Changeset 178894 in webkit for trunk/Source/JavaScriptCore

Timestamp:

Jan 22, 2015, 12:54:52 AM (10 years ago)

Author:

Yusuke Suzuki

Message:

put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
​https://bugs.webkit.org/show_bug.cgi?id=140426

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

In the put_by_val_direct operation, we use JSObject::putDirect.
However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
This patch changes Identifier::asIndex() to return Optional<uint32_t>.
It forces callers to check the value is index or not explicitly.
Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFor):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeFor):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitDirectPutById):

• dfg/DFGOperations.cpp:

(JSC::DFG::operationPutByValInternal):

• jit/JITOperations.cpp:
• jit/Repatch.cpp:

(JSC::emitPutTransitionStubAndGetOldStructure):

• jsc.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Arguments.cpp:

(JSC::Arguments::getOwnPropertySlot):
(JSC::Arguments::put):
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncSort):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):

• runtime/JSObject.cpp:

(JSC::JSObject::put):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnProperty):

• runtime/JSObject.h:

(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):

• runtime/JSString.cpp:

(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::JSString::getStringPropertySlot):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/PropertyName.h:

(JSC::toUInt32FromCharacters):
(JSC::toUInt32FromStringImpl):
(JSC::PropertyName::asIndex):

• runtime/PropertyNameArray.cpp:

(JSC::PropertyNameArray::add):

• runtime/StringObject.cpp:

(JSC::StringObject::deleteProperty):

• runtime/Structure.cpp:

(JSC::Structure::prototypeChainMayInterceptStoreTo):

Source/WebCore:

Test: js/dfg-put-by-val-direct-with-edge-numbers.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlot):

• bindings/js/JSHTMLAllCollectionCustom.cpp:

(WebCore::callHTMLAllCollection):
(WebCore::JSHTMLAllCollection::item):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateGetOwnPropertySlotBody):
(GenerateImplementation):

• bindings/scripts/test/JS/JSFloat64Array.cpp:

(WebCore::JSFloat64Array::getOwnPropertySlot):
(WebCore::JSFloat64Array::getOwnPropertyDescriptor):
(WebCore::JSFloat64Array::put):

• bindings/scripts/test/JS/JSTestEventTarget.cpp:

(WebCore::JSTestEventTarget::getOwnPropertySlot):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::getOwnPropertySlot):
(JSC::RuntimeArray::put):

LayoutTests:

• js/dfg-put-by-val-direct-with-edge-numbers-expected.txt: Added.
• js/dfg-put-by-val-direct-with-edge-numbers.html: Added.
• js/script-tests/dfg-put-by-val-direct-with-edge-numbers.js: Added.

(lookupWithKey):
(dfgShouldThrow):
(lookupWithKey2):
(toStringThrowsError.toString):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecode/GetByIdStatus.cpp (modified) (1 diff)
• bytecode/PutByIdStatus.cpp (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• dfg/DFGOperations.cpp (modified) (3 diffs)
• jit/JITOperations.cpp (modified) (2 diffs)
• jit/Repatch.cpp (modified) (1 diff)
• jsc.cpp (modified) (1 diff)
• llint/LLIntSlowPaths.cpp (modified) (1 diff)
• runtime/Arguments.cpp (modified) (5 diffs)
• runtime/ArrayPrototype.cpp (modified) (1 diff)
• runtime/JSArray.cpp (modified) (1 diff)
• runtime/JSCJSValue.cpp (modified) (1 diff)
• runtime/JSGenericTypedArrayViewInlines.h (modified) (4 diffs)
• runtime/JSObject.cpp (modified) (7 diffs)
• runtime/JSObject.h (modified) (3 diffs)
• runtime/JSString.cpp (modified) (1 diff)
• runtime/JSString.h (modified) (1 diff)
• runtime/LiteralParser.cpp (modified) (1 diff)
• runtime/PropertyName.h (modified) (3 diffs)
• runtime/PropertyNameArray.cpp (modified) (1 diff)
• runtime/StringObject.cpp (modified) (1 diff)
• runtime/Structure.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-01-22  Yusuke Suzuki  <[email protected]>
+
+        put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
+        https://bugs.webkit.org/show_bug.cgi?id=140426
+
+        Reviewed by Geoffrey Garen.
+
+        In the put_by_val_direct operation, we use JSObject::putDirect.
+        However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
+        This patch changes Identifier::asIndex() to return Optional<uint32_t>.
+        It forces callers to check the value is index or not explicitly.
+        Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.
+
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeFor):
+        * bytecode/PutByIdStatus.cpp:
+        (JSC::PutByIdStatus::computeFor):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitDirectPutById):
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::operationPutByValInternal):
+        * jit/JITOperations.cpp:
+        * jit/Repatch.cpp:
+        (JSC::emitPutTransitionStubAndGetOldStructure):
+        * jsc.cpp:
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/Arguments.cpp:
+        (JSC::Arguments::getOwnPropertySlot):
+        (JSC::Arguments::put):
+        (JSC::Arguments::deleteProperty):
+        (JSC::Arguments::defineOwnProperty):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::arrayProtoFuncSort):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::defineOwnProperty):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
+        (JSC::JSGenericTypedArrayView<Adaptor>::put):
+        (JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
+        (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::put):
+        (JSC::JSObject::putDirectAccessor):
+        (JSC::JSObject::putDirectCustomAccessor):
+        (JSC::JSObject::deleteProperty):
+        (JSC::JSObject::putDirectMayBeIndex):
+        (JSC::JSObject::defineOwnProperty):
+        * runtime/JSObject.h:
+        (JSC::JSObject::getOwnPropertySlot):
+        (JSC::JSObject::getPropertySlot):
+        (JSC::JSObject::putDirectInternal):
+        * runtime/JSString.cpp:
+        (JSC::JSString::getStringPropertyDescriptor):
+        * runtime/JSString.h:
+        (JSC::JSString::getStringPropertySlot):
+        * runtime/LiteralParser.cpp:
+        (JSC::LiteralParser<CharType>::parse):
+        * runtime/PropertyName.h:
+        (JSC::toUInt32FromCharacters):
+        (JSC::toUInt32FromStringImpl):
+        (JSC::PropertyName::asIndex):
+        * runtime/PropertyNameArray.cpp:
+        (JSC::PropertyNameArray::add):
+        * runtime/StringObject.cpp:
+        (JSC::StringObject::deleteProperty):
+        * runtime/Structure.cpp:
+        (JSC::Structure::prototypeChainMayInterceptStoreTo):
+
 2015-01-21  Ryosuke Niwa  <[email protected]>
 

trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp

@@ -271 +271 @@
         return GetByIdStatus();
 
-    if (toUInt32FromStringImpl(uid) != PropertyName::NotAnIndex)
+    if (toUInt32FromStringImpl(uid))
         return GetByIdStatus(TakesSlowPath);
     

trunk/Source/JavaScriptCore/bytecode/PutByIdStatus.cpp

@@ -311 +311 @@
 PutByIdStatus PutByIdStatus::computeFor(JSGlobalObject* globalObject, const StructureSet& set, AtomicStringImpl* uid, bool isDirect)
 {
-    if (toUInt32FromStringImpl(uid) != PropertyName::NotAnIndex)
+    if (toUInt32FromStringImpl(uid))
         return PutByIdStatus(TakesSlowPath);
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1489 +1489 @@
     instructions().append(0);
     instructions().append(0);
-    instructions().append(
-        property != m_vm->propertyNames->underscoreProto
-        && PropertyName(property).asIndex() == PropertyName::NotAnIndex);
+    instructions().append(property != m_vm->propertyNames->underscoreProto && !PropertyName(property).asIndex());
     return value;
 }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -98 +98 @@
 
     if (LIKELY(property.isUInt32())) {
-        putByVal<strict, direct>(exec, baseValue, property.asUInt32(), value);
+        uint32_t index = property.asUInt32();
+        ASSERT_WITH_MESSAGE(index != PropertyName::NotAnIndex, "Since JSValue::isUInt32 returns true only when the boxed value is int32_t and positive, it doesn't return true for uint32_t max value that is PropertyName::NotAnIndex.");
+        putByVal<strict, direct>(exec, baseValue, index, value);
         return;
     }
@@ -105 +107 @@
         double propertyAsDouble = property.asDouble();
         uint32_t propertyAsUInt32 = static_cast<uint32_t>(propertyAsDouble);
-        if (propertyAsDouble == propertyAsUInt32) {
+        if (propertyAsDouble == propertyAsUInt32 && propertyAsUInt32 != PropertyName::NotAnIndex) {
             putByVal<strict, direct>(exec, baseValue, propertyAsUInt32, value);
             return;
@@ -123 +125 @@
     // Don't put to an object if toString throws an exception.
     Identifier ident = property.toString(exec)->toIdentifier(exec);
-    if (!vm->exception()) {
-        PutPropertySlot slot(baseValue, strict);
-        if (direct) {
-            RELEASE_ASSERT(baseValue.isObject());
-            asObject(baseValue)->putDirect(*vm, ident, value, slot);
-        } else
-            baseValue.put(exec, ident, value, slot);
-    }
+    if (vm->exception())
+        return;
+
+    PutPropertySlot slot(baseValue, strict);
+    if (direct) {
+        PropertyName propertyName(ident);
+        RELEASE_ASSERT(baseValue.isObject());
+        if (Optional<uint32_t> index = propertyName.asIndex())
+            asObject(baseValue)->putDirectIndex(exec, index.value(), value, 0, strict ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+        else
+            asObject(baseValue)->putDirect(*vm, propertyName, value, slot);
+    } else
+        baseValue.put(exec, ident, value, slot);
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -52 +52 @@
 #include "LegacyProfiler.h"
 #include "ObjectConstructor.h"
+#include "PropertyName.h"
 #include "Repatch.h"
 #include "RepatchBuffer.h"
@@ -481 +482 @@
 static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue subscript, JSValue value)
 {
+    bool isStrictMode = callFrame->codeBlock()->isStrictMode();
     if (LIKELY(subscript.isUInt32())) {
-        uint32_t i = subscript.asUInt32();
-        baseObject->putDirectIndex(callFrame, i, value);
-    } else if (isName(subscript)) {
-        PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
+        uint32_t index = subscript.asUInt32();
+        ASSERT_WITH_MESSAGE(index != PropertyName::NotAnIndex, "Since JSValue::isUInt32 returns true only when the boxed value is int32_t and positive, it doesn't return true for uint32_t max value that is PropertyName::NotAnIndex.");
+        baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+        return;
+    }
+
+    if (subscript.isDouble()) {
+        double subscriptAsDouble = subscript.asDouble();
+        uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
+        if (subscriptAsDouble == subscriptAsUInt32 && subscriptAsUInt32 != PropertyName::NotAnIndex) {
+            baseObject->putDirectIndex(callFrame, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+            return;
+        }
+    }
+
+    if (isName(subscript)) {
+        PutPropertySlot slot(baseObject, isStrictMode);
         baseObject->putDirect(callFrame->vm(), jsCast<NameInstance*>(subscript.asCell())->privateName(), value, slot);
-    } else {
-        Identifier property = subscript.toString(callFrame)->toIdentifier(callFrame);
-        if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
-            PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
-            baseObject->putDirect(callFrame->vm(), property, value, slot);
-        }
+        return;
+    }
+
+    // Don't put to an object if toString throws an exception.
+    Identifier property = subscript.toString(callFrame)->toIdentifier(callFrame);
+    if (callFrame->vm().exception())
+        return;
+
+    PropertyName propertyName(property);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        baseObject->putDirectIndex(callFrame, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+    else {
+        PutPropertySlot slot(baseObject, isStrictMode);
+        baseObject->putDirect(callFrame->vm(), propertyName, value, slot);
     }
 }

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -983 +983 @@
     PropertyName pname(ident);
     Structure* oldStructure = structure;
-    if (!oldStructure->isObject() || oldStructure->isDictionary() || pname.asIndex() != PropertyName::NotAnIndex)
+    if (!oldStructure->isObject() || oldStructure->isDictionary() || pname.asIndex())
         return nullptr;
 

trunk/Source/JavaScriptCore/jsc.cpp

@@ -335 +335 @@
         }
 
-        unsigned index = propertyName.asIndex();
-        if (index < thisObject->getLength()) {
-            ASSERT(index != PropertyName::NotAnIndex);
-            slot.setValue(thisObject, DontDelete | DontEnum, jsNumber(thisObject->m_vector[index]));
+        Optional<uint32_t> index = propertyName.asIndex();
+        if (index && index.value() < thisObject->getLength()) {
+            slot.setValue(thisObject, DontDelete | DontEnum, jsNumber(thisObject->m_vector[index.value()]));
             return true;
         }

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -820 +820 @@
     RELEASE_ASSERT(baseValue.isObject());
     JSObject* baseObject = asObject(baseValue);
+    bool isStrictMode = exec->codeBlock()->isStrictMode();
     if (LIKELY(subscript.isUInt32())) {
-        uint32_t i = subscript.asUInt32();
-        baseObject->putDirectIndex(exec, i, value);
-    } else if (isName(subscript)) {
-        PutPropertySlot slot(baseObject, exec->codeBlock()->isStrictMode());
+        uint32_t index = subscript.asUInt32();
+        ASSERT_WITH_MESSAGE(index != PropertyName::NotAnIndex, "Since JSValue::isUInt32 returns true only when the boxed value is int32_t and positive, it doesn't return true for uint32_t max value that is PropertyName::NotAnIndex.");
+        baseObject->putDirectIndex(exec, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+        LLINT_END();
+    }
+
+
+    if (subscript.isDouble()) {
+        double subscriptAsDouble = subscript.asDouble();
+        uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
+        if (subscriptAsDouble == subscriptAsUInt32 && subscriptAsUInt32 != PropertyName::NotAnIndex) {
+            baseObject->putDirectIndex(exec, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+            LLINT_END();
+        }
+    }
+
+    if (isName(subscript)) {
+        PutPropertySlot slot(baseObject, isStrictMode);
         baseObject->putDirect(exec->vm(), jsCast<NameInstance*>(subscript.asCell())->privateName(), value, slot);
-    } else {
-        Identifier property = subscript.toString(exec)->toIdentifier(exec);
-        if (!exec->vm().exception()) { // Don't put to an object if toString threw an exception.
-            PutPropertySlot slot(baseObject, exec->codeBlock()->isStrictMode());
-            baseObject->putDirect(exec->vm(), property, value, slot);
-        }
+        LLINT_END();
+    }
+
+    // Don't put to an object if toString throws an exception.
+    Identifier property = subscript.toString(exec)->toIdentifier(exec);
+    if (exec->vm().exception())
+        LLINT_END();
+
+    PropertyName propertyName(property);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        baseObject->putDirectIndex(exec, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+    else {
+        PutPropertySlot slot(baseObject, isStrictMode);
+        baseObject->putDirect(exec->vm(), propertyName, value, slot);
     }
     LLINT_END();

trunk/Source/JavaScriptCore/runtime/Arguments.cpp

@@ -162 +162 @@
 {
     Arguments* thisObject = jsCast<Arguments*>(object);
-    unsigned i = propertyName.asIndex();
-    if (JSValue value = thisObject->tryGetArgument(i)) {
-        RELEASE_ASSERT(i < PropertyName::NotAnIndex);
-        slot.setValue(thisObject, None, value);
-        return true;
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        if (JSValue value = thisObject->tryGetArgument(index.value())) {
+            slot.setValue(thisObject, None, value);
+            return true;
+        }
     }
 
@@ -225 +225 @@
 {
     Arguments* thisObject = jsCast<Arguments*>(cell);
-    unsigned i = propertyName.asIndex();
-    if (thisObject->trySetArgument(exec->vm(), i, value))
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && thisObject->trySetArgument(exec->vm(), index.value(), value))
         return;
 
@@ -268 +268 @@
 
     Arguments* thisObject = jsCast<Arguments*>(cell);
-    unsigned i = propertyName.asIndex();
-    if (i < thisObject->m_numArguments) {
-        RELEASE_ASSERT(i < PropertyName::NotAnIndex);
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && index.value() < thisObject->m_numArguments) {
         if (!Base::deleteProperty(cell, exec, propertyName))
             return false;
-        if (thisObject->tryDeleteArgument(exec->vm(), i))
+        if (thisObject->tryDeleteArgument(exec->vm(), index.value()))
             return true;
     }
@@ -299 +298 @@
 {
     Arguments* thisObject = jsCast<Arguments*>(object);
-    unsigned i = propertyName.asIndex();
-    if (i < thisObject->m_numArguments) {
-        RELEASE_ASSERT(i < PropertyName::NotAnIndex);
+    Optional<uint32_t> optionalIndex = propertyName.asIndex();
+    if (optionalIndex && optionalIndex.value() < thisObject->m_numArguments) {
         // If the property is not yet present on the object, and is not yet marked as deleted, then add it now.
+        uint32_t index = optionalIndex.value();
         PropertySlot slot(thisObject);
-        if (!thisObject->isDeletedArgument(i) && !JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot)) {
-            JSValue value = thisObject->tryGetArgument(i);
+        if (!thisObject->isDeletedArgument(index) && !JSObject::getOwnPropertySlot(thisObject, exec, propertyName, slot)) {
+            JSValue value = thisObject->tryGetArgument(index);
             ASSERT(value);
             object->putDirectMayBeIndex(exec, propertyName, value);
@@ -314 +313 @@
         // From ES 5.1, 10.6 Arguments Object
         // 5. If the value of isMapped is not undefined, then
-        if (thisObject->isArgument(i)) {
+        if (thisObject->isArgument(index)) {
             // a. If IsAccessorDescriptor(Desc) is true, then
             if (descriptor.isAccessorDescriptor()) {
                 // i. Call the [[Delete]] internal method of map passing P, and false as the arguments.
-                thisObject->tryDeleteArgument(exec->vm(), i);
+                thisObject->tryDeleteArgument(exec->vm(), index);
             } else { // b. Else
                 // i. If Desc.[[Value]] is present, then
                 // 1. Call the [[Put]] internal method of map passing P, Desc.[[Value]], and Throw as the arguments.
                 if (descriptor.value())
-                    thisObject->trySetArgument(exec->vm(), i, descriptor.value());
+                    thisObject->trySetArgument(exec->vm(), index, descriptor.value());
                 // ii. If Desc.[[Writable]] is present and its value is false, then
                 // 1. Call the [[Delete]] internal method of map passing P and false as arguments.
                 if (descriptor.writablePresent() && !descriptor.writable())
-                    thisObject->tryDeleteArgument(exec->vm(), i);
+                    thisObject->tryDeleteArgument(exec->vm(), index);
             }
         }

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -743 +743 @@
     for (size_t i = 0; i < nameArray.size(); ++i) {
         PropertyName name = nameArray[i];
-        uint32_t index = name.asIndex();
-        if (index == PropertyName::NotAnIndex)
+        Optional<uint32_t> optionalIndex = name.asIndex();
+        if (!optionalIndex)
             continue;
-        
+
+        uint32_t index = optionalIndex.value();
         JSValue value = getOrHole(thisObj, exec, index);
         if (exec->hadException())

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -159 +159 @@
     // 4. Else if P is an array index (15.4), then
     // a. Let index be ToUint32(P).
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
+    if (Optional<uint32_t> optionalIndex = propertyName.asIndex()) {
         // b. Reject if index >= oldLen and oldLenDesc.[[Writable]] is false.
+        uint32_t index = optionalIndex.value();
         if (index >= array->length() && !array->isLengthWritable())
             return reject(exec, throwException, "Attempting to define numeric property on array with non-writable length property.");

trunk/Source/JavaScriptCore/runtime/JSCJSValue.cpp

@@ -120 +120 @@
     VM& vm = exec->vm();
 
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
-        putToPrimitiveByIndex(exec, index, value, slot.isStrictMode());
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putToPrimitiveByIndex(exec, index.value(), value, slot.isStrictMode());
         return;
     }

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -303 +303 @@
     }
     
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex && thisObject->canGetIndexQuickly(index)) {
-        slot.setValue(thisObject, DontDelete | ReadOnly, thisObject->getIndexQuickly(index));
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && thisObject->canGetIndexQuickly(index.value())) {
+        slot.setValue(thisObject, DontDelete | ReadOnly, thisObject->getIndexQuickly(index.value()));
         return true;
     }
@@ -325 +325 @@
     }
     
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
-        putByIndex(thisObject, exec, index, value, slot.isStrictMode());
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
         return;
     }
@@ -344 +343 @@
     // defineOwnProperty for indexed properties on typed arrays, even if they're out
     // of bounds.
-    if (propertyName == exec->propertyNames().length
-        || propertyName.asIndex() != PropertyName::NotAnIndex)
+    if (propertyName == exec->propertyNames().length || propertyName.asIndex())
         return reject(exec, shouldThrow, "Attempting to write to a read-only typed array property.");
     
@@ -357 +355 @@
     JSGenericTypedArrayView* thisObject = jsCast<JSGenericTypedArrayView*>(cell);
     
-    if (propertyName == exec->propertyNames().length
-        || propertyName.asIndex() != PropertyName::NotAnIndex)
+    if (propertyName == exec->propertyNames().length || propertyName.asIndex())
         return false;
     

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -340 +340 @@
     // Try indexed put first. This is required for correctness, since loads on property names that appear like
     // valid indices will never look in the named property storage.
-    unsigned i = propertyName.asIndex();
-    if (i != PropertyName::NotAnIndex) {
-        putByIndex(thisObject, exec, i, value, slot.isStrictMode());
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
         return;
     }
@@ -1199 +1198 @@
     ASSERT(value.isGetterSetter() && (attributes & Accessor));
 
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
-        putDirectIndex(exec, index, value, attributes, PutDirectIndexLikePutDirect);
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putDirectIndex(exec, index.value(), value, attributes, PutDirectIndexLikePutDirect);
         return;
     }
@@ -1210 +1208 @@
 void JSObject::putDirectCustomAccessor(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
 {
-    ASSERT(propertyName.asIndex() == PropertyName::NotAnIndex);
+    ASSERT(!propertyName.asIndex());
 
     PutPropertySlot slot(this);
@@ -1258 +1256 @@
     JSObject* thisObject = jsCast<JSObject*>(cell);
     
-    unsigned i = propertyName.asIndex();
-    if (i != PropertyName::NotAnIndex)
-        return thisObject->methodTable(exec->vm())->deletePropertyByIndex(thisObject, exec, i);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        return thisObject->methodTable(exec->vm())->deletePropertyByIndex(thisObject, exec, index.value());
 
     if (!thisObject->staticFunctionsReified())
@@ -2503 +2500 @@
 void JSObject::putDirectMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value)
 {
-    unsigned asIndex = propertyName.asIndex();
-    if (asIndex == PropertyName::NotAnIndex)
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        putDirectIndex(exec, index.value(), value);
+    else
         putDirect(exec->vm(), propertyName, value);
-    else
-        putDirectIndex(exec, asIndex, value);
 }
 
@@ -2660 +2656 @@
 {
     // If it's an array index, then use the indexed property storage.
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
         // c. Let succeeded be the result of calling the default [[DefineOwnProperty]] internal method (8.12.9) on A passing P, Desc, and false as arguments.
         // d. Reject if succeeded is false.
@@ -2668 +2663 @@
         // e.ii. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length", oldLenDesc, and false as arguments. This call will always return true.
         // f. Return true.
-        return object->defineOwnIndexedProperty(exec, index, descriptor, throwException);
+        return object->defineOwnIndexedProperty(exec, index.value(), descriptor, throwException);
     }
     

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1245 +1245 @@
     if (object->inlineGetOwnPropertySlot(vm, structure, propertyName, slot))
         return true;
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex)
-        return getOwnPropertySlotByIndex(object, exec, index, slot);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        return getOwnPropertySlotByIndex(object, exec, index.value(), slot);
     return false;
 }
@@ -1275 +1274 @@
     }
 
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex)
-        return getPropertySlot(exec, index, slot);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        return getPropertySlot(exec, index.value(), slot);
     return false;
 }
@@ -1321 +1319 @@
     ASSERT(value.isGetterSetter() == !!(attributes & Accessor));
     ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));
-    ASSERT(propertyName.asIndex() == PropertyName::NotAnIndex);
+    ASSERT(!propertyName.asIndex());
 
     Structure* structure = this->structure(vm);

trunk/Source/JavaScriptCore/runtime/JSString.cpp

@@ -426 +426 @@
     }
     
-    unsigned i = propertyName.asIndex();
-    if (i < m_length) {
-        ASSERT(i != PropertyName::NotAnIndex); // No need for an explicit check, the above test would always fail!
-        descriptor.setDescriptor(getIndex(exec, i), DontDelete | ReadOnly);
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && index.value() < m_length) {
+        descriptor.setDescriptor(getIndex(exec, index.value()), DontDelete | ReadOnly);
         return true;
     }

trunk/Source/JavaScriptCore/runtime/JSString.h

@@ -627 +627 @@
     }
 
-    unsigned i = propertyName.asIndex();
-    if (i < m_length) {
-        ASSERT(i != PropertyName::NotAnIndex); // No need for an explicit check, the above test would always fail!
-        slot.setValue(this, DontDelete | ReadOnly, getIndex(exec, i));
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && index.value() < m_length) {
+        slot.setValue(this, DontDelete | ReadOnly, getIndex(exec, index.value()));
         return true;
     }

trunk/Source/JavaScriptCore/runtime/LiteralParser.cpp

@@ -650 +650 @@
                 JSObject* object = asObject(objectStack.last());
                 PropertyName ident = identifierStack.last();
-                unsigned i = ident.asIndex();
-                if (i != PropertyName::NotAnIndex)
-                    object->putDirectIndex(m_exec, i, lastValue);
+                if (Optional<uint32_t> index = ident.asIndex())
+                    object->putDirectIndex(m_exec, index.value(), lastValue);
                 else
                     object->putDirect(m_exec->vm(), ident, lastValue);

trunk/Source/JavaScriptCore/runtime/PropertyName.h

@@ -29 +29 @@
 #include "Identifier.h"
 #include "PrivateName.h"
+#include <wtf/Optional.h>
 
 namespace JSC {
 
 template <typename CharType>
-ALWAYS_INLINE uint32_t toUInt32FromCharacters(const CharType* characters, unsigned length)
+ALWAYS_INLINE Optional<uint32_t> toUInt32FromCharacters(const CharType* characters, unsigned length)
 {
     // An empty string is not a number.
     if (!length)
-        return UINT_MAX;
+        return Nullopt;
 
     // Get the first character, turning it into a digit.
     uint32_t value = characters[0] - '0';
     if (value > 9)
-        return UINT_MAX;
+        return Nullopt;
     
     // Check for leading zeros. If the first characher is 0, then the
     // length of the string must be one - e.g. "042" is not equal to "42".
     if (!value && length > 1)
-        return UINT_MAX;
+        return Nullopt;
     
     while (--length) {
         // Multiply value by 10, checking for overflow out of 32 bits.
         if (value > 0xFFFFFFFFU / 10)
-            return UINT_MAX;
+            return Nullopt;
         value *= 10;
         
@@ -58 +59 @@
         uint32_t newValue = *(++characters) - '0';
         if (newValue > 9)
-            return UINT_MAX;
+            return Nullopt;
         
         // Add in the old value, checking for overflow out of 32 bits.
         newValue += value;
         if (newValue < value)
-            return UINT_MAX;
+            return Nullopt;
         value = newValue;
     }
-    
+
+    if (value == UINT_MAX)
+        return Nullopt;
     return value;
 }
 
-ALWAYS_INLINE uint32_t toUInt32FromStringImpl(StringImpl* impl)
+ALWAYS_INLINE Optional<uint32_t> toUInt32FromStringImpl(StringImpl* impl)
 {
     if (impl->is8Bit())
@@ -110 +113 @@
     static const uint32_t NotAnIndex = UINT_MAX;
 
-    uint32_t asIndex()
+    Optional<uint32_t> asIndex()
     {
-        return m_impl ? toUInt32FromStringImpl(m_impl) : NotAnIndex;
+        return m_impl ? toUInt32FromStringImpl(m_impl) : Nullopt;
     }
-    
+
     void dump(PrintStream& out) const
     {

trunk/Source/JavaScriptCore/runtime/PropertyNameArray.cpp

@@ -34 +34 @@
     ASSERT(!identifier || identifier == StringImpl::empty() || identifier->isAtomic());
     if (!ASSERT_DISABLED) {
-        uint32_t index = PropertyName(Identifier(m_vm, identifier)).asIndex();
-        ASSERT_UNUSED(index, index == PropertyName::NotAnIndex || index >= m_previouslyEnumeratedLength);
+        Optional<uint32_t> index = PropertyName(Identifier(m_vm, identifier)).asIndex();
+        ASSERT_UNUSED(index, !index || index.value() >= m_previouslyEnumeratedLength);
     }
 

trunk/Source/JavaScriptCore/runtime/StringObject.cpp

@@ -129 +129 @@
     if (propertyName == exec->propertyNames().length)
         return false;
-    unsigned i = propertyName.asIndex();
-    if (thisObject->internalValue()->canGetIndex(i)) {
-        ASSERT(i != PropertyName::NotAnIndex); // No need for an explicit check, the above test would always fail!
+    Optional<uint32_t> index = propertyName.asIndex();
+    if (index && thisObject->internalValue()->canGetIndex(index.value())) {
         return false;
     }

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -1011 +1011 @@
 bool Structure::prototypeChainMayInterceptStoreTo(VM& vm, PropertyName propertyName)
 {
-    unsigned i = propertyName.asIndex();
-    if (i != PropertyName::NotAnIndex)
+    if (propertyName.asIndex())
         return anyObjectInChainMayInterceptIndexedAccesses();