+                      r200102
     dispatch(5)
+_llint_op_is_empty:
+    traceExecution()
+    loadisFromInstruction(2, t1)
+    loadisFromInstruction(1, t2)
+    loadConstantOrVariable(t1, t0)
+    cqeq t0, ValueEmpty, t3
+    orq ValueFalse, t3
+    storeq t3, [cfr, t2, 8]
+    dispatch(3)
 _llint_op_is_undefined:
     traceExecution()

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 200102 in webkit

Legend:

Download in other formats: