Changeset 38322 in webkit for trunk/JavaScriptCore

Timestamp:

Nov 11, 2008, 4:32:38 PM (17 years ago)

Author:

[email protected]

Message:

2008-11-11 Geoffrey Garen <​[email protected]>

Reviewed by Darin Adler.

Fixed ​https://bugs.webkit.org/show_bug.cgi?id=22174
Simplified op_call by nixing its responsibility for moving the value of
"this" into the first argument slot.

Instead, the caller emits an explicit load or mov instruction, or relies
on implicit knowledge that "this" is already in the first argument slot.
As a result, two operands to op_call are gone: firstArg and thisVal.

SunSpider and v8 tests show no change in bytecode or CTI.

• VM/CTI.cpp: (JSC::CTI::compileOpCallSetupArgs): (JSC::CTI::compileOpCallEvalSetupArgs): (JSC::CTI::compileOpConstructSetupArgs): Split apart these three versions of setting up arguments to op_call, because they're more different than they are the same -- even more so with this patch.

(JSC::CTI::compileOpCall): Updated for the fact that op_construct doesn't
match op_call anymore.

(JSC::CTI::privateCompileMainPass):
(JSC::CTI::privateCompileSlowCases): Merged a few call cases. Updated
for changes mentioned above.

• VM/CTI.h:

• VM/CodeBlock.cpp: (JSC::CodeBlock::dump): Updated for new bytecode format of call / construct.

• VM/Machine.cpp: (JSC::Machine::callEval): Updated for new bytecode format of call / construct.

(JSC::Machine::dumpCallFrame):
(JSC::Machine::dumpRegisters): Simplified these debugging functions,
taking advantage of the new call frame layout.

(JSC::Machine::execute): Fixed up the eval version of execute to be
friendlier to calls in the new format.

(JSC::Machine::privateExecute): Implemented the new call format in
bytecode.

(JSC::Machine::cti_op_call_NotJSFunction):
(JSC::Machine::cti_op_construct_JSConstruct):
(JSC::Machine::cti_op_construct_NotJSConstruct):
(JSC::Machine::cti_op_call_eval): Updated CTI helpers to match the new
call format.

Fixed a latent bug in stack overflow checking that is now hit because
the register layout has changed a bit -- namely: when throwing a stack
overflow exception inside an op_call helper, we need to account for the
fact that the current call frame is only half-constructed, and use the
parent call frame instead.

• VM/Machine.h:

• bytecompiler/CodeGenerator.cpp: (JSC::CodeGenerator::emitCall): (JSC::CodeGenerator::emitCallEval): (JSC::CodeGenerator::emitConstruct):
• bytecompiler/CodeGenerator.h: Updated codegen to match the new call format.

• parser/Nodes.cpp: (JSC::EvalFunctionCallNode::emitCode): (JSC::FunctionCallValueNode::emitCode): (JSC::FunctionCallResolveNode::emitCode): (JSC::FunctionCallBracketNode::emitCode): (JSC::FunctionCallDotNode::emitCode):
• parser/Nodes.h: (JSC::ScopeNode::neededConstants): ditto

2008-11-10 Geoffrey Garen <​[email protected]>

Reviewed by Darin Adler.

Updated a test after fixing ​https://bugs.webkit.org/show_bug.cgi?id=22174
Simplified op_call by nixing its responsibility for moving the value of
"this" into the first argument slot.

• fast/js/global-recursion-on-full-stack-expected.txt: This test passes a little differently now, because the register layout has changed. Specifically, the stack overflow now happens in the call to f() instead of the initiation of the <script> tag, so it is caught, and it does not log an exception to the console.

Location:

trunk/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• VM/CTI.cpp (modified) (12 diffs)
• VM/CTI.h (modified) (1 diff)
• VM/CodeBlock.cpp (modified) (2 diffs)
• VM/Machine.cpp (modified) (31 diffs)
• VM/Machine.h (modified) (3 diffs)
• bytecompiler/CodeGenerator.cpp (modified) (3 diffs)
• bytecompiler/CodeGenerator.h (modified) (2 diffs)
• parser/Nodes.cpp (modified) (6 diffs)
• parser/Nodes.h (modified) (1 diff)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-11-11  Geoffrey Garen  <[email protected]>
+
+        Reviewed by Darin Adler.
+        
+        Fixed https://bugs.webkit.org/show_bug.cgi?id=22174
+        Simplified op_call by nixing its responsibility for moving the value of
+        "this" into the first argument slot.
+
+        Instead, the caller emits an explicit load or mov instruction, or relies
+        on implicit knowledge that "this" is already in the first argument slot.
+        As a result, two operands to op_call are gone: firstArg and thisVal.
+        
+        SunSpider and v8 tests show no change in bytecode or CTI.
+
+        * VM/CTI.cpp:
+        (JSC::CTI::compileOpCallSetupArgs):
+        (JSC::CTI::compileOpCallEvalSetupArgs):
+        (JSC::CTI::compileOpConstructSetupArgs): Split apart these three versions
+        of setting up arguments to op_call, because they're more different than
+        they are the same -- even more so with this patch.
+
+        (JSC::CTI::compileOpCall): Updated for the fact that op_construct doesn't
+        match op_call anymore.
+
+        (JSC::CTI::privateCompileMainPass):
+        (JSC::CTI::privateCompileSlowCases): Merged a few call cases. Updated
+        for changes mentioned above.
+
+        * VM/CTI.h:
+
+        * VM/CodeBlock.cpp:
+        (JSC::CodeBlock::dump): Updated for new bytecode format of call / construct.
+
+        * VM/Machine.cpp:
+        (JSC::Machine::callEval): Updated for new bytecode format of call / construct.
+
+        (JSC::Machine::dumpCallFrame):
+        (JSC::Machine::dumpRegisters): Simplified these debugging functions, 
+        taking advantage of the new call frame layout.
+
+        (JSC::Machine::execute): Fixed up the eval version of execute to be
+        friendlier to calls in the new format.
+
+        (JSC::Machine::privateExecute): Implemented the new call format in
+        bytecode.
+
+        (JSC::Machine::cti_op_call_NotJSFunction):
+        (JSC::Machine::cti_op_construct_JSConstruct):
+        (JSC::Machine::cti_op_construct_NotJSConstruct):
+        (JSC::Machine::cti_op_call_eval): Updated CTI helpers to match the new
+        call format.
+        
+        Fixed a latent bug in stack overflow checking that is now hit because
+        the register layout has changed a bit -- namely: when throwing a stack
+        overflow exception inside an op_call helper, we need to account for the
+        fact that the current call frame is only half-constructed, and use the
+        parent call frame instead.
+
+        * VM/Machine.h:
+
+        * bytecompiler/CodeGenerator.cpp:
+        (JSC::CodeGenerator::emitCall):
+        (JSC::CodeGenerator::emitCallEval):
+        (JSC::CodeGenerator::emitConstruct):
+        * bytecompiler/CodeGenerator.h: Updated codegen to match the new call
+        format.
+
+        * parser/Nodes.cpp:
+        (JSC::EvalFunctionCallNode::emitCode):
+        (JSC::FunctionCallValueNode::emitCode):
+        (JSC::FunctionCallResolveNode::emitCode):
+        (JSC::FunctionCallBracketNode::emitCode):
+        (JSC::FunctionCallDotNode::emitCode):
+        * parser/Nodes.h:
+        (JSC::ScopeNode::neededConstants): ditto
+
 2008-11-11  Cameron Zwarich  <[email protected]>
 

trunk/JavaScriptCore/VM/CTI.cpp

@@ -588 +588 @@
 }
 
-void CTI::compileOpCallSetupArgs(Instruction* instruction, bool isConstruct, bool isEval)
-{
-    int firstArg = instruction[4].u.operand;
-    int argCount = instruction[5].u.operand;
-    int registerOffset = instruction[6].u.operand;
-
+void CTI::compileOpCallSetupArgs(Instruction* instruction)
+{
+    int argCount = instruction[3].u.operand;
+    int registerOffset = instruction[4].u.operand;
+
+    // ecx holds func
     emitPutArg(X86::ecx, 0);
     emitPutArgConstant(registerOffset, 4);
     emitPutArgConstant(argCount, 8);
     emitPutArgConstant(reinterpret_cast<unsigned>(instruction), 12);
-    if (isConstruct) {
-        emitGetPutArg(instruction[3].u.operand, 16, X86::eax);
-        emitPutArgConstant(firstArg, 20);
-    } else if (isEval)
-        emitGetPutArg(instruction[3].u.operand, 16, X86::eax);
+}
+
+void CTI::compileOpCallEvalSetupArgs(Instruction* instruction)
+{
+    int argCount = instruction[3].u.operand;
+    int registerOffset = instruction[4].u.operand;
+
+    // ecx holds func
+    emitPutArg(X86::ecx, 0);
+    emitPutArgConstant(registerOffset, 4);
+    emitPutArgConstant(argCount, 8);
+    emitPutArgConstant(reinterpret_cast<unsigned>(instruction), 12);
+}
+
+void CTI::compileOpConstructSetupArgs(Instruction* instruction)
+{
+    int argCount = instruction[3].u.operand;
+    int registerOffset = instruction[4].u.operand;
+    int proto = instruction[5].u.operand;
+    int thisRegister = instruction[6].u.operand;
+
+    // ecx holds func
+    emitPutArg(X86::ecx, 0);
+    emitPutArgConstant(registerOffset, 4);
+    emitPutArgConstant(argCount, 8);
+    emitGetPutArg(proto, 12, X86::eax);
+    emitPutArgConstant(thisRegister, 16);
+    emitPutArgConstant(reinterpret_cast<unsigned>(instruction), 20);
 }
 
@@ -609 +632 @@
     int dst = instruction[1].u.operand;
     int callee = instruction[2].u.operand;
-    int firstArg = instruction[4].u.operand;
-    int argCount = instruction[5].u.operand;
-    int registerOffset = instruction[6].u.operand;
-
-    // Setup this value as the first argument (does not apply to constructors)
-    if (opcodeID != op_construct) {
-        int thisVal = instruction[3].u.operand;
-        if (thisVal == missingThisObjectMarker())
-            m_jit.movl_i32m(asInteger(jsNull()), firstArg * sizeof(Register), X86::edi);
-        else {
-            emitGetArg(thisVal, X86::eax);
-            emitPutResult(firstArg);
-        }
-    }
+    int argCount = instruction[3].u.operand;
+    int registerOffset = instruction[4].u.operand;
 
     // Handle eval
@@ -628 +639 @@
     if (opcodeID == op_call_eval) {
         emitGetArg(callee, X86::ecx);
-        compileOpCallSetupArgs(instruction, false, true);
+        compileOpCallEvalSetupArgs(instruction);
 
         emitCTICall(instruction, i, Machine::cti_op_call_eval);
@@ -648 +659 @@
     // In the case of OpConstruct, call out to a cti_ function to create the new object.
     if (opcodeID == op_construct) {
+        int proto = instruction[5].u.operand;
+        int thisRegister = instruction[6].u.operand;
+
         emitPutArg(X86::ecx, 0);
-        emitGetPutArg(instruction[3].u.operand, 16, X86::eax);
+        emitGetPutArg(proto, 12, X86::eax);
         emitCTICall(instruction, i, Machine::cti_op_construct_JSConstruct);
-        emitPutResult(firstArg);
+        emitPutResult(thisRegister);
         emitGetArg(callee, X86::ecx);
     }
@@ -1286 +1300 @@
             break;
         }
-        case op_call: {
+        case op_call:
+        case op_call_eval:
+        case op_construct: {
             compileOpCall(opcodeID, instruction + i, i, callLinkInfoIndex++);
-            i += 7;
+            i += (opcodeID == op_construct ? 7 : 5);
             break;
         }
@@ -1380 +1396 @@
             emitPutResult(instruction[i + 1].u.operand);
             i += 3;
-            break;
-        }
-        case op_construct: {
-            compileOpCall(opcodeID, instruction + i, i, callLinkInfoIndex++);
-            i += 7;
             break;
         }
@@ -1912 +1923 @@
             emitPutResult(instruction[i + 1].u.operand);
             i += 5;
-            break;
-        }
-        case op_call_eval: {
-            compileOpCall(opcodeID, instruction + i, i, callLinkInfoIndex++);
-            i += 7;
             break;
         }
@@ -2768 +2774 @@
             int dst = instruction[i + 1].u.operand;
             int callee = instruction[i + 2].u.operand;
-            int firstArg = instruction[i + 4].u.operand;
-            int argCount = instruction[i + 5].u.operand;
-            int registerOffset = instruction[i + 6].u.operand;
+            int argCount = instruction[i + 3].u.operand;
+            int registerOffset = instruction[i + 4].u.operand;
 
             m_jit.link(iter->from, m_jit.label());
 
             // The arguments have been set up on the hot path for op_call_eval
-            if (opcodeID != op_call_eval)
-                compileOpCallSetupArgs(instruction + i, (opcodeID == op_construct), false);
+            if (opcodeID == op_call)
+                compileOpCallSetupArgs(instruction + i);
+            else if (opcodeID == op_construct)
+                compileOpConstructSetupArgs(instruction + i);
 
             // Fast check for JS function.
@@ -2784 +2791 @@
             X86Assembler::JmpSrc callLinkFailNotJSFunction = m_jit.emitUnlinkedJne();
 
-            // First, in the cale of a construct, allocate the new object.
+            // First, in the case of a construct, allocate the new object.
             if (opcodeID == op_construct) {
                 emitCTICall(instruction, i, Machine::cti_op_construct_JSConstruct);
-                emitPutResult(firstArg);
+                emitPutResult(registerOffset - RegisterFile::CallFrameHeaderSize - argCount);
                 emitGetArg(callee, X86::ecx);
             }
@@ -2828 +2835 @@
 
             // The arguments have been set up on the hot path for op_call_eval
-            if (opcodeID != op_call_eval)
-                compileOpCallSetupArgs(instruction + i, (opcodeID == op_construct), false);
+            if (opcodeID == op_call)
+                compileOpCallSetupArgs(instruction + i);
+            else if (opcodeID == op_construct)
+                compileOpConstructSetupArgs(instruction + i);
 
             // Check for JSFunctions.
@@ -2848 +2857 @@
             m_jit.link(isJSFunction, m_jit.label());
 
-            // First, in the cale of a construct, allocate the new object.
+            // First, in the case of a construct, allocate the new object.
             if (opcodeID == op_construct) {
                 emitCTICall(instruction, i, Machine::cti_op_construct_JSConstruct);
-                emitPutResult(firstArg);
+                emitPutResult(registerOffset - RegisterFile::CallFrameHeaderSize - argCount);
                 emitGetArg(callee, X86::ecx);
             }
@@ -2896 +2905 @@
             ++callLinkInfoIndex;
 
-            i += 7;
+            i += (opcodeID == op_construct ? 7 : 5);
             break;
         }

trunk/JavaScriptCore/VM/CTI.h

@@ -366 +366 @@
         void compileOpCall(OpcodeID, Instruction* instruction, unsigned i, unsigned callLinkInfoIndex);
         void compileOpCallInitializeCallFrame(unsigned callee, unsigned argCount);
-        void compileOpCallSetupArgs(Instruction* instruction, bool isConstruct, bool isEval);
+        void compileOpCallSetupArgs(Instruction*);
+        void compileOpCallEvalSetupArgs(Instruction*);
+        void compileOpConstructSetupArgs(Instruction*);
         enum CompileOpStrictEqType { OpStrictEq, OpNStrictEq };
         void compileOpStrictEq(Instruction* instruction, unsigned i, CompileOpStrictEqType type);

trunk/JavaScriptCore/VM/CodeBlock.cpp

@@ -813 +813 @@
         }
         case op_call: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            int r2 = (++it)->u.operand;
-            int tempCount = (++it)->u.operand;
+            int dst = (++it)->u.operand;
+            int func = (++it)->u.operand;
             int argCount = (++it)->u.operand;
             int registerOffset = (++it)->u.operand;
-            printf("[%4d] call\t\t %s, %s, %s, %d, %d, %d\n", location, registerName(r0).c_str(), registerName(r1).c_str(), registerName(r2).c_str(), tempCount, argCount, registerOffset);
+            printf("[%4d] call\t\t %s, %s, %d, %d\n", location, registerName(dst).c_str(), registerName(func).c_str(), argCount, registerOffset);
             break;
         }
         case op_call_eval: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            int r2 = (++it)->u.operand;
-            int tempCount = (++it)->u.operand;
+            int dst = (++it)->u.operand;
+            int func = (++it)->u.operand;
             int argCount = (++it)->u.operand;
             int registerOffset = (++it)->u.operand;
-            printf("[%4d] call_eval\t\t %s, %s, %s, %d, %d, %d\n", location, registerName(r0).c_str(), registerName(r1).c_str(), registerName(r2).c_str(), tempCount, argCount, registerOffset);
+            printf("[%4d] call_eval\t %s, %s, %d, %d\n", location, registerName(dst).c_str(), registerName(func).c_str(), argCount, registerOffset);
             break;
         }
@@ -847 +843 @@
         }
         case op_construct: {
-            int r0 = (++it)->u.operand;
-            int r1 = (++it)->u.operand;
-            int r2 = (++it)->u.operand;
-            int tempCount = (++it)->u.operand;
+            int dst = (++it)->u.operand;
+            int func = (++it)->u.operand;
             int argCount = (++it)->u.operand;
             int registerOffset = (++it)->u.operand;
-            printf("[%4d] construct\t %s, %s, %s, %d, %d, %d\n", location, registerName(r0).c_str(), registerName(r1).c_str(), registerName(r2).c_str(), tempCount, argCount, registerOffset);
+            int proto = (++it)->u.operand;
+            int thisRegister = (++it)->u.operand;
+            printf("[%4d] construct\t %s, %s, %d, %d, %s, %s\n", location, registerName(dst).c_str(), registerName(func).c_str(), argCount, registerOffset, registerName(proto).c_str(), registerName(thisRegister).c_str());
             break;
         }

trunk/JavaScriptCore/VM/Machine.cpp

@@ -581 +581 @@
 }
 
-NEVER_INLINE JSValue* Machine::callEval(CallFrame* callFrame, JSObject* thisObj, ScopeChainNode* scopeChain, RegisterFile* registerFile, int argv, int argc, JSValue*& exceptionValue)
+NEVER_INLINE JSValue* Machine::callEval(CallFrame* callFrame, RegisterFile* registerFile, Register* argv, int argc, int registerOffset, JSValue*& exceptionValue)
 {
     if (argc < 2)
         return jsUndefined();
 
-    JSValue* program = callFrame[argv + 1].jsValue(callFrame);
+    JSValue* program = argv[1].jsValue(callFrame);
 
     if (!program->isString())
@@ -593 +593 @@
     UString programSource = asString(program)->value();
 
+    ScopeChainNode* scopeChain = callFrame->scopeChain();
     CodeBlock* codeBlock = callFrame->codeBlock();
     RefPtr<EvalNode> evalNode = codeBlock->evalCodeCache.get(callFrame, programSource, scopeChain, exceptionValue);
@@ -598 +599 @@
     JSValue* result = jsUndefined();
     if (evalNode)
-        result = callFrame->globalData().machine->execute(evalNode.get(), callFrame, thisObj, callFrame->registers() - registerFile->start() + argv + 1 + RegisterFile::CallFrameHeaderSize, scopeChain, &exceptionValue);
+        result = callFrame->globalData().machine->execute(evalNode.get(), callFrame, callFrame->thisValue()->toThisObject(callFrame), callFrame->registers() - registerFile->start() + registerOffset, scopeChain, &exceptionValue);
 
     return result;
@@ -656 +657 @@
 #ifndef NDEBUG
 
-void Machine::dumpCallFrame(const RegisterFile* registerFile, CallFrame* callFrame)
-{
-    JSGlobalObject* globalObject = callFrame->scopeChain()->globalObject();
-
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    codeBlock->dump(globalObject->globalExec());
-
-    dumpRegisters(registerFile, callFrame);
-}
-
-void Machine::dumpRegisters(const RegisterFile* registerFile, CallFrame* callFrame)
+void Machine::dumpCallFrame(CallFrame* callFrame)
+{
+    callFrame->codeBlock()->dump(callFrame);
+    dumpRegisters(callFrame);
+}
+
+void Machine::dumpRegisters(CallFrame* callFrame)
 {
     printf("Register frame: \n\n");
@@ -674 +671 @@
 
     CodeBlock* codeBlock = callFrame->codeBlock();
+    RegisterFile* registerFile = &callFrame->scopeChain()->globalObject()->globalData()->machine->registerFile();
     const Register* it;
     const Register* end;
@@ -1024 +1022 @@
 }
 
-JSValue* Machine::execute(EvalNode* evalNode, CallFrame* callFrame, JSObject* thisObj, int registerOffset, ScopeChainNode* scopeChain, JSValue** exception)
+JSValue* Machine::execute(EvalNode* evalNode, CallFrame* callFrame, JSObject* thisObj, int globalRegisterOffset, ScopeChainNode* scopeChain, JSValue** exception)
 {
     ASSERT(!scopeChain->globalData->exception);
@@ -1070 +1068 @@
 
     Register* oldEnd = m_registerFile.end();
-    Register* newEnd = m_registerFile.start() + registerOffset + codeBlock->numCalleeRegisters;
+    Register* newEnd = m_registerFile.start() + globalRegisterOffset + codeBlock->numCalleeRegisters;
     if (!m_registerFile.grow(newEnd)) {
         *exception = createStackOverflowError(callFrame);
@@ -1076 +1074 @@
     }
 
-    CallFrame* newCallFrame = CallFrame::create(m_registerFile.start() + registerOffset);
+    CallFrame* newCallFrame = CallFrame::create(m_registerFile.start() + globalRegisterOffset);
 
     // a 0 codeBlock indicates a built-in caller
@@ -3265 +3263 @@
     }
     BEGIN_OPCODE(op_call_eval) {
-        /* call_eval dst(r) func(r) thisVal(r) firstArg(r) argCount(n)
+        /* call_eval dst(r) func(r) argCount(n) registerOffset(n)
 
            Call a function named "eval" with no explicit "this" value
@@ -3278 +3276 @@
         int dst = vPC[1].u.operand;
         int func = vPC[2].u.operand;
-        int thisVal = vPC[3].u.operand;
-        int firstArg = vPC[4].u.operand;
-        int argCount = vPC[5].u.operand;
+        int argCount = vPC[3].u.operand;
+        int registerOffset = vPC[4].u.operand;
 
         JSValue* funcVal = callFrame[func].jsValue(callFrame);
-        JSValue* baseVal = callFrame[thisVal].jsValue(callFrame);
-
-        ScopeChainNode* scopeChain = callFrame->scopeChain();
-        if (baseVal == scopeChain->globalObject() && funcVal == scopeChain->globalObject()->evalFunction()) {
-            JSObject* thisObject = asObject(callFrame[callFrame->codeBlock()->thisRegister].jsValue(callFrame));
-            JSValue* result = callEval(callFrame, thisObject, scopeChain, registerFile, firstArg, argCount, exceptionValue);
+
+        Register* newCallFrame = callFrame->registers() + registerOffset;
+        Register* argv = newCallFrame - RegisterFile::CallFrameHeaderSize - argCount;
+        JSValue* thisValue = argv[0].jsValue(callFrame);
+        JSGlobalObject* globalObject = callFrame->scopeChain()->globalObject();
+
+        if (thisValue == globalObject && funcVal == globalObject->evalFunction()) {
+            JSValue* result = callEval(callFrame, registerFile, argv, argCount, registerOffset, exceptionValue);
             if (exceptionValue)
                 goto vm_throw;
-
             callFrame[dst] = result;
 
-            vPC += 7;
+            vPC += 5;
             NEXT_OPCODE;
         }
 
-        // We didn't find the blessed version of eval, so reset vPC and process
-        // this instruction as a normal function call, supplying the proper 'this'
-        // value.
-        callFrame[thisVal] = baseVal->toThisObject(callFrame);
+        // We didn't find the blessed version of eval, so process this
+        // instruction as a normal function call.
 
 #if HAVE(COMPUTED_GOTO)
@@ -3312 +3308 @@
     }
     BEGIN_OPCODE(op_call) {
-        /* call dst(r) func(r) thisVal(r) firstArg(r) argCount(n) registerOffset(n)
-
-           Perform a function call. Specifically, call register func
-           with a "this" value of register thisVal, and put the result
-           in register dst.
-
-           The arguments start at register firstArg and go up to
-           argCount, but the "this" value is considered an implicit
-           first argument, so the argCount should be one greater than
-           the number of explicit arguments passed, and the register
-           after firstArg should contain the actual first
-           argument. This opcode will copy from the thisVal register
-           to the firstArg register, unless the register index of
-           thisVal is the special missing this object marker, which is
-           2^31-1; in that case, the global object will be used as the
-           "this" value.
-
-           If func is a native code function, then this opcode calls
-           it and returns the value immediately. 
-
-           But if it is a JS function, then the current scope chain
-           and code block is set to the function's, and we slide the
-           register window so that the arguments would form the first
-           few local registers of the called function's register
-           window. In addition, a call frame header is written
-           immediately before the arguments; see the call frame
-           documentation for an explanation of how many registers a
-           call frame takes and what they contain. That many registers
-           before the firstArg register will be overwritten by the
-           call. In addition, any registers higher than firstArg +
-           argCount may be overwritten. Once this setup is complete,
-           execution continues from the called function's first
-           argument, and does not return until a "ret" opcode is
-           encountered.
+        /* call dst(r) func(r) argCount(n) registerOffset(n)
+
+           Perform a function call.
+           
+           registerOffset is the distance the callFrame pointer should move
+           before the VM initializes the new call frame's header.
+           
+           dst is where op_ret should store its result.
          */
 
         int dst = vPC[1].u.operand;
         int func = vPC[2].u.operand;
-        int thisVal = vPC[3].u.operand;
-        int firstArg = vPC[4].u.operand;
-        int argCount = vPC[5].u.operand;
-        int registerOffset = vPC[6].u.operand;
+        int argCount = vPC[3].u.operand;
+        int registerOffset = vPC[4].u.operand;
 
         JSValue* v = callFrame[func].jsValue(callFrame);
@@ -3365 +3333 @@
             CodeBlock* newCodeBlock = &functionBodyNode->byteCode(callDataScopeChain);
 
-            callFrame[firstArg] = thisVal == missingThisObjectMarker() ? callFrame->globalThisValue() : callFrame[thisVal].jsValue(callFrame);
-            
             CallFrame* previousCallFrame = callFrame;
 
@@ -3376 +3342 @@
             }
 
-            callFrame->init(newCodeBlock, vPC + 7, callDataScopeChain, previousCallFrame, dst, argCount, asFunction(v));
+            callFrame->init(newCodeBlock, vPC + 5, callDataScopeChain, previousCallFrame, dst, argCount, asFunction(v));
             vPC = newCodeBlock->instructions.begin();
 
@@ -3387 +3353 @@
 
         if (callType == CallTypeHost) {
-            JSValue* thisValue = thisVal == missingThisObjectMarker() ? callFrame->globalThisValue() : callFrame[thisVal].jsValue(callFrame);
-            ArgList args(callFrame->registers() + firstArg + 1, argCount - 1);
-
             ScopeChainNode* scopeChain = callFrame->scopeChain();
             CallFrame* newCallFrame = CallFrame::create(callFrame->registers() + registerOffset);
-            newCallFrame->init(0, vPC + 7, scopeChain, callFrame, dst, argCount, 0);
+            newCallFrame->init(0, vPC + 5, scopeChain, callFrame, dst, argCount, 0);
+
+            Register* thisRegister = newCallFrame->registers() - RegisterFile::CallFrameHeaderSize - argCount;
+            ArgList args(thisRegister + 1, argCount - 1);
+
+            // FIXME: All host methods should be calling toThisObject, but this is not presently the case.
+            JSValue* thisValue = thisRegister->jsValue(callFrame);
+            if (thisValue == jsNull())
+                thisValue = callFrame->globalThisValue();
 
             JSValue* returnValue;
@@ -3403 +3374 @@
             callFrame[dst] = returnValue;
 
-            vPC += 7;
+            vPC += 5;
             NEXT_OPCODE;
         }
@@ -3573 +3544 @@
     }
     BEGIN_OPCODE(op_construct) {
-        /* construct dst(r) constr(r) constrProto(r) firstArg(r) argCount(n) registerOffset(n)
-
-           Invoke register "constr" as a constructor. For JS
+        /* construct dst(r) func(r) argCount(n) registerOffset(n) proto(r) thisRegister(r)
+
+           Invoke register "func" as a constructor. For JS
            functions, the calling convention is exactly as for the
            "call" opcode, except that the "this" value is a newly
-           created Object. For native constructors, a null "this"
-           value is passed. In either case, the firstArg and argCount
+           created Object. For native constructors, no "this"
+           value is passed. In either case, the argCount and registerOffset
            registers are interpreted as for the "call" opcode.
 
-           Register constrProto must contain the prototype property of
-           register constsr. This is to enable polymorphic inline
+           Register proto must contain the prototype property of
+           register func. This is to enable polymorphic inline
            caching of this lookup.
         */
 
         int dst = vPC[1].u.operand;
-        int constr = vPC[2].u.operand;
-        int constrProto = vPC[3].u.operand;
-        int firstArg = vPC[4].u.operand;
-        int argCount = vPC[5].u.operand;
-        int registerOffset = vPC[6].u.operand;
-
-        JSValue* v = callFrame[constr].jsValue(callFrame);
+        int func = vPC[2].u.operand;
+        int argCount = vPC[3].u.operand;
+        int registerOffset = vPC[4].u.operand;
+        int proto = vPC[5].u.operand;
+        int thisRegister = vPC[6].u.operand;
+
+        JSValue* v = callFrame[func].jsValue(callFrame);
 
         ConstructData constructData;
@@ -3605 +3576 @@
 
             StructureID* structure;
-            JSValue* prototype = callFrame[constrProto].jsValue(callFrame);
+            JSValue* prototype = callFrame[proto].jsValue(callFrame);
             if (prototype->isObject())
                 structure = asObject(prototype)->inheritorID();
@@ -3612 +3583 @@
             JSObject* newObject = new (globalData) JSObject(structure);
 
-            callFrame[firstArg] = newObject; // "this" value
+            callFrame[thisRegister] = newObject; // "this" value
 
             CallFrame* previousCallFrame = callFrame;
@@ -3634 +3605 @@
 
         if (constructType == ConstructTypeHost) {
-            ArgList args(callFrame->registers() + firstArg + 1, argCount - 1);
+            ArgList args(callFrame->registers() + thisRegister + 1, argCount - 1);
 
             ScopeChainNode* scopeChain = callFrame->scopeChain();
@@ -4365 +4336 @@
     } while (0)
 
+// This macro rewinds to the previous call frame because CTI functions that
+// throw stack overflow exceptions execute after the call frame has
+// optimistically moved forward.
+#define CTI_THROW_STACK_OVERFLOW() do { \
+    CallFrame* oldCallFrame = ARG_callFrame->callerFrame(); \
+    JSGlobalData* globalData = ARG_globalData; \
+    globalData->exception = createStackOverflowError(oldCallFrame); \
+    globalData->throwReturnAddress = CTI_RETURN_ADDRESS; \
+    ARG_setCallFrame(oldCallFrame); \
+    CTI_SET_RETURN_ADDRESS(reinterpret_cast<void*>(ctiVMThrowTrampoline)); \
+} while (0);
+
 JSObject* Machine::cti_op_convert_this(CTI_ARGS)
 {
@@ -4453 +4436 @@
 }
 
-NEVER_INLINE void Machine::throwStackOverflowPreviousFrame(CallFrame* callFrame, JSGlobalData* globalData, void*& returnAddress)
-{
-    globalData->exception = createStackOverflowError(callFrame->callerFrame());
-    globalData->throwReturnAddress = callFrame->returnPC();
-    ctiSetReturnAddress(&returnAddress, reinterpret_cast<void*>(ctiVMThrowTrampoline));
-}
-
 void Machine::cti_register_file_check(CTI_ARGS)
 {
@@ -4467 +4443 @@
         return;
 
-    ARG_setCallFrame(ARG_callFrame->callerFrame());
-    throwStackOverflowPreviousFrame(ARG_callFrame, ARG_globalData, CTI_RETURN_ADDRESS);
+    CTI_THROW_STACK_OVERFLOW();
 }
 
@@ -4745 +4720 @@
         Register* newEnd = r + newCodeBlock->numCalleeRegisters;
         if (!ARG_registerFile->grow(newEnd)) {
-            ARG_globalData->exception = createStackOverflowError(oldCallFrame);
-            VM_THROW_EXCEPTION_2();
+            CTI_THROW_STACK_OVERFLOW();
+            VoidPtrPairValue pair = {{ 0, 0 }};
+            return pair.i;
         }
 
@@ -4811 +4787 @@
             SamplingTool::HostCallRecord callRecord(CTI_SAMPLER);
 
-            // All host methods should be calling toThisObject, but this is not presently the case.
+            // FIXME: All host methods should be calling toThisObject, but this is not presently the case.
             JSValue* thisValue = argv[0].jsValue(callFrame);
             if (thisValue == jsNull())
@@ -4935 +4911 @@
 
     StructureID* structure;
-    if (ARG_src5->isObject())
-        structure = asObject(ARG_src5)->inheritorID();
+    if (ARG_src4->isObject())
+        structure = asObject(ARG_src4)->inheritorID();
     else
         structure = asFunction(ARG_src1)->m_scopeChain.node()->globalObject()->emptyObjectStructure();
@@ -4950 +4926 @@
     JSValue* constrVal = ARG_src1;
     int argCount = ARG_int3;
-    int firstArg = ARG_int6;
+    int thisRegister = ARG_int5;
 
     ConstructData constructData;
@@ -4956 +4932 @@
 
     if (constructType == ConstructTypeHost) {
-        ArgList argList(callFrame->registers() + firstArg + 1, argCount - 1);
+        ArgList argList(callFrame->registers() + thisRegister + 1, argCount - 1);
 
         JSValue* returnValue;
@@ -4970 +4946 @@
     ASSERT(constructType == ConstructTypeNone);
 
-    ARG_globalData->exception = createNotAConstructorError(callFrame, constrVal, ARG_instr4, callFrame->codeBlock());
+    ARG_globalData->exception = createNotAConstructorError(callFrame, constrVal, ARG_instr6, callFrame->codeBlock());
     VM_THROW_EXCEPTION();
 }
@@ -5569 +5545 @@
     CallFrame* callFrame = ARG_callFrame;
     RegisterFile* registerFile = ARG_registerFile;
-    CodeBlock* codeBlock = callFrame->codeBlock();
-    ScopeChainNode* scopeChain = callFrame->scopeChain();
 
     Machine* machine = ARG_globalData->machine;
@@ -5577 +5551 @@
     int registerOffset = ARG_int2;
     int argCount = ARG_int3;
-    JSValue* baseVal = ARG_src5;
-
-    if (baseVal == scopeChain->globalObject() && funcVal == scopeChain->globalObject()->evalFunction()) {
-        JSObject* thisObject = callFrame[codeBlock->thisRegister].jsValue(callFrame)->toThisObject(callFrame);
+
+    Register* newCallFrame = callFrame->registers() + registerOffset;
+    Register* argv = newCallFrame - RegisterFile::CallFrameHeaderSize - argCount;
+    JSValue* thisValue = argv[0].jsValue(callFrame);
+    JSGlobalObject* globalObject = callFrame->scopeChain()->globalObject();
+
+    if (thisValue == globalObject && funcVal == globalObject->evalFunction()) {
         JSValue* exceptionValue = noValue();
-        JSValue* result = machine->callEval(callFrame, thisObject, scopeChain, registerFile, registerOffset - RegisterFile::CallFrameHeaderSize - argCount, argCount, exceptionValue);
+        JSValue* result = machine->callEval(callFrame, registerFile, argv, argCount, registerOffset, exceptionValue);
         if (UNLIKELY(exceptionValue != noValue())) {
             ARG_globalData->exception = exceptionValue;
@@ -5945 +5922 @@
     CallFrame* callFrame = ARG_callFrame;
     CodeBlock* codeBlock = callFrame->codeBlock();
-
-    ASSERT(codeBlock->ctiReturnAddressVPCMap.contains(ARG_globalData->throwReturnAddress));
-    unsigned vPCIndex = codeBlock->ctiReturnAddressVPCMap.get(ARG_globalData->throwReturnAddress);
-
-    JSValue* exceptionValue = ARG_globalData->exception;
+    JSGlobalData* globalData = ARG_globalData;
+
+    ASSERT(codeBlock->ctiReturnAddressVPCMap.contains(globalData->throwReturnAddress));
+    unsigned vPCIndex = codeBlock->ctiReturnAddressVPCMap.get(globalData->throwReturnAddress);
+
+    JSValue* exceptionValue = globalData->exception;
     ASSERT(exceptionValue);
-    ARG_globalData->exception = noValue();
-
-    Instruction* handlerVPC = ARG_globalData->machine->throwException(callFrame, exceptionValue, codeBlock->instructions.begin() + vPCIndex, false);
+    globalData->exception = noValue();
+
+    Instruction* handlerVPC = globalData->machine->throwException(callFrame, exceptionValue, codeBlock->instructions.begin() + vPCIndex, false);
 
     if (!handlerVPC) {

trunk/JavaScriptCore/VM/Machine.h

@@ -285 +285 @@
         enum ExecutionFlag { Normal, InitializeAndReturn };
 
-        NEVER_INLINE JSValue* callEval(CallFrame*, JSObject* thisObject, ScopeChainNode*, RegisterFile*, int argv, int argc, JSValue*& exceptionValue);
-        JSValue* execute(EvalNode*, CallFrame*, JSObject* thisObject, int registerOffset, ScopeChainNode*, JSValue** exception);
+        NEVER_INLINE JSValue* callEval(CallFrame*, RegisterFile*, Register* argv, int argc, int registerOffset, JSValue*& exceptionValue);
+        JSValue* execute(EvalNode*, CallFrame*, JSObject* thisObject, int globalRegisterOffset, ScopeChainNode*, JSValue** exception);
 
         NEVER_INLINE void debug(CallFrame*, DebugHookID, int firstLine, int lastLine);
@@ -307 +307 @@
         JSValue* privateExecute(ExecutionFlag, RegisterFile*, CallFrame*, JSValue** exception);
 
-        void dumpCallFrame(const RegisterFile*, CallFrame*);
-        void dumpRegisters(const RegisterFile*, CallFrame*);
+        void dumpCallFrame(CallFrame*);
+        void dumpRegisters(CallFrame*);
 
         JSValue* checkTimeout(JSGlobalObject*);
@@ -321 +321 @@
 
 #if ENABLE(CTI)
-        static void throwStackOverflowPreviousFrame(CallFrame*, JSGlobalData*, void*& returnAddress);
+        static void throwStackOverflowPreviousFrame(CallFrame**, JSGlobalData*, void*& returnAddress);
 
         void tryCTICacheGetByID(CallFrame*, CodeBlock*, void* returnAddress, JSValue* baseValue, const Identifier& propertyName, const PropertySlot&);

trunk/JavaScriptCore/bytecompiler/CodeGenerator.cpp

@@ -1220 +1220 @@
 }
 
-RegisterID* CodeGenerator::emitCall(RegisterID* dst, RegisterID* func, RegisterID* base, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
-{
-    return emitCall(op_call, dst, func, base, argumentsNode, divot, startOffset, endOffset);
-}
-
-RegisterID* CodeGenerator::emitCallEval(RegisterID* dst, RegisterID* func, RegisterID* base, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
-{
-    return emitCall(op_call_eval, dst, func, base, argumentsNode, divot, startOffset, endOffset);
-}
-
-RegisterID* CodeGenerator::emitCall(OpcodeID opcodeID, RegisterID* dst, RegisterID* func, RegisterID* base, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
+RegisterID* CodeGenerator::emitCall(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
+{
+    return emitCall(op_call, dst, func, thisRegister, argumentsNode, divot, startOffset, endOffset);
+}
+
+RegisterID* CodeGenerator::emitCallEval(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
+{
+    return emitCall(op_call_eval, dst, func, thisRegister, argumentsNode, divot, startOffset, endOffset);
+}
+
+RegisterID* CodeGenerator::emitCall(OpcodeID opcodeID, RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode* argumentsNode, unsigned divot, unsigned startOffset, unsigned endOffset)
 {
     ASSERT(opcodeID == op_call || opcodeID == op_call_eval);
     ASSERT(func->refCount());
-    ASSERT(!base || base->refCount());
     
     // Generate code for arguments.
     Vector<RefPtr<RegisterID>, 16> argv;
-    argv.append(newTemporary()); // reserve space for "this"
+    argv.append(thisRegister);
     for (ArgumentListNode* n = argumentsNode->m_listNode.get(); n; n = n->m_next.get()) {
         argv.append(newTemporary());
@@ -1256 +1255 @@
     emitExpressionInfo(divot, startOffset, endOffset);
     m_codeBlock->callLinkInfos.append(CallLinkInfo());
+
+    // Emit call.
     emitOpcode(opcodeID);
-    instructions().append(dst->index());
-    instructions().append(func->index());
-    instructions().append(base ? base->index() : missingThisObjectMarker()); // We encode the "this" value in the instruction stream, to avoid an explicit instruction for copying or loading it.
-    instructions().append(argv[0]->index()); // argv
-    instructions().append(argv.size()); // argc
+    instructions().append(dst->index()); // dst
+    instructions().append(func->index()); // func
+    instructions().append(argv.size()); // argCount
     instructions().append(argv[0]->index() + argv.size() + RegisterFile::CallFrameHeaderSize); // registerOffset
 
@@ -1320 +1319 @@
     emitExpressionInfo(divot, startOffset, endOffset);
     m_codeBlock->callLinkInfos.append(CallLinkInfo());
+
     emitOpcode(op_construct);
-    instructions().append(dst->index());
-    instructions().append(func->index());
-    instructions().append(funcProto->index());
-    instructions().append(argv[0]->index()); // argv
-    instructions().append(argv.size()); // argc
+    instructions().append(dst->index()); // dst
+    instructions().append(func->index()); // func
+    instructions().append(argv.size()); // argCount
     instructions().append(argv[0]->index() + argv.size() + RegisterFile::CallFrameHeaderSize); // registerOffset
+    instructions().append(funcProto->index()); // proto
+    instructions().append(argv[0]->index()); // thisRegister
 
     emitOpcode(op_construct_verify);

trunk/JavaScriptCore/bytecompiler/CodeGenerator.h

@@ -274 +274 @@
         RegisterID* emitPutSetter(RegisterID* base, const Identifier& property, RegisterID* value);
 
-        RegisterID* emitCall(RegisterID* dst, RegisterID* func, RegisterID* base, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
-        RegisterID* emitCallEval(RegisterID* dst, RegisterID* func, RegisterID* base, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
+        RegisterID* emitCall(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
+        RegisterID* emitCallEval(RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
 
         RegisterID* emitReturn(RegisterID* src);
@@ -346 +346 @@
         typedef HashMap<UString::Rep*, JSString*, IdentifierRepHash> IdentifierStringMap;
 
-        RegisterID* emitCall(OpcodeID, RegisterID*, RegisterID*, RegisterID*, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
+        RegisterID* emitCall(OpcodeID, RegisterID* dst, RegisterID* func, RegisterID* thisRegister, ArgumentsNode*, unsigned divot, unsigned startOffset, unsigned endOffset);
         
         RegisterID* newRegister();

trunk/JavaScriptCore/parser/Nodes.cpp

@@ -586 +586 @@
 RegisterID* EvalFunctionCallNode::emitCode(CodeGenerator& generator, RegisterID* dst)
 {
-    RefPtr<RegisterID> base = generator.tempDestination(dst);
-    RefPtr<RegisterID> func = generator.newTemporary();
-    generator.emitResolveWithBase(base.get(), func.get(), generator.propertyNames().eval);
-    return generator.emitCallEval(generator.finalDestination(dst, base.get()), func.get(), base.get(), m_args.get(), divot(), startOffset(), endOffset());
+    RefPtr<RegisterID> func = generator.tempDestination(dst);
+    RefPtr<RegisterID> thisRegister = generator.newTemporary();
+    generator.emitResolveWithBase(thisRegister.get(), func.get(), generator.propertyNames().eval);
+    return generator.emitCallEval(generator.finalDestination(dst, func.get()), func.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
 }
 
@@ -608 +608 @@
 {
     RefPtr<RegisterID> func = generator.emitNode(m_expr.get());
-    return generator.emitCall(generator.finalDestination(dst), func.get(), 0, m_args.get(), divot(), startOffset(), endOffset());
+    RefPtr<RegisterID> thisRegister = generator.emitLoad(generator.newTemporary(), jsNull());
+    return generator.emitCall(generator.finalDestination(dst, func.get()), func.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
 }
 
@@ -625 +626 @@
 RegisterID* FunctionCallResolveNode::emitCode(CodeGenerator& generator, RegisterID* dst)
 {
-    if (RefPtr<RegisterID> local = generator.registerFor(m_ident))
-        return generator.emitCall(generator.finalDestination(dst), local.get(), 0, m_args.get(), divot(), startOffset(), endOffset());
+    if (RefPtr<RegisterID> local = generator.registerFor(m_ident)) {
+        RefPtr<RegisterID> thisRegister = generator.emitLoad(generator.newTemporary(), jsNull());
+        return generator.emitCall(generator.finalDestination(dst, thisRegister.get()), local.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
+    }
 
     int index = 0;
@@ -633 +636 @@
     if (generator.findScopedProperty(m_ident, index, depth, false, globalObject) && index != missingSymbolMarker()) {
         RefPtr<RegisterID> func = generator.emitGetScopedVar(generator.newTemporary(), depth, index, globalObject);
-        return generator.emitCall(generator.finalDestination(dst), func.get(), 0, m_args.get(), divot(), startOffset(), endOffset());
-    }
-
-    RefPtr<RegisterID> base = generator.tempDestination(dst);
-    RefPtr<RegisterID> func = generator.newTemporary();
+        RefPtr<RegisterID> thisRegister = generator.emitLoad(generator.newTemporary(), jsNull());
+        return generator.emitCall(generator.finalDestination(dst, func.get()), func.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
+    }
+
+    RefPtr<RegisterID> func = generator.tempDestination(dst);
+    RefPtr<RegisterID> thisRegister = generator.newTemporary();
     int identifierStart = divot() - startOffset();
     generator.emitExpressionInfo(identifierStart + m_ident.size(), m_ident.size(), 0);
-    generator.emitResolveFunction(base.get(), func.get(), m_ident);
-    return generator.emitCall(generator.finalDestination(dst, base.get()), func.get(), base.get(), m_args.get(), divot(), startOffset(), endOffset());
+    generator.emitResolveFunction(thisRegister.get(), func.get(), m_ident);
+    return generator.emitCall(generator.finalDestination(dst, func.get()), func.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
 }
 
@@ -663 +667 @@
     RegisterID* property = generator.emitNode(m_subscript.get());
     generator.emitExpressionInfo(divot() - m_subexpressionDivotOffset, startOffset() - m_subexpressionDivotOffset, m_subexpressionEndOffset);
-    RefPtr<RegisterID> function = generator.emitGetByVal(generator.newTemporary(), base.get(), property);
-    return generator.emitCall(generator.finalDestination(dst, base.get()), function.get(), base.get(), m_args.get(), divot(), startOffset(), endOffset());
+    RefPtr<RegisterID> function = generator.emitGetByVal(generator.tempDestination(dst), base.get(), property);
+    RefPtr<RegisterID> thisRegister = generator.emitMove(generator.newTemporary(), base.get());
+    return generator.emitCall(generator.finalDestination(dst, function.get()), function.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
 }
 
@@ -684 +689 @@
     RefPtr<RegisterID> base = generator.emitNode(m_base.get());
     generator.emitExpressionInfo(divot() - m_subexpressionDivotOffset, startOffset() - m_subexpressionDivotOffset, m_subexpressionEndOffset);
-    RefPtr<RegisterID> function = generator.emitGetById(generator.newTemporary(), base.get(), m_ident);
-    return generator.emitCall(generator.finalDestination(dst, base.get()), function.get(), base.get(), m_args.get(), divot(), startOffset(), endOffset());
+    RefPtr<RegisterID> function = generator.emitGetById(generator.tempDestination(dst), base.get(), m_ident);
+    RefPtr<RegisterID> thisRegister = generator.emitMove(generator.newTemporary(), base.get());
+    return generator.emitCall(generator.finalDestination(dst, function.get()), function.get(), thisRegister.get(), m_args.get(), divot(), startOffset(), endOffset());
 }
 

trunk/JavaScriptCore/parser/Nodes.h

@@ -2079 +2079 @@
         int neededConstants()
         {
-            // We may need 1 more constant than the count given by the parser,
-            // because of the various uses of jsUndefined().
-            return m_numConstants + 1;
+            // We may need 2 more constants than the count given by the parser,
+            // because of the various uses of jsUndefined() and jsNull().
+            return m_numConstants + 2;
         }