Diffstat (limited to 'Source/JavaScriptCore')
19 files changed, 142 insertions, 66 deletions
diff --git a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h index 42ac400fc..4afdac681 100644 --- a/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h +++ b/Source/JavaScriptCore/assembler/MacroAssemblerARM64.h @@ -1092,12 +1092,12 @@ public: void zeroExtend16To32(RegisterID src, RegisterID dest) { - m_assembler.uxth<64>(dest, src); + m_assembler.uxth<32>(dest, src); } void signExtend16To32(RegisterID src, RegisterID dest) { - m_assembler.sxth<64>(dest, src); + m_assembler.sxth<32>(dest, src); } void load8(ImplicitAddress address, RegisterID dest) @@ -1152,12 +1152,12 @@ public: void zeroExtend8To32(RegisterID src, RegisterID dest) { - m_assembler.uxtb<64>(dest, src); + m_assembler.uxtb<32>(dest, src); } void signExtend8To32(RegisterID src, RegisterID dest) { - m_assembler.sxtb<64>(dest, src); + m_assembler.sxtb<32>(dest, src); } void store64(RegisterID src, ImplicitAddress address) diff --git a/Source/JavaScriptCore/b3/B3LowerMacros.cpp b/Source/JavaScriptCore/b3/B3LowerMacros.cpp index f71ca62ab..2e5693b01 100644 --- a/Source/JavaScriptCore/b3/B3LowerMacros.cpp +++ b/Source/JavaScriptCore/b3/B3LowerMacros.cpp @@ -138,6 +138,7 @@ private: normalResult->setPhi(phi); zeroResult->setPhi(phi); m_value->replaceWithIdentity(phi); + before->updatePredecessorsAfter(); m_changed = true; } else makeDivisionChill(Mod); diff --git a/Source/JavaScriptCore/bytecode/ByValInfo.h b/Source/JavaScriptCore/bytecode/ByValInfo.h index 20518300c..c61898fa8 100644 --- a/Source/JavaScriptCore/bytecode/ByValInfo.h +++ b/Source/JavaScriptCore/bytecode/ByValInfo.h 
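Review bot: Nothing at these four helpers records why the 32-bit assembler forms are the right ones, and a reader of a 64-bit MacroAssembler will see `<32>` and wonder whether it is a typo. The method names promise a 32-bit result; on AArch64 the W-register form writes the low half and leaves the upper 32 bits of `dest` zero, whereas `sxth<64>` would sign-extend into the whole 64-bit register, which callers treating `dest` as a 32-bit value would not expect. A one-line comment on each would pin this, e.g. `// W-form: upper 32 bits of dest are cleared, as the To32 contract requires`. The same note applies to the zeroExtend8To32/signExtend8To32 hunk that follows on this line.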
@@ -204,10 +204,11 @@ inline JITArrayMode jitArrayModeForStructure(Structure* structure) struct ByValInfo { ByValInfo() { } - ByValInfo(unsigned bytecodeIndex, CodeLocationJump notIndexJump, CodeLocationJump badTypeJump, JITArrayMode arrayMode, ArrayProfile* arrayProfile, int16_t badTypeJumpToDone, int16_t badTypeJumpToNextHotPath, int16_t returnAddressToSlowPath) + ByValInfo(unsigned bytecodeIndex, CodeLocationJump notIndexJump, CodeLocationJump badTypeJump, CodeLocationLabel exceptionHandler, JITArrayMode arrayMode, ArrayProfile* arrayProfile, int16_t badTypeJumpToDone, int16_t badTypeJumpToNextHotPath, int16_t returnAddressToSlowPath) : bytecodeIndex(bytecodeIndex) , notIndexJump(notIndexJump) , badTypeJump(badTypeJump) + , exceptionHandler(exceptionHandler) , arrayMode(arrayMode) , arrayProfile(arrayProfile) , badTypeJumpToDone(badTypeJumpToDone) @@ -223,6 +224,7 @@ struct ByValInfo { unsigned bytecodeIndex; CodeLocationJump notIndexJump; CodeLocationJump badTypeJump; + CodeLocationLabel exceptionHandler; JITArrayMode arrayMode; // The array mode that was baked into the inline JIT code. ArrayProfile* arrayProfile; int16_t badTypeJumpToDone; diff --git a/Source/JavaScriptCore/bytecompiler/SetForScope.h b/Source/JavaScriptCore/bytecompiler/SetForScope.h index eef76aef4..95a9777a4 100644 --- a/Source/JavaScriptCore/bytecompiler/SetForScope.h +++ b/Source/JavaScriptCore/bytecompiler/SetForScope.h @@ -59,4 +59,6 @@ private: }; // namespace JSC +using JSC::SetForScope; + #endif // SetForScope_h diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp index 698cc75db..e26b650bd 100644 --- a/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp 
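Review bot: The new `exceptionHandler` member has no comment, unlike `arrayMode` beside it, and its meaning is only discoverable from the JIT.cpp and JITPropertyAccess.cpp hunks of this same commit. Suggest `CodeLocationLabel exceptionHandler; // Entry of the owning CodeBlock's exception handler; by-val stubs compiled later link their exception checks here.` Note also that `ByValInfo() { }` leaves this field, like every other field, uninitialized, so a ByValInfo that was never filled in by privateCompile must not be handed to the stub compilers.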
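Review bot: `using JSC::SetForScope;` at global namespace scope in a header exports the unqualified name into every translation unit that includes SetForScope.h, so any other `SetForScope` visible in those units becomes ambiguous. If this deliberately follows the pattern of exporting utility types unqualified, a comment saying so keeps it from reading as a stray leftover, e.g. `// Exported unqualified so non-JSC code can use SetForScope without the namespace.`; otherwise the one consumer that needed it could qualify the name instead.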
@@ -148,7 +148,6 @@ private: for (Node* node : *block) { switch (node->op()) { case GetFromArguments: - DFG_ASSERT(m_graph, node, node->child1()->op() == CreateDirectArguments); break; case GetByVal: diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp index 6aefe61e3..8e93a7e95 100644 --- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp +++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp @@ -562,9 +562,15 @@ private: { flushDirect(operand, findArgumentPosition(operand)); } - + void flushDirect(VirtualRegister operand, ArgumentPosition* argumentPosition) { + addFlushOrPhantomLocal<Flush>(operand, argumentPosition); + } + + template<NodeType nodeType> + void addFlushOrPhantomLocal(VirtualRegister operand, ArgumentPosition* argumentPosition) + { ASSERT(!operand.isConstant()); Node* node = m_currentBlock->variablesAtTail.operand(operand); @@ -576,12 +582,17 @@ private: else variable = newVariableAccessData(operand); - node = addToGraph(Flush, OpInfo(variable)); + node = addToGraph(nodeType, OpInfo(variable)); m_currentBlock->variablesAtTail.operand(operand) = node; if (argumentPosition) argumentPosition->addVariable(variable); } - + + void phantomLocalDirect(VirtualRegister operand) + { + addFlushOrPhantomLocal<PhantomLocal>(operand, findArgumentPosition(operand)); + } + void flush(InlineStackEntry* inlineStackEntry) { int numArguments; 
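Review bot: Dropping the `DFG_ASSERT` that a `GetFromArguments`' child is a `CreateDirectArguments` weakens an invariant this phase relied on, and the new code gives no hint of which other child node kinds are now legal here or why leaving them alone is safe. A comment in place of the assertion would keep that knowledge in the file, e.g. `case GetFromArguments: // child1 need not be CreateDirectArguments here; it may also be ...` finishing with the node kinds the author now expects. If some kinds should still be rejected, a narrower assertion listing the allowed ops is better than none. The enclosing loop and switch begin outside this hunk.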
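Review bot: `addFlushOrPhantomLocal<nodeType>` is only meaningful for `Flush` and `PhantomLocal`, but nothing stops a future caller from instantiating it with another NodeType and the generic name does not say so. A `static_assert(nodeType == Flush || nodeType == PhantomLocal, "addFlushOrPhantomLocal only emits Flush or PhantomLocal");` at the top of the template body makes the contract a compile-time one. A short comment above `phantomLocalDirect` saying how it differs from `flushDirect` (it emits a PhantomLocal rather than a Flush, but still records the variable in the ArgumentPosition) would help the next reader too.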
@@ -602,8 +613,32 @@ private: void flushForTerminal() { - for (InlineStackEntry* inlineStackEntry = m_inlineStackTop; inlineStackEntry; inlineStackEntry = inlineStackEntry->m_caller) + CodeOrigin origin = currentCodeOrigin(); + unsigned bytecodeIndex = origin.bytecodeIndex; + + for (InlineStackEntry* inlineStackEntry = m_inlineStackTop; inlineStackEntry; inlineStackEntry = inlineStackEntry->m_caller) { flush(inlineStackEntry); + + ASSERT(origin.inlineCallFrame == inlineStackEntry->m_inlineCallFrame); + InlineCallFrame* inlineCallFrame = inlineStackEntry->m_inlineCallFrame; + CodeBlock* codeBlock = m_graph.baselineCodeBlockFor(inlineCallFrame); + FullBytecodeLiveness& fullLiveness = m_graph.livenessFor(codeBlock); + const FastBitVector& livenessAtBytecode = fullLiveness.getLiveness(bytecodeIndex); + + for (unsigned local = codeBlock->m_numCalleeLocals; local--;) { + if (livenessAtBytecode.get(local)) { + VirtualRegister reg = virtualRegisterForLocal(local); + if (inlineCallFrame) + reg = inlineStackEntry->remapOperand(reg); + phantomLocalDirect(reg); + } + } + + if (inlineCallFrame) { + bytecodeIndex = inlineCallFrame->directCaller.bytecodeIndex; + origin = inlineCallFrame->directCaller; + } + } } void flushForReturn() diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h index d7ce00df5..566bc398c 100644 --- a/Source/JavaScriptCore/dfg/DFGClobberize.h +++ b/Source/JavaScriptCore/dfg/DFGClobberize.h @@ -204,6 +204,10 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu read(JSObject_butterfly); ArrayMode mode = node->arrayMode(); switch (mode.type()) { + case Array::ForceExit: { + write(SideState); + return; + } case Array::Int32: { if (mode.isInBounds()) { read(Butterfly_publicLength); diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp index 97e924df2..474f1a08a 100644 
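Review bot: The new loop in `flushForTerminal` has no comment saying why locals that are bytecode-live at the terminal now get a `PhantomLocal` on top of the existing flush, and the code alone does not explain it. Presumably this keeps those locals available to OSR exit at the terminal rather than letting them be treated as dead — worth confirming and writing down, e.g. `// Keep every bytecode-live local of each inlined frame alive at the terminal, not just the flushed arguments, so exits here still see them.` A one-line note that `bytecodeIndex`/`origin` are deliberately advanced to `directCaller` only after the liveness lookup for the current frame would also help, since that ordering matters.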
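Review bot: The `Array::ForceExit` case returns right after `write(SideState)`, but the `read(JSObject_butterfly)` issued just before the `switch` has already been recorded for a node that will never load the butterfly. That is conservative rather than wrong, yet if ForceExit is meant to be a pure side-state node the read belongs after this case (or the case before the read), with a comment such as `// ForceExit never touches the butterfly; only side state is affected.` The enclosing switch on the node's op begins outside this hunk.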
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp @@ -3815,8 +3815,6 @@ void SpeculativeJIT::compile(Node* node) } case GetById: { - ASSERT(node->prediction()); - switch (node->child1().useKind()) { case CellUse: { SpeculateCellOperand base(this, node->child1()); diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp index dbcdfb5f7..d5fd25d96 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp @@ -3877,8 +3877,6 @@ void SpeculativeJIT::compile(Node* node) break; } case GetById: { - ASSERT(node->prediction()); - switch (node->child1().useKind()) { case CellUse: { SpeculateCellOperand base(this, node->child1()); diff --git a/Source/JavaScriptCore/jit/JIT.cpp b/Source/JavaScriptCore/jit/JIT.cpp index ac8c132aa..8f5c02177 100644 --- a/Source/JavaScriptCore/jit/JIT.cpp +++ b/Source/JavaScriptCore/jit/JIT.cpp 
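Review bot: The `ASSERT(node->prediction())` in the `GetById` case is removed without a comment, in both the 32_64 and the 64-bit `compile()` hunks on this line, so a reader cannot tell whether a GetById with an empty prediction is now expected or merely tolerated. A short comment at the top of the case would record the trigger, e.g. `// A GetById can reach here with no prediction (when ...); nothing below depends on it.` filled in with the actual cause. If only one path can produce that, a narrower assertion would preserve the rest of the invariant.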
@@ -671,27 +671,33 @@ CompilationResult JIT::privateCompile(JITCompilationEffort effort) for (unsigned i = m_putByIds.size(); i--;) m_putByIds[i].finalize(patchBuffer); - for (const auto& byValCompilationInfo : m_byValCompilationInfo) { - PatchableJump patchableNotIndexJump = byValCompilationInfo.notIndexJump; - CodeLocationJump notIndexJump = CodeLocationJump(); - if (Jump(patchableNotIndexJump).isSet()) - notIndexJump = CodeLocationJump(patchBuffer.locationOf(patchableNotIndexJump)); - CodeLocationJump badTypeJump = CodeLocationJump(patchBuffer.locationOf(byValCompilationInfo.badTypeJump)); - CodeLocationLabel doneTarget = patchBuffer.locationOf(byValCompilationInfo.doneTarget); - CodeLocationLabel nextHotPathTarget = patchBuffer.locationOf(byValCompilationInfo.nextHotPathTarget); - CodeLocationLabel slowPathTarget = patchBuffer.locationOf(byValCompilationInfo.slowPathTarget); - CodeLocationCall returnAddress = patchBuffer.locationOf(byValCompilationInfo.returnAddress); - - *byValCompilationInfo.byValInfo = ByValInfo( - byValCompilationInfo.bytecodeIndex, - notIndexJump, - badTypeJump, - byValCompilationInfo.arrayMode, - byValCompilationInfo.arrayProfile, - differenceBetweenCodePtr(badTypeJump, doneTarget), - differenceBetweenCodePtr(badTypeJump, nextHotPathTarget), - differenceBetweenCodePtr(returnAddress, slowPathTarget)); + if (m_byValCompilationInfo.size()) { + CodeLocationLabel exceptionHandler = patchBuffer.locationOf(m_exceptionHandler); + + for (const auto& byValCompilationInfo : m_byValCompilationInfo) { + PatchableJump patchableNotIndexJump = byValCompilationInfo.notIndexJump; + CodeLocationJump notIndexJump = CodeLocationJump(); + if (Jump(patchableNotIndexJump).isSet()) + notIndexJump = CodeLocationJump(patchBuffer.locationOf(patchableNotIndexJump)); + CodeLocationJump badTypeJump = CodeLocationJump(patchBuffer.locationOf(byValCompilationInfo.badTypeJump)); + CodeLocationLabel doneTarget = patchBuffer.locationOf(byValCompilationInfo.doneTarget); + 
CodeLocationLabel nextHotPathTarget = patchBuffer.locationOf(byValCompilationInfo.nextHotPathTarget); + CodeLocationLabel slowPathTarget = patchBuffer.locationOf(byValCompilationInfo.slowPathTarget); + CodeLocationCall returnAddress = patchBuffer.locationOf(byValCompilationInfo.returnAddress); + + *byValCompilationInfo.byValInfo = ByValInfo( + byValCompilationInfo.bytecodeIndex, + notIndexJump, + badTypeJump, + exceptionHandler, + byValCompilationInfo.arrayMode, + byValCompilationInfo.arrayProfile, + differenceBetweenCodePtr(badTypeJump, doneTarget), + differenceBetweenCodePtr(badTypeJump, nextHotPathTarget), + differenceBetweenCodePtr(returnAddress, slowPathTarget)); + } } + for (unsigned i = 0; i < m_callCompilationInfo.size(); ++i) { CallCompilationInfo& compilationInfo = m_callCompilationInfo[i]; CallLinkInfo& info = *compilationInfo.callLinkInfo; @@ -763,7 +769,8 @@ void JIT::privateCompileExceptionHandlers() jumpToExceptionHandler(); } - if (!m_exceptionChecks.empty()) { + if (!m_exceptionChecks.empty() || m_byValCompilationInfo.size()) { + m_exceptionHandler = label(); m_exceptionChecks.link(this); copyCalleeSavesToVMCalleeSavesBuffer(); diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h index e81824268..949b4b134 100644 --- a/Source/JavaScriptCore/jit/JIT.h +++ b/Source/JavaScriptCore/jit/JIT.h @@ -903,6 +903,7 @@ namespace JSC { JumpList m_exceptionChecks; JumpList m_exceptionChecksWithCallFrameRollback; + Label m_exceptionHandler; unsigned m_getByIdIndex; unsigned m_putByIdIndex; diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp index 3781c1df2..8b6d6ecc3 100644 --- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp +++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 
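Review bot: `patchBuffer.locationOf(m_exceptionHandler)` is only meaningful if `privateCompileExceptionHandlers` bound the label, and that depends on a matching `|| m_byValCompilationInfo.size()` condition in a different function with nothing tying the two together. An `ASSERT(m_exceptionHandler.isSet());` before the `locationOf` call would catch the two conditions drifting apart, and a comment on the `if` would make the dependency visible: `// The exception handler label is emitted whenever there are exception checks or by-val stubs; see privateCompileExceptionHandlers.`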
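Review bot: The widened condition `!m_exceptionChecks.empty() || m_byValCompilationInfo.size()` is not explained at the site, so the second operand reads as unrelated to exception checks. Suggest above the `if`: `// By-val stubs compiled later (privateCompileGetByValWithCachedId/PutByVal) link their own exception checks to this label via ByValInfo::exceptionHandler, so it must exist even when this code block has no checks of its own.` The rest of the handler body lies outside the hunk.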
@@ -1256,6 +1256,8 @@ void JIT::privateCompileGetByValWithCachedId(ByValInfo* byValInfo, ReturnAddress patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath)); patchBuffer.link(fastDoneCase, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone)); patchBuffer.link(slowDoneCase, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToNextHotPath)); + if (!m_exceptionChecks.empty()) + patchBuffer.link(m_exceptionChecks, byValInfo->exceptionHandler); for (const auto& callSite : m_calls) { if (callSite.to) @@ -1344,6 +1346,9 @@ void JIT::privateCompilePutByValWithCachedId(ByValInfo* byValInfo, ReturnAddress LinkBuffer patchBuffer(*m_vm, *this, m_codeBlock); patchBuffer.link(slowCases, CodeLocationLabel(MacroAssemblerCodePtr::createFromExecutableAddress(returnAddress.value())).labelAtOffset(byValInfo->returnAddressToSlowPath)); patchBuffer.link(doneCases, byValInfo->badTypeJump.labelAtOffset(byValInfo->badTypeJumpToDone)); + if (!m_exceptionChecks.empty()) + patchBuffer.link(m_exceptionChecks, byValInfo->exceptionHandler); + for (const auto& callSite : m_calls) { if (callSite.to) patchBuffer.link(callSite.from, FunctionPtr(callSite.to)); diff --git a/Source/JavaScriptCore/jsc.cpp b/Source/JavaScriptCore/jsc.cpp index c672add34..d9f888fb1 100644 --- a/Source/JavaScriptCore/jsc.cpp +++ b/Source/JavaScriptCore/jsc.cpp 
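Review bot: Only `m_exceptionChecks` is linked into the stub; `m_exceptionChecksWithCallFrameRollback`, the other JumpList on JIT, is never linked here, so if any helper used while emitting a cached-id by-val stub can add to it, those jumps would be left dangling in executable code. If that list can never be populated on this path, an `ASSERT(m_exceptionChecksWithCallFrameRollback.empty());` next to the new link makes the assumption enforceable; if it can, it needs a target too. The same applies to the PutByVal hunk on this line. A comment that `byValInfo->exceptionHandler` points into the owning CodeBlock's code, so the stub presumably relies on leaving the frame as that handler expects, would also help.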
@@ -1122,23 +1122,29 @@ EncodedJSValue JSC_HOST_CALL functionCreateRoot(ExecState* exec) EncodedJSValue JSC_HOST_CALL functionCreateElement(ExecState* exec) { JSLockHolder lock(exec); - JSValue arg = exec->argument(0); - return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), arg.isNull() ? nullptr : jsCast<Root*>(exec->argument(0)))); + Root* root = jsDynamicCast<Root*>(exec->argument(0)); + if (!root) + return JSValue::encode(exec->vm().throwException(exec, createError(exec, ASCIILiteral("Cannot create Element without a Root.")))); + return JSValue::encode(Element::create(exec->vm(), exec->lexicalGlobalObject(), root)); } EncodedJSValue JSC_HOST_CALL functionGetElement(ExecState* exec) { JSLockHolder lock(exec); - Element* result = jsCast<Root*>(exec->argument(0).asCell())->element(); + Root* root = jsDynamicCast<Root*>(exec->argument(0)); + if (!root) + return JSValue::encode(jsUndefined()); + Element* result = root->element(); return JSValue::encode(result ? result : jsUndefined()); } EncodedJSValue JSC_HOST_CALL functionSetElementRoot(ExecState* exec) { JSLockHolder lock(exec); - Element* element = jsCast<Element*>(exec->argument(0)); - Root* root = jsCast<Root*>(exec->argument(1)); - element->setRoot(exec->vm(), root); + Element* element = jsDynamicCast<Element*>(exec->argument(0)); + Root* root = jsDynamicCast<Root*>(exec->argument(1)); + if (element && root) + element->setRoot(exec->vm(), root); return JSValue::encode(jsUndefined()); } diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm index a92d55aa9..14ffda64e 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 
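Review bot: The three helpers now treat a wrong argument three different ways: `functionCreateElement` throws, `functionGetElement` returns undefined and `functionSetElementRoot` silently does nothing, so a test that passes the wrong object passes quietly in two of the three. Throwing in all three (e.g. `return JSValue::encode(exec->vm().throwException(exec, createError(exec, ASCIILiteral("Expected a Root."))));` in the other two) would surface misuse in the shell's GC tests rather than hide it. Note also that `createElement(null)`, which the old code accepted as a root-less Element, now throws; if any test relied on that it needs updating.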
@@ -1514,6 +1514,12 @@ _llint_op_put_by_id: .opPutByIdTransitionDirect: storei t1, JSCell::m_structureID[t0] + loadi 12[PC], t1 + loadConstantOrVariable(t1, t2, t3) + loadi 20[PC], t1 + storePropertyAtVariableOffset(t1, t0, t2, t3) + writeBarrierOnOperand(1) + dispatch(9) .opPutByIdNotTransition: # The only thing live right now is t0, which holds the base. diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm index 85173bc82..4b3febb3f 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm @@ -1398,6 +1398,10 @@ _llint_op_put_by_id: .opPutByIdTransitionDirect: storei t1, JSCell::m_structureID[t0] + writeBarrierOnOperand(1) + # Reload base into t0 + loadisFromInstruction(1, t1) + loadConstantOrVariable(t1, t0) .opPutByIdNotTransition: # The only thing live right now is t0, which holds the base. diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp index 3023151bf..7813b404f 100644 --- a/Source/JavaScriptCore/runtime/ArgList.cpp +++ b/Source/JavaScriptCore/runtime/ArgList.cpp @@ -30,6 +30,19 @@ using std::min; namespace JSC { +void MarkedArgumentBuffer::addMarkSet(JSValue v) +{ + if (m_markSet) + return; + + Heap* heap = Heap::heap(v); + if (!heap) + return; + + m_markSet = &heap->markListSet(); + m_markSet->add(this); +} + void ArgList::getSlice(int startIndex, ArgList& result) const { if (startIndex <= 0 || startIndex >= m_argCount) { 
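Review bot: The 32_64 direct-transition path now performs the property store, the barrier and `dispatch(9)` inline, while the 64-bit port's hunk on this same line runs the barrier, reloads the base and falls through into `.opPutByIdNotTransition`, so the two ports also differ in whether the barrier runs before or after the value is stored. Both may be correct, but the asymmetry invites a future fix to land in only one port; a comment on each saying why the store is duplicated here rather than reached by fall-through would help, e.g. `# Inline copy of the not-transition store: we cannot fall through because ...`. I cannot see from the hunk whether `dispatch(9)` matches the length used at the end of the not-transition path, since that code is outside the hunk; worth double-checking.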
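Review bot: `addMarkSet` is the single point that makes out-of-line argument values visible to the GC, and it deserves a comment stating that contract: it must be called for every JSValue that lands in the heap buffer, it is a no-op once registered, and values for which `Heap::heap(v)` is null do not register because they have nothing to mark. Something like `// Register this buffer with the owning Heap's mark list the first time a cell is stored out of line; values still in the inline buffer are found by conservative stack scanning.` The second half restates the explanation this commit deletes from slowAppend.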
@@ -51,40 +64,31 @@ void MarkedArgumentBuffer::markLists(HeapRootVisitor& heapRootVisitor, ListSet& } } -void MarkedArgumentBuffer::slowAppend(JSValue v) +void MarkedArgumentBuffer::expandCapacity() { int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet(); size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet(); EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size)); - for (int i = 0; i < m_capacity; ++i) + for (int i = 0; i < m_capacity; ++i) { newBuffer[i] = m_buffer[i]; + addMarkSet(JSValue::decode(m_buffer[i])); + } if (EncodedJSValue* base = mallocBase()) fastFree(base); m_buffer = newBuffer; m_capacity = newCapacity; +} + +void MarkedArgumentBuffer::slowAppend(JSValue v) +{ + if (m_size >= m_capacity) + expandCapacity(); slotFor(m_size) = JSValue::encode(v); ++m_size; - - if (m_markSet) - return; - - // As long as our size stays within our Vector's inline - // capacity, all our values are allocated on the stack, and - // therefore don't need explicit marking. Once our size exceeds - // our Vector's inline capacity, though, our values move to the - // heap, where they do need explicit marking. - for (int i = 0; i < m_size; ++i) { - Heap* heap = Heap::heap(JSValue::decode(slotFor(i))); - if (!heap) - continue; - - m_markSet = &heap->markListSet(); - m_markSet->add(this); - break; - } + addMarkSet(v); } } // namespace JSC diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h index 8ae622d07..b7e6e4a1a 100644 --- a/Source/JavaScriptCore/runtime/ArgList.h +++ b/Source/JavaScriptCore/runtime/ArgList.h @@ -78,7 +78,7 @@ public: void append(JSValue v) { - if (m_size >= m_capacity) + if (m_size >= m_capacity || mallocBase()) return slowAppend(v); slotFor(m_size) = JSValue::encode(v); 
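Review bot: The comment explaining why inline-buffer values need no explicit marking (they live on the stack and are found conservatively) is deleted along with the old loop, and nothing in the new `slowAppend`/`expandCapacity` says it; that reasoning is what justifies calling `addMarkSet` only on the heap path, so it should survive as a comment on `expandCapacity`'s copy loop. The per-element `addMarkSet(JSValue::decode(m_buffer[i]))` there is cheap because of the early `if (m_markSet) return;`, but a one-liner `// Values that were inline are now on the heap and must be registered.` would make the loop's purpose obvious.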
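Review bot: The added `|| mallocBase()` in the fast path is the load-bearing part of this fix — once the buffer lives on the heap every append must go through `slowAppend` so `addMarkSet` sees the value — but the line reads like an odd capacity check. A comment keeps the next optimizer from simplifying it away: `// Once storage is out of line, every value must be registered with the mark set (see slowAppend); only the inline buffer may take the fast path.`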
@@ -100,6 +100,10 @@ public: static void markLists(HeapRootVisitor&, ListSet&); private: + void expandCapacity(); + + void addMarkSet(JSValue); + JS_EXPORT_PRIVATE void slowAppend(JSValue); EncodedJSValue& slotFor(int item) const @@ -109,7 +113,7 @@ private: EncodedJSValue* mallocBase() { - if (m_capacity == static_cast<int>(inlineCapacity)) + if (m_buffer == m_inlineBuffer) return 0; return &slotFor(0); } diff --git a/Source/JavaScriptCore/runtime/ErrorPrototype.cpp b/Source/JavaScriptCore/runtime/ErrorPrototype.cpp index 5bc2ec3c8..d17a28e5b 100644 --- a/Source/JavaScriptCore/runtime/ErrorPrototype.cpp +++ b/Source/JavaScriptCore/runtime/ErrorPrototype.cpp @@ -122,7 +122,7 @@ EncodedJSValue JSC_HOST_CALL errorProtoFuncToString(ExecState* exec) // 9. If msg is the empty String, return name. if (!messageString.length()) - return JSValue::encode(name.isString() ? name : jsNontrivialString(exec, nameString)); + return JSValue::encode(name.isString() ? name : jsString(exec, nameString)); // 10. Return the result of concatenating name, ":", a single space character, and msg. return JSValue::encode(jsMakeNontrivialString(exec, nameString, ": ", messageString)); diff --git a/Source/JavaScriptCore/runtime/ScopedArguments.h b/Source/JavaScriptCore/runtime/ScopedArguments.h index 8d36a1bab..5e2df3cc9 100644 --- a/Source/JavaScriptCore/runtime/ScopedArguments.h +++ b/Source/JavaScriptCore/runtime/ScopedArguments.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015 Apple Inc. All rights reserved. + * Copyright (C) 2015-2016 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -100,7 +100,7 @@ public: ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i)); unsigned namedLength = m_table->length(); if (i < namedLength) - m_scope->variableAt(m_table->get(i)).set(vm, this, value); + m_scope->variableAt(m_table->get(i)).set(vm, m_scope.get(), value); else overflowStorage()[i - namedLength].set(vm, this, value); } |
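Review bot: The fix changes which object the write barrier is credited to, and nothing on the line says why `m_scope.get()` rather than `this` is right while the sibling `overflowStorage()[...]` line two lines down still passes `this`. A comment prevents the inconsistency from being "fixed" back: `// The slot belongs to the scope object, so the barrier owner is the scope, not this arguments object; overflow storage is ours.` The enclosing method begins outside the hunk.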