Changeset 128111 in webkit for trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Sep 10, 2012, 2:49:25 PM (13 years ago)

Author:

[email protected]

Message:

DFG misses arguments tear-off for function.arguments if 'arguments' is used
​https://bugs.webkit.org/show_bug.cgi?id=96227

Reviewed by Gavin Barraclough.

Source/JavaScriptCore:

We've decided not to allow function.arguments to alias the local
'arguments' object, or a local var or function named 'arguments'.
Aliasing complicates the implementation (cf, this bug) and can produce
surprising behavior for web programmers.

Eliminating the aliasing has the side-effect of fixing this bug.

The compatibilty story: function.arguments is deprecated, was never
specified, and throws an exception in strict mode, so we expect it to
disappear over time. Firefox does not alias to 'arguments'; Chrome
does, but not if you use eval or with; IE does; Safari did.

• dfg/DFGByteCodeParser.cpp: Noticed a little cleanup while verifying

this code. Use the CodeBlock method for better encapsulation.

• interpreter/Interpreter.cpp:

(JSC::Interpreter::retrieveArgumentsFromVMCode): Behavior change: don't
alias.

• tests/mozilla/js1_4/Functions/function-001.js:

(TestFunction_4): Updated test expectations for changed behavior.

LayoutTests:

New test, and updated expectations.

• fast/js/script-tests/function-dot-arguments.js:
• fast/js/function-dot-arguments-expected.txt: Updated for new behavior.

• fast/js/dfg-tear-off-function-dot-arguments.html:
• fast/js/script-tests/dfg-tear-off-function-dot-arguments.js: Added. New test for bug cited here.

• fast/js/function-dot-arguments-identity-expected.txt:
• fast/js/function-dot-arguments-identity.html: Added. New test for new behavior.

File:

• trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -5106 +5106 @@
         return jsNull();
 
-    CodeBlock* codeBlock = functionCallFrame->someCodeBlockForPossiblyInlinedCode();
-    if (codeBlock->usesArguments()) {
-        ASSERT(codeBlock->codeType() == FunctionCode);
-        int argumentsRegister = codeBlock->argumentsRegister();
-        int realArgumentsRegister = unmodifiedArgumentsRegister(argumentsRegister);
-        if (JSValue arguments = functionCallFrame->uncheckedR(argumentsRegister).jsValue())
-            return arguments;
-        JSValue arguments = JSValue(Arguments::create(callFrame->globalData(), functionCallFrame));
-        functionCallFrame->r(argumentsRegister) = arguments;
-        functionCallFrame->r(realArgumentsRegister) = arguments;
-        return arguments;
-    }
-
     Arguments* arguments = Arguments::create(functionCallFrame->globalData(), functionCallFrame);
     arguments->tearOff(functionCallFrame);