Changeset 91095 in webkit

Timestamp:

Jul 15, 2011 12:51:49 PM (13 years ago)

Author:

barraclough@apple.com

Message:

​https://bugs.webkit.org/show_bug.cgi?id=64250
Global strict mode function leaking global object as "this".

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

The root problem here is that we pass the wrong values into
calls, and then try to fix them up in the callee. Correct
behaviour per the spec is to pass in the value undefined,
as this unless either (1) the function call is based on an
explicit property access or (2) the base of the call comes
directly from a 'with'.

This change does away with the need for this conversion of
objects (non strict code should only box primitives), and
does away with all this conversion for strict functions.

This patch may have web compatibility ramifications, and may
require some advocacy.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dump):

• Removed op_convert_this_strict, added op_resolve_with_this.

• bytecode/Opcode.h:
  • Removed op_convert_this_strict, added op_resolve_with_this.
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitResolveWithThis):

• Removed op_convert_this_strict, added op_resolve_with_this.

• bytecompiler/BytecodeGenerator.h:
  • Removed op_convert_this_strict, added op_resolve_with_this.
• bytecompiler/NodesCodegen.cpp:

(JSC::EvalFunctionCallNode::emitBytecode):
(JSC::FunctionCallResolveNode::emitBytecode):

• Removed op_convert_this_strict, added op_resolve_with_this.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).

• interpreter/Interpreter.cpp:

(JSC::Interpreter::resolveThisAndProperty):

• Based on resolveBaseAndProperty, but produce correct this value.

(JSC::Interpreter::privateExecute):

• Removed op_convert_this_strict, added op_resolve_with_this.

• interpreter/Interpreter.h:
• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• Removed op_convert_this_strict, added op_resolve_with_this.

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_resolve_with_this):

• Removed op_convert_this_strict, added op_resolve_with_this.

(JSC::JIT::emit_op_convert_this):
(JSC::JIT::emitSlow_op_convert_this):

• Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_resolve_with_this):

• Removed op_convert_this_strict, added op_resolve_with_this.

(JSC::JIT::emit_op_convert_this):
(JSC::JIT::emitSlow_op_convert_this):

• Change NeedsThisConversion check to test for JSString's vptr (objects no longer need conversion).

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• Removed op_convert_this_strict, added op_resolve_with_this.

• jit/JITStubs.h:
  • Removed op_convert_this_strict, added op_resolve_with_this.
• runtime/JSActivation.h:
  • removed NeedsThisConversion flag, added IsEnvironmentRecord.
• runtime/JSStaticScopeObject.h:
  • removed NeedsThisConversion flag, added IsEnvironmentRecord.
• runtime/JSString.h:

(JSC::RopeBuilder::createStructure):

• removed NeedsThisConversion.

• runtime/JSTypeInfo.h:

(JSC::TypeInfo::isEnvironmentRecord):
(JSC::TypeInfo::overridesHasInstance):

• removed NeedsThisConversion flag, added IsEnvironmentRecord.

• runtime/JSValue.h:
  • removed NeedsThisConversion.
• runtime/JSVariableObject.h:
  • Corrected StructureFlags inheritance.
• runtime/StrictEvalActivation.h:

(JSC::StrictEvalActivation::createStructure):

• Added IsEnvironmentRecord to StructureFlags, addded createStructure.

• runtime/Structure.h:
  • removed NeedsThisConversion.
• tests/mozilla/ecma/String/15.5.4.6-2.js:

(getTestCases):

• Removed invalid test case.

Source/WebCore:

• bindings/js/JSMainThreadExecState.h:

(WebCore::JSMainThreadExecState::call):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• Change call to pass DOM Window shell, instead of the global varaible object.

Source/WebKit/mac:

• Plugins/Hosted/NetscapePluginInstanceProxy.mm:

(WebKit::NetscapePluginInstanceProxy::invoke):
(WebKit::NetscapePluginInstanceProxy::invokeDefault):

• Change call to pass DOM Window shell, instead of the global varaible object.

Source/WebKit2:

• WebProcess/Plugins/Netscape/NPJSObject.cpp:

(WebKit::NPJSObject::invoke):

• Change call to pass DOM Window shell, instead of the global varaible object.

LayoutTests:

Add test case / update test results.

• fast/js/call-base-resolution-expected.txt: Added.
• fast/js/call-base-resolution.html: Added.
  • Add test for ES5 correct this value resolution in calls.
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.4_String.prototype.charAt/S15.5.4.4_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.5_String.prototype.charCodeAt/S15.5.4.5_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
• sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:
  • Check in failing results for these tests - these tests were asserting incorrect behaviour, and have since been fixed in test-262, see ​https://bugs.ecmascript.org/show_bug.cgi?id=117

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/call-base-resolution-expected.txt (added)
• LayoutTests/fast/js/call-base-resolution.html (added)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.4_String.prototype.charAt/S15.5.4.4_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.5_String.prototype.charCodeAt/S15.5.4.5_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt (modified) (1 diff)
• LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/Opcode.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (8 diffs)
• Source/JavaScriptCore/interpreter/Interpreter.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITStubs.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITStubs.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CallData.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Completion.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSActivation.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSStaticScopeObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSString.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSValue.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSVariableObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/PropertySlot.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/StrictEvalActivation.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.h (modified) (1 diff)
• Source/JavaScriptCore/tests/mozilla/ecma/String/15.5.4.6-2.js (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/WebCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/WebCore/bindings/js/JSMainThreadExecState.h (modified) (1 diff)
• Source/WebCore/bindings/scripts/CodeGeneratorJS.pm (modified) (1 diff)
• Source/WebKit/mac/ChangeLog (modified) (1 diff)
• Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm (modified) (2 diffs)
• Source/WebKit2/ChangeLog (modified) (1 diff)
• Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-07-14  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64250
+        Global strict mode function leaking global object as "this".
+
+        Reviewed by Oliver Hunt.
+
+        Add test case / update test results.
+
+        * fast/js/call-base-resolution-expected.txt: Added.
+        * fast/js/call-base-resolution.html: Added.
+            - Add test for ES5 correct this value resolution in calls.
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.4_String.prototype.charAt/S15.5.4.4_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.5_String.prototype.charCodeAt/S15.5.4.5_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt:
+        * sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt:
+            - Check in failing results for these tests - these tests were asserting incorrect behaviour,
+              and have since been fixed in test-262, see https://bugs.ecmascript.org/show_bug.cgi?id=117
+
 2011-07-15  Stephen White  <senorblanco@chromium.org>
 

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.10_String.prototype.match/S15.5.4.10_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.10_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.12_String.prototype.search/S15.5.4.12_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.12_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.13_String.prototype.slice/S15.5.4.13_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.13_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.14_String.prototype.split/S15.5.4.14_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.14_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.15_String.prototype.substring/S15.5.4.15_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.15_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.4_String.prototype.charAt/S15.5.4.4_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.4_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.5_String.prototype.charCodeAt/S15.5.4.5_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.5_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.6_String.prototype.concat/S15.5.4.6_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.6_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.7_String.prototype.indexOf/S15.5.4.7_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.7_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/LayoutTests/sputnik/Conformance/15_Native_Objects/15.5_String/15.5.4/15.5.4.8_String.prototype.lastIndexOf/S15.5.4.8_A1_T3-expected.txt

@@ -1 +1 @@
 S15.5.4.8_A1_T3
 
-PASS 
+FAIL TypeError: Type error
 
 TEST COMPLETE

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-14  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64250
+        Global strict mode function leaking global object as "this".
+
+        Reviewed by Oliver Hunt.
+
+        The root problem here is that we pass the wrong values into
+        calls, and then try to fix them up in the callee. Correct
+        behaviour per the spec is to pass in the value undefined,
+        as this unless either (1) the function call is based on an
+        explicit property access or (2) the base of the call comes
+        directly from a 'with'.
+
+        This change does away with the need for this conversion of
+        objects (non strict code should only box primitives), and
+        does away with all this conversion for strict functions.
+
+        This patch may have web compatibility ramifications, and may
+        require some advocacy.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dump):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * bytecode/Opcode.h:
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::emitResolveWithThis):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * bytecompiler/BytecodeGenerator.h:
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::EvalFunctionCallNode::emitBytecode):
+        (JSC::FunctionCallResolveNode::emitBytecode):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+            - Change NeedsThisConversion check to test for JSString's vptr
+              (objects no longer need conversion).
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::resolveThisAndProperty):
+            - Based on resolveBaseAndProperty, but produce correct this value.
+        (JSC::Interpreter::privateExecute):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * interpreter/Interpreter.h:
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_resolve_with_this):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        (JSC::JIT::emit_op_convert_this):
+        (JSC::JIT::emitSlow_op_convert_this):
+            - Change NeedsThisConversion check to test for JSString's vptr
+              (objects no longer need conversion).
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_resolve_with_this):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        (JSC::JIT::emit_op_convert_this):
+        (JSC::JIT::emitSlow_op_convert_this):
+            - Change NeedsThisConversion check to test for JSString's vptr
+              (objects no longer need conversion).
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * jit/JITStubs.h:
+            - Removed op_convert_this_strict, added op_resolve_with_this.
+        * runtime/JSActivation.h:
+            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
+        * runtime/JSStaticScopeObject.h:
+            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
+        * runtime/JSString.h:
+        (JSC::RopeBuilder::createStructure):
+            - removed NeedsThisConversion.
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::isEnvironmentRecord):
+        (JSC::TypeInfo::overridesHasInstance):
+            - removed NeedsThisConversion flag, added IsEnvironmentRecord.
+        * runtime/JSValue.h:
+            - removed NeedsThisConversion.
+        * runtime/JSVariableObject.h:
+            - Corrected StructureFlags inheritance.
+        * runtime/StrictEvalActivation.h:
+        (JSC::StrictEvalActivation::createStructure):
+            - Added IsEnvironmentRecord to StructureFlags, addded createStructure.
+        * runtime/Structure.h:
+            - removed NeedsThisConversion.
+        * tests/mozilla/ecma/String/15.5.4.6-2.js:
+        (getTestCases):
+            - Removed invalid test case.
+
 2011-07-15  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -523 +523 @@
             break;
         }
-        case op_convert_this_strict: {
-            int r0 = (++it)->u.operand;
-            printf("[%4d] convert_this_strict %s\n", location, registerName(exec, r0).data());
-            break;
-        }
         case op_new_object: {
             int r0 = (++it)->u.operand;
@@ -802 +797 @@
             int id0 = (++it)->u.operand;
             printf("[%4d] resolve_with_base %s, %s, %s\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), idName(id0, m_identifiers[id0]).data());
+            break;
+        }
+        case op_resolve_with_this: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int id0 = (++it)->u.operand;
+            printf("[%4d] resolve_with_this %s, %s, %s\n", location, registerName(exec, r0).data(), registerName(exec, r1).data(), idName(id0, m_identifiers[id0]).data());
             break;
         }

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -46 +46 @@
         macro(op_get_callee, 2) \
         macro(op_convert_this, 2) \
-        macro(op_convert_this_strict, 2) \
         \
         macro(op_new_object, 2) \
@@ -108 +107 @@
         macro(op_ensure_property_exists, 3) \
         macro(op_resolve_with_base, 4) \
+        macro(op_resolve_with_this, 4) \
         macro(op_get_by_id, 8) \
         macro(op_get_by_id_self, 8) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -415 +415 @@
         instructions().append(funcProto->index());
     } else if (functionBody->usesThis() || m_shouldEmitDebugHooks) {
-        if (codeBlock->isStrictMode())
-            emitOpcode(op_convert_this_strict);
-        else
+        if (!codeBlock->isStrictMode()) {
             emitOpcode(op_convert_this);
-        instructions().append(m_thisRegister.index());
+            instructions().append(m_thisRegister.index());
+        }
     }
 }
@@ -1416 +1415 @@
 }
 
+RegisterID* BytecodeGenerator::emitResolveWithThis(RegisterID* baseDst, RegisterID* propDst, const Identifier& property)
+{
+    size_t depth = 0;
+    int index = 0;
+    JSObject* globalObject = 0;
+    bool requiresDynamicChecks = false;
+    if (!findScopedProperty(property, index, depth, false, requiresDynamicChecks, globalObject) || !globalObject || requiresDynamicChecks) {
+        // We can't optimise at all :-(
+        emitOpcode(op_resolve_with_this);
+        instructions().append(baseDst->index());
+        instructions().append(propDst->index());
+        instructions().append(addConstant(property));
+        return baseDst;
+    }
+
+    bool forceGlobalResolve = false;
+
+    // Global object is the base
+    emitLoad(baseDst, jsUndefined());
+
+    if (index != missingSymbolMarker() && !forceGlobalResolve) {
+        // Directly index the property lookup across multiple scopes.
+        emitGetScopedVar(propDst, depth, index, globalObject);
+        return baseDst;
+    }
+    if (shouldAvoidResolveGlobal()) {
+        emitOpcode(op_resolve);
+        instructions().append(propDst->index());
+        instructions().append(addConstant(property));
+        return baseDst;
+    }
+#if ENABLE(JIT)
+    m_codeBlock->addGlobalResolveInfo(instructions().size());
+#endif
+#if ENABLE(INTERPRETER)
+    m_codeBlock->addGlobalResolveInstruction(instructions().size());
+#endif
+    emitOpcode(requiresDynamicChecks ? op_resolve_global_dynamic : op_resolve_global);
+    instructions().append(propDst->index());
+    instructions().append(addConstant(property));
+    instructions().append(0);
+    instructions().append(0);
+    if (requiresDynamicChecks)
+        instructions().append(depth);
+    return baseDst;
+}
+
 void BytecodeGenerator::emitMethodCheck()
 {

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -314 +314 @@
         RegisterID* emitResolveBaseForPut(RegisterID* dst, const Identifier& property);
         RegisterID* emitResolveWithBase(RegisterID* baseDst, RegisterID* propDst, const Identifier& property);
+        RegisterID* emitResolveWithThis(RegisterID* baseDst, RegisterID* propDst, const Identifier& property);
 
         void emitMethodCheck();

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -336 +336 @@
     CallArguments callArguments(generator, m_args);
     generator.emitExpressionInfo(divot() - startOffset() + 4, 4, 0);
-    generator.emitResolveWithBase(callArguments.thisRegister(), func.get(), generator.propertyNames().eval);
+    generator.emitResolveWithThis(callArguments.thisRegister(), func.get(), generator.propertyNames().eval);
     return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), callArguments, divot(), startOffset(), endOffset());
 }
@@ -375 +375 @@
     int identifierStart = divot() - startOffset();
     generator.emitExpressionInfo(identifierStart + m_ident.length(), m_ident.length(), 0);
-    generator.emitResolveWithBase(callArguments.thisRegister(), func.get(), m_ident);
+    generator.emitResolveWithThis(callArguments.thisRegister(), func.get(), m_ident);
     return generator.emitCall(generator.finalDestinationOrIgnored(dst, func.get()), func.get(), callArguments, divot(), startOffset(), endOffset());
 }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -976 +976 @@
     case ConvertThis: {
         SpeculateCellOperand thisValue(this, node.child1());
-        GPRTemporary temp(this);
-
-        m_jit.loadPtr(JITCompiler::Address(thisValue.gpr(), JSCell::structureOffset()), temp.gpr());
-        speculationCheck(m_jit.branchTest8(JITCompiler::NonZero, JITCompiler::Address(temp.gpr(), Structure::typeInfoFlagsOffset()), JITCompiler::TrustedImm32(NeedsThisConversion)));
+
+        speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
 
         cellResult(thisValue.gpr(), m_compileIndex);

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -322 +322 @@
 }
 
+NEVER_INLINE bool Interpreter::resolveThisAndProperty(CallFrame* callFrame, Instruction* vPC, JSValue& exceptionValue)
+{
+    int thisDst = vPC[1].u.operand;
+    int propDst = vPC[2].u.operand;
+    int property = vPC[3].u.operand;
+
+    ScopeChainNode* scopeChain = callFrame->scopeChain();
+    ScopeChainIterator iter = scopeChain->begin();
+    ScopeChainIterator end = scopeChain->end();
+
+    // FIXME: add scopeDepthIsZero optimization
+
+    ASSERT(iter != end);
+
+    CodeBlock* codeBlock = callFrame->codeBlock();
+    Identifier& ident = codeBlock->identifier(property);
+    JSObject* base;
+    do {
+        base = iter->get();
+        ++iter;
+        PropertySlot slot(base);
+        if (base->getPropertySlot(callFrame, ident, slot)) {
+            JSValue result = slot.getValue(callFrame, ident);
+            exceptionValue = callFrame->globalData().exception;
+            if (exceptionValue)
+                return false;
+            callFrame->uncheckedR(propDst) = JSValue(result);
+            // All entries on the scope chain should be EnvironmentRecords (activations etc),
+            // other then 'with' object, which are directly referenced from the scope chain,
+            // and the global object. If we hit either an EnvironmentRecord or a global
+            // object at the end of the scope chain, this is undefined. If we hit a non-
+            // EnvironmentRecord within the scope chain, pass the base as the this value.
+            if (iter == end || base->structure()->typeInfo().isEnvironmentRecord())
+                callFrame->uncheckedR(thisDst) = jsUndefined();
+            else
+                callFrame->uncheckedR(thisDst) = JSValue(base);
+            return true;
+        }
+    } while (iter != end);
+
+    exceptionValue = createUndefinedVariableError(callFrame, ident);
+    return false;
+}
+
 #endif // ENABLE(INTERPRETER)
 
@@ -410 +454 @@
         return throwError(callFrame, exceptionValue);
 
-    return callFrame->globalData().interpreter->execute(eval, callFrame, callFrame->uncheckedR(codeBlock->thisRegister()).jsValue().toThisObject(callFrame), callFrame->registers() - registerFile->begin() + registerOffset, scopeChain);
+    JSValue thisValue = callFrame->uncheckedR(codeBlock->thisRegister()).jsValue();
+    ASSERT(isValidThisObject(thisValue, callFrame));
+    return callFrame->globalData().interpreter->execute(eval, callFrame, thisValue, callFrame->registers() - registerFile->begin() + registerOffset, scopeChain);
 }
 
@@ -719 +765 @@
 JSValue Interpreter::execute(ProgramExecutable* program, CallFrame* callFrame, ScopeChainNode* scopeChain, JSObject* thisObj)
 {
+    ASSERT(isValidThisObject(thisObj, callFrame));
     ASSERT(!scopeChain->globalData->exception);
     ASSERT(!callFrame->globalData().isCollectorBusy());
@@ -844 +891 @@
 JSValue Interpreter::executeCall(CallFrame* callFrame, JSObject* function, CallType callType, const CallData& callData, JSValue thisValue, const ArgList& args)
 {
+    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!callFrame->hadException());
     ASSERT(!callFrame->globalData().isCollectorBusy());
@@ -1119 +1167 @@
 }
 
-JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSObject* thisObj, ScopeChainNode* scopeChain)
+JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSValue thisValue, ScopeChainNode* scopeChain)
 {
     JSObject* compileError = eval->compile(callFrame, scopeChain);
     if (UNLIKELY(!!compileError))
         return checkedReturn(throwError(callFrame, compileError));
-    return execute(eval, callFrame, thisObj, m_registerFile.size() + eval->generatedBytecode().m_numParameters + RegisterFile::CallFrameHeaderSize, scopeChain);
+    return execute(eval, callFrame, thisValue, m_registerFile.size() + eval->generatedBytecode().m_numParameters + RegisterFile::CallFrameHeaderSize, scopeChain);
 }
 
-JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSObject* thisObj, int globalRegisterOffset, ScopeChainNode* scopeChain)
+JSValue Interpreter::execute(EvalExecutable* eval, CallFrame* callFrame, JSValue thisValue, int globalRegisterOffset, ScopeChainNode* scopeChain)
 {
+    ASSERT(isValidThisObject(thisValue, callFrame));
     ASSERT(!scopeChain->globalData->exception);
     ASSERT(!callFrame->globalData().isCollectorBusy());
@@ -1192 +1241 @@
     ASSERT(codeBlock->m_numParameters == 1); // 1 parameter for 'this'.
     newCallFrame->init(codeBlock, 0, scopeChain, callFrame->addHostCallFrameFlag(), codeBlock->m_numParameters, 0);
-    newCallFrame->uncheckedR(newCallFrame->hostThisRegister()) = JSValue(thisObj);
+    newCallFrame->uncheckedR(newCallFrame->hostThisRegister()) = thisValue.toThisObject(newCallFrame);
 
     Profiler** profiler = Profiler::enabledProfilerReference();
@@ -2603 +2652 @@
 
         vPC += OPCODE_LENGTH(op_resolve_with_base);
+        NEXT_INSTRUCTION();
+    }
+    DEFINE_OPCODE(op_resolve_with_this) {
+        /* resolve_with_this thisDst(r) propDst(r) property(id)
+
+           Searches the scope chain for an object containing
+           identifier property, and if one is found, writes the
+           retrieved property value to register propDst, and the
+           this object to pass in a call to thisDst.
+
+           If the property is not found, raises an exception.
+        */
+        if (UNLIKELY(!resolveThisAndProperty(callFrame, vPC, exceptionValue)))
+            goto vm_throw;
+
+        vPC += OPCODE_LENGTH(op_resolve_with_this);
         NEXT_INSTRUCTION();
     }
@@ -4557 +4622 @@
         int thisRegister = vPC[1].u.operand;
         JSValue thisVal = callFrame->r(thisRegister).jsValue();
-        if (thisVal.needsThisConversion())
+        if (!thisVal.isCell() || thisVal.isString())
             callFrame->uncheckedR(thisRegister) = JSValue(thisVal.toThisObject(callFrame));
 
         vPC += OPCODE_LENGTH(op_convert_this);
-        NEXT_INSTRUCTION();
-    }
-    DEFINE_OPCODE(op_convert_this_strict) {
-        /* convert_this_strict this(r)
-         
-         Takes the value in the 'this' register, and converts it to
-         its "this" form if (and only if) "this" is an object with a
-         custom this conversion
-         
-         This opcode should only be used at the beginning of a code
-         block.
-         */
-        
-        int thisRegister = vPC[1].u.operand;
-        JSValue thisVal = callFrame->r(thisRegister).jsValue();
-        if (thisVal.isObject() && thisVal.needsThisConversion())
-            callFrame->uncheckedR(thisRegister) = JSValue(thisVal.toStrictThisObject(callFrame));
-        
-        vPC += OPCODE_LENGTH(op_convert_this_strict);
         NEXT_INSTRUCTION();
     }

trunk/Source/JavaScriptCore/interpreter/Interpreter.h

@@ -98 +98 @@
         JSValue executeCall(CallFrame*, JSObject* function, CallType, const CallData&, JSValue thisValue, const ArgList&);
         JSObject* executeConstruct(CallFrame*, JSObject* function, ConstructType, const ConstructData&, const ArgList&);
-        JSValue execute(EvalExecutable* evalNode, CallFrame* exec, JSObject* thisObj, ScopeChainNode* scopeChain);
+        JSValue execute(EvalExecutable* evalNode, CallFrame*, JSValue thisValue, ScopeChainNode*);
 
         JSValue retrieveArguments(CallFrame*, JSFunction*) const;
@@ -122 +122 @@
         JSValue execute(CallFrameClosure&);
 
-        JSValue execute(EvalExecutable*, CallFrame*, JSObject* thisObject, int globalRegisterOffset, ScopeChainNode*);
+        JSValue execute(EvalExecutable*, CallFrame*, JSValue thisValue, int globalRegisterOffset, ScopeChainNode*);
 
 #if ENABLE(INTERPRETER)
@@ -131 +131 @@
         NEVER_INLINE void resolveBase(CallFrame*, Instruction* vPC);
         NEVER_INLINE bool resolveBaseAndProperty(CallFrame*, Instruction*, JSValue& exceptionValue);
+        NEVER_INLINE bool resolveThisAndProperty(CallFrame*, Instruction*, JSValue& exceptionValue);
         NEVER_INLINE ScopeChainNode* createExceptionScope(CallFrame*, const Instruction* vPC);
 
@@ -165 +166 @@
 #endif
     };
-    
+
+    // This value must not be an object that would require this conversion (WebCore's global object).
+    inline bool isValidThisObject(JSValue thisValue, ExecState* exec)
+    {
+        return !thisValue.isObject() || thisValue.toThisObject(exec) == thisValue;
+    }
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -224 +224 @@
         DEFINE_OP(op_create_this)
         DEFINE_OP(op_convert_this)
-        DEFINE_OP(op_convert_this_strict)
         DEFINE_OP(op_init_lazy_reg)
         DEFINE_OP(op_create_arguments)
@@ -311 +310 @@
         DEFINE_OP(op_resolve_skip)
         DEFINE_OP(op_resolve_with_base)
+        DEFINE_OP(op_resolve_with_this)
         DEFINE_OP(op_ret)
         DEFINE_OP(op_call_put_result)
@@ -402 +402 @@
         DEFINE_SLOWCASE_OP(op_construct)
         DEFINE_SLOWCASE_OP(op_convert_this)
-        DEFINE_SLOWCASE_OP(op_convert_this_strict)
         DEFINE_SLOWCASE_OP(op_div)
         DEFINE_SLOWCASE_OP(op_eq)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -737 +737 @@
         void emit_op_create_this(Instruction*);
         void emit_op_convert_this(Instruction*);
-        void emit_op_convert_this_strict(Instruction*);
         void emit_op_create_arguments(Instruction*);
         void emit_op_debug(Instruction*);
@@ -822 +821 @@
         void emit_op_resolve_skip(Instruction*);
         void emit_op_resolve_with_base(Instruction*);
+        void emit_op_resolve_with_this(Instruction*);
         void emit_op_ret(Instruction*);
         void emit_op_ret_object_or_this(Instruction*);
@@ -854 +854 @@
         void emitSlow_op_construct(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_convert_this(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_convert_this_strict(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_div(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_eq(Instruction*, Vector<SlowCaseEntry>::iterator&);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -709 +709 @@
 }
 
+void JIT::emit_op_resolve_with_this(Instruction* currentInstruction)
+{
+    JITStubCall stubCall(this, cti_op_resolve_with_this);
+    stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[3].u.operand)));
+    stubCall.addArgument(Imm32(currentInstruction[1].u.operand));
+    stubCall.call(currentInstruction[2].u.operand);
+}
+
 void JIT::emit_op_new_func_exp(Instruction* currentInstruction)
 {
@@ -1137 +1145 @@
 
     emitJumpSlowCaseIfNotJSCell(regT0);
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    addSlowCase(branchTest8(NonZero, Address(regT1, Structure::typeInfoFlagsOffset()), TrustedImm32(NeedsThisConversion)));
-}
-
-void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
-{
-    emitGetVirtualRegister(currentInstruction[1].u.operand, regT0);
-    Jump notNull = branchTestPtr(NonZero, regT0);
-    move(TrustedImmPtr(JSValue::encode(jsNull())), regT0);
-    emitPutVirtualRegister(currentInstruction[1].u.operand, regT0);
-    Jump setThis = jump();
-    notNull.link(this);
-    Jump isImmediate = emitJumpIfNotJSCell(regT0);
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT1);
-    Jump notAnObject = branch8(NotEqual, Address(regT1, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType));
-    addSlowCase(branchTest8(NonZero, Address(regT1, Structure::typeInfoFlagsOffset()), TrustedImm32(NeedsThisConversion)));
-    isImmediate.link(this);
-    notAnObject.link(this);
-    setThis.link(this);
+    addSlowCase(branchPtr(Equal, Address(regT0), TrustedImmPtr(m_globalData->jsStringVPtr)));
 }
 
@@ -1200 +1190 @@
 void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
-    linkSlowCase(iter);
+    void* globalThis = m_codeBlock->globalObject()->globalScopeChain()->globalThis.get();
+
+    linkSlowCase(iter);
+    Jump isNotUndefined = branchPtr(NotEqual, regT0, TrustedImmPtr(JSValue::encode(jsUndefined())));
+    move(TrustedImmPtr(globalThis), regT0);
+    emitPutVirtualRegister(currentInstruction[1].u.operand, regT0);
+    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
+
+    isNotUndefined.link(this);
     linkSlowCase(iter);
     JITStubCall stubCall(this, cti_op_convert_this);
-    stubCall.addArgument(regT0);
-    stubCall.call(currentInstruction[1].u.operand);
-}
-
-void JIT::emitSlow_op_convert_this_strict(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    linkSlowCase(iter);
-    JITStubCall stubCall(this, cti_op_convert_this_strict);
     stubCall.addArgument(regT0);
     stubCall.call(currentInstruction[1].u.operand);

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1103 +1103 @@
 }
 
+void JIT::emit_op_resolve_with_this(Instruction* currentInstruction)
+{
+    JITStubCall stubCall(this, cti_op_resolve_with_this);
+    stubCall.addArgument(TrustedImmPtr(&m_codeBlock->identifier(currentInstruction[3].u.operand)));
+    stubCall.addArgument(Imm32(currentInstruction[1].u.operand));
+    stubCall.call(currentInstruction[2].u.operand);
+}
+
 void JIT::emit_op_new_func_exp(Instruction* currentInstruction)
 {
@@ -1445 +1453 @@
 
     addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
-
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    addSlowCase(branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(NeedsThisConversion)));
+    addSlowCase(branchPtr(Equal, Address(regT0), TrustedImmPtr(m_globalData->jsStringVPtr)));
 
     map(m_bytecodeOffset + OPCODE_LENGTH(op_convert_this), thisRegister, regT1, regT0);
 }
 
-void JIT::emit_op_convert_this_strict(Instruction* currentInstruction)
-{
+void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    void* globalThis = m_codeBlock->globalObject()->globalScopeChain()->globalThis.get();
     unsigned thisRegister = currentInstruction[1].u.operand;
-    
-    emitLoad(thisRegister, regT1, regT0);
-    
-    Jump notNull = branch32(NotEqual, regT1, TrustedImm32(JSValue::EmptyValueTag));
-    emitStore(thisRegister, jsNull());
-    Jump setThis = jump();
-    notNull.link(this);
-    Jump isImmediate = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
-    loadPtr(Address(regT0, JSCell::structureOffset()), regT2);
-    Jump notAnObject = branch8(NotEqual, Address(regT2, Structure::typeInfoTypeOffset()), TrustedImm32(ObjectType));
-    addSlowCase(branchTest8(NonZero, Address(regT2, Structure::typeInfoFlagsOffset()), TrustedImm32(NeedsThisConversion)));
-    isImmediate.link(this);
-    notAnObject.link(this);
-    setThis.link(this);
-    map(m_bytecodeOffset + OPCODE_LENGTH(op_convert_this_strict), thisRegister, regT1, regT0);
-}
-
-void JIT::emitSlow_op_convert_this(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    unsigned thisRegister = currentInstruction[1].u.operand;
-
-    linkSlowCase(iter);
-    linkSlowCase(iter);
-
+
+    linkSlowCase(iter);
+    Jump isNotUndefined = branch32(NotEqual, regT1, TrustedImm32(JSValue::UndefinedTag));
+    move(TrustedImmPtr(globalThis), regT0);
+    move(TrustedImm32(JSValue::CellTag), regT1);
+    emitStore(thisRegister, regT1, regT0);
+    emitJumpSlowToHot(jump(), OPCODE_LENGTH(op_convert_this));
+
+    isNotUndefined.link(this);
+    linkSlowCase(iter);
     JITStubCall stubCall(this, cti_op_convert_this);
-    stubCall.addArgument(regT1, regT0);
-    stubCall.call(thisRegister);
-}
-
-void JIT::emitSlow_op_convert_this_strict(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    unsigned thisRegister = currentInstruction[1].u.operand;
-    
-    linkSlowCase(iter);
-    
-    JITStubCall stubCall(this, cti_op_convert_this_strict);
     stubCall.addArgument(regT1, regT0);
     stubCall.call(thisRegister);

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -1281 +1281 @@
     CallFrame* callFrame = stackFrame.callFrame;
 
+    ASSERT(!v1.isCell() || v1.isString());
+
     JSObject* result = v1.toThisObject(callFrame);
-    CHECK_FOR_EXCEPTION_AT_END();
-    return JSValue::encode(result);
-}
-
-DEFINE_STUB_FUNCTION(EncodedJSValue, op_convert_this_strict)
-{
-    STUB_INIT_STACK_FRAME(stackFrame);
-    
-    JSValue v1 = stackFrame.args[0].jsValue();
-    CallFrame* callFrame = stackFrame.callFrame;
-    ASSERT(v1.asCell()->structure()->typeInfo().needsThisConversion());
-    JSValue result = v1.toStrictThisObject(callFrame);
     CHECK_FOR_EXCEPTION_AT_END();
     return JSValue::encode(result);
@@ -3037 +3027 @@
 }
 
+DEFINE_STUB_FUNCTION(EncodedJSValue, op_resolve_with_this)
+{
+    STUB_INIT_STACK_FRAME(stackFrame);
+
+    CallFrame* callFrame = stackFrame.callFrame;
+    ScopeChainNode* scopeChain = callFrame->scopeChain();
+
+    ScopeChainIterator iter = scopeChain->begin();
+    ScopeChainIterator end = scopeChain->end();
+
+    // FIXME: add scopeDepthIsZero optimization
+
+    ASSERT(iter != end);
+
+    Identifier& ident = stackFrame.args[0].identifier();
+    JSObject* base;
+    do {
+        base = iter->get();
+        ++iter;
+        PropertySlot slot(base);
+        if (base->getPropertySlot(callFrame, ident, slot)) {
+            JSValue result = slot.getValue(callFrame, ident);
+            CHECK_FOR_EXCEPTION_AT_END();
+
+            // All entries on the scope chain should be EnvironmentRecords (activations etc),
+            // other then 'with' object, which are directly referenced from the scope chain,
+            // and the global object. If we hit either an EnvironmentRecord or a global
+            // object at the end of the scope chain, this is undefined. If we hit a non-
+            // EnvironmentRecord within the scope chain, pass the base as the this value.
+            if (iter == end || base->structure()->typeInfo().isEnvironmentRecord())
+                callFrame->registers()[stackFrame.args[1].int32()] = jsUndefined();
+            else
+                callFrame->registers()[stackFrame.args[1].int32()] = JSValue(base);
+            return JSValue::encode(result);
+        }
+    } while (iter != end);
+
+    stackFrame.globalData->exception = createUndefinedVariableError(callFrame, ident);
+    VM_THROW_EXCEPTION_AT_END();
+    return JSValue::encode(JSValue());
+}
+
 DEFINE_STUB_FUNCTION(JSObject*, op_new_func_exp)
 {

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -323 +323 @@
     EncodedJSValue JIT_STUB cti_op_create_this(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_convert_this(STUB_ARGS_DECLARATION);
-    EncodedJSValue JIT_STUB cti_op_convert_this_strict(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_create_arguments(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_create_arguments_no_params(STUB_ARGS_DECLARATION);
@@ -373 +372 @@
     EncodedJSValue JIT_STUB cti_op_resolve_skip(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_resolve_with_base(STUB_ARGS_DECLARATION);
+    EncodedJSValue JIT_STUB cti_op_resolve_with_this(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_rshift(STUB_ARGS_DECLARATION);
     EncodedJSValue JIT_STUB cti_op_strcat(STUB_ARGS_DECLARATION);

trunk/Source/JavaScriptCore/runtime/CallData.cpp

@@ -36 +36 @@
 {
     ASSERT(callType == CallTypeJS || callType == CallTypeHost);
+    ASSERT(isValidThisObject(thisValue, exec));
     return exec->interpreter()->executeCall(exec, asObject(functionObject), callType, callData, thisValue, args);
 }

trunk/Source/JavaScriptCore/runtime/Completion.cpp

@@ -60 +60 @@
     }
 
-    JSObject* thisObj = (!thisValue || thisValue.isUndefinedOrNull()) ? exec->dynamicGlobalObject() : thisValue.toObject(exec);
+    if (!thisValue || thisValue.isUndefinedOrNull())
+        thisValue = exec->dynamicGlobalObject();
+    JSObject* thisObj = thisValue.toThisObject(exec);
 
     JSValue result = exec->interpreter()->execute(program, exec, scopeChain, thisObj);

trunk/Source/JavaScriptCore/runtime/JSActivation.h

@@ -70 +70 @@
 
     protected:
-        static const unsigned StructureFlags = OverridesGetOwnPropertySlot | NeedsThisConversion | OverridesVisitChildren | OverridesGetPropertyNames | JSVariableObject::StructureFlags;
+        static const unsigned StructureFlags = IsEnvironmentRecord | OverridesGetOwnPropertySlot | OverridesVisitChildren | OverridesGetPropertyNames | JSVariableObject::StructureFlags;
 
     private:

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -148 +148 @@
                 MarkedArgumentBuffer args;
                 args.append(value);
-                call(exec, setterFunc, callType, callData, this, args);
+
+                // If this is WebCore's global object then we need to substitute the shell.
+                call(exec, setterFunc, callType, callData, this->toThisObject(exec), args);
                 return;
             }

trunk/Source/JavaScriptCore/runtime/JSStaticScopeObject.h

@@ -51 +51 @@
 
     protected:
-        static const unsigned StructureFlags = OverridesGetOwnPropertySlot | NeedsThisConversion | OverridesVisitChildren | OverridesGetPropertyNames | JSVariableObject::StructureFlags;
+        static const unsigned StructureFlags = IsEnvironmentRecord | OverridesGetOwnPropertySlot | OverridesVisitChildren | OverridesGetPropertyNames | JSVariableObject::StructureFlags;
 
     private:

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -329 +329 @@
         static Structure* createStructure(JSGlobalData& globalData, JSValue proto)
         {
-            return Structure::create(globalData, proto, TypeInfo(StringType, OverridesGetOwnPropertySlot | NeedsThisConversion), AnonymousSlotCount, &s_info);
+            return Structure::create(globalData, proto, TypeInfo(StringType, OverridesGetOwnPropertySlot), AnonymousSlotCount, &s_info);
         }
         

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -39 +39 @@
     static const unsigned OverridesHasInstance = 1 << 2;
     static const unsigned ImplementsDefaultHasInstance = 1 << 3;
-    static const unsigned NeedsThisConversion = 1 << 4;
+    static const unsigned IsEnvironmentRecord = 1 << 4;
     static const unsigned OverridesGetOwnPropertySlot = 1 << 5;
     static const unsigned OverridesVisitChildren = 1 << 6;
@@ -65 +65 @@
         bool masqueradesAsUndefined() const { return m_flags & MasqueradesAsUndefined; }
         bool implementsHasInstance() const { return m_flags & ImplementsHasInstance; }
+        bool isEnvironmentRecord() const { return m_flags & IsEnvironmentRecord; }
         bool overridesHasInstance() const { return m_flags & OverridesHasInstance; }
-        bool needsThisConversion() const { return m_flags & NeedsThisConversion; }
         bool overridesGetOwnPropertySlot() const { return m_flags & OverridesGetOwnPropertySlot; }
         bool overridesVisitChildren() const { return m_flags & OverridesVisitChildren; }

trunk/Source/JavaScriptCore/runtime/JSValue.h

@@ -207 +207 @@
         void put(ExecState*, unsigned propertyName, JSValue);
 
-        bool needsThisConversion() const;
         JSObject* toThisObject(ExecState*) const;
         JSValue toStrictThisObject(ExecState*) const;

trunk/Source/JavaScriptCore/runtime/JSVariableObject.h

@@ -66 +66 @@
         
     protected:
-        static const unsigned StructureFlags = OverridesGetPropertyNames | JSObject::StructureFlags;
+        static const unsigned StructureFlags = OverridesGetPropertyNames | JSNonFinalObject::StructureFlags;
 
         JSVariableObject(JSGlobalData& globalData, Structure* structure, SymbolTable* symbolTable, Register* registers)

trunk/Source/JavaScriptCore/runtime/PropertySlot.cpp

@@ -35 +35 @@
     CallData callData;
     CallType callType = m_data.getterFunc->getCallData(callData);
-    return call(exec, m_data.getterFunc, callType, callData, thisValue(), exec->emptyList());
+    
+    // Only objects can have accessor properties.
+    // If the base is WebCore's global object then we need to substitute the shell.
+    ASSERT(m_slotBase.isObject());
+    return call(exec, m_data.getterFunc, callType, callData, m_thisValue.toThisObject(exec), exec->emptyList());
 }
 

trunk/Source/JavaScriptCore/runtime/PropertySlot.h

@@ -213 +213 @@
         unsigned index() const { return m_data.index; }
 
-        JSValue thisValue() const { return m_thisValue; }
-
         GetValueFunc customGetter() const
         {

trunk/Source/JavaScriptCore/runtime/StrictEvalActivation.h

@@ -37 +37 @@
     virtual JSObject* toThisObject(ExecState*) const;
     virtual JSValue toStrictThisObject(ExecState*) const;
+
+    static Structure* createStructure(JSGlobalData& globalData, JSValue prototype)
+    {
+        return Structure::create(globalData, prototype, TypeInfo(ObjectType, StructureFlags), AnonymousSlotCount, &s_info);
+    }
+    
+protected:
+    static const unsigned StructureFlags = IsEnvironmentRecord | JSNonFinalObject::StructureFlags;
 };
 

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -290 +290 @@
     }
 
-    inline bool JSValue::needsThisConversion() const
-    {
-        if (UNLIKELY(!isCell()))
-            return true;
-        return asCell()->structure()->typeInfo().needsThisConversion();
-    }
-
     ALWAYS_INLINE void MarkStack::internalAppend(JSCell* cell)
     {

trunk/Source/JavaScriptCore/tests/mozilla/ecma/String/15.5.4.6-2.js

@@ -185 +185 @@
                                   eval("var obj = new Object(); obj.indexOf = String.prototype.indexOf; obj.indexOf('bject')") );
 
-    array[item++] = new TestCase( SECTION,
-                                  "var f = new Object( String.prototype.indexOf ); f('"+GLOBAL+"')",
-                                  0,
-                                  eval("var f = new Object( String.prototype.indexOf ); f('"+GLOBAL+"')") );
+// This correctly throws, due to ES5 15.5.4.7 step 1
+//    array[item++] = new TestCase( SECTION,
+//                                  "var f = new Object( String.prototype.indexOf ); f('"+GLOBAL+"')",
+//                                  0,
+//                                  eval("var f = new Object( String.prototype.indexOf ); f('"+GLOBAL+"')") );
 
     array[item++] = new TestCase( SECTION,

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-07-14  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64250
+        Global strict mode function leaking global object as "this".
+
+        Reviewed by Oliver Hunt.
+
+        * bindings/js/JSMainThreadExecState.h:
+        (WebCore::JSMainThreadExecState::call):
+        * bindings/scripts/CodeGeneratorJS.pm:
+        (GenerateHeader):
+            - Change call to pass DOM Window shell, instead of the global varaible object.
+
 2011-07-15  Brian Salomon  <bsalomon@google.com>
 

trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj

@@ -46 +46 @@
 
 /* Begin PBXBuildFile section */
+                00022E6913CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h in Headers */ = {isa = PBXBuildFile; fileRef = 00022E6813CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h */; };
                 0014628A103CD1DE000B20DB /* OriginAccessEntry.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 00146288103CD1DE000B20DB /* OriginAccessEntry.cpp */; };
                 0014628B103CD1DE000B20DB /* OriginAccessEntry.h in Headers */ = {isa = PBXBuildFile; fileRef = 00146289103CD1DE000B20DB /* OriginAccessEntry.h */; };
@@ -58 +59 @@
                 00D0464A13C4D14500326FCC /* XMLCharacterReferenceParser.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 00D0464813C4D14500326FCC /* XMLCharacterReferenceParser.cpp */; };
                 00D0464B13C4D14500326FCC /* XMLCharacterReferenceParser.h in Headers */ = {isa = PBXBuildFile; fileRef = 00D0464913C4D14500326FCC /* XMLCharacterReferenceParser.h */; };
-                00022E6913CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h in Headers */ = {isa = PBXBuildFile; fileRef = 00022E6813CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h */; };
                 052BFCE9128ABF1500FD338D /* GeolocationClientMock.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 052BFCE8128ABF1500FD338D /* GeolocationClientMock.cpp */; };
                 052BFCEB128ABF2100FD338D /* GeolocationClientMock.h in Headers */ = {isa = PBXBuildFile; fileRef = 052BFCEA128ABF2100FD338D /* GeolocationClientMock.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -6406 +6406 @@
 
 /* Begin PBXFileReference section */
+                00022E6813CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CharacterReferenceParserInlineMethods.h; sourceTree = "<group>"; };
                 00146288103CD1DE000B20DB /* OriginAccessEntry.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = OriginAccessEntry.cpp; sourceTree = "<group>"; };
                 00146289103CD1DE000B20DB /* OriginAccessEntry.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OriginAccessEntry.h; sourceTree = "<group>"; };
@@ -6418 +6419 @@
                 00D0464813C4D14500326FCC /* XMLCharacterReferenceParser.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = XMLCharacterReferenceParser.cpp; sourceTree = "<group>"; };
                 00D0464913C4D14500326FCC /* XMLCharacterReferenceParser.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = XMLCharacterReferenceParser.h; sourceTree = "<group>"; };
-                00022E6813CE1BBA00282D5B /* CharacterReferenceParserInlineMethods.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CharacterReferenceParserInlineMethods.h; sourceTree = "<group>"; };
                 052BFCE8128ABF1500FD338D /* GeolocationClientMock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = GeolocationClientMock.cpp; path = mock/GeolocationClientMock.cpp; sourceTree = "<group>"; };
                 052BFCEA128ABF2100FD338D /* GeolocationClientMock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = GeolocationClientMock.h; path = mock/GeolocationClientMock.h; sourceTree = "<group>"; };

trunk/Source/WebCore/bindings/js/JSMainThreadExecState.h

@@ -46 +46 @@
     {
         JSMainThreadExecState currentState(exec);
+        // Ensure DOM global object is unwrapped to the shell.
+        if (thisValue.isObject())
+            thisValue = thisValue.toThisObject(exec);
         return JSC::call(exec, functionObject, callType, callData, thisValue, args);
     };

trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

@@ -746 +746 @@
     if ($interfaceName eq "DOMWindow") {
         $structureFlags{"JSC::ImplementsHasInstance"} = 1;
-        $structureFlags{"JSC::NeedsThisConversion"} = 1;
     }
     push(@headerContent,

trunk/Source/WebKit/mac/ChangeLog

@@ +1 @@
+2011-07-14  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64250
+        Global strict mode function leaking global object as "this".
+
+        Reviewed by Oliver Hunt.
+
+        * Plugins/Hosted/NetscapePluginInstanceProxy.mm:
+        (WebKit::NetscapePluginInstanceProxy::invoke):
+        (WebKit::NetscapePluginInstanceProxy::invokeDefault):
+            - Change call to pass DOM Window shell, instead of the global varaible object.
+
 2011-07-13  Joseph Pecoraro  <joepeck@webkit.org>
 

trunk/Source/WebKit/mac/Plugins/Hosted/NetscapePluginInstanceProxy.mm

@@ -922 +922 @@
     RefPtr<JSGlobalData> globalData = pluginWorld()->globalData();
     globalData->timeoutChecker.start();
-    JSValue value = call(exec, function, callType, callData, object, argList);
+    JSValue value = call(exec, function, callType, callData, object->toThisObject(exec), argList);
     globalData->timeoutChecker.stop();
         
@@ -957 +957 @@
     RefPtr<JSGlobalData> globalData = pluginWorld()->globalData();
     globalData->timeoutChecker.start();
-    JSValue value = call(exec, object, callType, callData, object, argList);
+    JSValue value = call(exec, object, callType, callData, object->toThisObject(exec), argList);
     globalData->timeoutChecker.stop();
     

trunk/Source/WebKit2/ChangeLog

@@ +1 @@
+2011-07-14  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64250
+        Global strict mode function leaking global object as "this".
+
+        Reviewed by Oliver Hunt.
+
+        * WebProcess/Plugins/Netscape/NPJSObject.cpp:
+        (WebKit::NPJSObject::invoke):
+            - Change call to pass DOM Window shell, instead of the global varaible object.
+
 2011-07-15  Anders Carlsson  <andersca@apple.com>
 

trunk/Source/WebKit2/WebProcess/Plugins/Netscape/NPJSObject.cpp

@@ -292 +292 @@
 
     exec->globalData().timeoutChecker.start();
-    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject.get(), argumentList);
+    JSValue value = JSC::call(exec, function, callType, callData, m_jsObject->toThisObject(exec), argumentList);
     exec->globalData().timeoutChecker.stop();