Document (and assert) some of the safe-but-brittle implicit assumptions...

src/codegen-ia32.cc

 // Copyright 2006-2008 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 40 matching lines @@
 
 // A reference is a C++ stack-allocated object that keeps an ECMA
 // reference on the execution stack while in scope. For variables
 // the reference is empty, indicating that it isn't necessary to
 // store state on the stack for keeping track of references to those.
 // For properties, we keep either one (named) or two (indexed) values
 // on the execution stack to represent the reference.
 
 class Reference BASE_EMBEDDED {
  public:
-  enum Type { ILLEGAL = -1, EMPTY = 0, NAMED = 1, KEYED = 2 };
+  // The values of the types is important, see size().
+  enum Type { ILLEGAL = -1, SLOT = 0, NAMED = 1, KEYED = 2 };
   Reference(Ia32CodeGenerator* cgen, Expression* expression);
   ~Reference();
 
-  Expression* expression() const  { return expression_; }
-  Type type() const  { return type_; }
+  Expression* expression() const { return expression_; }
+  Type type() const { return type_; }
   void set_type(Type value) {
     ASSERT(type_ == ILLEGAL);
     type_ = value;
   }
-  int size() const  { return type_; }
 
-  bool is_illegal() const  { return type_ == ILLEGAL; }
+  // The size of the reference or -1 if the reference is illegal.
+  int size() const { return type_; }
+
+  bool is_illegal() const { return type_ == ILLEGAL; }
+  bool is_slot() const { return type_ == SLOT; }
+  bool is_property() const { return type_ == NAMED || type_ == KEYED; }
 
  private:
   Ia32CodeGenerator* cgen_;
   Expression* expression_;
   Type type_;
 };
 
 
 // -------------------------------------------------------------------------
 // Code generation state
@@ skipping 562 matching lines @@
     // saved to TOS, we push ecx onto the stack.
 
     // Store the arguments object.
     // This must happen after context initialization because
     // the arguments object may be stored in the context
     if (arguments_object_allocated) {
       ASSERT(scope->arguments() != NULL);
       ASSERT(scope->arguments_shadow() != NULL);
       Comment cmnt(masm_, "[ store arguments object");
       { Reference shadow_ref(this, scope->arguments_shadow());
+        ASSERT(shadow_ref.is_slot());
         { Reference arguments_ref(this, scope->arguments());
+          ASSERT(arguments_ref.is_slot());
           // If the newly-allocated arguments object is already on the
-          // stack, we make use of the property that references representing
-          // variables take up no space on the expression stack (ie, it
-          // doesn't matter that the stored value is actually below the
-          // reference).
-          ASSERT(arguments_ref.size() == 0);
-          ASSERT(shadow_ref.size() == 0);
-
-          // If the newly-allocated argument object is not already on the
-          // stack, we rely on the property that loading a
-          // (zero-sized) reference will not clobber the ecx register.
+          // stack, we make use of the convenient property that references
+          // representing slots take up no space on the expression stack
+          // (ie, it doesn't matter that the stored value is actually below
+          // the reference).
+          //
+          // If the newly-allocated argument object is not already on
+          // the stack, we rely on the property that loading a
+          // zero-sized reference will not clobber the ecx register.
           if (!arguments_object_saved) {
             __ push(ecx);
           }
           SetValue(&arguments_ref);
         }
         SetValue(&shadow_ref);
       }
       __ pop(eax);  // Value is no longer needed.
     }
 
@@ skipping 160 matching lines @@
   cgen_->UnloadReference(this);
 }
 
 
 void Ia32CodeGenerator::LoadReference(Reference* ref) {
   Expression* e = ref->expression();
   Property* property = e->AsProperty();
   Variable* var = e->AsVariableProxy()->AsVariable();
 
   if (property != NULL) {
+    // The expression is either a property or a variable proxy that rewrites
+    // to a property.
     Load(property->obj());
-    // Used a named reference if the key is a literal symbol.
-    // We don't use a named reference if they key is a string that can be
-    // legally parsed as an integer.  This is because, otherwise we don't
-    // get into the slow case code that handles [] on String objects.
+    // We use a named reference if the key is a literal symbol, unless it is
+    // a string that can be legally parsed as an integer.  This is because
+    // otherwise we will not get into the slow case code that handles [] on
+    // String objects.
     Literal* literal = property->key()->AsLiteral();
     uint32_t dummy;
-    if (literal != NULL && literal->handle()->IsSymbol() &&
-      !String::cast(*(literal->handle()))->AsArrayIndex(&dummy)) {
+    if (literal != NULL &&
+        literal->handle()->IsSymbol() &&
+        !String::cast(*(literal->handle()))->AsArrayIndex(&dummy)) {
       ref->set_type(Reference::NAMED);
     } else {
       Load(property->key());
       ref->set_type(Reference::KEYED);
     }
   } else if (var != NULL) {
+    // The expression is a variable proxy that does not rewrite to a
+    // property.  Global variables are treated as named property references.
     if (var->is_global()) {
-      // global variable
       LoadGlobal();
       ref->set_type(Reference::NAMED);
     } else {
-      // local variable
-      ref->set_type(Reference::EMPTY);
+      ASSERT(var->slot() != NULL);
+      ref->set_type(Reference::SLOT);
     }
   } else {
+    // Anything else is a runtime error.
     Load(e);
     __ CallRuntime(Runtime::kThrowReferenceError, 1);
-    __ push(eax);
   }
 }
 
 
 void Ia32CodeGenerator::UnloadReference(Reference* ref) {
   // Pop n references on the stack while preserving TOS
   Comment cmnt(masm_, "[ UnloadReference");
   int size = ref->size();
   if (size <= 0) {
     // Do nothing. No popping is necessary.
@@ skipping 67 matching lines @@
   // Convert result (eax) to condition code.
   __ test(eax, Operand(eax));
 
   ASSERT(not_equal == not_zero);
   cc_reg_ = not_equal;
 }
 
 
 void Ia32CodeGenerator::GetReferenceProperty(Expression* key) {
   ASSERT(!ref()->is_illegal());
-  Reference::Type type = ref()->type();
 
   // TODO(1241834): Make sure that this it is safe to ignore the distinction
   // between access types LOAD and LOAD_TYPEOF_EXPR. If there is a chance
   // that reference errors can be thrown below, we must distinguish between
   // the two kinds of loads (typeof expression loads must not throw a
   // reference error).
-  if (type == Reference::NAMED) {
+  if (ref()->type() == Reference::NAMED) {
     // Compute the name of the property.
     Literal* literal = key->AsLiteral();
     Handle<String> name(String::cast(*literal->handle()));
 
     Handle<Code> ic(Builtins::builtin(Builtins::LoadIC_Initialize));
     Variable* var = ref()->expression()->AsVariableProxy()->AsVariable();
     // Setup the name register.
     __ Set(ecx, Immediate(name));
     if (var != NULL) {
       ASSERT(var->is_global());
       __ call(ic, RelocInfo::CODE_TARGET_CONTEXT);
     } else {
       __ call(ic, RelocInfo::CODE_TARGET);
     }
   } else {
     // Access keyed property.
-    ASSERT(type == Reference::KEYED);
+    ASSERT(ref()->type() == Reference::KEYED);
 
     // Call IC code.
     Handle<Code> ic(Builtins::builtin(Builtins::KeyedLoadIC_Initialize));
     Variable* var = ref()->expression()->AsVariableProxy()->AsVariable();
     if (var != NULL) {
       ASSERT(var->is_global());
       __ call(ic, RelocInfo::CODE_TARGET_CONTEXT);
     } else {
       __ call(ic, RelocInfo::CODE_TARGET);
     }
@@ skipping 749 matching lines @@
   Expression* val = NULL;
   if (node->mode() == Variable::CONST) {
     val = new Literal(Factory::the_hole_value());
   } else {
     val = node->fun();  // NULL if we don't have a function
   }
 
   if (val != NULL) {
     // Set initial value.
     Reference target(this, node->proxy());
+    ASSERT(target.is_slot());
     Load(val);
     SetValue(&target);
-    // Get rid of the assigned value (declarations are statements).
+    // Get rid of the assigned value (declarations are statements).  It's
+    // safe to pop the value lying on top of the reference before unloading
+    // the reference itself (which preserves the top of stack) because we
+    // know that it is a zero-sized reference.
     __ pop(eax);  // Pop(no_reg);
   }
 }
 
 
 void Ia32CodeGenerator::VisitExpressionStatement(ExpressionStatement* node) {
   Comment cmnt(masm_, "[ ExpressionStatement");
   RecordStatementPosition(node);
   Expression* expression = node->expression();
   expression->MarkAsStatement();
@@ skipping 493 matching lines @@
 
   // If the property has been removed while iterating, we just skip it.
   __ cmp(ebx, Factory::null_value());
   __ j(equal, &next);
 
 
   __ bind(&end_del_check);
 
   // Store the entry in the 'each' expression and take another spin in the loop.
   // edx: i'th entry of the enum cache (or string there of)
-  __ push(Operand(ebx));
+  __ push(ebx);
   { Reference each(this, node->each());
     if (!each.is_illegal()) {
       if (each.size() > 0) {
         __ push(Operand(esp, kPointerSize * each.size()));
       }
+      // If the reference was to a slot we rely on the convenient property
+      // that it doesn't matter whether a value (eg, ebx pushed above) is
+      // right on top of or right underneath a zero-sized reference.
       SetValue(&each);
       if (each.size() > 0) {
+        // It's safe to pop the value lying on top of the reference before
+        // unloading the reference itself (which preserves the top of stack,
+        // ie, now the topmost value of the non-zero sized reference), since
+        // we will discard the top of stack after unloading the reference
+        // anyway.
         __ pop(eax);
       }
     }
   }
-  __ pop(eax);  // pop the i'th entry pushed above
+  // Discard the i'th entry pushed above or else the remainder of the
+  // reference, whichever is currently on top of the stack.
+  __ pop(eax);
   CheckStack();  // TODO(1222600): ignore if body contains calls.
   __ jmp(&loop);
 
   // Cleanup.
   __ bind(&cleanup);
   __ bind(node->break_target());
   __ add(Operand(esp), Immediate(5 * kPointerSize));
 
   // Exit.
   __ bind(&exit);
 
   break_stack_height_ -= kForInStackSize;
 }
 
 
 void Ia32CodeGenerator::VisitTryCatch(TryCatch* node) {
   Comment cmnt(masm_, "[ TryCatch");
 
   Label try_block, exit;
 
   __ call(&try_block);
   // --- Catch block ---
   __ push(eax);
 
   // Store the caught exception in the catch variable.
   { Reference ref(this, node->catch_var());
-    // Load the exception to the top of the stack.
-    __ push(Operand(esp, ref.size() * kPointerSize));
+    ASSERT(ref.is_slot());
+    // Load the exception to the top of the stack.  Here we make use of the
+    // convenient property that it doesn't matter whether a value is
+    // immediately on top of or underneath a zero-sized reference.
     SetValue(&ref);
-    __ pop(eax);  // pop the pushed exception
   }
 
   // Remove the exception from the stack.
   __ pop(edx);
 
   VisitStatements(node->catch_block()->statements());
   __ jmp(&exit);
 
 
   // --- Try block ---
@@ skipping 719 matching lines @@
     } else {
       // -------------------------------------------
       // JavaScript example: 'array[index](1, 2, 3)'
       // -------------------------------------------
 
       // Load the function to call from the property through a reference.
       Reference ref(this, property);
       GetValue(&ref);
 
       // Pass receiver to called function.
+      // The reference's size is non-negative.
       __ push(Operand(esp, ref.size() * kPointerSize));
 
       // Call the function.
       CallWithArguments(args, node->position());
     }
 
   } else {
     // ----------------------------------
     // JavaScript example: 'foo(1, 2, 3)'  // foo is not global
     // ----------------------------------
@@ skipping 2282 matching lines @@
                                      bool is_eval) {
   Handle<Code> code = Ia32CodeGenerator::MakeCode(fun, script, is_eval);
   if (!code.is_null()) {
     Counters::total_compiled_code_size.Increment(code->instruction_size());
   }
   return code;
 }
 
 
 } }  // namespace v8::internal