Fix calls of strict mode function with an implicit receiver.

src/ia32/code-stubs-ia32.cc

 // Copyright 2011 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 3895 matching lines @@
 void StackCheckStub::Generate(MacroAssembler* masm) {
   __ TailCallRuntime(Runtime::kStackGuard, 0, 1);
 }
 
 
 void CallFunctionStub::Generate(MacroAssembler* masm) {
   Label slow;
 
   // If the receiver might be a value (string, number or boolean) check for this
   // and box it if it is.
-  if (ReceiverMightBeValue()) {
+  if (ReceiverMightBeValue() || NonValueReceiverMightBeImplicit()) {

[Kevin Millikin (Chromium), 2011/05/18 15:57:23]

I can't figure out if these are separate bits or if they are mutually exclusive.
 If they are separate bits, this should be written as:

if (NonValueReceiverMightBeImplicit()) {
}
if (ReceiverMightBeValue()) {
}

If mutually exclusive:

if (NonValueReceiverMightBeImplicit()) {
} else if (ReceiverMightBeValue()) {
}

[Mads Ager (chromium), 2011/05/23 16:31:34]

I can't actually hit the non-object case in the call function stub. I cannot see
how we can ever get in that situation. Certainly non of our tests hit that case
(I tested with an int3()). I'll just get rid of the receiver value check
completely.

Soren and I digged into it today. It was put in when we used CallFunctionStub
for keyed calls. We don't do that anymore (only for synthetic where we know it
is not a value) and therefore we cannot hit this case.

+    Label explicit_receiver, receiver_is_value, receiver_is_js_object;
+
     // Get the receiver from the stack.
     // +1 ~ return address
-    Label receiver_is_value, receiver_is_js_object;
     __ mov(eax, Operand(esp, (argc_ + 1) * kPointerSize));
+    // Implicit global receiver is indicated with the hole.
+    __ cmp(eax, masm->isolate()->factory()->the_hole_value());
+    __ j(not_equal, &explicit_receiver, Label::kNear);
+    // Patch the receiver on the stack with the global receiver object.
+    __ mov(ebx, GlobalObjectOperand());
+    __ mov(ebx, FieldOperand(ebx, GlobalObject::kGlobalReceiverOffset));

[Kevin Millikin (Chromium), 2011/05/18 15:57:23]

This should go in eax?  Otherwise the ReceiverMightBeValue TO_OBJECT case below
is going to still see the hole.

[Mads Ager (chromium), 2011/05/23 16:31:34]

Doesn't matter. We unconditionally jmp over the TO_OBJECT case if we see the
hole value here.

Will be dead code now.

+    __ mov(Operand(esp, (argc_ + 1) * kPointerSize), ebx);
+    // Mark as implicit receiver call.

[Kevin Millikin (Chromium), 2011/05/18 15:57:23]

We should be able to avoid setting ecx to check it below and see which
InvokeFunction to use (InvokeFunction will then set ecx again).  Instead we
could probably make use of the hole value/non-hole value we currently have in
eax if it were preserved.

[Mads Ager (chromium), 2011/05/23 16:31:34]

Done.

+    __ SetReceiverType(ecx, IMPLICIT_RECEIVER);
+    __ jmp(&receiver_is_js_object);
+    __ bind(&explicit_receiver);
+    __ SetReceiverType(ecx, EXPLICIT_RECEIVER);
 
-    // Check if receiver is a smi (which is a number value).
-    __ test(eax, Immediate(kSmiTagMask));
-    __ j(zero, &receiver_is_value);
+    if (ReceiverMightBeValue()) {
+      // Check if receiver is a smi (which is a number value).
+      __ test(eax, Immediate(kSmiTagMask));
+      __ j(zero, &receiver_is_value);
 
-    // Check if the receiver is a valid JS object.
-    __ CmpObjectType(eax, FIRST_JS_OBJECT_TYPE, edi);
-    __ j(above_equal, &receiver_is_js_object);
+      // Check if the receiver is a valid JS object.
+      __ CmpObjectType(eax, FIRST_JS_OBJECT_TYPE, edi);
+      __ j(above_equal, &receiver_is_js_object);
 
-    // Call the runtime to box the value.
-    __ bind(&receiver_is_value);
-    __ EnterInternalFrame();
-    __ push(eax);
-    __ InvokeBuiltin(Builtins::TO_OBJECT, CALL_FUNCTION);
-    __ LeaveInternalFrame();
-    __ mov(Operand(esp, (argc_ + 1) * kPointerSize), eax);
-
+      // Call the runtime to box the value.
+      __ bind(&receiver_is_value);
+      __ EnterInternalFrame();
+      // Save implicit receiver information.
+      __ push(ecx);
+      __ push(eax);
+      __ InvokeBuiltin(Builtins::TO_OBJECT, CALL_FUNCTION);
+      // Restore implicit receiver information.
+      __ pop(ecx);
+      __ LeaveInternalFrame();
+      __ mov(Operand(esp, (argc_ + 1) * kPointerSize), eax);
+    }
     __ bind(&receiver_is_js_object);
   }
 
   // Get the function to call from the stack.
   // +2 ~ receiver, return address
   __ mov(edi, Operand(esp, (argc_ + 2) * kPointerSize));
 
   // Check that the function really is a JavaScript function.
   __ test(edi, Immediate(kSmiTagMask));
   __ j(zero, &slow);
   // Goto slow case if we do not have a function.
-  __ CmpObjectType(edi, JS_FUNCTION_TYPE, ecx);
+  __ CmpObjectType(edi, JS_FUNCTION_TYPE, eax);
   __ j(not_equal, &slow);
 
   // Fast-case: Just invoke the function.
   ParameterCount actual(argc_);
-  __ InvokeFunction(edi, actual, JUMP_FUNCTION);
+
+  if (ReceiverMightBeValue() || NonValueReceiverMightBeImplicit()) {
+    Label implicit_receiver_call;
+    __ test(ecx, Operand(ecx));
+    __ j(not_zero, &implicit_receiver_call);
+    __ InvokeFunction(edi, actual, JUMP_FUNCTION);
+    __ bind(&implicit_receiver_call);
+  }
+  __ InvokeFunction(edi,
+                    actual,
+                    JUMP_FUNCTION,
+                    NullCallWrapper(),
+                    IMPLICIT_RECEIVER);
 
   // Slow-case: Non-function called.
   __ bind(&slow);
   // CALL_NON_FUNCTION expects the non-function callee as receiver (instead
   // of the original receiver from the call site).
   __ mov(Operand(esp, (argc_ + 1) * kPointerSize), edi);
   __ Set(eax, Immediate(argc_));
   __ Set(ebx, Immediate(0));
   __ GetBuiltinEntry(edx, Builtins::CALL_NON_FUNCTION);
   Handle<Code> adaptor =
@@ skipping 273 matching lines @@
         Builtins::kJSConstructEntryTrampoline,
         masm->isolate());
     __ mov(edx, Immediate(construct_entry));
   } else {
     ExternalReference entry(Builtins::kJSEntryTrampoline,
                             masm->isolate());
     __ mov(edx, Immediate(entry));
   }
   __ mov(edx, Operand(edx, 0));  // deref address
   __ lea(edx, FieldOperand(edx, Code::kHeaderSize));
+  __ SetReceiverType(ecx, EXPLICIT_RECEIVER);
   __ call(Operand(edx));
 
   // Unlink this frame from the handler chain.
   __ PopTryHandler();
 
   __ bind(&exit);
 #ifdef ENABLE_LOGGING_AND_PROFILING
   // Check if the current stack frame is marked as the outermost JS frame.
   __ pop(ebx);
   __ cmp(Operand(ebx),
@@ skipping 1894 matching lines @@
   __ Drop(1);
   __ ret(2 * kPointerSize);
 }
 
 
 #undef __
 
 } }  // namespace v8::internal
 
 #endif  // V8_TARGET_ARCH_IA32