The Tor Browser: comparison js/src/frontend/BytecodeEmitter.cpp

--1:000000000000
+:b659d68ce610
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
+* vim: set ts=8 sts=4 et sw=4 tw=99:
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+/*
+* JS bytecode generation.
+*/
+#include "frontend/BytecodeEmitter.h"
+#include "mozilla/DebugOnly.h"
+#include "mozilla/FloatingPoint.h"
+#include "mozilla/PodOperations.h"
+#include <string.h>
+#include "jsapi.h"
+#include "jsatom.h"
+#include "jscntxt.h"
+#include "jsfun.h"
+#include "jsnum.h"
+#include "jsopcode.h"
+#include "jsscript.h"
+#include "jstypes.h"
+#include "jsutil.h"
+#include "frontend/Parser.h"
+#include "frontend/TokenStream.h"
+#include "jit/AsmJSLink.h"
+#include "vm/Debugger.h"
+#include "jsatominlines.h"
+#include "jsobjinlines.h"
+#include "jsscriptinlines.h"
+#include "frontend/ParseMaps-inl.h"
+#include "frontend/ParseNode-inl.h"
+#include "vm/ScopeObject-inl.h"
+using namespace js;
+using namespace js::gc;
+using namespace js::frontend;
+using mozilla::DebugOnly;
+using mozilla::NumberIsInt32;
+using mozilla::PodCopy;
+static bool
+SetSrcNoteOffset(ExclusiveContext *cx, BytecodeEmitter *bce, unsigned index, unsigned which, ptrdiff_t offset);
+struct frontend::StmtInfoBCE : public StmtInfoBase
+{
+StmtInfoBCE     *down;          /* info for enclosing statement */
+StmtInfoBCE     *downScope;     /* next enclosing lexical scope */
+ptrdiff_t       update;         /* loop update offset (top if none) */
+ptrdiff_t       breaks;         /* offset of last break in loop */
+ptrdiff_t       continues;      /* offset of last continue in loop */
+uint32_t        blockScopeIndex; /* index of scope in BlockScopeArray */
+StmtInfoBCE(ExclusiveContext *cx) : StmtInfoBase(cx) {}
+/*
+* To reuse space, alias two of the ptrdiff_t fields for use during
+* try/catch/finally code generation and backpatching.
+*
+* Only a loop, switch, or label statement info record can have breaks and
+* continues, and only a for loop has an update backpatch chain, so it's
+* safe to overlay these for the "trying" StmtTypes.
+*/
+ptrdiff_t &gosubs() {
+JS_ASSERT(type == STMT_FINALLY);
+return breaks;
+}
+ptrdiff_t &guardJump() {
+JS_ASSERT(type == STMT_TRY || type == STMT_FINALLY);
+return continues;
+}
+};
+namespace {
+struct LoopStmtInfo : public StmtInfoBCE
+{
+int32_t         stackDepth;     // Stack depth when this loop was pushed.
+uint32_t        loopDepth;      // Loop depth.
+// Can we OSR into Ion from here?  True unless there is non-loop state on the stack.
+bool            canIonOsr;
+LoopStmtInfo(ExclusiveContext *cx) : StmtInfoBCE(cx) {}
+static LoopStmtInfo* fromStmtInfo(StmtInfoBCE *stmt) {
+JS_ASSERT(stmt->isLoop());
+return static_cast<LoopStmtInfo*>(stmt);
+}
+};
+} // anonymous namespace
+BytecodeEmitter::BytecodeEmitter(BytecodeEmitter *parent,
+Parser<FullParseHandler> *parser, SharedContext *sc,
+HandleScript script, bool insideEval, HandleScript evalCaller,
+bool hasGlobalScope, uint32_t lineNum, EmitterMode emitterMode)
+: sc(sc),
+parent(parent),
+script(sc->context, script),
+prolog(sc->context, lineNum),
+main(sc->context, lineNum),
+current(&main),
+parser(parser),
+evalCaller(evalCaller),
+topStmt(nullptr),
+topScopeStmt(nullptr),
+staticScope(sc->context),
+atomIndices(sc->context),
+firstLine(lineNum),
+stackDepth(0), maxStackDepth(0),
+arrayCompDepth(0),
+emitLevel(0),
+constList(sc->context),
+tryNoteList(sc->context),
+blockScopeList(sc->context),
+typesetCount(0),
+hasSingletons(false),
+emittingForInit(false),
+emittingRunOnceLambda(false),
+lazyRunOnceLambda(false),
+insideEval(insideEval),
+hasGlobalScope(hasGlobalScope),
+emitterMode(emitterMode)
+{
+JS_ASSERT_IF(evalCaller, insideEval);
+}
+bool
+BytecodeEmitter::init()
+{
+return atomIndices.ensureMap(sc->context);
+}
+static ptrdiff_t
+EmitCheck(ExclusiveContext *cx, BytecodeEmitter *bce, ptrdiff_t delta)
+{
+ptrdiff_t offset = bce->code().length();
+// Start it off moderately large to avoid repeated resizings early on.
+if (bce->code().capacity() == 0 && !bce->code().reserve(1024))
+return -1;
+jsbytecode dummy = 0;
+if (!bce->code().appendN(dummy, delta)) {
+js_ReportOutOfMemory(cx);
+return -1;
+}
+return offset;
+}
+static void
+UpdateDepth(ExclusiveContext *cx, BytecodeEmitter *bce, ptrdiff_t target)
+{
+jsbytecode *pc = bce->code(target);
+JSOp op = (JSOp) *pc;
+const JSCodeSpec *cs = &js_CodeSpec[op];
+if (cs->format & JOF_TMPSLOT_MASK) {
+/*
+* An opcode may temporarily consume stack space during execution.
+* Account for this in maxStackDepth separately from uses/defs here.
+*/
+uint32_t depth = (uint32_t) bce->stackDepth +
+((cs->format & JOF_TMPSLOT_MASK) >> JOF_TMPSLOT_SHIFT);
+if (depth > bce->maxStackDepth)
+bce->maxStackDepth = depth;
+}
+int nuses = StackUses(nullptr, pc);
+int ndefs = StackDefs(nullptr, pc);
+bce->stackDepth -= nuses;
+JS_ASSERT(bce->stackDepth >= 0);
+bce->stackDepth += ndefs;
+if ((uint32_t)bce->stackDepth > bce->maxStackDepth)
+bce->maxStackDepth = bce->stackDepth;
+}
+ptrdiff_t
+frontend::Emit1(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op)
+{
+ptrdiff_t offset = EmitCheck(cx, bce, 1);
+if (offset < 0)
+return -1;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+UpdateDepth(cx, bce, offset);
+return offset;
+}
+ptrdiff_t
+frontend::Emit2(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op, jsbytecode op1)
+{
+ptrdiff_t offset = EmitCheck(cx, bce, 2);
+if (offset < 0)
+return -1;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+code[1] = op1;
+UpdateDepth(cx, bce, offset);
+return offset;
+}
+ptrdiff_t
+frontend::Emit3(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op, jsbytecode op1,
+jsbytecode op2)
+{
+/* These should filter through EmitVarOp. */
+JS_ASSERT(!IsArgOp(op));
+JS_ASSERT(!IsLocalOp(op));
+ptrdiff_t offset = EmitCheck(cx, bce, 3);
+if (offset < 0)
+return -1;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+code[1] = op1;
+code[2] = op2;
+UpdateDepth(cx, bce, offset);
+return offset;
+}
+ptrdiff_t
+frontend::EmitN(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op, size_t extra)
+{
+ptrdiff_t length = 1 + (ptrdiff_t)extra;
+ptrdiff_t offset = EmitCheck(cx, bce, length);
+if (offset < 0)
+return -1;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+/* The remaining |extra| bytes are set by the caller */
+/*
+* Don't UpdateDepth if op's use-count comes from the immediate
+* operand yet to be stored in the extra bytes after op.
+*/
+if (js_CodeSpec[op].nuses >= 0)
+UpdateDepth(cx, bce, offset);
+return offset;
+}
+static ptrdiff_t
+EmitJump(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op, ptrdiff_t off)
+{
+ptrdiff_t offset = EmitCheck(cx, bce, 5);
+if (offset < 0)
+return -1;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+SET_JUMP_OFFSET(code, off);
+UpdateDepth(cx, bce, offset);
+return offset;
+}
+static ptrdiff_t
+EmitCall(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op, uint16_t argc)
+{
+return Emit3(cx, bce, op, ARGC_HI(argc), ARGC_LO(argc));
+}
+// Dup the var in operand stack slot "slot".  The first item on the operand
+// stack is one slot past the last fixed slot.  The last (most recent) item is
+// slot bce->stackDepth - 1.
+//
+// The instruction that is written (JSOP_DUPAT) switches the depth around so
+// that it is addressed from the sp instead of from the fp.  This is useful when
+// you don't know the size of the fixed stack segment (nfixed), as is the case
+// when compiling scripts (because each statement is parsed and compiled
+// separately, but they all together form one script with one fixed stack
+// frame).
+static bool
+EmitDupAt(ExclusiveContext *cx, BytecodeEmitter *bce, unsigned slot)
+{
+JS_ASSERT(slot < unsigned(bce->stackDepth));
+// The slot's position on the operand stack, measured from the top.
+unsigned slotFromTop = bce->stackDepth - 1 - slot;
+if (slotFromTop >= JS_BIT(24)) {
+bce->reportError(nullptr, JSMSG_TOO_MANY_LOCALS);
+return false;
+}
+ptrdiff_t off = EmitN(cx, bce, JSOP_DUPAT, 3);
+if (off < 0)
+return false;
+jsbytecode *pc = bce->code(off);
+SET_UINT24(pc, slotFromTop);
+return true;
+}
+/* XXX too many "... statement" L10N gaffes below -- fix via js.msg! */
+const char js_with_statement_str[] = "with statement";
+const char js_finally_block_str[]  = "finally block";
+const char js_script_str[]         = "script";
+static const char * const statementName[] = {
+"label statement",       /* LABEL */
+"if statement",          /* IF */
+"else statement",        /* ELSE */
+"destructuring body",    /* BODY */
+"switch statement",      /* SWITCH */
+"block",                 /* BLOCK */
+js_with_statement_str,   /* WITH */
+"catch block",           /* CATCH */
+"try block",             /* TRY */
+js_finally_block_str,    /* FINALLY */
+js_finally_block_str,    /* SUBROUTINE */
+"do loop",               /* DO_LOOP */
+"for loop",              /* FOR_LOOP */
+"for/in loop",           /* FOR_IN_LOOP */
+"for/of loop",           /* FOR_OF_LOOP */
+"while loop",            /* WHILE_LOOP */
+};
+JS_STATIC_ASSERT(JS_ARRAY_LENGTH(statementName) == STMT_LIMIT);
+static const char *
+StatementName(StmtInfoBCE *topStmt)
+{
+if (!topStmt)
+return js_script_str;
+return statementName[topStmt->type];
+}
+static void
+ReportStatementTooLarge(TokenStream &ts, StmtInfoBCE *topStmt)
+{
+ts.reportError(JSMSG_NEED_DIET, StatementName(topStmt));
+}
+/*
+* Emit a backpatch op with offset pointing to the previous jump of this type,
+* so that we can walk back up the chain fixing up the op and jump offset.
+*/
+static ptrdiff_t
+EmitBackPatchOp(ExclusiveContext *cx, BytecodeEmitter *bce, ptrdiff_t *lastp)
+{
+ptrdiff_t offset, delta;
+offset = bce->offset();
+delta = offset - *lastp;
+*lastp = offset;
+JS_ASSERT(delta > 0);
+return EmitJump(cx, bce, JSOP_BACKPATCH, delta);
+}
+static inline unsigned
+LengthOfSetLine(unsigned line)
+{
+return 1 /* SN_SETLINE */ + (line > SN_4BYTE_OFFSET_MASK ? 4 : 1);
+}
+/* Updates line number notes, not column notes. */
+static inline bool
+UpdateLineNumberNotes(ExclusiveContext *cx, BytecodeEmitter *bce, uint32_t offset)
+{
+TokenStream *ts = &bce->parser->tokenStream;
+if (!ts->srcCoords.isOnThisLine(offset, bce->currentLine())) {
+unsigned line = ts->srcCoords.lineNum(offset);
+unsigned delta = line - bce->currentLine();
+/*
+* Encode any change in the current source line number by using
+* either several SRC_NEWLINE notes or just one SRC_SETLINE note,
+* whichever consumes less space.
+*
+* NB: We handle backward line number deltas (possible with for
+* loops where the update part is emitted after the body, but its
+* line number is <= any line number in the body) here by letting
+* unsigned delta_ wrap to a very large number, which triggers a
+* SRC_SETLINE.
+*/
+bce->current->currentLine = line;
+bce->current->lastColumn  = 0;
+if (delta >= LengthOfSetLine(line)) {
+if (NewSrcNote2(cx, bce, SRC_SETLINE, (ptrdiff_t)line) < 0)
+return false;
+} else {
+do {
+if (NewSrcNote(cx, bce, SRC_NEWLINE) < 0)
+return false;
+} while (--delta != 0);
+}
+}
+return true;
+}
+/* A function, so that we avoid macro-bloating all the other callsites. */
+static bool
+UpdateSourceCoordNotes(ExclusiveContext *cx, BytecodeEmitter *bce, uint32_t offset)
+{
+if (!UpdateLineNumberNotes(cx, bce, offset))
+return false;
+uint32_t columnIndex = bce->parser->tokenStream.srcCoords.columnIndex(offset);
+ptrdiff_t colspan = ptrdiff_t(columnIndex) - ptrdiff_t(bce->current->lastColumn);
+if (colspan != 0) {
+if (colspan < 0) {
+colspan += SN_COLSPAN_DOMAIN;
+} else if (colspan >= SN_COLSPAN_DOMAIN / 2) {
+// If the column span is so large that we can't store it, then just
+// discard this information because column information would most
+// likely be useless anyway once the column numbers are ~4000000.
+// This has been known to happen with scripts that have been
+// minimized and put into all one line.
+return true;
+}
+if (NewSrcNote2(cx, bce, SRC_COLSPAN, colspan) < 0)
+return false;
+bce->current->lastColumn = columnIndex;
+}
+return true;
+}
+static ptrdiff_t
+EmitLoopHead(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *nextpn)
+{
+if (nextpn) {
+/*
+* Try to give the JSOP_LOOPHEAD the same line number as the next
+* instruction. nextpn is often a block, in which case the next
+* instruction typically comes from the first statement inside.
+*/
+JS_ASSERT_IF(nextpn->isKind(PNK_STATEMENTLIST), nextpn->isArity(PN_LIST));
+if (nextpn->isKind(PNK_STATEMENTLIST) && nextpn->pn_head)
+nextpn = nextpn->pn_head;
+if (!UpdateSourceCoordNotes(cx, bce, nextpn->pn_pos.begin))
+return -1;
+}
+return Emit1(cx, bce, JSOP_LOOPHEAD);
+}
+static bool
+EmitLoopEntry(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *nextpn)
+{
+if (nextpn) {
+/* Update the line number, as for LOOPHEAD. */
+JS_ASSERT_IF(nextpn->isKind(PNK_STATEMENTLIST), nextpn->isArity(PN_LIST));
+if (nextpn->isKind(PNK_STATEMENTLIST) && nextpn->pn_head)
+nextpn = nextpn->pn_head;
+if (!UpdateSourceCoordNotes(cx, bce, nextpn->pn_pos.begin))
+return false;
+}
+LoopStmtInfo *loop = LoopStmtInfo::fromStmtInfo(bce->topStmt);
+JS_ASSERT(loop->loopDepth > 0);
+uint8_t loopDepthAndFlags = PackLoopEntryDepthHintAndFlags(loop->loopDepth, loop->canIonOsr);
+return Emit2(cx, bce, JSOP_LOOPENTRY, loopDepthAndFlags) >= 0;
+}
+/*
+* If op is JOF_TYPESET (see the type barriers comment in jsinfer.h), reserve
+* a type set to store its result.
+*/
+static inline void
+CheckTypeSet(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op)
+{
+if (js_CodeSpec[op].format & JOF_TYPESET) {
+if (bce->typesetCount < UINT16_MAX)
+bce->typesetCount++;
+}
+}
+/*
+* Macro to emit a bytecode followed by a uint16_t immediate operand stored in
+* big-endian order.
+*
+* NB: We use cx and bce from our caller's lexical environment, and return
+* false on error.
+*/
+#define EMIT_UINT16_IMM_OP(op, i)                                             \
+JS_BEGIN_MACRO                                                            \
+if (Emit3(cx, bce, op, UINT16_HI(i), UINT16_LO(i)) < 0)               \
+return false;                                                     \
+CheckTypeSet(cx, bce, op);                                            \
+JS_END_MACRO
+static bool
+FlushPops(ExclusiveContext *cx, BytecodeEmitter *bce, int *npops)
+{
+JS_ASSERT(*npops != 0);
+EMIT_UINT16_IMM_OP(JSOP_POPN, *npops);
+*npops = 0;
+return true;
+}
+static bool
+PopIterator(ExclusiveContext *cx, BytecodeEmitter *bce)
+{
+if (Emit1(cx, bce, JSOP_ENDITER) < 0)
+return false;
+return true;
+}
+namespace {
+class NonLocalExitScope {
+ExclusiveContext *cx;
+BytecodeEmitter *bce;
+const uint32_t savedScopeIndex;
+const int savedDepth;
+uint32_t openScopeIndex;
+NonLocalExitScope(const NonLocalExitScope &) MOZ_DELETE;
+public:
+explicit NonLocalExitScope(ExclusiveContext *cx_, BytecodeEmitter *bce_)
+: cx(cx_),
+bce(bce_),
+savedScopeIndex(bce->blockScopeList.length()),
+savedDepth(bce->stackDepth),
+openScopeIndex(UINT32_MAX) {
+if (bce->staticScope) {
+StmtInfoBCE *stmt = bce->topStmt;
+while (1) {
+JS_ASSERT(stmt);
+if (stmt->isNestedScope) {
+openScopeIndex = stmt->blockScopeIndex;
+break;
+}
+stmt = stmt->down;
+}
+}
+}
+~NonLocalExitScope() {
+for (uint32_t n = savedScopeIndex; n < bce->blockScopeList.length(); n++)
+bce->blockScopeList.recordEnd(n, bce->offset());
+bce->stackDepth = savedDepth;
+}
+bool popScopeForNonLocalExit(uint32_t blockScopeIndex) {
+uint32_t scopeObjectIndex = bce->blockScopeList.findEnclosingScope(blockScopeIndex);
+uint32_t parent = openScopeIndex;
+if (!bce->blockScopeList.append(scopeObjectIndex, bce->offset(), parent))
+return false;
+openScopeIndex = bce->blockScopeList.length() - 1;
+return true;
+}
+bool prepareForNonLocalJump(StmtInfoBCE *toStmt);
+};
+/*
+* Emit additional bytecode(s) for non-local jumps.
+*/
+bool
+NonLocalExitScope::prepareForNonLocalJump(StmtInfoBCE *toStmt)
+{
+int npops = 0;
+#define FLUSH_POPS() if (npops && !FlushPops(cx, bce, &npops)) return false
+for (StmtInfoBCE *stmt = bce->topStmt; stmt != toStmt; stmt = stmt->down) {
+switch (stmt->type) {
+case STMT_FINALLY:
+FLUSH_POPS();
+if (EmitBackPatchOp(cx, bce, &stmt->gosubs()) < 0)
+return false;
+break;
+case STMT_WITH:
+if (Emit1(cx, bce, JSOP_LEAVEWITH) < 0)
+return false;
+JS_ASSERT(stmt->isNestedScope);
+if (!popScopeForNonLocalExit(stmt->blockScopeIndex))
+return false;
+break;
+case STMT_FOR_OF_LOOP:
+npops += 2;
+break;
+case STMT_FOR_IN_LOOP:
+FLUSH_POPS();
+if (!PopIterator(cx, bce))
+return false;
+break;
+case STMT_SUBROUTINE:
+/*
+* There's a [exception or hole, retsub pc-index] pair on the
+* stack that we need to pop.
+*/
+npops += 2;
+break;
+default:;
+}
+if (stmt->isBlockScope) {
+JS_ASSERT(stmt->isNestedScope);
+StaticBlockObject &blockObj = stmt->staticBlock();
+if (Emit1(cx, bce, JSOP_DEBUGLEAVEBLOCK) < 0)
+return false;
+if (!popScopeForNonLocalExit(stmt->blockScopeIndex))
+return false;
+if (blockObj.needsClone()) {
+if (Emit1(cx, bce, JSOP_POPBLOCKSCOPE) < 0)
+return false;
+}
+}
+}
+FLUSH_POPS();
+return true;
+#undef FLUSH_POPS
+}
+}  // anonymous namespace
+static ptrdiff_t
+EmitGoto(ExclusiveContext *cx, BytecodeEmitter *bce, StmtInfoBCE *toStmt, ptrdiff_t *lastp,
+SrcNoteType noteType = SRC_NULL)
+{
+NonLocalExitScope nle(cx, bce);
+if (!nle.prepareForNonLocalJump(toStmt))
+return -1;
+if (noteType != SRC_NULL) {
+if (NewSrcNote(cx, bce, noteType) < 0)
+return -1;
+}
+return EmitBackPatchOp(cx, bce, lastp);
+}
+static bool
+BackPatch(ExclusiveContext *cx, BytecodeEmitter *bce, ptrdiff_t last, jsbytecode *target, jsbytecode op)
+{
+jsbytecode *pc, *stop;
+ptrdiff_t delta, span;
+pc = bce->code(last);
+stop = bce->code(-1);
+while (pc != stop) {
+delta = GET_JUMP_OFFSET(pc);
+span = target - pc;
+SET_JUMP_OFFSET(pc, span);
+*pc = op;
+pc -= delta;
+}
+return true;
+}
+#define SET_STATEMENT_TOP(stmt, top)                                          \
+((stmt)->update = (top), (stmt)->breaks = (stmt)->continues = (-1))
+static void
+PushStatementInner(BytecodeEmitter *bce, StmtInfoBCE *stmt, StmtType type, ptrdiff_t top)
+{
+SET_STATEMENT_TOP(stmt, top);
+PushStatement(bce, stmt, type);
+}
+static void
+PushStatementBCE(BytecodeEmitter *bce, StmtInfoBCE *stmt, StmtType type, ptrdiff_t top)
+{
+PushStatementInner(bce, stmt, type, top);
+JS_ASSERT(!stmt->isLoop());
+}
+static void
+PushLoopStatement(BytecodeEmitter *bce, LoopStmtInfo *stmt, StmtType type, ptrdiff_t top)
+{
+PushStatementInner(bce, stmt, type, top);
+JS_ASSERT(stmt->isLoop());
+LoopStmtInfo *downLoop = nullptr;
+for (StmtInfoBCE *outer = stmt->down; outer; outer = outer->down) {
+if (outer->isLoop()) {
+downLoop = LoopStmtInfo::fromStmtInfo(outer);
+break;
+}
+}
+stmt->stackDepth = bce->stackDepth;
+stmt->loopDepth = downLoop ? downLoop->loopDepth + 1 : 1;
+int loopSlots;
+if (type == STMT_FOR_OF_LOOP)
+loopSlots = 2;
+else if (type == STMT_FOR_IN_LOOP)
+loopSlots = 1;
+else
+loopSlots = 0;
+if (downLoop)
+stmt->canIonOsr = (downLoop->canIonOsr &&
+stmt->stackDepth == downLoop->stackDepth + loopSlots);
+else
+stmt->canIonOsr = stmt->stackDepth == loopSlots;
+}
+/*
+* Return the enclosing lexical scope, which is the innermost enclosing static
+* block object or compiler created function.
+*/
+static JSObject *
+EnclosingStaticScope(BytecodeEmitter *bce)
+{
+if (bce->staticScope)
+return bce->staticScope;
+if (!bce->sc->isFunctionBox()) {
+JS_ASSERT(!bce->parent);
+return nullptr;
+}
+return bce->sc->asFunctionBox()->function();
+}
+#ifdef DEBUG
+static bool
+AllLocalsAliased(StaticBlockObject &obj)
+{
+for (unsigned i = 0; i < obj.numVariables(); i++)
+if (!obj.isAliased(i))
+return false;
+return true;
+}
+#endif
+static bool
+ComputeAliasedSlots(ExclusiveContext *cx, BytecodeEmitter *bce, Handle<StaticBlockObject *> blockObj)
+{
+for (unsigned i = 0; i < blockObj->numVariables(); i++) {
+Definition *dn = blockObj->definitionParseNode(i);
+JS_ASSERT(dn->isDefn());
+if (!dn->pn_cookie.set(bce->parser->tokenStream, dn->pn_cookie.level(),
+blockObj->blockIndexToLocalIndex(dn->frameSlot())))
+{
+return false;
+}
+#ifdef DEBUG
+for (ParseNode *pnu = dn->dn_uses; pnu; pnu = pnu->pn_link) {
+JS_ASSERT(pnu->pn_lexdef == dn);
+JS_ASSERT(!(pnu->pn_dflags & PND_BOUND));
+JS_ASSERT(pnu->pn_cookie.isFree());
+}
+#endif
+blockObj->setAliased(i, bce->isAliasedName(dn));
+}
+JS_ASSERT_IF(bce->sc->allLocalsAliased(), AllLocalsAliased(*blockObj));
+return true;
+}
+static bool
+EmitInternedObjectOp(ExclusiveContext *cx, uint32_t index, JSOp op, BytecodeEmitter *bce);
+// In a function, block-scoped locals go after the vars, and form part of the
+// fixed part of a stack frame.  Outside a function, there are no fixed vars,
+// but block-scoped locals still form part of the fixed part of a stack frame
+// and are thus addressable via GETLOCAL and friends.
+static void
+ComputeLocalOffset(ExclusiveContext *cx, BytecodeEmitter *bce, Handle<StaticBlockObject *> blockObj)
+{
+unsigned nfixedvars = bce->sc->isFunctionBox() ? bce->script->bindings.numVars() : 0;
+unsigned localOffset = nfixedvars;
+if (bce->staticScope) {
+Rooted<NestedScopeObject *> outer(cx, bce->staticScope);
+for (; outer; outer = outer->enclosingNestedScope()) {
+if (outer->is<StaticBlockObject>()) {
+StaticBlockObject &outerBlock = outer->as<StaticBlockObject>();
+localOffset = outerBlock.localOffset() + outerBlock.numVariables();
+break;
+}
+}
+}
+JS_ASSERT(localOffset + blockObj->numVariables()
+<= nfixedvars + bce->script->bindings.numBlockScoped());
+blockObj->setLocalOffset(localOffset);
+}
+// ~ Nested Scopes ~
+//
+// A nested scope is a region of a compilation unit (function, script, or eval
+// code) with an additional node on the scope chain.  This node may either be a
+// "with" object or a "block" object.  "With" objects represent "with" scopes.
+// Block objects represent lexical scopes, and contain named block-scoped
+// bindings, for example "let" bindings or the exception in a catch block.
+// Those variables may be local and thus accessible directly from the stack, or
+// "aliased" (accessed by name from nested functions, or dynamically via nested
+// "eval" or "with") and only accessible through the scope chain.
+//
+// All nested scopes are present on the "static scope chain".  A nested scope
+// that is a "with" scope will be present on the scope chain at run-time as
+// well.  A block scope may or may not have a corresponding link on the run-time
+// scope chain; if no variable declared in the block scope is "aliased", then no
+// scope chain node is allocated.
+//
+// To help debuggers, the bytecode emitter arranges to record the PC ranges
+// comprehended by a nested scope, and ultimately attach them to the JSScript.
+// An element in the "block scope array" specifies the PC range, and links to a
+// NestedScopeObject in the object list of the script.  That scope object is
+// linked to the previous link in the static scope chain, if any.  The static
+// scope chain at any pre-retire PC can be retrieved using
+// JSScript::getStaticScope(jsbytecode *pc).
+//
+// Block scopes store their locals in the fixed part of a stack frame, after the
+// "fixed var" bindings.  A fixed var binding is a "var" or legacy "const"
+// binding that occurs in a function (as opposed to a script or in eval code).
+// Only functions have fixed var bindings.
+//
+// To assist the debugger, we emit a DEBUGLEAVEBLOCK opcode before leaving a
+// block scope, even if the block has no aliased locals.  This allows
+// DebugScopes to invalidate any association between a debugger scope object,
+// which can proxy access to unaliased stack locals, and the actual live frame.
+// In normal, non-debug mode, this opcode does not cause any baseline code to be
+// emitted.
+//
+// Enter a nested scope with EnterNestedScope.  It will emit
+// PUSHBLOCKSCOPE/ENTERWITH if needed, and arrange to record the PC bounds of
+// the scope.  Leave a nested scope with LeaveNestedScope, which, for blocks,
+// will emit DEBUGLEAVEBLOCK and may emit POPBLOCKSCOPE.  (For "with" scopes it
+// emits LEAVEWITH, of course.)  Pass EnterNestedScope a fresh StmtInfoBCE
+// object, and pass that same object to the corresponding LeaveNestedScope.  If
+// the statement is a block scope, pass STMT_BLOCK as stmtType; otherwise for
+// with scopes pass STMT_WITH.
+//
+static bool
+EnterNestedScope(ExclusiveContext *cx, BytecodeEmitter *bce, StmtInfoBCE *stmt, ObjectBox *objbox,
+StmtType stmtType)
+{
+Rooted<NestedScopeObject *> scopeObj(cx, &objbox->object->as<NestedScopeObject>());
+uint32_t scopeObjectIndex = bce->objectList.add(objbox);
+switch (stmtType) {
+case STMT_BLOCK: {
+Rooted<StaticBlockObject *> blockObj(cx, &scopeObj->as<StaticBlockObject>());
+ComputeLocalOffset(cx, bce, blockObj);
+if (!ComputeAliasedSlots(cx, bce, blockObj))
+return false;
+if (blockObj->needsClone()) {
+if (!EmitInternedObjectOp(cx, scopeObjectIndex, JSOP_PUSHBLOCKSCOPE, bce))
+return false;
+}
+break;
+}
+case STMT_WITH:
+JS_ASSERT(scopeObj->is<StaticWithObject>());
+if (!EmitInternedObjectOp(cx, scopeObjectIndex, JSOP_ENTERWITH, bce))
+return false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE();
+}
+uint32_t parent = BlockScopeNote::NoBlockScopeIndex;
+if (StmtInfoBCE *stmt = bce->topScopeStmt) {
+for (; stmt->staticScope != bce->staticScope; stmt = stmt->down) {}
+parent = stmt->blockScopeIndex;
+}
+stmt->blockScopeIndex = bce->blockScopeList.length();
+if (!bce->blockScopeList.append(scopeObjectIndex, bce->offset(), parent))
+return false;
+PushStatementBCE(bce, stmt, stmtType, bce->offset());
+scopeObj->initEnclosingNestedScope(EnclosingStaticScope(bce));
+FinishPushNestedScope(bce, stmt, *scopeObj);
+JS_ASSERT(stmt->isNestedScope);
+stmt->isBlockScope = (stmtType == STMT_BLOCK);
+return true;
+}
+// Patches |breaks| and |continues| unless the top statement info record
+// represents a try-catch-finally suite. May fail if a jump offset overflows.
+static bool
+PopStatementBCE(ExclusiveContext *cx, BytecodeEmitter *bce)
+{
+StmtInfoBCE *stmt = bce->topStmt;
+if (!stmt->isTrying() &&
+(!BackPatch(cx, bce, stmt->breaks, bce->code().end(), JSOP_GOTO) ||
+!BackPatch(cx, bce, stmt->continues, bce->code(stmt->update), JSOP_GOTO)))
+{
+return false;
+}
+FinishPopStatement(bce);
+return true;
+}
+static bool
+LeaveNestedScope(ExclusiveContext *cx, BytecodeEmitter *bce, StmtInfoBCE *stmt)
+{
+JS_ASSERT(stmt == bce->topStmt);
+JS_ASSERT(stmt->isNestedScope);
+JS_ASSERT(stmt->isBlockScope == !(stmt->type == STMT_WITH));
+uint32_t blockScopeIndex = stmt->blockScopeIndex;
+#ifdef DEBUG
+JS_ASSERT(bce->blockScopeList.list[blockScopeIndex].length == 0);
+uint32_t blockObjIndex = bce->blockScopeList.list[blockScopeIndex].index;
+ObjectBox *blockObjBox = bce->objectList.find(blockObjIndex);
+NestedScopeObject *staticScope = &blockObjBox->object->as<NestedScopeObject>();
+JS_ASSERT(stmt->staticScope == staticScope);
+JS_ASSERT(staticScope == bce->staticScope);
+JS_ASSERT_IF(!stmt->isBlockScope, staticScope->is<StaticWithObject>());
+#endif
+if (!PopStatementBCE(cx, bce))
+return false;
+if (Emit1(cx, bce, stmt->isBlockScope ? JSOP_DEBUGLEAVEBLOCK : JSOP_LEAVEWITH) < 0)
+return false;
+bce->blockScopeList.recordEnd(blockScopeIndex, bce->offset());
+if (stmt->isBlockScope && stmt->staticScope->as<StaticBlockObject>().needsClone()) {
+if (Emit1(cx, bce, JSOP_POPBLOCKSCOPE) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitIndex32(ExclusiveContext *cx, JSOp op, uint32_t index, BytecodeEmitter *bce)
+{
+const size_t len = 1 + UINT32_INDEX_LEN;
+JS_ASSERT(len == size_t(js_CodeSpec[op].length));
+ptrdiff_t offset = EmitCheck(cx, bce, len);
+if (offset < 0)
+return false;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+SET_UINT32_INDEX(code, index);
+UpdateDepth(cx, bce, offset);
+CheckTypeSet(cx, bce, op);
+return true;
+}
+static bool
+EmitIndexOp(ExclusiveContext *cx, JSOp op, uint32_t index, BytecodeEmitter *bce)
+{
+const size_t len = js_CodeSpec[op].length;
+JS_ASSERT(len >= 1 + UINT32_INDEX_LEN);
+ptrdiff_t offset = EmitCheck(cx, bce, len);
+if (offset < 0)
+return false;
+jsbytecode *code = bce->code(offset);
+code[0] = jsbytecode(op);
+SET_UINT32_INDEX(code, index);
+UpdateDepth(cx, bce, offset);
+CheckTypeSet(cx, bce, op);
+return true;
+}
+static bool
+EmitAtomOp(ExclusiveContext *cx, JSAtom *atom, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(JOF_OPTYPE(op) == JOF_ATOM);
+if (op == JSOP_GETPROP && atom == cx->names().length) {
+/* Specialize length accesses for the interpreter. */
+op = JSOP_LENGTH;
+}
+jsatomid index;
+if (!bce->makeAtomIndex(atom, &index))
+return false;
+return EmitIndexOp(cx, op, index, bce);
+}
+static bool
+EmitAtomOp(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->pn_atom != nullptr);
+return EmitAtomOp(cx, pn->pn_atom, op, bce);
+}
+static bool
+EmitInternedObjectOp(ExclusiveContext *cx, uint32_t index, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(JOF_OPTYPE(op) == JOF_OBJECT);
+JS_ASSERT(index < bce->objectList.length);
+return EmitIndex32(cx, op, index, bce);
+}
+static bool
+EmitObjectOp(ExclusiveContext *cx, ObjectBox *objbox, JSOp op, BytecodeEmitter *bce)
+{
+return EmitInternedObjectOp(cx, bce->objectList.add(objbox), op, bce);
+}
+static bool
+EmitRegExp(ExclusiveContext *cx, uint32_t index, BytecodeEmitter *bce)
+{
+return EmitIndex32(cx, JSOP_REGEXP, index, bce);
+}
+/*
+* To catch accidental misuse, EMIT_UINT16_IMM_OP/Emit3 assert that they are
+* not used to unconditionally emit JSOP_GETLOCAL. Variable access should
+* instead be emitted using EmitVarOp. In special cases, when the caller
+* definitely knows that a given local slot is unaliased, this function may be
+* used as a non-asserting version of EMIT_UINT16_IMM_OP.
+*/
+static bool
+EmitUnaliasedVarOp(ExclusiveContext *cx, JSOp op, uint32_t slot, BytecodeEmitter *bce)
+{
+JS_ASSERT(JOF_OPTYPE(op) != JOF_SCOPECOORD);
+if (IsLocalOp(op)) {
+ptrdiff_t off = EmitN(cx, bce, op, LOCALNO_LEN);
+if (off < 0)
+return false;
+SET_LOCALNO(bce->code(off), slot);
+return true;
+}
+JS_ASSERT(IsArgOp(op));
+ptrdiff_t off = EmitN(cx, bce, op, ARGNO_LEN);
+if (off < 0)
+return false;
+SET_ARGNO(bce->code(off), slot);
+return true;
+}
+static bool
+EmitAliasedVarOp(ExclusiveContext *cx, JSOp op, ScopeCoordinate sc, BytecodeEmitter *bce)
+{
+JS_ASSERT(JOF_OPTYPE(op) == JOF_SCOPECOORD);
+unsigned n = SCOPECOORD_HOPS_LEN + SCOPECOORD_SLOT_LEN;
+JS_ASSERT(int(n) + 1 /* op */ == js_CodeSpec[op].length);
+ptrdiff_t off = EmitN(cx, bce, op, n);
+if (off < 0)
+return false;
+jsbytecode *pc = bce->code(off);
+SET_SCOPECOORD_HOPS(pc, sc.hops());
+pc += SCOPECOORD_HOPS_LEN;
+SET_SCOPECOORD_SLOT(pc, sc.slot());
+pc += SCOPECOORD_SLOT_LEN;
+CheckTypeSet(cx, bce, op);
+return true;
+}
+// Compute the number of nested scope objects that will actually be on the scope
+// chain at runtime, given the BCE's current staticScope.
+static unsigned
+DynamicNestedScopeDepth(BytecodeEmitter *bce)
+{
+unsigned depth = 0;
+for (NestedScopeObject *b = bce->staticScope; b; b = b->enclosingNestedScope()) {
+if (!b->is<StaticBlockObject>() || b->as<StaticBlockObject>().needsClone())
+++depth;
+}
+return depth;
+}
+static bool
+LookupAliasedName(HandleScript script, PropertyName *name, uint32_t *pslot)
+{
+/*
+* Beware: BindingIter may contain more than one Binding for a given name
+* (in the case of |function f(x,x) {}|) but only one will be aliased.
+*/
+uint32_t slot = CallObject::RESERVED_SLOTS;
+for (BindingIter bi(script); !bi.done(); bi++) {
+if (bi->aliased()) {
+if (bi->name() == name) {
+*pslot = slot;
+return true;
+}
+slot++;
+}
+}
+return false;
+}
+static bool
+LookupAliasedNameSlot(HandleScript script, PropertyName *name, ScopeCoordinate *sc)
+{
+uint32_t slot;
+if (!LookupAliasedName(script, name, &slot))
+return false;
+sc->setSlot(slot);
+return true;
+}
+/*
+* Use this function instead of assigning directly to 'hops' to guard for
+* uint8_t overflows.
+*/
+static bool
+AssignHops(BytecodeEmitter *bce, ParseNode *pn, unsigned src, ScopeCoordinate *dst)
+{
+if (src > UINT8_MAX) {
+bce->reportError(pn, JSMSG_TOO_DEEP, js_function_str);
+return false;
+}
+dst->setHops(src);
+return true;
+}
+static bool
+EmitAliasedVarOp(ExclusiveContext *cx, JSOp op, ParseNode *pn, BytecodeEmitter *bce)
+{
+/*
+* While pn->pn_cookie tells us how many function scopes are between the use and the def this
+* is not the same as how many hops up the dynamic scope chain are needed. In particular:
+*  - a lexical function scope only contributes a hop if it is "heavyweight" (has a dynamic
+*    scope object).
+*  - a heavyweight named function scope contributes an extra scope to the scope chain (a
+*    DeclEnvObject that holds just the name).
+*  - all the intervening let/catch blocks must be counted.
+*/
+unsigned skippedScopes = 0;
+BytecodeEmitter *bceOfDef = bce;
+if (pn->isUsed()) {
+/*
+* As explained in BindNameToSlot, the 'level' of a use indicates how
+* many function scopes (i.e., BytecodeEmitters) to skip to find the
+* enclosing function scope of the definition being accessed.
+*/
+for (unsigned i = pn->pn_cookie.level(); i; i--) {
+skippedScopes += DynamicNestedScopeDepth(bceOfDef);
+FunctionBox *funbox = bceOfDef->sc->asFunctionBox();
+if (funbox->isHeavyweight()) {
+skippedScopes++;
+if (funbox->function()->isNamedLambda())
+skippedScopes++;
+}
+bceOfDef = bceOfDef->parent;
+}
+} else {
+JS_ASSERT(pn->isDefn());
+JS_ASSERT(pn->pn_cookie.level() == bce->script->staticLevel());
+}
+/*
+* The final part of the skippedScopes computation depends on the type of
+* variable. An arg or local variable is at the outer scope of a function
+* and so includes the full DynamicNestedScopeDepth. A let/catch-binding
+* requires a search of the block chain to see how many (dynamic) block
+* objects to skip.
+*/
+ScopeCoordinate sc;
+if (IsArgOp(pn->getOp())) {
+if (!AssignHops(bce, pn, skippedScopes + DynamicNestedScopeDepth(bceOfDef), &sc))
+return false;
+JS_ALWAYS_TRUE(LookupAliasedNameSlot(bceOfDef->script, pn->name(), &sc));
+} else {
+JS_ASSERT(IsLocalOp(pn->getOp()) || pn->isKind(PNK_FUNCTION));
+uint32_t local = pn->pn_cookie.slot();
+if (local < bceOfDef->script->bindings.numVars()) {
+if (!AssignHops(bce, pn, skippedScopes + DynamicNestedScopeDepth(bceOfDef), &sc))
+return false;
+JS_ALWAYS_TRUE(LookupAliasedNameSlot(bceOfDef->script, pn->name(), &sc));
+} else {
+JS_ASSERT_IF(bce->sc->isFunctionBox(), local <= bceOfDef->script->bindings.numLocals());
+JS_ASSERT(bceOfDef->staticScope->is<StaticBlockObject>());
+Rooted<StaticBlockObject*> b(cx, &bceOfDef->staticScope->as<StaticBlockObject>());
+while (local < b->localOffset()) {
+if (b->needsClone())
+skippedScopes++;
+b = &b->enclosingNestedScope()->as<StaticBlockObject>();
+}
+if (!AssignHops(bce, pn, skippedScopes, &sc))
+return false;
+sc.setSlot(b->localIndexToSlot(local));
+}
+}
+return EmitAliasedVarOp(cx, op, sc, bce);
+}
+static bool
+EmitVarOp(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->isKind(PNK_FUNCTION) || pn->isKind(PNK_NAME));
+JS_ASSERT(!pn->pn_cookie.isFree());
+if (IsAliasedVarOp(op)) {
+ScopeCoordinate sc;
+sc.setHops(pn->pn_cookie.level());
+sc.setSlot(pn->pn_cookie.slot());
+return EmitAliasedVarOp(cx, op, sc, bce);
+}
+JS_ASSERT_IF(pn->isKind(PNK_NAME), IsArgOp(op) || IsLocalOp(op));
+if (!bce->isAliasedName(pn)) {
+JS_ASSERT(pn->isUsed() || pn->isDefn());
+JS_ASSERT_IF(pn->isUsed(), pn->pn_cookie.level() == 0);
+JS_ASSERT_IF(pn->isDefn(), pn->pn_cookie.level() == bce->script->staticLevel());
+return EmitUnaliasedVarOp(cx, op, pn->pn_cookie.slot(), bce);
+}
+switch (op) {
+case JSOP_GETARG: case JSOP_GETLOCAL: op = JSOP_GETALIASEDVAR; break;
+case JSOP_SETARG: case JSOP_SETLOCAL: op = JSOP_SETALIASEDVAR; break;
+default: MOZ_ASSUME_UNREACHABLE("unexpected var op");
+}
+return EmitAliasedVarOp(cx, op, pn, bce);
+}
+static JSOp
+GetIncDecInfo(ParseNodeKind kind, bool *post)
+{
+JS_ASSERT(kind == PNK_POSTINCREMENT || kind == PNK_PREINCREMENT ||
+kind == PNK_POSTDECREMENT || kind == PNK_PREDECREMENT);
+*post = kind == PNK_POSTINCREMENT || kind == PNK_POSTDECREMENT;
+return (kind == PNK_POSTINCREMENT || kind == PNK_PREINCREMENT) ? JSOP_ADD : JSOP_SUB;
+}
+static bool
+EmitVarIncDec(ExclusiveContext *cx, ParseNode *pn, BytecodeEmitter *bce)
+{
+JSOp op = pn->pn_kid->getOp();
+JS_ASSERT(IsArgOp(op) || IsLocalOp(op) || IsAliasedVarOp(op));
+JS_ASSERT(pn->pn_kid->isKind(PNK_NAME));
+JS_ASSERT(!pn->pn_kid->pn_cookie.isFree());
+bool post;
+JSOp binop = GetIncDecInfo(pn->getKind(), &post);
+JSOp getOp, setOp;
+if (IsLocalOp(op)) {
+getOp = JSOP_GETLOCAL;
+setOp = JSOP_SETLOCAL;
+} else if (IsArgOp(op)) {
+getOp = JSOP_GETARG;
+setOp = JSOP_SETARG;
+} else {
+getOp = JSOP_GETALIASEDVAR;
+setOp = JSOP_SETALIASEDVAR;
+}
+if (!EmitVarOp(cx, pn->pn_kid, getOp, bce))              // V
+return false;
+if (Emit1(cx, bce, JSOP_POS) < 0)                        // N
+return false;
+if (post && Emit1(cx, bce, JSOP_DUP) < 0)                // N? N
+return false;
+if (Emit1(cx, bce, JSOP_ONE) < 0)                        // N? N 1
+return false;
+if (Emit1(cx, bce, binop) < 0)                           // N? N+1
+return false;
+if (!EmitVarOp(cx, pn->pn_kid, setOp, bce))              // N? N+1
+return false;
+if (post && Emit1(cx, bce, JSOP_POP) < 0)                // RESULT
+return false;
+return true;
+}
+bool
+BytecodeEmitter::isAliasedName(ParseNode *pn)
+{
+Definition *dn = pn->resolve();
+JS_ASSERT(dn->isDefn());
+JS_ASSERT(!dn->isPlaceholder());
+JS_ASSERT(dn->isBound());
+/* If dn is in an enclosing function, it is definitely aliased. */
+if (dn->pn_cookie.level() != script->staticLevel())
+return true;
+switch (dn->kind()) {
+case Definition::LET:
+/*
+* There are two ways to alias a let variable: nested functions and
+* dynamic scope operations. (This is overly conservative since the
+* bindingsAccessedDynamically flag, checked by allLocalsAliased, is
+* function-wide.)
+*
+* In addition all locals in generators are marked as aliased, to ensure
+* that they are allocated on scope chains instead of on the stack.  See
+* the definition of SharedContext::allLocalsAliased.
+*/
+return dn->isClosed() || sc->allLocalsAliased();
+case Definition::ARG:
+/*
+* Consult the bindings, since they already record aliasing. We might
+* be tempted to use the same definition as VAR/CONST/LET, but there is
+* a problem caused by duplicate arguments: only the last argument with
+* a given name is aliased. This is necessary to avoid generating a
+* shape for the call object with with more than one name for a given
+* slot (which violates internal engine invariants). All this means that
+* the '|| sc->allLocalsAliased()' disjunct is incorrect since it will
+* mark both parameters in function(x,x) as aliased.
+*/
+return script->formalIsAliased(pn->pn_cookie.slot());
+case Definition::VAR:
+case Definition::CONST:
+JS_ASSERT_IF(sc->allLocalsAliased(), script->varIsAliased(pn->pn_cookie.slot()));
+return script->varIsAliased(pn->pn_cookie.slot());
+case Definition::PLACEHOLDER:
+case Definition::NAMED_LAMBDA:
+case Definition::MISSING:
+MOZ_ASSUME_UNREACHABLE("unexpected dn->kind");
+}
+return false;
+}
+/*
+* Try to convert a *NAME op with a free name to a more specialized GNAME,
+* INTRINSIC or ALIASEDVAR op, which optimize accesses on that name.
+* Return true if a conversion was made.
+*/
+static bool
+TryConvertFreeName(BytecodeEmitter *bce, ParseNode *pn)
+{
+/*
+* In self-hosting mode, JSOP_*NAME is unconditionally converted to
+* JSOP_*INTRINSIC. This causes lookups to be redirected to the special
+* intrinsics holder in the global object, into which any missing values are
+* cloned lazily upon first access.
+*/
+if (bce->emitterMode == BytecodeEmitter::SelfHosting) {
+JSOp op;
+switch (pn->getOp()) {
+case JSOP_NAME:     op = JSOP_GETINTRINSIC; break;
+case JSOP_SETNAME:  op = JSOP_SETINTRINSIC; break;
+/* Other *NAME ops aren't (yet) supported in self-hosted code. */
+default: MOZ_ASSUME_UNREACHABLE("intrinsic");
+}
+pn->setOp(op);
+return true;
+}
+/*
+* When parsing inner functions lazily, parse nodes for outer functions no
+* longer exist and only the function's scope chain is available for
+* resolving upvar accesses within the inner function.
+*/
+if (bce->emitterMode == BytecodeEmitter::LazyFunction) {
+// The only statements within a lazy function which can push lexical
+// scopes are try/catch blocks. Use generic ops in this case.
+for (StmtInfoBCE *stmt = bce->topStmt; stmt; stmt = stmt->down) {
+if (stmt->type == STMT_CATCH)
+return true;
+}
+size_t hops = 0;
+FunctionBox *funbox = bce->sc->asFunctionBox();
+if (funbox->hasExtensibleScope())
+return false;
+if (funbox->function()->isNamedLambda() && funbox->function()->atom() == pn->pn_atom)
+return false;
+if (funbox->isHeavyweight()) {
+hops++;
+if (funbox->function()->isNamedLambda())
+hops++;
+}
+if (bce->script->directlyInsideEval())
+return false;
+RootedObject outerScope(bce->sc->context, bce->script->enclosingStaticScope());
+for (StaticScopeIter<CanGC> ssi(bce->sc->context, outerScope); !ssi.done(); ssi++) {
+if (ssi.type() != StaticScopeIter<CanGC>::FUNCTION) {
+if (ssi.type() == StaticScopeIter<CanGC>::BLOCK) {
+// Use generic ops if a catch block is encountered.
+return false;
+}
+if (ssi.hasDynamicScopeObject())
+hops++;
+continue;
+}
+RootedScript script(bce->sc->context, ssi.funScript());
+if (script->functionNonDelazifying()->atom() == pn->pn_atom)
+return false;
+if (ssi.hasDynamicScopeObject()) {
+uint32_t slot;
+if (LookupAliasedName(script, pn->pn_atom->asPropertyName(), &slot)) {
+JSOp op;
+switch (pn->getOp()) {
+case JSOP_NAME:     op = JSOP_GETALIASEDVAR; break;
+case JSOP_SETNAME:  op = JSOP_SETALIASEDVAR; break;
+default: return false;
+}
+pn->setOp(op);
+JS_ALWAYS_TRUE(pn->pn_cookie.set(bce->parser->tokenStream, hops, slot));
+return true;
+}
+hops++;
+}
+if (script->funHasExtensibleScope() || script->directlyInsideEval())
+return false;
+}
+}
+// Unbound names aren't recognizable global-property references if the
+// script isn't running against its global object.
+if (!bce->script->compileAndGo() || !bce->hasGlobalScope)
+return false;
+// Deoptimized names also aren't necessarily globals.
+if (pn->isDeoptimized())
+return false;
+if (bce->sc->isFunctionBox()) {
+// Unbound names in function code may not be globals if new locals can
+// be added to this function (or an enclosing one) to alias a global
+// reference.
+FunctionBox *funbox = bce->sc->asFunctionBox();
+if (funbox->mightAliasLocals())
+return false;
+}
+// If this is eval code, being evaluated inside strict mode eval code,
+// an "unbound" name might be a binding local to that outer eval:
+//
+//   var x = "GLOBAL";
+//   eval('"use strict"; ' +
+//        'var x; ' +
+//        'eval("print(x)");'); // "undefined", not "GLOBAL"
+//
+// Given the enclosing eval code's strictness and its bindings (neither is
+// readily available now), we could exactly check global-ness, but it's not
+// worth the trouble for doubly-nested eval code.  So we conservatively
+// approximate.  If the outer eval code is strict, then this eval code will
+// be: thus, don't optimize if we're compiling strict code inside an eval.
+if (bce->insideEval && bce->sc->strict)
+return false;
+// Beware: if you change anything here, you might also need to change
+// js::ReportIfUndeclaredVarAssignment.
+JSOp op;
+switch (pn->getOp()) {
+case JSOP_NAME:     op = JSOP_GETGNAME; break;
+case JSOP_SETNAME:  op = JSOP_SETGNAME; break;
+case JSOP_SETCONST:
+// Not supported.
+return false;
+default: MOZ_ASSUME_UNREACHABLE("gname");
+}
+pn->setOp(op);
+return true;
+}
+/*
+* BindNameToSlotHelper attempts to optimize name gets and sets to stack slot
+* loads and stores, given the compile-time information in bce and a PNK_NAME
+* node pn.  It returns false on error, true on success.
+*
+* The caller can test pn->pn_cookie.isFree() to tell whether optimization
+* occurred, in which case BindNameToSlotHelper also updated pn->pn_op.  If
+* pn->pn_cookie.isFree() is still true on return, pn->pn_op still may have
+* been optimized, e.g., from JSOP_NAME to JSOP_CALLEE.  Whether or not
+* pn->pn_op was modified, if this function finds an argument or local variable
+* name, PND_CONST will be set in pn_dflags for read-only properties after a
+* successful return.
+*
+* NB: if you add more opcodes specialized from JSOP_NAME, etc., don't forget
+* to update the special cases in EmitFor (for-in) and EmitAssignment (= and
+* op=, e.g. +=).
+*/
+static bool
+BindNameToSlotHelper(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JS_ASSERT(pn->isKind(PNK_NAME));
+JS_ASSERT_IF(pn->isKind(PNK_FUNCTION), pn->isBound());
+/* Don't attempt if 'pn' is already bound or deoptimized or a function. */
+if (pn->isBound() || pn->isDeoptimized())
+return true;
+/* JSOP_CALLEE is pre-bound by definition. */
+JSOp op = pn->getOp();
+JS_ASSERT(op != JSOP_CALLEE);
+JS_ASSERT(JOF_OPTYPE(op) == JOF_ATOM);
+/*
+* The parser already linked name uses to definitions when (where not
+* prevented by non-lexical constructs like 'with' and 'eval').
+*/
+Definition *dn;
+if (pn->isUsed()) {
+JS_ASSERT(pn->pn_cookie.isFree());
+dn = pn->pn_lexdef;
+JS_ASSERT(dn->isDefn());
+pn->pn_dflags |= (dn->pn_dflags & PND_CONST);
+} else if (pn->isDefn()) {
+dn = (Definition *) pn;
+} else {
+return true;
+}
+/*
+* Turn attempts to mutate const-declared bindings into get ops (for
+* pre-increment and pre-decrement ops, our caller will have to emit
+* JSOP_POS, JSOP_ONE, and JSOP_ADD as well).
+*
+* Turn JSOP_DELNAME into JSOP_FALSE if dn is known, as all declared
+* bindings visible to the compiler are permanent in JS unless the
+* declaration originates at top level in eval code.
+*/
+switch (op) {
+case JSOP_NAME:
+case JSOP_SETCONST:
+break;
+default:
+if (pn->isConst()) {
+if (bce->sc->needStrictChecks()) {
+JSAutoByteString name;
+if (!AtomToPrintableString(cx, pn->pn_atom, &name) ||
+!bce->reportStrictModeError(pn, JSMSG_READ_ONLY, name.ptr()))
+{
+return false;
+}
+}
+pn->setOp(op = JSOP_NAME);
+}
+}
+if (dn->pn_cookie.isFree()) {
+if (HandleScript caller = bce->evalCaller) {
+JS_ASSERT(bce->script->compileAndGo());
+/*
+* Don't generate upvars on the left side of a for loop. See
+* bug 470758.
+*/
+if (bce->emittingForInit)
+return true;
+/*
+* If this is an eval in the global scope, then unbound variables
+* must be globals, so try to use GNAME ops.
+*/
+if (!caller->functionOrCallerFunction() && TryConvertFreeName(bce, pn)) {
+pn->pn_dflags |= PND_BOUND;
+return true;
+}
+/*
+* Out of tricks, so we must rely on PICs to optimize named
+* accesses from direct eval called from function code.
+*/
+return true;
+}
+/* Optimize accesses to undeclared globals. */
+if (!TryConvertFreeName(bce, pn))
+return true;
+pn->pn_dflags |= PND_BOUND;
+return true;
+}
+/*
+* At this point, we are only dealing with uses that have already been
+* bound to definitions via pn_lexdef. The rest of this routine converts
+* the parse node of the use from its initial JSOP_*NAME* op to a LOCAL/ARG
+* op. This requires setting the node's pn_cookie with a pair (level, slot)
+* where 'level' is the number of function scopes between the use and the
+* def and 'slot' is the index to emit as the immediate of the ARG/LOCAL
+* op. For example, in this code:
+*
+*   function(a,b,x) { return x }
+*   function(y) { function() { return y } }
+*
+* x will get (level = 0, slot = 2) and y will get (level = 1, slot = 0).
+*/
+JS_ASSERT(!pn->isDefn());
+JS_ASSERT(pn->isUsed());
+JS_ASSERT(pn->pn_lexdef);
+JS_ASSERT(pn->pn_cookie.isFree());
+/*
+* We are compiling a function body and may be able to optimize name
+* to stack slot. Look for an argument or variable in the function and
+* rewrite pn_op and update pn accordingly.
+*/
+switch (dn->kind()) {
+case Definition::ARG:
+switch (op) {
+case JSOP_NAME:     op = JSOP_GETARG; break;
+case JSOP_SETNAME:  op = JSOP_SETARG; break;
+default: MOZ_ASSUME_UNREACHABLE("arg");
+}
+JS_ASSERT(!pn->isConst());
+break;
+case Definition::VAR:
+case Definition::CONST:
+case Definition::LET:
+switch (op) {
+case JSOP_NAME:     op = JSOP_GETLOCAL; break;
+case JSOP_SETNAME:  op = JSOP_SETLOCAL; break;
+case JSOP_SETCONST: op = JSOP_SETLOCAL; break;
+default: MOZ_ASSUME_UNREACHABLE("local");
+}
+break;
+case Definition::NAMED_LAMBDA: {
+JS_ASSERT(dn->isOp(JSOP_CALLEE));
+JS_ASSERT(op != JSOP_CALLEE);
+/*
+* Currently, the ALIASEDVAR ops do not support accessing the
+* callee of a DeclEnvObject, so use NAME.
+*/
+if (dn->pn_cookie.level() != bce->script->staticLevel())
+return true;
+DebugOnly<JSFunction *> fun = bce->sc->asFunctionBox()->function();
+JS_ASSERT(fun->isLambda());
+JS_ASSERT(pn->pn_atom == fun->atom());
+/*
+* Leave pn->isOp(JSOP_NAME) if bce->fun is heavyweight to
+* address two cases: a new binding introduced by eval, and
+* assignment to the name in strict mode.
+*
+*   var fun = (function f(s) { eval(s); return f; });
+*   assertEq(fun("var f = 42"), 42);
+*
+* ECMAScript specifies that a function expression's name is bound
+* in a lexical environment distinct from that used to bind its
+* named parameters, the arguments object, and its variables.  The
+* new binding for "var f = 42" shadows the binding for the
+* function itself, so the name of the function will not refer to
+* the function.
+*
+*    (function f() { "use strict"; f = 12; })();
+*
+* Outside strict mode, assignment to a function expression's name
+* has no effect.  But in strict mode, this attempt to mutate an
+* immutable binding must throw a TypeError.  We implement this by
+* not optimizing such assignments and by marking such functions as
+* heavyweight, ensuring that the function name is represented in
+* the scope chain so that assignment will throw a TypeError.
+*/
+if (!bce->sc->asFunctionBox()->isHeavyweight()) {
+op = JSOP_CALLEE;
+pn->pn_dflags |= PND_CONST;
+}
+pn->setOp(op);
+pn->pn_dflags |= PND_BOUND;
+return true;
+}
+case Definition::PLACEHOLDER:
+return true;
+case Definition::MISSING:
+MOZ_ASSUME_UNREACHABLE("missing");
+}
+/*
+* The difference between the current static level and the static level of
+* the definition is the number of function scopes between the current
+* scope and dn's scope.
+*/
+unsigned skip = bce->script->staticLevel() - dn->pn_cookie.level();
+JS_ASSERT_IF(skip, dn->isClosed());
+/*
+* Explicitly disallow accessing var/let bindings in global scope from
+* nested functions. The reason for this limitation is that, since the
+* global script is not included in the static scope chain (1. because it
+* has no object to stand in the static scope chain, 2. to minimize memory
+* bloat where a single live function keeps its whole global script
+* alive.), ScopeCoordinateToTypeSet is not able to find the var/let's
+* associated types::TypeSet.
+*/
+if (skip) {
+BytecodeEmitter *bceSkipped = bce;
+for (unsigned i = 0; i < skip; i++)
+bceSkipped = bceSkipped->parent;
+if (!bceSkipped->sc->isFunctionBox())
+return true;
+}
+JS_ASSERT(!pn->isOp(op));
+pn->setOp(op);
+if (!pn->pn_cookie.set(bce->parser->tokenStream, skip, dn->pn_cookie.slot()))
+return false;
+pn->pn_dflags |= PND_BOUND;
+return true;
+}
+/*
+* Attempts to bind the name, then checks that no dynamic scope lookup ops are
+* emitted in self-hosting mode. NAME ops do lookups off current scope chain,
+* and we do not want to allow self-hosted code to use the dynamic scope.
+*/
+static bool
+BindNameToSlot(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+if (!BindNameToSlotHelper(cx, bce, pn))
+return false;
+if (bce->emitterMode == BytecodeEmitter::SelfHosting && !pn->isBound()) {
+bce->reportError(pn, JSMSG_SELFHOSTED_UNBOUND_NAME);
+return false;
+}
+return true;
+}
+/*
+* If pn contains a useful expression, return true with *answer set to true.
+* If pn contains a useless expression, return true with *answer set to false.
+* Return false on error.
+*
+* The caller should initialize *answer to false and invoke this function on
+* an expression statement or similar subtree to decide whether the tree could
+* produce code that has any side effects.  For an expression statement, we
+* define useless code as code with no side effects, because the main effect,
+* the value left on the stack after the code executes, will be discarded by a
+* pop bytecode.
+*/
+static bool
+CheckSideEffects(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, bool *answer)
+{
+if (!pn || *answer)
+return true;
+switch (pn->getArity()) {
+case PN_CODE:
+/*
+* A named function, contrary to ES3, is no longer useful, because we
+* bind its name lexically (using JSOP_CALLEE) instead of creating an
+* Object instance and binding a readonly, permanent property in it
+* (the object and binding can be detected and hijacked or captured).
+* This is a bug fix to ES3; it is fixed in ES3.1 drafts.
+*/
+MOZ_ASSERT(*answer == false);
+return true;
+case PN_LIST:
+if (pn->isOp(JSOP_NOP) || pn->isOp(JSOP_OR) || pn->isOp(JSOP_AND) ||
+pn->isOp(JSOP_STRICTEQ) || pn->isOp(JSOP_STRICTNE)) {
+/*
+* Non-operators along with ||, &&, ===, and !== never invoke
+* toString or valueOf.
+*/
+bool ok = true;
+for (ParseNode *pn2 = pn->pn_head; pn2; pn2 = pn2->pn_next)
+ok &= CheckSideEffects(cx, bce, pn2, answer);
+return ok;
+}
+if (pn->isKind(PNK_GENEXP)) {
+/* Generator-expressions are harmless if the result is ignored. */
+MOZ_ASSERT(*answer == false);
+return true;
+}
+/*
+* All invocation operations (construct: PNK_NEW, call: PNK_CALL)
+* are presumed to be useful, because they may have side effects
+* even if their main effect (their return value) is discarded.
+*
+* PNK_ELEM binary trees of 3+ nodes are flattened into lists to
+* avoid too much recursion. All such lists must be presumed to be
+* useful because each index operation could invoke a getter.
+*
+* Likewise, array and object initialisers may call prototype
+* setters (the __defineSetter__ built-in, and writable __proto__
+* on Array.prototype create this hazard). Initialiser list nodes
+* have JSOP_NEWINIT in their pn_op.
+*/
+*answer = true;
+return true;
+case PN_TERNARY:
+return CheckSideEffects(cx, bce, pn->pn_kid1, answer) &&
+CheckSideEffects(cx, bce, pn->pn_kid2, answer) &&
+CheckSideEffects(cx, bce, pn->pn_kid3, answer);
+case PN_BINARY:
+case PN_BINARY_OBJ:
+if (pn->isAssignment()) {
+/*
+* Assignment is presumed to be useful, even if the next operation
+* is another assignment overwriting this one's ostensible effect,
+* because the left operand may be a property with a setter that
+* has side effects.
+*
+* The only exception is assignment of a useless value to a const
+* declared in the function currently being compiled.
+*/
+ParseNode *pn2 = pn->pn_left;
+if (!pn2->isKind(PNK_NAME)) {
+*answer = true;
+} else {
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+if (!CheckSideEffects(cx, bce, pn->pn_right, answer))
+return false;
+if (!*answer && (!pn->isOp(JSOP_NOP) || !pn2->isConst()))
+*answer = true;
+}
+return true;
+}
+if (pn->isOp(JSOP_OR) || pn->isOp(JSOP_AND) || pn->isOp(JSOP_STRICTEQ) ||
+pn->isOp(JSOP_STRICTNE)) {
+/*
+* ||, &&, ===, and !== do not convert their operands via
+* toString or valueOf method calls.
+*/
+return CheckSideEffects(cx, bce, pn->pn_left, answer) &&
+CheckSideEffects(cx, bce, pn->pn_right, answer);
+}
+/*
+* We can't easily prove that neither operand ever denotes an
+* object with a toString or valueOf method.
+*/
+*answer = true;
+return true;
+case PN_UNARY:
+switch (pn->getKind()) {
+case PNK_DELETE:
+{
+ParseNode *pn2 = pn->pn_kid;
+switch (pn2->getKind()) {
+case PNK_NAME:
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+if (pn2->isConst()) {
+MOZ_ASSERT(*answer == false);
+return true;
+}
+/* FALL THROUGH */
+case PNK_DOT:
+case PNK_CALL:
+case PNK_ELEM:
+/* All these delete addressing modes have effects too. */
+*answer = true;
+return true;
+default:
+return CheckSideEffects(cx, bce, pn2, answer);
+}
+MOZ_ASSUME_UNREACHABLE("We have a returning default case");
+}
+case PNK_TYPEOF:
+case PNK_VOID:
+case PNK_NOT:
+case PNK_BITNOT:
+if (pn->isOp(JSOP_NOT)) {
+/* ! does not convert its operand via toString or valueOf. */
+return CheckSideEffects(cx, bce, pn->pn_kid, answer);
+}
+/* FALL THROUGH */
+default:
+/*
+* All of PNK_INC, PNK_DEC, PNK_THROW, PNK_YIELD, and PNK_YIELD_STAR
+* have direct effects. Of the remaining unary-arity node types, we
+* can't easily prove that the operand never denotes an object with
+* a toString or valueOf method.
+*/
+*answer = true;
+return true;
+}
+MOZ_ASSUME_UNREACHABLE("We have a returning default case");
+case PN_NAME:
+/*
+* Take care to avoid trying to bind a label name (labels, both for
+* statements and property values in object initialisers, have pn_op
+* defaulted to JSOP_NOP).
+*/
+if (pn->isKind(PNK_NAME) && !pn->isOp(JSOP_NOP)) {
+if (!BindNameToSlot(cx, bce, pn))
+return false;
+if (!pn->isOp(JSOP_CALLEE) && pn->pn_cookie.isFree()) {
+/*
+* Not a use of an unshadowed named function expression's given
+* name, so this expression could invoke a getter that has side
+* effects.
+*/
+*answer = true;
+}
+}
+if (pn->isKind(PNK_DOT)) {
+/* Dotted property references in general can call getters. */
+*answer = true;
+}
+return CheckSideEffects(cx, bce, pn->maybeExpr(), answer);
+case PN_NULLARY:
+if (pn->isKind(PNK_DEBUGGER))
+*answer = true;
+return true;
+}
+return true;
+}
+bool
+BytecodeEmitter::isInLoop()
+{
+for (StmtInfoBCE *stmt = topStmt; stmt; stmt = stmt->down) {
+if (stmt->isLoop())
+return true;
+}
+return false;
+}
+bool
+BytecodeEmitter::checkSingletonContext()
+{
+if (!script->compileAndGo() || sc->isFunctionBox() || isInLoop())
+return false;
+hasSingletons = true;
+return true;
+}
+bool
+BytecodeEmitter::needsImplicitThis()
+{
+if (!script->compileAndGo())
+return true;
+if (sc->isFunctionBox()) {
+if (sc->asFunctionBox()->inWith)
+return true;
+} else {
+JSObject *scope = sc->asGlobalSharedContext()->scopeChain();
+while (scope) {
+if (scope->is<DynamicWithObject>())
+return true;
+scope = scope->enclosingScope();
+}
+}
+for (StmtInfoBCE *stmt = topStmt; stmt; stmt = stmt->down) {
+if (stmt->type == STMT_WITH)
+return true;
+}
+return false;
+}
+void
+BytecodeEmitter::tellDebuggerAboutCompiledScript(ExclusiveContext *cx)
+{
+// Note: when parsing off thread the resulting scripts need to be handed to
+// the debugger after rejoining to the main thread.
+if (!cx->isJSContext())
+return;
+RootedFunction function(cx, script->functionNonDelazifying());
+CallNewScriptHook(cx->asJSContext(), script, function);
+// Lazy scripts are never top level (despite always being invoked with a
+// nullptr parent), and so the hook should never be fired.
+if (emitterMode != LazyFunction && !parent) {
+GlobalObject *compileAndGoGlobal = nullptr;
+if (script->compileAndGo())
+compileAndGoGlobal = &script->global();
+Debugger::onNewScript(cx->asJSContext(), script, compileAndGoGlobal);
+}
+}
+inline TokenStream *
+BytecodeEmitter::tokenStream()
+{
+return &parser->tokenStream;
+}
+bool
+BytecodeEmitter::reportError(ParseNode *pn, unsigned errorNumber, ...)
+{
+TokenPos pos = pn ? pn->pn_pos : tokenStream()->currentToken().pos;
+va_list args;
+va_start(args, errorNumber);
+bool result = tokenStream()->reportCompileErrorNumberVA(pos.begin, JSREPORT_ERROR,
+errorNumber, args);
+va_end(args);
+return result;
+}
+bool
+BytecodeEmitter::reportStrictWarning(ParseNode *pn, unsigned errorNumber, ...)
+{
+TokenPos pos = pn ? pn->pn_pos : tokenStream()->currentToken().pos;
+va_list args;
+va_start(args, errorNumber);
+bool result = tokenStream()->reportStrictWarningErrorNumberVA(pos.begin, errorNumber, args);
+va_end(args);
+return result;
+}
+bool
+BytecodeEmitter::reportStrictModeError(ParseNode *pn, unsigned errorNumber, ...)
+{
+TokenPos pos = pn ? pn->pn_pos : tokenStream()->currentToken().pos;
+va_list args;
+va_start(args, errorNumber);
+bool result = tokenStream()->reportStrictModeErrorNumberVA(pos.begin, sc->strict,
+errorNumber, args);
+va_end(args);
+return result;
+}
+static bool
+EmitNewInit(ExclusiveContext *cx, BytecodeEmitter *bce, JSProtoKey key)
+{
+const size_t len = 1 + UINT32_INDEX_LEN;
+ptrdiff_t offset = EmitCheck(cx, bce, len);
+if (offset < 0)
+return false;
+jsbytecode *code = bce->code(offset);
+code[0] = JSOP_NEWINIT;
+code[1] = jsbytecode(key);
+code[2] = 0;
+code[3] = 0;
+code[4] = 0;
+UpdateDepth(cx, bce, offset);
+CheckTypeSet(cx, bce, JSOP_NEWINIT);
+return true;
+}
+static bool
+IteratorResultShape(ExclusiveContext *cx, BytecodeEmitter *bce, unsigned *shape)
+{
+JS_ASSERT(bce->script->compileAndGo());
+RootedObject obj(cx);
+gc::AllocKind kind = GuessObjectGCKind(2);
+obj = NewBuiltinClassInstance(cx, &JSObject::class_, kind);
+if (!obj)
+return false;
+Rooted<jsid> value_id(cx, AtomToId(cx->names().value));
+Rooted<jsid> done_id(cx, AtomToId(cx->names().done));
+if (!DefineNativeProperty(cx, obj, value_id, UndefinedHandleValue, nullptr, nullptr,
+JSPROP_ENUMERATE))
+return false;
+if (!DefineNativeProperty(cx, obj, done_id, UndefinedHandleValue, nullptr, nullptr,
+JSPROP_ENUMERATE))
+return false;
+ObjectBox *objbox = bce->parser->newObjectBox(obj);
+if (!objbox)
+return false;
+*shape = bce->objectList.add(objbox);
+return true;
+}
+static bool
+EmitPrepareIteratorResult(ExclusiveContext *cx, BytecodeEmitter *bce)
+{
+if (bce->script->compileAndGo()) {
+unsigned shape;
+if (!IteratorResultShape(cx, bce, &shape))
+return false;
+return EmitIndex32(cx, JSOP_NEWOBJECT, shape, bce);
+}
+return EmitNewInit(cx, bce, JSProto_Object);
+}
+static bool
+EmitFinishIteratorResult(ExclusiveContext *cx, BytecodeEmitter *bce, bool done)
+{
+jsatomid value_id;
+if (!bce->makeAtomIndex(cx->names().value, &value_id))
+return UINT_MAX;
+jsatomid done_id;
+if (!bce->makeAtomIndex(cx->names().done, &done_id))
+return UINT_MAX;
+if (!EmitIndex32(cx, JSOP_INITPROP, value_id, bce))
+return false;
+if (Emit1(cx, bce, done ? JSOP_TRUE : JSOP_FALSE) < 0)
+return false;
+if (!EmitIndex32(cx, JSOP_INITPROP, done_id, bce))
+return false;
+if (Emit1(cx, bce, JSOP_ENDINIT) < 0)
+return false;
+return true;
+}
+static bool
+EmitNameOp(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, bool callContext)
+{
+if (!BindNameToSlot(cx, bce, pn))
+return false;
+JSOp op = pn->getOp();
+if (op == JSOP_CALLEE) {
+if (Emit1(cx, bce, op) < 0)
+return false;
+} else {
+if (!pn->pn_cookie.isFree()) {
+JS_ASSERT(JOF_OPTYPE(op) != JOF_ATOM);
+if (!EmitVarOp(cx, pn, op, bce))
+return false;
+} else {
+if (!EmitAtomOp(cx, pn, op, bce))
+return false;
+}
+}
+/* Need to provide |this| value for call */
+if (callContext) {
+if (op == JSOP_NAME && bce->needsImplicitThis()) {
+if (!EmitAtomOp(cx, pn, JSOP_IMPLICITTHIS, bce))
+return false;
+} else {
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+}
+}
+return true;
+}
+static bool
+EmitPropLHS(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->isKind(PNK_DOT));
+ParseNode *pn2 = pn->maybeExpr();
+/*
+* If the object operand is also a dotted property reference, reverse the
+* list linked via pn_expr temporarily so we can iterate over it from the
+* bottom up (reversing again as we go), to avoid excessive recursion.
+*/
+if (pn2->isKind(PNK_DOT)) {
+ParseNode *pndot = pn2;
+ParseNode *pnup = nullptr, *pndown;
+ptrdiff_t top = bce->offset();
+for (;;) {
+/* Reverse pndot->pn_expr to point up, not down. */
+pndot->pn_offset = top;
+JS_ASSERT(!pndot->isUsed());
+pndown = pndot->pn_expr;
+pndot->pn_expr = pnup;
+if (!pndown->isKind(PNK_DOT))
+break;
+pnup = pndot;
+pndot = pndown;
+}
+/* pndown is a primary expression, not a dotted property reference. */
+if (!EmitTree(cx, bce, pndown))
+return false;
+do {
+/* Walk back up the list, emitting annotated name ops. */
+if (!EmitAtomOp(cx, pndot, JSOP_GETPROP, bce))
+return false;
+/* Reverse the pn_expr link again. */
+pnup = pndot->pn_expr;
+pndot->pn_expr = pndown;
+pndown = pndot;
+} while ((pndot = pnup) != nullptr);
+return true;
+}
+// The non-optimized case.
+return EmitTree(cx, bce, pn2);
+}
+static bool
+EmitPropOp(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->isArity(PN_NAME));
+if (!EmitPropLHS(cx, pn, op, bce))
+return false;
+if (op == JSOP_CALLPROP && Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+if (!EmitAtomOp(cx, pn, op, bce))
+return false;
+if (op == JSOP_CALLPROP && Emit1(cx, bce, JSOP_SWAP) < 0)
+return false;
+return true;
+}
+static bool
+EmitPropIncDec(ExclusiveContext *cx, ParseNode *pn, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->pn_kid->getKind() == PNK_DOT);
+bool post;
+JSOp binop = GetIncDecInfo(pn->getKind(), &post);
+JSOp get = JSOP_GETPROP;
+if (!EmitPropLHS(cx, pn->pn_kid, get, bce))     // OBJ
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)               // OBJ OBJ
+return false;
+if (!EmitAtomOp(cx, pn->pn_kid, JSOP_GETPROP, bce)) // OBJ V
+return false;
+if (Emit1(cx, bce, JSOP_POS) < 0)               // OBJ N
+return false;
+if (post && Emit1(cx, bce, JSOP_DUP) < 0)       // OBJ N? N
+return false;
+if (Emit1(cx, bce, JSOP_ONE) < 0)               // OBJ N? N 1
+return false;
+if (Emit1(cx, bce, binop) < 0)                  // OBJ N? N+1
+return false;
+if (post) {
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)2) < 0)   // N? N+1 OBJ
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                  // N? OBJ N+1
+return false;
+}
+if (!EmitAtomOp(cx, pn->pn_kid, JSOP_SETPROP, bce))     // N? N+1
+return false;
+if (post && Emit1(cx, bce, JSOP_POP) < 0)       // RESULT
+return false;
+return true;
+}
+static bool
+EmitNameIncDec(ExclusiveContext *cx, ParseNode *pn, BytecodeEmitter *bce)
+{
+const JSCodeSpec *cs = &js_CodeSpec[pn->pn_kid->getOp()];
+bool global = (cs->format & JOF_GNAME);
+bool post;
+JSOp binop = GetIncDecInfo(pn->getKind(), &post);
+if (!EmitAtomOp(cx, pn->pn_kid, global ? JSOP_BINDGNAME : JSOP_BINDNAME, bce))  // OBJ
+return false;
+if (!EmitAtomOp(cx, pn->pn_kid, global ? JSOP_GETGNAME : JSOP_NAME, bce))       // OBJ V
+return false;
+if (Emit1(cx, bce, JSOP_POS) < 0)               // OBJ N
+return false;
+if (post && Emit1(cx, bce, JSOP_DUP) < 0)       // OBJ N? N
+return false;
+if (Emit1(cx, bce, JSOP_ONE) < 0)               // OBJ N? N 1
+return false;
+if (Emit1(cx, bce, binop) < 0)                  // OBJ N? N+1
+return false;
+if (post) {
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)2) < 0)   // N? N+1 OBJ
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                  // N? OBJ N+1
+return false;
+}
+if (!EmitAtomOp(cx, pn->pn_kid, global ? JSOP_SETGNAME : JSOP_SETNAME, bce)) // N? N+1
+return false;
+if (post && Emit1(cx, bce, JSOP_POP) < 0)       // RESULT
+return false;
+return true;
+}
+/*
+* Emit bytecode to put operands for a JSOP_GETELEM/CALLELEM/SETELEM/DELELEM
+* opcode onto the stack in the right order. In the case of SETELEM, the
+* value to be assigned must already be pushed.
+*/
+static bool
+EmitElemOperands(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->isArity(PN_BINARY));
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+if (op == JSOP_CALLELEM && Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+if (op == JSOP_SETELEM && Emit2(cx, bce, JSOP_PICK, (jsbytecode)2) < 0)
+return false;
+return true;
+}
+static inline bool
+EmitElemOpBase(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp op)
+{
+if (Emit1(cx, bce, op) < 0)
+return false;
+CheckTypeSet(cx, bce, op);
+if (op == JSOP_CALLELEM) {
+if (Emit1(cx, bce, JSOP_SWAP) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitElemOp(ExclusiveContext *cx, ParseNode *pn, JSOp op, BytecodeEmitter *bce)
+{
+return EmitElemOperands(cx, pn, op, bce) && EmitElemOpBase(cx, bce, op);
+}
+static bool
+EmitElemIncDec(ExclusiveContext *cx, ParseNode *pn, BytecodeEmitter *bce)
+{
+JS_ASSERT(pn->pn_kid->getKind() == PNK_ELEM);
+if (!EmitElemOperands(cx, pn->pn_kid, JSOP_GETELEM, bce))
+return false;
+bool post;
+JSOp binop = GetIncDecInfo(pn->getKind(), &post);
+/*
+* We need to convert the key to an object id first, so that we do not do
+* it inside both the GETELEM and the SETELEM.
+*/
+// OBJ KEY*
+if (Emit1(cx, bce, JSOP_TOID) < 0)              // OBJ KEY
+return false;
+if (Emit1(cx, bce, JSOP_DUP2) < 0)              // OBJ KEY OBJ KEY
+return false;
+if (!EmitElemOpBase(cx, bce, JSOP_GETELEM))     // OBJ KEY V
+return false;
+if (Emit1(cx, bce, JSOP_POS) < 0)               // OBJ KEY N
+return false;
+if (post && Emit1(cx, bce, JSOP_DUP) < 0)       // OBJ KEY N? N
+return false;
+if (Emit1(cx, bce, JSOP_ONE) < 0)               // OBJ KEY N? N 1
+return false;
+if (Emit1(cx, bce, binop) < 0)                  // OBJ KEY N? N+1
+return false;
+if (post) {
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)3) < 0)   // KEY N N+1 OBJ
+return false;
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)3) < 0)   // N N+1 OBJ KEY
+return false;
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)2) < 0)   // N OBJ KEY N+1
+return false;
+}
+if (!EmitElemOpBase(cx, bce, JSOP_SETELEM))     // N? N+1
+return false;
+if (post && Emit1(cx, bce, JSOP_POP) < 0)       // RESULT
+return false;
+return true;
+}
+static bool
+EmitNumberOp(ExclusiveContext *cx, double dval, BytecodeEmitter *bce)
+{
+int32_t ival;
+uint32_t u;
+ptrdiff_t off;
+jsbytecode *pc;
+if (NumberIsInt32(dval, &ival)) {
+if (ival == 0)
+return Emit1(cx, bce, JSOP_ZERO) >= 0;
+if (ival == 1)
+return Emit1(cx, bce, JSOP_ONE) >= 0;
+if ((int)(int8_t)ival == ival)
+return Emit2(cx, bce, JSOP_INT8, (jsbytecode)(int8_t)ival) >= 0;
+u = (uint32_t)ival;
+if (u < JS_BIT(16)) {
+EMIT_UINT16_IMM_OP(JSOP_UINT16, u);
+} else if (u < JS_BIT(24)) {
+off = EmitN(cx, bce, JSOP_UINT24, 3);
+if (off < 0)
+return false;
+pc = bce->code(off);
+SET_UINT24(pc, u);
+} else {
+off = EmitN(cx, bce, JSOP_INT32, 4);
+if (off < 0)
+return false;
+pc = bce->code(off);
+SET_INT32(pc, ival);
+}
+return true;
+}
+if (!bce->constList.append(DoubleValue(dval)))
+return false;
+return EmitIndex32(cx, JSOP_DOUBLE, bce->constList.length() - 1, bce);
+}
+static inline void
+SetJumpOffsetAt(BytecodeEmitter *bce, ptrdiff_t off)
+{
+SET_JUMP_OFFSET(bce->code(off), bce->offset() - off);
+}
+static bool
+PushUndefinedValues(ExclusiveContext *cx, BytecodeEmitter *bce, unsigned n)
+{
+for (unsigned i = 0; i < n; ++i) {
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+}
+return true;
+}
+static bool
+InitializeBlockScopedLocalsFromStack(ExclusiveContext *cx, BytecodeEmitter *bce,
+Handle<StaticBlockObject *> blockObj)
+{
+for (unsigned i = blockObj->numVariables(); i > 0; --i) {
+if (blockObj->isAliased(i - 1)) {
+ScopeCoordinate sc;
+sc.setHops(0);
+sc.setSlot(BlockObject::RESERVED_SLOTS + i - 1);
+if (!EmitAliasedVarOp(cx, JSOP_SETALIASEDVAR, sc, bce))
+return false;
+} else {
+unsigned local = blockObj->blockIndexToLocalIndex(i - 1);
+if (!EmitUnaliasedVarOp(cx, JSOP_SETLOCAL, local, bce))
+return false;
+}
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+return true;
+}
+static bool
+EnterBlockScope(ExclusiveContext *cx, BytecodeEmitter *bce, StmtInfoBCE *stmtInfo,
+ObjectBox *objbox, unsigned alreadyPushed = 0)
+{
+// Initial values for block-scoped locals.
+Rooted<StaticBlockObject *> blockObj(cx, &objbox->object->as<StaticBlockObject>());
+if (!PushUndefinedValues(cx, bce, blockObj->numVariables() - alreadyPushed))
+return false;
+if (!EnterNestedScope(cx, bce, stmtInfo, objbox, STMT_BLOCK))
+return false;
+if (!InitializeBlockScopedLocalsFromStack(cx, bce, blockObj))
+return false;
+return true;
+}
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047.
+* LLVM is deciding to inline this function which uses a lot of stack space
+* into EmitTree which is recursive and uses relatively little stack space.
+*/
+MOZ_NEVER_INLINE static bool
+EmitSwitch(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JSOp switchOp;
+bool hasDefault;
+ptrdiff_t top, off, defaultOffset;
+ParseNode *pn2, *pn3, *pn4;
+int32_t low, high;
+int noteIndex;
+size_t switchSize;
+jsbytecode *pc;
+/* Try for most optimal, fall back if not dense ints. */
+switchOp = JSOP_TABLESWITCH;
+hasDefault = false;
+defaultOffset = -1;
+pn2 = pn->pn_right;
+JS_ASSERT(pn2->isKind(PNK_LEXICALSCOPE) || pn2->isKind(PNK_STATEMENTLIST));
+/* Push the discriminant. */
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+StmtInfoBCE stmtInfo(cx);
+if (pn2->isKind(PNK_LEXICALSCOPE)) {
+if (!EnterBlockScope(cx, bce, &stmtInfo, pn2->pn_objbox, 0))
+return false;
+stmtInfo.type = STMT_SWITCH;
+stmtInfo.update = top = bce->offset();
+/* Advance pn2 to refer to the switch case list. */
+pn2 = pn2->expr();
+} else {
+JS_ASSERT(pn2->isKind(PNK_STATEMENTLIST));
+top = bce->offset();
+PushStatementBCE(bce, &stmtInfo, STMT_SWITCH, top);
+}
+/* Switch bytecodes run from here till end of final case. */
+uint32_t caseCount = pn2->pn_count;
+uint32_t tableLength = 0;
+ScopedJSFreePtr<ParseNode*> table(nullptr);
+if (caseCount > JS_BIT(16)) {
+bce->parser->tokenStream.reportError(JSMSG_TOO_MANY_CASES);
+return false;
+}
+if (caseCount == 0 ||
+(caseCount == 1 &&
+(hasDefault = (pn2->pn_head->isKind(PNK_DEFAULT))))) {
+caseCount = 0;
+low = 0;
+high = -1;
+} else {
+bool ok = true;
+#define INTMAP_LENGTH   256
+jsbitmap intmap_space[INTMAP_LENGTH];
+jsbitmap *intmap = nullptr;
+int32_t intmap_bitlen = 0;
+low  = JSVAL_INT_MAX;
+high = JSVAL_INT_MIN;
+for (pn3 = pn2->pn_head; pn3; pn3 = pn3->pn_next) {
+if (pn3->isKind(PNK_DEFAULT)) {
+hasDefault = true;
+caseCount--;    /* one of the "cases" was the default */
+continue;
+}
+JS_ASSERT(pn3->isKind(PNK_CASE));
+if (switchOp == JSOP_CONDSWITCH)
+continue;
+JS_ASSERT(switchOp == JSOP_TABLESWITCH);
+pn4 = pn3->pn_left;
+if (pn4->getKind() != PNK_NUMBER) {
+switchOp = JSOP_CONDSWITCH;
+continue;
+}
+int32_t i;
+if (!NumberIsInt32(pn4->pn_dval, &i)) {
+switchOp = JSOP_CONDSWITCH;
+continue;
+}
+if ((unsigned)(i + (int)JS_BIT(15)) >= (unsigned)JS_BIT(16)) {
+switchOp = JSOP_CONDSWITCH;
+continue;
+}
+if (i < low)
+low = i;
+if (high < i)
+high = i;
+/*
+* Check for duplicates, which require a JSOP_CONDSWITCH.
+* We bias i by 65536 if it's negative, and hope that's a rare
+* case (because it requires a malloc'd bitmap).
+*/
+if (i < 0)
+i += JS_BIT(16);
+if (i >= intmap_bitlen) {
+if (!intmap &&
+size_t(i) < (INTMAP_LENGTH * JS_BITMAP_NBITS)) {
+intmap = intmap_space;
+intmap_bitlen = INTMAP_LENGTH * JS_BITMAP_NBITS;
+} else {
+/* Just grab 8K for the worst-case bitmap. */
+intmap_bitlen = JS_BIT(16);
+intmap = cx->pod_malloc<jsbitmap>(JS_BIT(16) / JS_BITMAP_NBITS);
+if (!intmap) {
+js_ReportOutOfMemory(cx);
+return false;
+}
+}
+memset(intmap, 0, size_t(intmap_bitlen) / CHAR_BIT);
+}
+if (JS_TEST_BIT(intmap, i)) {
+switchOp = JSOP_CONDSWITCH;
+continue;
+}
+JS_SET_BIT(intmap, i);
+}
+if (intmap && intmap != intmap_space)
+js_free(intmap);
+if (!ok)
+return false;
+/*
+* Compute table length and select condswitch instead if overlarge or
+* more than half-sparse.
+*/
+if (switchOp == JSOP_TABLESWITCH) {
+tableLength = (uint32_t)(high - low + 1);
+if (tableLength >= JS_BIT(16) || tableLength > 2 * caseCount)
+switchOp = JSOP_CONDSWITCH;
+}
+}
+/*
+* The note has one or two offsets: first tells total switch code length;
+* second (if condswitch) tells offset to first JSOP_CASE.
+*/
+if (switchOp == JSOP_CONDSWITCH) {
+/* 0 bytes of immediate for unoptimized switch. */
+switchSize = 0;
+noteIndex = NewSrcNote3(cx, bce, SRC_CONDSWITCH, 0, 0);
+} else {
+JS_ASSERT(switchOp == JSOP_TABLESWITCH);
+/* 3 offsets (len, low, high) before the table, 1 per entry. */
+switchSize = (size_t)(JUMP_OFFSET_LEN * (3 + tableLength));
+noteIndex = NewSrcNote2(cx, bce, SRC_TABLESWITCH, 0);
+}
+if (noteIndex < 0)
+return false;
+/* Emit switchOp followed by switchSize bytes of jump or lookup table. */
+if (EmitN(cx, bce, switchOp, switchSize) < 0)
+return false;
+off = -1;
+if (switchOp == JSOP_CONDSWITCH) {
+int caseNoteIndex = -1;
+bool beforeCases = true;
+/* Emit code for evaluating cases and jumping to case statements. */
+for (pn3 = pn2->pn_head; pn3; pn3 = pn3->pn_next) {
+pn4 = pn3->pn_left;
+if (pn4 && !EmitTree(cx, bce, pn4))
+return false;
+if (caseNoteIndex >= 0) {
+/* off is the previous JSOP_CASE's bytecode offset. */
+if (!SetSrcNoteOffset(cx, bce, (unsigned)caseNoteIndex, 0, bce->offset() - off))
+return false;
+}
+if (!pn4) {
+JS_ASSERT(pn3->isKind(PNK_DEFAULT));
+continue;
+}
+caseNoteIndex = NewSrcNote2(cx, bce, SRC_NEXTCASE, 0);
+if (caseNoteIndex < 0)
+return false;
+off = EmitJump(cx, bce, JSOP_CASE, 0);
+if (off < 0)
+return false;
+pn3->pn_offset = off;
+if (beforeCases) {
+unsigned noteCount, noteCountDelta;
+/* Switch note's second offset is to first JSOP_CASE. */
+noteCount = bce->notes().length();
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 1, off - top))
+return false;
+noteCountDelta = bce->notes().length() - noteCount;
+if (noteCountDelta != 0)
+caseNoteIndex += noteCountDelta;
+beforeCases = false;
+}
+}
+/*
+* If we didn't have an explicit default (which could fall in between
+* cases, preventing us from fusing this SetSrcNoteOffset with the call
+* in the loop above), link the last case to the implicit default for
+* the benefit of IonBuilder.
+*/
+if (!hasDefault &&
+caseNoteIndex >= 0 &&
+!SetSrcNoteOffset(cx, bce, (unsigned)caseNoteIndex, 0, bce->offset() - off))
+{
+return false;
+}
+/* Emit default even if no explicit default statement. */
+defaultOffset = EmitJump(cx, bce, JSOP_DEFAULT, 0);
+if (defaultOffset < 0)
+return false;
+} else {
+JS_ASSERT(switchOp == JSOP_TABLESWITCH);
+pc = bce->code(top + JUMP_OFFSET_LEN);
+/* Fill in switch bounds, which we know fit in 16-bit offsets. */
+SET_JUMP_OFFSET(pc, low);
+pc += JUMP_OFFSET_LEN;
+SET_JUMP_OFFSET(pc, high);
+pc += JUMP_OFFSET_LEN;
+/*
+* Use malloc to avoid arena bloat for programs with many switches.
+* ScopedJSFreePtr takes care of freeing it on exit.
+*/
+if (tableLength != 0) {
+table = cx->pod_calloc<ParseNode*>(tableLength);
+if (!table)
+return false;
+for (pn3 = pn2->pn_head; pn3; pn3 = pn3->pn_next) {
+if (pn3->isKind(PNK_DEFAULT))
+continue;
+JS_ASSERT(pn3->isKind(PNK_CASE));
+pn4 = pn3->pn_left;
+JS_ASSERT(pn4->getKind() == PNK_NUMBER);
+int32_t i = int32_t(pn4->pn_dval);
+JS_ASSERT(double(i) == pn4->pn_dval);
+i -= low;
+JS_ASSERT(uint32_t(i) < tableLength);
+table[i] = pn3;
+}
+}
+}
+/* Emit code for each case's statements, copying pn_offset up to pn3. */
+for (pn3 = pn2->pn_head; pn3; pn3 = pn3->pn_next) {
+if (switchOp == JSOP_CONDSWITCH && !pn3->isKind(PNK_DEFAULT))
+SetJumpOffsetAt(bce, pn3->pn_offset);
+pn4 = pn3->pn_right;
+if (!EmitTree(cx, bce, pn4))
+return false;
+pn3->pn_offset = pn4->pn_offset;
+if (pn3->isKind(PNK_DEFAULT))
+off = pn3->pn_offset - top;
+}
+if (!hasDefault) {
+/* If no default case, offset for default is to end of switch. */
+off = bce->offset() - top;
+}
+/* We better have set "off" by now. */
+JS_ASSERT(off != -1);
+/* Set the default offset (to end of switch if no default). */
+if (switchOp == JSOP_CONDSWITCH) {
+pc = nullptr;
+JS_ASSERT(defaultOffset != -1);
+SET_JUMP_OFFSET(bce->code(defaultOffset), off - (defaultOffset - top));
+} else {
+pc = bce->code(top);
+SET_JUMP_OFFSET(pc, off);
+pc += JUMP_OFFSET_LEN;
+}
+/* Set the SRC_SWITCH note's offset operand to tell end of switch. */
+off = bce->offset() - top;
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 0, off))
+return false;
+if (switchOp == JSOP_TABLESWITCH) {
+/* Skip over the already-initialized switch bounds. */
+pc += 2 * JUMP_OFFSET_LEN;
+/* Fill in the jump table, if there is one. */
+for (uint32_t i = 0; i < tableLength; i++) {
+pn3 = table[i];
+off = pn3 ? pn3->pn_offset - top : 0;
+SET_JUMP_OFFSET(pc, off);
+pc += JUMP_OFFSET_LEN;
+}
+}
+if (pn->pn_right->isKind(PNK_LEXICALSCOPE)) {
+if (!LeaveNestedScope(cx, bce, &stmtInfo))
+return false;
+} else {
+if (!PopStatementBCE(cx, bce))
+return false;
+}
+return true;
+}
+bool
+BytecodeEmitter::isRunOnceLambda()
+{
+// The run once lambda flags set by the parser are approximate, and we look
+// at properties of the function itself before deciding to emit a function
+// as a run once lambda.
+if (!(parent && parent->emittingRunOnceLambda) && !lazyRunOnceLambda)
+return false;
+FunctionBox *funbox = sc->asFunctionBox();
+return !funbox->argumentsHasLocalBinding() &&
+!funbox->isGenerator() &&
+!funbox->function()->name();
+}
+bool
+frontend::EmitFunctionScript(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *body)
+{
+/*
+* IonBuilder has assumptions about what may occur immediately after
+* script->main (e.g., in the case of destructuring params). Thus, put the
+* following ops into the range [script->code, script->main). Note:
+* execution starts from script->code, so this has no semantic effect.
+*/
+FunctionBox *funbox = bce->sc->asFunctionBox();
+if (funbox->argumentsHasLocalBinding()) {
+JS_ASSERT(bce->offset() == 0);  /* See JSScript::argumentsBytecode. */
+bce->switchToProlog();
+if (Emit1(cx, bce, JSOP_ARGUMENTS) < 0)
+return false;
+InternalBindingsHandle bindings(bce->script, &bce->script->bindings);
+uint32_t varIndex = Bindings::argumentsVarIndex(cx, bindings);
+if (bce->script->varIsAliased(varIndex)) {
+ScopeCoordinate sc;
+sc.setHops(0);
+JS_ALWAYS_TRUE(LookupAliasedNameSlot(bce->script, cx->names().arguments, &sc));
+if (!EmitAliasedVarOp(cx, JSOP_SETALIASEDVAR, sc, bce))
+return false;
+} else {
+if (!EmitUnaliasedVarOp(cx, JSOP_SETLOCAL, varIndex, bce))
+return false;
+}
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+bce->switchToMain();
+}
+if (funbox->isGenerator()) {
+bce->switchToProlog();
+if (Emit1(cx, bce, JSOP_GENERATOR) < 0)
+return false;
+bce->switchToMain();
+}
+/*
+* Emit a prologue for run-once scripts which will deoptimize JIT code if
+* the script ends up running multiple times via foo.caller related
+* shenanigans.
+*/
+bool runOnce = bce->isRunOnceLambda();
+if (runOnce) {
+bce->switchToProlog();
+if (Emit1(cx, bce, JSOP_RUNONCE) < 0)
+return false;
+bce->switchToMain();
+}
+if (!EmitTree(cx, bce, body))
+return false;
+// If we fall off the end of an ES6 generator, return a boxed iterator
+// result object of the form { value: undefined, done: true }.
+if (bce->sc->isFunctionBox() && bce->sc->asFunctionBox()->isStarGenerator()) {
+if (!EmitPrepareIteratorResult(cx, bce))
+return false;
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+if (!EmitFinishIteratorResult(cx, bce, true))
+return false;
+// No need to check for finally blocks, etc as in EmitReturn.
+if (Emit1(cx, bce, JSOP_RETURN) < 0)
+return false;
+}
+/*
+* Always end the script with a JSOP_RETRVAL. Some other parts of the codebase
+* depend on this opcode, e.g. js_InternalInterpret.
+*/
+if (Emit1(cx, bce, JSOP_RETRVAL) < 0)
+return false;
+if (!JSScript::fullyInitFromEmitter(cx, bce->script, bce))
+return false;
+/*
+* If this function is only expected to run once, mark the script so that
+* initializers created within it may be given more precise types.
+*/
+if (runOnce) {
+bce->script->setTreatAsRunOnce();
+JS_ASSERT(!bce->script->hasRunOnce());
+}
+/* Initialize fun->script() so that the debugger has a valid fun->script(). */
+RootedFunction fun(cx, bce->script->functionNonDelazifying());
+JS_ASSERT(fun->isInterpreted());
+if (fun->isInterpretedLazy())
+fun->setUnlazifiedScript(bce->script);
+else
+fun->setScript(bce->script);
+bce->tellDebuggerAboutCompiledScript(cx);
+return true;
+}
+static bool
+MaybeEmitVarDecl(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp, ParseNode *pn,
+jsatomid *result)
+{
+jsatomid atomIndex;
+if (!pn->pn_cookie.isFree()) {
+atomIndex = pn->pn_cookie.slot();
+} else {
+if (!bce->makeAtomIndex(pn->pn_atom, &atomIndex))
+return false;
+}
+if (JOF_OPTYPE(pn->getOp()) == JOF_ATOM &&
+(!bce->sc->isFunctionBox() || bce->sc->asFunctionBox()->isHeavyweight()))
+{
+bce->switchToProlog();
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+if (!EmitIndexOp(cx, prologOp, atomIndex, bce))
+return false;
+bce->switchToMain();
+}
+if (result)
+*result = atomIndex;
+return true;
+}
+/*
+* This enum tells EmitVariables and the destructuring functions how emit the
+* given Parser::variables parse tree. In the base case, DefineVars, the caller
+* only wants variables to be defined in the prologue (if necessary). For
+* PushInitialValues, variable initializer expressions are evaluated and left
+* on the stack. For InitializeVars, the initializer expressions values are
+* assigned (to local variables) and popped.
+*/
+enum VarEmitOption
+{
+DefineVars        = 0,
+PushInitialValues = 1,
+InitializeVars    = 2
+};
+typedef bool
+(*DestructuringDeclEmitter)(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp, ParseNode *pn);
+static bool
+EmitDestructuringDecl(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp, ParseNode *pn)
+{
+JS_ASSERT(pn->isKind(PNK_NAME));
+if (!BindNameToSlot(cx, bce, pn))
+return false;
+JS_ASSERT(!pn->isOp(JSOP_CALLEE));
+return MaybeEmitVarDecl(cx, bce, prologOp, pn, nullptr);
+}
+static bool
+EmitDestructuringDecls(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp,
+ParseNode *pattern)
+{
+if (pattern->isKind(PNK_ARRAY)) {
+for (ParseNode *element = pattern->pn_head; element; element = element->pn_next) {
+if (element->isKind(PNK_ELISION))
+continue;
+DestructuringDeclEmitter emitter =
+element->isKind(PNK_NAME) ? EmitDestructuringDecl : EmitDestructuringDecls;
+if (!emitter(cx, bce, prologOp, element))
+return false;
+}
+return true;
+}
+MOZ_ASSERT(pattern->isKind(PNK_OBJECT));
+for (ParseNode *member = pattern->pn_head; member; member = member->pn_next) {
+ParseNode *target = member->pn_right;
+DestructuringDeclEmitter emitter =
+target->isKind(PNK_NAME) ? EmitDestructuringDecl : EmitDestructuringDecls;
+if (!emitter(cx, bce, prologOp, target))
+return false;
+}
+return true;
+}
+static bool
+EmitDestructuringOpsHelper(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn,
+VarEmitOption emitOption);
+/*
+* EmitDestructuringLHS assumes the to-be-destructured value has been pushed on
+* the stack and emits code to destructure a single lhs expression (either a
+* name or a compound []/{} expression).
+*
+* If emitOption is InitializeVars, the to-be-destructured value is assigned to
+* locals and ultimately the initial slot is popped (-1 total depth change).
+*
+* If emitOption is PushInitialValues, the to-be-destructured value is replaced
+* with the initial values of the N (where 0 <= N) variables assigned in the
+* lhs expression. (Same post-condition as EmitDestructuringOpsHelper)
+*/
+static bool
+EmitDestructuringLHS(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, VarEmitOption emitOption)
+{
+JS_ASSERT(emitOption != DefineVars);
+// Now emit the lvalue opcode sequence. If the lvalue is a nested
+// destructuring initialiser-form, call ourselves to handle it, then pop
+// the matched value. Otherwise emit an lvalue bytecode sequence followed
+// by an assignment op.
+if (pn->isKind(PNK_ARRAY) || pn->isKind(PNK_OBJECT)) {
+if (!EmitDestructuringOpsHelper(cx, bce, pn, emitOption))
+return false;
+if (emitOption == InitializeVars) {
+// Per its post-condition, EmitDestructuringOpsHelper has left the
+// to-be-destructured value on top of the stack.
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+} else if (emitOption == PushInitialValues) {
+// The lhs is a simple name so the to-be-destructured value is
+// its initial value and there is nothing to do.
+JS_ASSERT(pn->getOp() == JSOP_GETLOCAL);
+JS_ASSERT(pn->pn_dflags & PND_BOUND);
+} else {
+switch (pn->getKind()) {
+case PNK_NAME:
+if (!BindNameToSlot(cx, bce, pn))
+return false;
+// Allow 'const [x,y] = o', make 'const x,y; [x,y] = o' a nop.
+if (pn->isConst() && !pn->isDefn())
+return Emit1(cx, bce, JSOP_POP) >= 0;
+switch (pn->getOp()) {
+case JSOP_SETNAME:
+case JSOP_SETGNAME:
+case JSOP_SETCONST: {
+// This is like ordinary assignment, but with one difference.
+//
+// In `a = b`, we first determine a binding for `a` (using
+// JSOP_BINDNAME or JSOP_BINDGNAME), then we evaluate `b`, then
+// a JSOP_SETNAME instruction.
+//
+// In `[a] = [b]`, per spec, `b` is evaluated first, then we
+// determine a binding for `a`. Then we need to do assignment--
+// but the operands are on the stack in the wrong order for
+// JSOP_SETPROP, so we have to add a JSOP_SWAP.
+jsatomid atomIndex;
+if (!bce->makeAtomIndex(pn->pn_atom, &atomIndex))
+return false;
+if (!pn->isOp(JSOP_SETCONST)) {
+JSOp bindOp = pn->isOp(JSOP_SETNAME) ? JSOP_BINDNAME : JSOP_BINDGNAME;
+if (!EmitIndex32(cx, bindOp, atomIndex, bce))
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)
+return false;
+}
+if (!EmitIndexOp(cx, pn->getOp(), atomIndex, bce))
+return false;
+break;
+}
+case JSOP_SETLOCAL:
+case JSOP_SETARG:
+if (!EmitVarOp(cx, pn, pn->getOp(), bce))
+return false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("EmitDestructuringLHS: bad name op");
+}
+break;
+case PNK_DOT:
+// See the (PNK_NAME, JSOP_SETNAME) case above.
+//
+// In `a.x = b`, `a` is evaluated first, then `b`, then a
+// JSOP_SETPROP instruction.
+//
+// In `[a.x] = [b]`, per spec, `b` is evaluated before `a`. Then we
+// need a property set -- but the operands are on the stack in the
+// wrong order for JSOP_SETPROP, so we have to add a JSOP_SWAP.
+if (!EmitTree(cx, bce, pn->pn_expr))
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)
+return false;
+if (!EmitAtomOp(cx, pn, JSOP_SETPROP, bce))
+return false;
+break;
+case PNK_ELEM:
+// See the comment at `case PNK_DOT:` above. This case,
+// `[a[x]] = [b]`, is handled much the same way. The JSOP_SWAP
+// is emitted by EmitElemOperands.
+if (!EmitElemOp(cx, pn, JSOP_SETELEM, bce))
+return false;
+break;
+case PNK_CALL:
+JS_ASSERT(pn->pn_xflags & PNX_SETCALL);
+if (!EmitTree(cx, bce, pn))
+return false;
+// Pop the call return value. Below, we pop the RHS too, balancing
+// the stack --- presumably for the benefit of bytecode
+// analysis. (The interpreter will never reach these instructions
+// since we just emitted JSOP_SETCALL, which always throws. It's
+// possible no analyses actually depend on this either.)
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+break;
+default:
+MOZ_ASSUME_UNREACHABLE("EmitDestructuringLHS: bad lhs kind");
+}
+// Pop the assigned value.
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+return true;
+}
+/*
+* Recursive helper for EmitDestructuringOps.
+* EmitDestructuringOpsHelper assumes the to-be-destructured value has been
+* pushed on the stack and emits code to destructure each part of a [] or {}
+* lhs expression.
+*
+* If emitOption is InitializeVars, the initial to-be-destructured value is
+* left untouched on the stack and the overall depth is not changed.
+*
+* If emitOption is PushInitialValues, the to-be-destructured value is replaced
+* with the initial values of the N (where 0 <= N) variables assigned in the
+* lhs expression. (Same post-condition as EmitDestructuringLHS)
+*/
+static bool
+EmitDestructuringOpsHelper(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn,
+VarEmitOption emitOption)
+{
+JS_ASSERT(emitOption != DefineVars);
+unsigned index;
+ParseNode *pn2, *pn3;
+bool doElemOp;
+#ifdef DEBUG
+int stackDepth = bce->stackDepth;
+JS_ASSERT(stackDepth != 0);
+JS_ASSERT(pn->isArity(PN_LIST));
+JS_ASSERT(pn->isKind(PNK_ARRAY) || pn->isKind(PNK_OBJECT));
+#endif
+index = 0;
+for (pn2 = pn->pn_head; pn2; pn2 = pn2->pn_next) {
+/* Duplicate the value being destructured to use as a reference base. */
+if (Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+/*
+* Now push the property name currently being matched, which is either
+* the array initialiser's current index, or the current property name
+* "label" on the left of a colon in the object initialiser.  Set pn3
+* to the lvalue node, which is in the value-initializing position.
+*/
+doElemOp = true;
+if (pn->isKind(PNK_ARRAY)) {
+if (!EmitNumberOp(cx, index, bce))
+return false;
+pn3 = pn2;
+} else {
+JS_ASSERT(pn->isKind(PNK_OBJECT));
+JS_ASSERT(pn2->isKind(PNK_COLON));
+ParseNode *key = pn2->pn_left;
+if (key->isKind(PNK_NUMBER)) {
+if (!EmitNumberOp(cx, key->pn_dval, bce))
+return false;
+} else {
+MOZ_ASSERT(key->isKind(PNK_STRING) || key->isKind(PNK_NAME));
+PropertyName *name = key->pn_atom->asPropertyName();
+// The parser already checked for atoms representing indexes and
+// used PNK_NUMBER instead, but also watch for ids which TI treats
+// as indexes for simplification of downstream analysis.
+jsid id = NameToId(name);
+if (id != types::IdToTypeId(id)) {
+if (!EmitTree(cx, bce, key))
+return false;
+} else {
+if (!EmitAtomOp(cx, name, JSOP_GETPROP, bce))
+return false;
+doElemOp = false;
+}
+}
+pn3 = pn2->pn_right;
+}
+if (doElemOp) {
+/*
+* Ok, get the value of the matching property name.  This leaves
+* that value on top of the value being destructured, so the stack
+* is one deeper than when we started.
+*/
+if (!EmitElemOpBase(cx, bce, JSOP_GETELEM))
+return false;
+JS_ASSERT(bce->stackDepth >= stackDepth + 1);
+}
+/* Elision node makes a hole in the array destructurer. */
+if (pn3->isKind(PNK_ELISION)) {
+JS_ASSERT(pn->isKind(PNK_ARRAY));
+JS_ASSERT(pn2 == pn3);
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+} else {
+int32_t depthBefore = bce->stackDepth;
+if (!EmitDestructuringLHS(cx, bce, pn3, emitOption))
+return false;
+if (emitOption == PushInitialValues) {
+/*
+* After '[x,y]' in 'let ([[x,y], z] = o)', the stack is
+*   | to-be-destructured-value | x | y |
+* The goal is:
+*   | x | y | z |
+* so emit a pick to produce the intermediate state
+*   | x | y | to-be-destructured-value |
+* before destructuring z. This gives the loop invariant that
+* the to-be-destructured-value is always on top of the stack.
+*/
+JS_ASSERT((bce->stackDepth - bce->stackDepth) >= -1);
+uint32_t pickDistance = (uint32_t)((bce->stackDepth + 1) - depthBefore);
+if (pickDistance > 0) {
+if (pickDistance > UINT8_MAX) {
+bce->reportError(pn3, JSMSG_TOO_MANY_LOCALS);
+return false;
+}
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)pickDistance) < 0)
+return false;
+}
+}
+}
+++index;
+}
+if (emitOption == PushInitialValues) {
+/*
+* Per the above loop invariant, to-be-destructured-value is at the top
+* of the stack. To achieve the post-condition, pop it.
+*/
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitDestructuringOps(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, bool isLet = false)
+{
+/*
+* Call our recursive helper to emit the destructuring assignments and
+* related stack manipulations.
+*/
+VarEmitOption emitOption = isLet ? PushInitialValues : InitializeVars;
+return EmitDestructuringOpsHelper(cx, bce, pn, emitOption);
+}
+static bool
+EmitGroupAssignment(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp,
+ParseNode *lhs, ParseNode *rhs)
+{
+uint32_t depth, limit, i, nslots;
+ParseNode *pn;
+depth = limit = (uint32_t) bce->stackDepth;
+for (pn = rhs->pn_head; pn; pn = pn->pn_next) {
+if (limit == JS_BIT(16)) {
+bce->reportError(rhs, JSMSG_ARRAY_INIT_TOO_BIG);
+return false;
+}
+/* MaybeEmitGroupAssignment won't call us if rhs is holey. */
+JS_ASSERT(!pn->isKind(PNK_ELISION));
+if (!EmitTree(cx, bce, pn))
+return false;
+++limit;
+}
+i = depth;
+for (pn = lhs->pn_head; pn; pn = pn->pn_next, ++i) {
+/* MaybeEmitGroupAssignment requires lhs->pn_count <= rhs->pn_count. */
+JS_ASSERT(i < limit);
+if (!EmitDupAt(cx, bce, i))
+return false;
+if (pn->isKind(PNK_ELISION)) {
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+} else {
+if (!EmitDestructuringLHS(cx, bce, pn, InitializeVars))
+return false;
+}
+}
+nslots = limit - depth;
+EMIT_UINT16_IMM_OP(JSOP_POPN, nslots);
+bce->stackDepth = (uint32_t) depth;
+return true;
+}
+enum GroupOption { GroupIsDecl, GroupIsNotDecl };
+/*
+* Helper called with pop out param initialized to a JSOP_POP* opcode.  If we
+* can emit a group assignment sequence, which results in 0 stack depth delta,
+* we set *pop to JSOP_NOP so callers can veto emitting pn followed by a pop.
+*/
+static bool
+MaybeEmitGroupAssignment(ExclusiveContext *cx, BytecodeEmitter *bce, JSOp prologOp, ParseNode *pn,
+GroupOption groupOption, JSOp *pop)
+{
+JS_ASSERT(pn->isKind(PNK_ASSIGN));
+JS_ASSERT(pn->isOp(JSOP_NOP));
+JS_ASSERT(*pop == JSOP_POP || *pop == JSOP_SETRVAL);
+ParseNode *lhs = pn->pn_left;
+ParseNode *rhs = pn->pn_right;
+if (lhs->isKind(PNK_ARRAY) && rhs->isKind(PNK_ARRAY) &&
+!(rhs->pn_xflags & PNX_SPECIALARRAYINIT) &&
+lhs->pn_count <= rhs->pn_count)
+{
+if (groupOption == GroupIsDecl && !EmitDestructuringDecls(cx, bce, prologOp, lhs))
+return false;
+if (!EmitGroupAssignment(cx, bce, prologOp, lhs, rhs))
+return false;
+*pop = JSOP_NOP;
+}
+return true;
+}
+/*
+* Like MaybeEmitGroupAssignment, but for 'let ([x,y] = [a,b]) ...'.
+*
+* Instead of issuing a sequence |dup|eval-rhs|set-lhs|pop| (which doesn't work
+* since the bound vars don't yet have slots), just eval/push each rhs element
+* just like what EmitLet would do for 'let (x = a, y = b) ...'. While shorter,
+* simpler and more efficient than MaybeEmitGroupAssignment, it is harder to
+* decompile so we restrict the ourselves to cases where the lhs and rhs are in
+* 1:1 correspondence and lhs elements are simple names.
+*/
+static bool
+MaybeEmitLetGroupDecl(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, JSOp *pop)
+{
+JS_ASSERT(pn->isKind(PNK_ASSIGN));
+JS_ASSERT(pn->isOp(JSOP_NOP));
+JS_ASSERT(*pop == JSOP_POP || *pop == JSOP_SETRVAL);
+ParseNode *lhs = pn->pn_left;
+ParseNode *rhs = pn->pn_right;
+if (lhs->isKind(PNK_ARRAY) && rhs->isKind(PNK_ARRAY) &&
+!(rhs->pn_xflags & PNX_SPECIALARRAYINIT) &&
+!(lhs->pn_xflags & PNX_SPECIALARRAYINIT) &&
+lhs->pn_count == rhs->pn_count)
+{
+for (ParseNode *l = lhs->pn_head; l; l = l->pn_next) {
+if (l->getOp() != JSOP_SETLOCAL)
+return true;
+}
+for (ParseNode *r = rhs->pn_head; r; r = r->pn_next) {
+if (!EmitTree(cx, bce, r))
+return false;
+}
+*pop = JSOP_NOP;
+}
+return true;
+}
+static bool
+EmitVariables(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, VarEmitOption emitOption,
+bool isLet = false)
+{
+JS_ASSERT(pn->isArity(PN_LIST));
+JS_ASSERT(isLet == (emitOption == PushInitialValues));
+ParseNode *next;
+for (ParseNode *pn2 = pn->pn_head; ; pn2 = next) {
+if (!UpdateSourceCoordNotes(cx, bce, pn2->pn_pos.begin))
+return false;
+next = pn2->pn_next;
+ParseNode *pn3;
+if (!pn2->isKind(PNK_NAME)) {
+if (pn2->isKind(PNK_ARRAY) || pn2->isKind(PNK_OBJECT)) {
+/*
+* Emit variable binding ops, but not destructuring ops.  The
+* parser (see Parser::variables) has ensured that our caller
+* will be the PNK_FOR/PNK_FORIN/PNK_FOROF case in EmitTree, and
+* that case will emit the destructuring code only after
+* emitting an enumerating opcode and a branch that tests
+* whether the enumeration ended.
+*/
+JS_ASSERT(emitOption == DefineVars);
+JS_ASSERT(pn->pn_count == 1);
+if (!EmitDestructuringDecls(cx, bce, pn->getOp(), pn2))
+return false;
+break;
+}
+/*
+* A destructuring initialiser assignment preceded by var will
+* never occur to the left of 'in' in a for-in loop.  As with 'for
+* (var x = i in o)...', this will cause the entire 'var [a, b] =
+* i' to be hoisted out of the loop.
+*/
+JS_ASSERT(pn2->isKind(PNK_ASSIGN));
+JS_ASSERT(pn2->isOp(JSOP_NOP));
+JS_ASSERT(emitOption != DefineVars);
+/*
+* To allow the front end to rewrite var f = x; as f = x; when a
+* function f(){} precedes the var, detect simple name assignment
+* here and initialize the name.
+*/
+if (pn2->pn_left->isKind(PNK_NAME)) {
+pn3 = pn2->pn_right;
+pn2 = pn2->pn_left;
+goto do_name;
+}
+JSOp op = JSOP_POP;
+if (pn->pn_count == 1) {
+/*
+* If this is the only destructuring assignment in the list,
+* try to optimize to a group assignment.  If we're in a let
+* head, pass JSOP_POP rather than the pseudo-prolog JSOP_NOP
+* in pn->pn_op, to suppress a second (and misplaced) 'let'.
+*/
+JS_ASSERT(!pn2->pn_next);
+if (isLet) {
+if (!MaybeEmitLetGroupDecl(cx, bce, pn2, &op))
+return false;
+} else {
+if (!MaybeEmitGroupAssignment(cx, bce, pn->getOp(), pn2, GroupIsDecl, &op))
+return false;
+}
+}
+if (op == JSOP_NOP) {
+pn->pn_xflags = (pn->pn_xflags & ~PNX_POPVAR) | PNX_GROUPINIT;
+} else {
+pn3 = pn2->pn_left;
+if (!EmitDestructuringDecls(cx, bce, pn->getOp(), pn3))
+return false;
+if (!EmitTree(cx, bce, pn2->pn_right))
+return false;
+if (!EmitDestructuringOps(cx, bce, pn3, isLet))
+return false;
+}
+/* If we are not initializing, nothing to pop. */
+if (emitOption != InitializeVars) {
+if (next)
+continue;
+break;
+}
+goto emit_note_pop;
+}
+/*
+* Load initializer early to share code above that jumps to do_name.
+* NB: if this var redeclares an existing binding, then pn2 is linked
+* on its definition's use-chain and pn_expr has been overlayed with
+* pn_lexdef.
+*/
+pn3 = pn2->maybeExpr();
+do_name:
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+JSOp op;
+op = pn2->getOp();
+JS_ASSERT(op != JSOP_CALLEE);
+JS_ASSERT(!pn2->pn_cookie.isFree() || !pn->isOp(JSOP_NOP));
+jsatomid atomIndex;
+if (!MaybeEmitVarDecl(cx, bce, pn->getOp(), pn2, &atomIndex))
+return false;
+if (pn3) {
+JS_ASSERT(emitOption != DefineVars);
+if (op == JSOP_SETNAME || op == JSOP_SETGNAME || op == JSOP_SETINTRINSIC) {
+JS_ASSERT(emitOption != PushInitialValues);
+JSOp bindOp;
+if (op == JSOP_SETNAME)
+bindOp = JSOP_BINDNAME;
+else if (op == JSOP_SETGNAME)
+bindOp = JSOP_BINDGNAME;
+else
+bindOp = JSOP_BINDINTRINSIC;
+if (!EmitIndex32(cx, bindOp, atomIndex, bce))
+return false;
+}
+bool oldEmittingForInit = bce->emittingForInit;
+bce->emittingForInit = false;
+if (!EmitTree(cx, bce, pn3))
+return false;
+bce->emittingForInit = oldEmittingForInit;
+} else if (isLet) {
+/* JSOP_ENTERLETx expects at least 1 slot to have been pushed. */
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+}
+/* If we are not initializing, nothing to pop. */
+if (emitOption != InitializeVars) {
+if (next)
+continue;
+break;
+}
+JS_ASSERT_IF(pn2->isDefn(), pn3 == pn2->pn_expr);
+if (!pn2->pn_cookie.isFree()) {
+if (!EmitVarOp(cx, pn2, op, bce))
+return false;
+} else {
+if (!EmitIndexOp(cx, op, atomIndex, bce))
+return false;
+}
+emit_note_pop:
+if (!next)
+break;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+if (pn->pn_xflags & PNX_POPVAR) {
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitAssignment(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *lhs, JSOp op, ParseNode *rhs)
+{
+/*
+* Check left operand type and generate specialized code for it.
+* Specialize to avoid ECMA "reference type" values on the operand
+* stack, which impose pervasive runtime "GetValue" costs.
+*/
+jsatomid atomIndex = (jsatomid) -1;
+jsbytecode offset = 1;
+switch (lhs->getKind()) {
+case PNK_NAME:
+if (!BindNameToSlot(cx, bce, lhs))
+return false;
+if (lhs->pn_cookie.isFree()) {
+if (!bce->makeAtomIndex(lhs->pn_atom, &atomIndex))
+return false;
+if (!lhs->isConst()) {
+JSOp bindOp;
+if (lhs->isOp(JSOP_SETNAME))
+bindOp = JSOP_BINDNAME;
+else if (lhs->isOp(JSOP_SETGNAME))
+bindOp = JSOP_BINDGNAME;
+else
+bindOp = JSOP_BINDINTRINSIC;
+if (!EmitIndex32(cx, bindOp, atomIndex, bce))
+return false;
+offset++;
+}
+}
+break;
+case PNK_DOT:
+if (!EmitTree(cx, bce, lhs->expr()))
+return false;
+offset++;
+if (!bce->makeAtomIndex(lhs->pn_atom, &atomIndex))
+return false;
+break;
+case PNK_ELEM:
+JS_ASSERT(lhs->isArity(PN_BINARY));
+if (!EmitTree(cx, bce, lhs->pn_left))
+return false;
+if (!EmitTree(cx, bce, lhs->pn_right))
+return false;
+offset += 2;
+break;
+case PNK_ARRAY:
+case PNK_OBJECT:
+break;
+case PNK_CALL:
+JS_ASSERT(lhs->pn_xflags & PNX_SETCALL);
+if (!EmitTree(cx, bce, lhs))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+break;
+default:
+JS_ASSERT(0);
+}
+if (op != JSOP_NOP) {
+JS_ASSERT(rhs);
+switch (lhs->getKind()) {
+case PNK_NAME:
+if (lhs->isConst()) {
+if (lhs->isOp(JSOP_CALLEE)) {
+if (Emit1(cx, bce, JSOP_CALLEE) < 0)
+return false;
+} else if (lhs->isOp(JSOP_NAME) || lhs->isOp(JSOP_GETGNAME)) {
+if (!EmitIndex32(cx, lhs->getOp(), atomIndex, bce))
+return false;
+} else {
+JS_ASSERT(JOF_OPTYPE(lhs->getOp()) != JOF_ATOM);
+if (!EmitVarOp(cx, lhs, lhs->getOp(), bce))
+return false;
+}
+} else if (lhs->isOp(JSOP_SETNAME)) {
+if (Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+if (!EmitIndex32(cx, JSOP_GETXPROP, atomIndex, bce))
+return false;
+} else if (lhs->isOp(JSOP_SETGNAME)) {
+JS_ASSERT(lhs->pn_cookie.isFree());
+if (!EmitAtomOp(cx, lhs, JSOP_GETGNAME, bce))
+return false;
+} else if (lhs->isOp(JSOP_SETINTRINSIC)) {
+JS_ASSERT(lhs->pn_cookie.isFree());
+if (!EmitAtomOp(cx, lhs, JSOP_GETINTRINSIC, bce))
+return false;
+} else {
+JSOp op;
+switch (lhs->getOp()) {
+case JSOP_SETARG: op = JSOP_GETARG; break;
+case JSOP_SETLOCAL: op = JSOP_GETLOCAL; break;
+case JSOP_SETALIASEDVAR: op = JSOP_GETALIASEDVAR; break;
+default: MOZ_ASSUME_UNREACHABLE("Bad op");
+}
+if (!EmitVarOp(cx, lhs, op, bce))
+return false;
+}
+break;
+case PNK_DOT: {
+if (Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+bool isLength = (lhs->pn_atom == cx->names().length);
+if (!EmitIndex32(cx, isLength ? JSOP_LENGTH : JSOP_GETPROP, atomIndex, bce))
+return false;
+break;
+}
+case PNK_ELEM:
+if (Emit1(cx, bce, JSOP_DUP2) < 0)
+return false;
+if (!EmitElemOpBase(cx, bce, JSOP_GETELEM))
+return false;
+break;
+case PNK_CALL:
+/*
+* We just emitted a JSOP_SETCALL (which will always throw) and
+* popped the call's return value. Push a random value to make sure
+* the stack depth is correct.
+*/
+JS_ASSERT(lhs->pn_xflags & PNX_SETCALL);
+if (Emit1(cx, bce, JSOP_NULL) < 0)
+return false;
+break;
+default:;
+}
+}
+/* Now emit the right operand (it may affect the namespace). */
+if (rhs) {
+if (!EmitTree(cx, bce, rhs))
+return false;
+} else {
+/*
+* The value to assign is the next enumeration value in a for-in or
+* for-of loop.  That value has already been emitted: by JSOP_ITERNEXT
+* in the for-in case, or via a GETPROP "value" on the result object in
+* the for-of case.  If offset == 1, that slot is already at the top of
+* the stack. Otherwise, rearrange the stack to put that value on top.
+*/
+if (offset != 1 && Emit2(cx, bce, JSOP_PICK, offset - 1) < 0)
+return false;
+}
+/* If += etc., emit the binary operator with a source note. */
+if (op != JSOP_NOP) {
+/*
+* Take care to avoid SRC_ASSIGNOP if the left-hand side is a const
+* declared in the current compilation unit, as in this case (just
+* a bit further below) we will avoid emitting the assignment op.
+*/
+if (!lhs->isKind(PNK_NAME) || !lhs->isConst()) {
+if (NewSrcNote(cx, bce, SRC_ASSIGNOP) < 0)
+return false;
+}
+if (Emit1(cx, bce, op) < 0)
+return false;
+}
+/* Finally, emit the specialized assignment bytecode. */
+switch (lhs->getKind()) {
+case PNK_NAME:
+if (lhs->isConst()) {
+if (!rhs) {
+bce->reportError(lhs, JSMSG_BAD_FOR_LEFTSIDE);
+return false;
+}
+break;
+}
+if (lhs->isOp(JSOP_SETARG) || lhs->isOp(JSOP_SETLOCAL) || lhs->isOp(JSOP_SETALIASEDVAR)) {
+if (!EmitVarOp(cx, lhs, lhs->getOp(), bce))
+return false;
+} else {
+if (!EmitIndexOp(cx, lhs->getOp(), atomIndex, bce))
+return false;
+}
+break;
+case PNK_DOT:
+if (!EmitIndexOp(cx, JSOP_SETPROP, atomIndex, bce))
+return false;
+break;
+case PNK_CALL:
+/* Do nothing. The JSOP_SETCALL we emitted will always throw. */
+JS_ASSERT(lhs->pn_xflags & PNX_SETCALL);
+break;
+case PNK_ELEM:
+if (Emit1(cx, bce, JSOP_SETELEM) < 0)
+return false;
+break;
+case PNK_ARRAY:
+case PNK_OBJECT:
+if (!EmitDestructuringOps(cx, bce, lhs))
+return false;
+break;
+default:
+JS_ASSERT(0);
+}
+return true;
+}
+bool
+ParseNode::getConstantValue(ExclusiveContext *cx, bool strictChecks, MutableHandleValue vp)
+{
+switch (getKind()) {
+case PNK_NUMBER:
+vp.setNumber(pn_dval);
+return true;
+case PNK_STRING:
+vp.setString(pn_atom);
+return true;
+case PNK_TRUE:
+vp.setBoolean(true);
+return true;
+case PNK_FALSE:
+vp.setBoolean(false);
+return true;
+case PNK_NULL:
+vp.setNull();
+return true;
+case PNK_SPREAD:
+return false;
+case PNK_ARRAY: {
+JS_ASSERT(isOp(JSOP_NEWINIT) && !(pn_xflags & PNX_NONCONST));
+RootedObject obj(cx,
+NewDenseAllocatedArray(cx, pn_count, nullptr, MaybeSingletonObject));
+if (!obj)
+return false;
+unsigned idx = 0;
+RootedId id(cx);
+RootedValue value(cx);
+for (ParseNode *pn = pn_head; pn; idx++, pn = pn->pn_next) {
+if (!pn->getConstantValue(cx, strictChecks, &value))
+return false;
+id = INT_TO_JSID(idx);
+if (!JSObject::defineGeneric(cx, obj, id, value, nullptr, nullptr, JSPROP_ENUMERATE))
+return false;
+}
+JS_ASSERT(idx == pn_count);
+types::FixArrayType(cx, obj);
+vp.setObject(*obj);
+return true;
+}
+case PNK_OBJECT: {
+JS_ASSERT(isOp(JSOP_NEWINIT));
+JS_ASSERT(!(pn_xflags & PNX_NONCONST));
+gc::AllocKind kind = GuessObjectGCKind(pn_count);
+RootedObject obj(cx, NewBuiltinClassInstance(cx, &JSObject::class_, kind, MaybeSingletonObject));
+if (!obj)
+return false;
+RootedValue value(cx), idvalue(cx);
+for (ParseNode *pn = pn_head; pn; pn = pn->pn_next) {
+if (!pn->pn_right->getConstantValue(cx, strictChecks, &value))
+return false;
+ParseNode *pnid = pn->pn_left;
+if (pnid->isKind(PNK_NUMBER)) {
+idvalue = NumberValue(pnid->pn_dval);
+} else {
+JS_ASSERT(pnid->isKind(PNK_NAME) || pnid->isKind(PNK_STRING));
+JS_ASSERT(pnid->pn_atom != cx->names().proto);
+idvalue = StringValue(pnid->pn_atom);
+}
+uint32_t index;
+if (IsDefinitelyIndex(idvalue, &index)) {
+if (!JSObject::defineElement(cx, obj, index, value, nullptr, nullptr,
+JSPROP_ENUMERATE))
+{
+return false;
+}
+continue;
+}
+JSAtom *name = ToAtom<CanGC>(cx, idvalue);
+if (!name)
+return false;
+if (name->isIndex(&index)) {
+if (!JSObject::defineElement(cx, obj, index, value,
+nullptr, nullptr, JSPROP_ENUMERATE))
+return false;
+} else {
+if (!JSObject::defineProperty(cx, obj, name->asPropertyName(), value,
+nullptr, nullptr, JSPROP_ENUMERATE))
+{
+return false;
+}
+}
+}
+types::FixObjectType(cx, obj);
+vp.setObject(*obj);
+return true;
+}
+default:
+MOZ_ASSUME_UNREACHABLE("Unexpected node");
+}
+return false;
+}
+static bool
+EmitSingletonInitialiser(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+RootedValue value(cx);
+if (!pn->getConstantValue(cx, bce->sc->needStrictChecks(), &value))
+return false;
+JS_ASSERT(value.isObject());
+ObjectBox *objbox = bce->parser->newObjectBox(&value.toObject());
+if (!objbox)
+return false;
+return EmitObjectOp(cx, objbox, JSOP_OBJECT, bce);
+}
+/* See the SRC_FOR source note offsetBias comments later in this file. */
+JS_STATIC_ASSERT(JSOP_NOP_LENGTH == 1);
+JS_STATIC_ASSERT(JSOP_POP_LENGTH == 1);
+namespace {
+class EmitLevelManager
+{
+BytecodeEmitter *bce;
+public:
+EmitLevelManager(BytecodeEmitter *bce) : bce(bce) { bce->emitLevel++; }
+~EmitLevelManager() { bce->emitLevel--; }
+};
+} /* anonymous namespace */
+static bool
+EmitCatch(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+/*
+* Morph STMT_BLOCK to STMT_CATCH, note the block entry code offset,
+* and save the block object atom.
+*/
+StmtInfoBCE *stmt = bce->topStmt;
+JS_ASSERT(stmt->type == STMT_BLOCK && stmt->isBlockScope);
+stmt->type = STMT_CATCH;
+/* Go up one statement info record to the TRY or FINALLY record. */
+stmt = stmt->down;
+JS_ASSERT(stmt->type == STMT_TRY || stmt->type == STMT_FINALLY);
+/* Pick up the pending exception and bind it to the catch variable. */
+if (Emit1(cx, bce, JSOP_EXCEPTION) < 0)
+return false;
+/*
+* Dup the exception object if there is a guard for rethrowing to use
+* it later when rethrowing or in other catches.
+*/
+if (pn->pn_kid2 && Emit1(cx, bce, JSOP_DUP) < 0)
+return false;
+ParseNode *pn2 = pn->pn_kid1;
+switch (pn2->getKind()) {
+case PNK_ARRAY:
+case PNK_OBJECT:
+if (!EmitDestructuringOps(cx, bce, pn2))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+break;
+case PNK_NAME:
+/* Inline and specialize BindNameToSlot for pn2. */
+JS_ASSERT(!pn2->pn_cookie.isFree());
+if (!EmitVarOp(cx, pn2, JSOP_SETLOCAL, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+break;
+default:
+JS_ASSERT(0);
+}
+// If there is a guard expression, emit it and arrange to jump to the next
+// catch block if the guard expression is false.
+if (pn->pn_kid2) {
+if (!EmitTree(cx, bce, pn->pn_kid2))
+return false;
+// If the guard expression is false, fall through, pop the block scope,
+// and jump to the next catch block.  Otherwise jump over that code and
+// pop the dupped exception.
+ptrdiff_t guardCheck = EmitJump(cx, bce, JSOP_IFNE, 0);
+if (guardCheck < 0)
+return false;
+{
+NonLocalExitScope nle(cx, bce);
+// Move exception back to cx->exception to prepare for
+// the next catch.
+if (Emit1(cx, bce, JSOP_THROWING) < 0)
+return false;
+// Leave the scope for this catch block.
+if (!nle.prepareForNonLocalJump(stmt))
+return false;
+// Jump to the next handler.  The jump target is backpatched by EmitTry.
+ptrdiff_t guardJump = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (guardJump < 0)
+return false;
+stmt->guardJump() = guardJump;
+}
+// Back to normal control flow.
+SetJumpOffsetAt(bce, guardCheck);
+// Pop duplicated exception object as we no longer need it.
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+/* Emit the catch body. */
+return EmitTree(cx, bce, pn->pn_kid3);
+}
+// Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See the
+// comment on EmitSwitch.
+//
+MOZ_NEVER_INLINE static bool
+EmitTry(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+StmtInfoBCE stmtInfo(cx);
+// Push stmtInfo to track jumps-over-catches and gosubs-to-finally
+// for later fixup.
+//
+// When a finally block is active (STMT_FINALLY in our parse context),
+// non-local jumps (including jumps-over-catches) result in a GOSUB
+// being written into the bytecode stream and fixed-up later (c.f.
+// EmitBackPatchOp and BackPatch).
+//
+PushStatementBCE(bce, &stmtInfo, pn->pn_kid3 ? STMT_FINALLY : STMT_TRY, bce->offset());
+// Since an exception can be thrown at any place inside the try block,
+// we need to restore the stack and the scope chain before we transfer
+// the control to the exception handler.
+//
+// For that we store in a try note associated with the catch or
+// finally block the stack depth upon the try entry. The interpreter
+// uses this depth to properly unwind the stack and the scope chain.
+//
+int depth = bce->stackDepth;
+// Record the try location, then emit the try block.
+ptrdiff_t noteIndex = NewSrcNote(cx, bce, SRC_TRY);
+if (noteIndex < 0 || Emit1(cx, bce, JSOP_TRY) < 0)
+return false;
+ptrdiff_t tryStart = bce->offset();
+if (!EmitTree(cx, bce, pn->pn_kid1))
+return false;
+JS_ASSERT(depth == bce->stackDepth);
+// GOSUB to finally, if present.
+if (pn->pn_kid3) {
+if (EmitBackPatchOp(cx, bce, &stmtInfo.gosubs()) < 0)
+return false;
+}
+// Source note points to the jump at the end of the try block.
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, bce->offset() - tryStart + JSOP_TRY_LENGTH))
+return false;
+// Emit jump over catch and/or finally.
+ptrdiff_t catchJump = -1;
+if (EmitBackPatchOp(cx, bce, &catchJump) < 0)
+return false;
+ptrdiff_t tryEnd = bce->offset();
+// If this try has a catch block, emit it.
+if (ParseNode *pn2 = pn->pn_kid2) {
+// The emitted code for a catch block looks like:
+//
+// [pushblockscope]             only if any local aliased
+// exception
+// if there is a catchguard:
+//   dup
+// setlocal 0; pop              assign or possibly destructure exception
+// if there is a catchguard:
+//   < catchguard code >
+//   ifne POST
+//   debugleaveblock
+//   [popblockscope]            only if any local aliased
+//   throwing                   pop exception to cx->exception
+//   goto <next catch block>
+//   POST: pop
+// < catch block contents >
+// debugleaveblock
+// [popblockscope]              only if any local aliased
+// goto <end of catch blocks>   non-local; finally applies
+//
+// If there's no catch block without a catchguard, the last <next catch
+// block> points to rethrow code.  This code will [gosub] to the finally
+// code if appropriate, and is also used for the catch-all trynote for
+// capturing exceptions thrown from catch{} blocks.
+//
+for (ParseNode *pn3 = pn2->pn_head; pn3; pn3 = pn3->pn_next) {
+JS_ASSERT(bce->stackDepth == depth);
+// Emit the lexical scope and catch body.
+JS_ASSERT(pn3->isKind(PNK_LEXICALSCOPE));
+if (!EmitTree(cx, bce, pn3))
+return false;
+// gosub <finally>, if required.
+if (pn->pn_kid3) {
+if (EmitBackPatchOp(cx, bce, &stmtInfo.gosubs()) < 0)
+return false;
+JS_ASSERT(bce->stackDepth == depth);
+}
+// Jump over the remaining catch blocks.  This will get fixed
+// up to jump to after catch/finally.
+if (EmitBackPatchOp(cx, bce, &catchJump) < 0)
+return false;
+// If this catch block had a guard clause, patch the guard jump to
+// come here.
+if (stmtInfo.guardJump() != -1) {
+SetJumpOffsetAt(bce, stmtInfo.guardJump());
+stmtInfo.guardJump() = -1;
+// If this catch block is the last one, rethrow, delegating
+// execution of any finally block to the exception handler.
+if (!pn3->pn_next) {
+if (Emit1(cx, bce, JSOP_EXCEPTION) < 0)
+return false;
+if (Emit1(cx, bce, JSOP_THROW) < 0)
+return false;
+}
+}
+}
+}
+JS_ASSERT(bce->stackDepth == depth);
+// Emit the finally handler, if there is one.
+ptrdiff_t finallyStart = 0;
+if (pn->pn_kid3) {
+// Fix up the gosubs that might have been emitted before non-local
+// jumps to the finally code.
+if (!BackPatch(cx, bce, stmtInfo.gosubs(), bce->code().end(), JSOP_GOSUB))
+return false;
+finallyStart = bce->offset();
+// Indicate that we're emitting a subroutine body.
+stmtInfo.type = STMT_SUBROUTINE;
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_kid3->pn_pos.begin))
+return false;
+if (Emit1(cx, bce, JSOP_FINALLY) < 0 ||
+!EmitTree(cx, bce, pn->pn_kid3) ||
+Emit1(cx, bce, JSOP_RETSUB) < 0)
+{
+return false;
+}
+JS_ASSERT(bce->stackDepth == depth);
+}
+if (!PopStatementBCE(cx, bce))
+return false;
+// ReconstructPCStack needs a NOP here to mark the end of the last catch block.
+if (Emit1(cx, bce, JSOP_NOP) < 0)
+return false;
+// Fix up the end-of-try/catch jumps to come here.
+if (!BackPatch(cx, bce, catchJump, bce->code().end(), JSOP_GOTO))
+return false;
+// Add the try note last, to let post-order give us the right ordering
+// (first to last for a given nesting level, inner to outer by level).
+if (pn->pn_kid2 && !bce->tryNoteList.append(JSTRY_CATCH, depth, tryStart, tryEnd))
+return false;
+// If we've got a finally, mark try+catch region with additional
+// trynote to catch exceptions (re)thrown from a catch block or
+// for the try{}finally{} case.
+if (pn->pn_kid3 && !bce->tryNoteList.append(JSTRY_FINALLY, depth, tryStart, finallyStart))
+return false;
+return true;
+}
+static bool
+EmitIf(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+StmtInfoBCE stmtInfo(cx);
+/* Initialize so we can detect else-if chains and avoid recursion. */
+stmtInfo.type = STMT_IF;
+ptrdiff_t beq = -1;
+ptrdiff_t jmp = -1;
+ptrdiff_t noteIndex = -1;
+if_again:
+/* Emit code for the condition before pushing stmtInfo. */
+if (!EmitTree(cx, bce, pn->pn_kid1))
+return false;
+ptrdiff_t top = bce->offset();
+if (stmtInfo.type == STMT_IF) {
+PushStatementBCE(bce, &stmtInfo, STMT_IF, top);
+} else {
+/*
+* We came here from the goto further below that detects else-if
+* chains, so we must mutate stmtInfo back into a STMT_IF record.
+* Also we need a note offset for SRC_IF_ELSE to help IonMonkey.
+*/
+JS_ASSERT(stmtInfo.type == STMT_ELSE);
+stmtInfo.type = STMT_IF;
+stmtInfo.update = top;
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, jmp - beq))
+return false;
+}
+/* Emit an annotated branch-if-false around the then part. */
+ParseNode *pn3 = pn->pn_kid3;
+noteIndex = NewSrcNote(cx, bce, pn3 ? SRC_IF_ELSE : SRC_IF);
+if (noteIndex < 0)
+return false;
+beq = EmitJump(cx, bce, JSOP_IFEQ, 0);
+if (beq < 0)
+return false;
+/* Emit code for the then and optional else parts. */
+if (!EmitTree(cx, bce, pn->pn_kid2))
+return false;
+if (pn3) {
+/* Modify stmtInfo so we know we're in the else part. */
+stmtInfo.type = STMT_ELSE;
+/*
+* Emit a JSOP_BACKPATCH op to jump from the end of our then part
+* around the else part.  The PopStatementBCE call at the bottom of
+* this function will fix up the backpatch chain linked from
+* stmtInfo.breaks.
+*/
+jmp = EmitGoto(cx, bce, &stmtInfo, &stmtInfo.breaks);
+if (jmp < 0)
+return false;
+/* Ensure the branch-if-false comes here, then emit the else. */
+SetJumpOffsetAt(bce, beq);
+if (pn3->isKind(PNK_IF)) {
+pn = pn3;
+goto if_again;
+}
+if (!EmitTree(cx, bce, pn3))
+return false;
+/*
+* Annotate SRC_IF_ELSE with the offset from branch to jump, for
+* IonMonkey's benefit.  We can't just "back up" from the pc
+* of the else clause, because we don't know whether an extended
+* jump was required to leap from the end of the then clause over
+* the else clause.
+*/
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, jmp - beq))
+return false;
+} else {
+/* No else part, fixup the branch-if-false to come here. */
+SetJumpOffsetAt(bce, beq);
+}
+return PopStatementBCE(cx, bce);
+}
+/*
+* pnLet represents one of:
+*
+*   let-expression:   (let (x = y) EXPR)
+*   let-statement:    let (x = y) { ... }
+*
+* For a let-expression 'let (x = a, [y,z] = b) e', EmitLet produces:
+*
+*  bytecode          stackDepth  srcnotes
+*  evaluate a        +1
+*  evaluate b        +1
+*  dup               +1
+*  destructure y
+*  pick 1
+*  dup               +1
+*  destructure z
+*  pick 1
+*  pop               -1
+*  setlocal 2        -1
+*  setlocal 1        -1
+*  setlocal 0        -1
+*  pushblockscope (if needed)
+*  evaluate e        +1
+*  debugleaveblock
+*  popblockscope (if needed)
+*
+* Note that, since pushblockscope simply changes fp->scopeChain and does not
+* otherwise touch the stack, evaluation of the let-var initializers must leave
+* the initial value in the let-var's future slot.
+*/
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See
+* the comment on EmitSwitch.
+*/
+MOZ_NEVER_INLINE static bool
+EmitLet(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pnLet)
+{
+JS_ASSERT(pnLet->isArity(PN_BINARY));
+ParseNode *varList = pnLet->pn_left;
+JS_ASSERT(varList->isArity(PN_LIST));
+ParseNode *letBody = pnLet->pn_right;
+JS_ASSERT(letBody->isLet() && letBody->isKind(PNK_LEXICALSCOPE));
+int letHeadDepth = bce->stackDepth;
+if (!EmitVariables(cx, bce, varList, PushInitialValues, true))
+return false;
+/* Push storage for hoisted let decls (e.g. 'let (x) { let y }'). */
+uint32_t alreadyPushed = bce->stackDepth - letHeadDepth;
+StmtInfoBCE stmtInfo(cx);
+if (!EnterBlockScope(cx, bce, &stmtInfo, letBody->pn_objbox, alreadyPushed))
+return false;
+if (!EmitTree(cx, bce, letBody->pn_expr))
+return false;
+if (!LeaveNestedScope(cx, bce, &stmtInfo))
+return false;
+return true;
+}
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See
+* the comment on EmitSwitch.
+*/
+MOZ_NEVER_INLINE static bool
+EmitLexicalScope(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JS_ASSERT(pn->isKind(PNK_LEXICALSCOPE));
+StmtInfoBCE stmtInfo(cx);
+if (!EnterBlockScope(cx, bce, &stmtInfo, pn->pn_objbox, 0))
+return false;
+if (!EmitTree(cx, bce, pn->pn_expr))
+return false;
+if (!LeaveNestedScope(cx, bce, &stmtInfo))
+return false;
+return true;
+}
+static bool
+EmitWith(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+StmtInfoBCE stmtInfo(cx);
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+if (!EnterNestedScope(cx, bce, &stmtInfo, pn->pn_binary_obj, STMT_WITH))
+return false;
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+if (!LeaveNestedScope(cx, bce, &stmtInfo))
+return false;
+return true;
+}
+static bool
+EmitForOf(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+ParseNode *forHead = pn->pn_left;
+ParseNode *forBody = pn->pn_right;
+ParseNode *pn1 = forHead->pn_kid1;
+bool letDecl = pn1 && pn1->isKind(PNK_LEXICALSCOPE);
+JS_ASSERT_IF(letDecl, pn1->isLet());
+// If the left part is 'var x', emit code to define x if necessary using a
+// prolog opcode, but do not emit a pop.
+if (pn1) {
+ParseNode *decl = letDecl ? pn1->pn_expr : pn1;
+JS_ASSERT(decl->isKind(PNK_VAR) || decl->isKind(PNK_LET));
+bce->emittingForInit = true;
+if (!EmitVariables(cx, bce, decl, DefineVars))
+return false;
+bce->emittingForInit = false;
+}
+// For-of loops run with two values on the stack: the iterator and the
+// current result object.
+// Compile the object expression to the right of 'of'.
+if (!EmitTree(cx, bce, forHead->pn_kid3))
+return false;
+// Convert iterable to iterator.
+if (Emit1(cx, bce, JSOP_DUP) < 0)                          // OBJ OBJ
+return false;
+if (!EmitAtomOp(cx, cx->names().std_iterator, JSOP_CALLPROP, bce)) // OBJ @@ITERATOR
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                         // @@ITERATOR OBJ
+return false;
+if (EmitCall(cx, bce, JSOP_CALL, 0) < 0)                   // ITER
+return false;
+CheckTypeSet(cx, bce, JSOP_CALL);
+// Push a dummy result so that we properly enter iteration midstream.
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)                    // ITER RESULT
+return false;
+// Enter the block before the loop body, after evaluating the obj.
+StmtInfoBCE letStmt(cx);
+if (letDecl) {
+if (!EnterBlockScope(cx, bce, &letStmt, pn1->pn_objbox, 0))
+return false;
+}
+LoopStmtInfo stmtInfo(cx);
+PushLoopStatement(bce, &stmtInfo, STMT_FOR_OF_LOOP, top);
+// Jump down to the loop condition to minimize overhead assuming at least
+// one iteration, as the other loop forms do.  Annotate so IonMonkey can
+// find the loop-closing jump.
+int noteIndex = NewSrcNote(cx, bce, SRC_FOR_OF);
+if (noteIndex < 0)
+return false;
+ptrdiff_t jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (jmp < 0)
+return false;
+top = bce->offset();
+SET_STATEMENT_TOP(&stmtInfo, top);
+if (EmitLoopHead(cx, bce, nullptr) < 0)
+return false;
+#ifdef DEBUG
+int loopDepth = bce->stackDepth;
+#endif
+// Emit code to assign result.value to the iteration variable.
+if (Emit1(cx, bce, JSOP_DUP) < 0)                          // ITER RESULT RESULT
+return false;
+if (!EmitAtomOp(cx, cx->names().value, JSOP_GETPROP, bce)) // ITER RESULT VALUE
+return false;
+if (!EmitAssignment(cx, bce, forHead->pn_kid2, JSOP_NOP, nullptr)) // ITER RESULT VALUE
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)                          // ITER RESULT
+return false;
+// The stack should be balanced around the assignment opcode sequence.
+JS_ASSERT(bce->stackDepth == loopDepth);
+// Emit code for the loop body.
+if (!EmitTree(cx, bce, forBody))
+return false;
+// Set loop and enclosing "update" offsets, for continue.
+StmtInfoBCE *stmt = &stmtInfo;
+do {
+stmt->update = bce->offset();
+} while ((stmt = stmt->down) != nullptr && stmt->type == STMT_LABEL);
+// COME FROM the beginning of the loop to here.
+SetJumpOffsetAt(bce, jmp);
+if (!EmitLoopEntry(cx, bce, nullptr))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)                          // ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                          // ITER ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                          // ITER ITER ITER
+return false;
+if (!EmitAtomOp(cx, cx->names().next, JSOP_CALLPROP, bce)) // ITER ITER NEXT
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                         // ITER NEXT ITER
+return false;
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)                    // ITER NEXT ITER UNDEFINED
+return false;
+if (EmitCall(cx, bce, JSOP_CALL, 1) < 0)                   // ITER RESULT
+return false;
+CheckTypeSet(cx, bce, JSOP_CALL);
+if (Emit1(cx, bce, JSOP_DUP) < 0)                          // ITER RESULT RESULT
+return false;
+if (!EmitAtomOp(cx, cx->names().done, JSOP_GETPROP, bce))  // ITER RESULT DONE?
+return false;
+ptrdiff_t beq = EmitJump(cx, bce, JSOP_IFEQ, top - bce->offset()); // ITER RESULT
+if (beq < 0)
+return false;
+JS_ASSERT(bce->stackDepth == loopDepth);
+// Let Ion know where the closing jump of this loop is.
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 0, beq - jmp))
+return false;
+// Fixup breaks and continues.
+if (!PopStatementBCE(cx, bce))
+return false;
+if (letDecl) {
+if (!LeaveNestedScope(cx, bce, &letStmt))
+return false;
+}
+// Pop the result and the iter.
+EMIT_UINT16_IMM_OP(JSOP_POPN, 2);
+return true;
+}
+static bool
+EmitForIn(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+ParseNode *forHead = pn->pn_left;
+ParseNode *forBody = pn->pn_right;
+ParseNode *pn1 = forHead->pn_kid1;
+bool letDecl = pn1 && pn1->isKind(PNK_LEXICALSCOPE);
+JS_ASSERT_IF(letDecl, pn1->isLet());
+/*
+* If the left part is 'var x', emit code to define x if necessary
+* using a prolog opcode, but do not emit a pop. If the left part was
+* originally 'var x = i', the parser will have rewritten it; see
+* Parser::forStatement. 'for (let x = i in o)' is mercifully banned.
+*/
+if (pn1) {
+ParseNode *decl = letDecl ? pn1->pn_expr : pn1;
+JS_ASSERT(decl->isKind(PNK_VAR) || decl->isKind(PNK_LET));
+bce->emittingForInit = true;
+if (!EmitVariables(cx, bce, decl, DefineVars))
+return false;
+bce->emittingForInit = false;
+}
+/* Compile the object expression to the right of 'in'. */
+if (!EmitTree(cx, bce, forHead->pn_kid3))
+return false;
+/*
+* Emit a bytecode to convert top of stack value to the iterator
+* object depending on the loop variant (for-in, for-each-in, or
+* destructuring for-in).
+*/
+JS_ASSERT(pn->isOp(JSOP_ITER));
+if (Emit2(cx, bce, JSOP_ITER, (uint8_t) pn->pn_iflags) < 0)
+return false;
+/* Enter the block before the loop body, after evaluating the obj. */
+StmtInfoBCE letStmt(cx);
+if (letDecl) {
+if (!EnterBlockScope(cx, bce, &letStmt, pn1->pn_objbox, 0))
+return false;
+}
+LoopStmtInfo stmtInfo(cx);
+PushLoopStatement(bce, &stmtInfo, STMT_FOR_IN_LOOP, top);
+/* Annotate so IonMonkey can find the loop-closing jump. */
+int noteIndex = NewSrcNote(cx, bce, SRC_FOR_IN);
+if (noteIndex < 0)
+return false;
+/*
+* Jump down to the loop condition to minimize overhead assuming at
+* least one iteration, as the other loop forms do.
+*/
+ptrdiff_t jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (jmp < 0)
+return false;
+top = bce->offset();
+SET_STATEMENT_TOP(&stmtInfo, top);
+if (EmitLoopHead(cx, bce, nullptr) < 0)
+return false;
+#ifdef DEBUG
+int loopDepth = bce->stackDepth;
+#endif
+/*
+* Emit code to get the next enumeration value and assign it to the
+* left hand side.
+*/
+if (Emit1(cx, bce, JSOP_ITERNEXT) < 0)
+return false;
+if (!EmitAssignment(cx, bce, forHead->pn_kid2, JSOP_NOP, nullptr))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+/* The stack should be balanced around the assignment opcode sequence. */
+JS_ASSERT(bce->stackDepth == loopDepth);
+/* Emit code for the loop body. */
+if (!EmitTree(cx, bce, forBody))
+return false;
+/* Set loop and enclosing "update" offsets, for continue. */
+StmtInfoBCE *stmt = &stmtInfo;
+do {
+stmt->update = bce->offset();
+} while ((stmt = stmt->down) != nullptr && stmt->type == STMT_LABEL);
+/*
+* Fixup the goto that starts the loop to jump down to JSOP_MOREITER.
+*/
+SetJumpOffsetAt(bce, jmp);
+if (!EmitLoopEntry(cx, bce, nullptr))
+return false;
+if (Emit1(cx, bce, JSOP_MOREITER) < 0)
+return false;
+ptrdiff_t beq = EmitJump(cx, bce, JSOP_IFNE, top - bce->offset());
+if (beq < 0)
+return false;
+/* Set the srcnote offset so we can find the closing jump. */
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 0, beq - jmp))
+return false;
+// Fix up breaks and continues.
+if (!PopStatementBCE(cx, bce))
+return false;
+if (!bce->tryNoteList.append(JSTRY_ITER, bce->stackDepth, top, bce->offset()))
+return false;
+if (Emit1(cx, bce, JSOP_ENDITER) < 0)
+return false;
+if (letDecl) {
+if (!LeaveNestedScope(cx, bce, &letStmt))
+return false;
+}
+return true;
+}
+static bool
+EmitNormalFor(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+LoopStmtInfo stmtInfo(cx);
+PushLoopStatement(bce, &stmtInfo, STMT_FOR_LOOP, top);
+ParseNode *forHead = pn->pn_left;
+ParseNode *forBody = pn->pn_right;
+/* C-style for (init; cond; update) ... loop. */
+JSOp op = JSOP_POP;
+ParseNode *pn3 = forHead->pn_kid1;
+if (!pn3) {
+// No initializer, but emit a nop so that there's somewhere to put the
+// SRC_FOR annotation that IonBuilder will look for.
+op = JSOP_NOP;
+} else {
+bce->emittingForInit = true;
+if (pn3->isKind(PNK_ASSIGN)) {
+JS_ASSERT(pn3->isOp(JSOP_NOP));
+if (!MaybeEmitGroupAssignment(cx, bce, op, pn3, GroupIsNotDecl, &op))
+return false;
+}
+if (op == JSOP_POP) {
+if (!UpdateSourceCoordNotes(cx, bce, pn3->pn_pos.begin))
+return false;
+if (!EmitTree(cx, bce, pn3))
+return false;
+if (pn3->isKind(PNK_VAR) || pn3->isKind(PNK_CONST) || pn3->isKind(PNK_LET)) {
+/*
+* Check whether a destructuring-initialized var decl
+* was optimized to a group assignment.  If so, we do
+* not need to emit a pop below, so switch to a nop,
+* just for IonBuilder.
+*/
+JS_ASSERT(pn3->isArity(PN_LIST) || pn3->isArity(PN_BINARY));
+if (pn3->pn_xflags & PNX_GROUPINIT)
+op = JSOP_NOP;
+}
+}
+bce->emittingForInit = false;
+}
+/*
+* NB: the SRC_FOR note has offsetBias 1 (JSOP_{NOP,POP}_LENGTH).
+* Use tmp to hold the biased srcnote "top" offset, which differs
+* from the top local variable by the length of the JSOP_GOTO
+* emitted in between tmp and top if this loop has a condition.
+*/
+int noteIndex = NewSrcNote(cx, bce, SRC_FOR);
+if (noteIndex < 0 || Emit1(cx, bce, op) < 0)
+return false;
+ptrdiff_t tmp = bce->offset();
+ptrdiff_t jmp = -1;
+if (forHead->pn_kid2) {
+/* Goto the loop condition, which branches back to iterate. */
+jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (jmp < 0)
+return false;
+} else {
+if (op != JSOP_NOP && Emit1(cx, bce, JSOP_NOP) < 0)
+return false;
+}
+top = bce->offset();
+SET_STATEMENT_TOP(&stmtInfo, top);
+/* Emit code for the loop body. */
+if (EmitLoopHead(cx, bce, forBody) < 0)
+return false;
+if (jmp == -1 && !EmitLoopEntry(cx, bce, forBody))
+return false;
+if (!EmitTree(cx, bce, forBody))
+return false;
+/* Set the second note offset so we can find the update part. */
+JS_ASSERT(noteIndex != -1);
+ptrdiff_t tmp2 = bce->offset();
+/* Set loop and enclosing "update" offsets, for continue. */
+StmtInfoBCE *stmt = &stmtInfo;
+do {
+stmt->update = bce->offset();
+} while ((stmt = stmt->down) != nullptr && stmt->type == STMT_LABEL);
+/* Check for update code to do before the condition (if any). */
+pn3 = forHead->pn_kid3;
+if (pn3) {
+if (!UpdateSourceCoordNotes(cx, bce, pn3->pn_pos.begin))
+return false;
+op = JSOP_POP;
+if (pn3->isKind(PNK_ASSIGN)) {
+JS_ASSERT(pn3->isOp(JSOP_NOP));
+if (!MaybeEmitGroupAssignment(cx, bce, op, pn3, GroupIsNotDecl, &op))
+return false;
+}
+if (op == JSOP_POP && !EmitTree(cx, bce, pn3))
+return false;
+/* Always emit the POP or NOP to help IonBuilder. */
+if (Emit1(cx, bce, op) < 0)
+return false;
+/* Restore the absolute line number for source note readers. */
+uint32_t lineNum = bce->parser->tokenStream.srcCoords.lineNum(pn->pn_pos.end);
+if (bce->currentLine() != lineNum) {
+if (NewSrcNote2(cx, bce, SRC_SETLINE, ptrdiff_t(lineNum)) < 0)
+return false;
+bce->current->currentLine = lineNum;
+bce->current->lastColumn = 0;
+}
+}
+ptrdiff_t tmp3 = bce->offset();
+if (forHead->pn_kid2) {
+/* Fix up the goto from top to target the loop condition. */
+JS_ASSERT(jmp >= 0);
+SetJumpOffsetAt(bce, jmp);
+if (!EmitLoopEntry(cx, bce, forHead->pn_kid2))
+return false;
+if (!EmitTree(cx, bce, forHead->pn_kid2))
+return false;
+}
+/* Set the first note offset so we can find the loop condition. */
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 0, tmp3 - tmp))
+return false;
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 1, tmp2 - tmp))
+return false;
+/* The third note offset helps us find the loop-closing jump. */
+if (!SetSrcNoteOffset(cx, bce, (unsigned)noteIndex, 2, bce->offset() - tmp))
+return false;
+/* If no loop condition, just emit a loop-closing jump. */
+op = forHead->pn_kid2 ? JSOP_IFNE : JSOP_GOTO;
+if (EmitJump(cx, bce, op, top - bce->offset()) < 0)
+return false;
+if (!bce->tryNoteList.append(JSTRY_LOOP, bce->stackDepth, top, bce->offset()))
+return false;
+/* Now fixup all breaks and continues. */
+return PopStatementBCE(cx, bce);
+}
+static inline bool
+EmitFor(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+if (pn->pn_left->isKind(PNK_FORIN))
+return EmitForIn(cx, bce, pn, top);
+if (pn->pn_left->isKind(PNK_FOROF))
+return EmitForOf(cx, bce, pn, top);
+JS_ASSERT(pn->pn_left->isKind(PNK_FORHEAD));
+return EmitNormalFor(cx, bce, pn, top);
+}
+static MOZ_NEVER_INLINE bool
+EmitFunc(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+FunctionBox *funbox = pn->pn_funbox;
+RootedFunction fun(cx, funbox->function());
+JS_ASSERT_IF(fun->isInterpretedLazy(), fun->lazyScript());
+/*
+* Set the EMITTEDFUNCTION flag in function definitions once they have been
+* emitted. Function definitions that need hoisting to the top of the
+* function will be seen by EmitFunc in two places.
+*/
+if (pn->pn_dflags & PND_EMITTEDFUNCTION) {
+JS_ASSERT_IF(fun->hasScript(), fun->nonLazyScript());
+JS_ASSERT(pn->functionIsHoisted());
+JS_ASSERT(bce->sc->isFunctionBox());
+return true;
+}
+pn->pn_dflags |= PND_EMITTEDFUNCTION;
+/*
+* Mark as singletons any function which will only be executed once, or
+* which is inner to a lambda we only expect to run once. In the latter
+* case, if the lambda runs multiple times then CloneFunctionObject will
+* make a deep clone of its contents.
+*/
+if (fun->isInterpreted()) {
+bool singleton =
+bce->script->compileAndGo() &&
+fun->isInterpreted() &&
+(bce->checkSingletonContext() ||
+(!bce->isInLoop() && bce->isRunOnceLambda()));
+if (!JSFunction::setTypeForScriptedFunction(cx, fun, singleton))
+return false;
+if (fun->isInterpretedLazy()) {
+if (!fun->lazyScript()->sourceObject()) {
+JSObject *scope = bce->staticScope;
+if (!scope && bce->sc->isFunctionBox())
+scope = bce->sc->asFunctionBox()->function();
+JSObject *source = bce->script->sourceObject();
+fun->lazyScript()->setParent(scope, &source->as<ScriptSourceObject>());
+}
+if (bce->emittingRunOnceLambda)
+fun->lazyScript()->setTreatAsRunOnce();
+} else {
+SharedContext *outersc = bce->sc;
+if (outersc->isFunctionBox() && outersc->asFunctionBox()->mightAliasLocals())
+funbox->setMightAliasLocals();      // inherit mightAliasLocals from parent
+JS_ASSERT_IF(outersc->strict, funbox->strict);
+// Inherit most things (principals, version, etc) from the parent.
+Rooted<JSScript*> parent(cx, bce->script);
+CompileOptions options(cx, bce->parser->options());
+options.setOriginPrincipals(parent->originPrincipals())
+.setCompileAndGo(parent->compileAndGo())
+.setSelfHostingMode(parent->selfHosted())
+.setNoScriptRval(false)
+.setForEval(false)
+.setVersion(parent->getVersion());
+Rooted<JSObject*> enclosingScope(cx, EnclosingStaticScope(bce));
+Rooted<JSObject*> sourceObject(cx, bce->script->sourceObject());
+Rooted<JSScript*> script(cx, JSScript::Create(cx, enclosingScope, false, options,
+parent->staticLevel() + 1,
+sourceObject,
+funbox->bufStart, funbox->bufEnd));
+if (!script)
+return false;
+script->bindings = funbox->bindings;
+uint32_t lineNum = bce->parser->tokenStream.srcCoords.lineNum(pn->pn_pos.begin);
+BytecodeEmitter bce2(bce, bce->parser, funbox, script, bce->insideEval,
+bce->evalCaller, bce->hasGlobalScope, lineNum,
+bce->emitterMode);
+if (!bce2.init())
+return false;
+/* We measured the max scope depth when we parsed the function. */
+if (!EmitFunctionScript(cx, &bce2, pn->pn_body))
+return false;
+if (funbox->usesArguments && funbox->usesApply)
+script->setUsesArgumentsAndApply();
+}
+} else {
+JS_ASSERT(IsAsmJSModuleNative(fun->native()));
+}
+/* Make the function object a literal in the outer script's pool. */
+unsigned index = bce->objectList.add(pn->pn_funbox);
+/* Non-hoisted functions simply emit their respective op. */
+if (!pn->functionIsHoisted()) {
+/* JSOP_LAMBDA_ARROW is always preceded by JSOP_THIS. */
+MOZ_ASSERT(fun->isArrow() == (pn->getOp() == JSOP_LAMBDA_ARROW));
+if (fun->isArrow() && Emit1(cx, bce, JSOP_THIS) < 0)
+return false;
+return EmitIndex32(cx, pn->getOp(), index, bce);
+}
+/*
+* For a script we emit the code as we parse. Thus the bytecode for
+* top-level functions should go in the prolog to predefine their
+* names in the variable object before the already-generated main code
+* is executed. This extra work for top-level scripts is not necessary
+* when we emit the code for a function. It is fully parsed prior to
+* invocation of the emitter and calls to EmitTree for function
+* definitions can be scheduled before generating the rest of code.
+*/
+if (!bce->sc->isFunctionBox()) {
+JS_ASSERT(pn->pn_cookie.isFree());
+JS_ASSERT(pn->getOp() == JSOP_NOP);
+JS_ASSERT(!bce->topStmt);
+bce->switchToProlog();
+if (!EmitIndex32(cx, JSOP_DEFFUN, index, bce))
+return false;
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+bce->switchToMain();
+} else {
+#ifdef DEBUG
+BindingIter bi(bce->script);
+while (bi->name() != fun->atom())
+bi++;
+JS_ASSERT(bi->kind() == Binding::VARIABLE || bi->kind() == Binding::CONSTANT ||
+bi->kind() == Binding::ARGUMENT);
+JS_ASSERT(bi.frameIndex() < JS_BIT(20));
+#endif
+pn->pn_index = index;
+if (!EmitIndexOp(cx, JSOP_LAMBDA, index, bce))
+return false;
+JS_ASSERT(pn->getOp() == JSOP_GETLOCAL || pn->getOp() == JSOP_GETARG);
+JSOp setOp = pn->getOp() == JSOP_GETLOCAL ? JSOP_SETLOCAL : JSOP_SETARG;
+if (!EmitVarOp(cx, pn, setOp, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitDo(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+/* Emit an annotated nop so IonBuilder can recognize the 'do' loop. */
+ptrdiff_t noteIndex = NewSrcNote(cx, bce, SRC_WHILE);
+if (noteIndex < 0 || Emit1(cx, bce, JSOP_NOP) < 0)
+return false;
+ptrdiff_t noteIndex2 = NewSrcNote(cx, bce, SRC_WHILE);
+if (noteIndex2 < 0)
+return false;
+/* Compile the loop body. */
+ptrdiff_t top = EmitLoopHead(cx, bce, pn->pn_left);
+if (top < 0)
+return false;
+LoopStmtInfo stmtInfo(cx);
+PushLoopStatement(bce, &stmtInfo, STMT_DO_LOOP, top);
+if (!EmitLoopEntry(cx, bce, nullptr))
+return false;
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+/* Set loop and enclosing label update offsets, for continue. */
+ptrdiff_t off = bce->offset();
+StmtInfoBCE *stmt = &stmtInfo;
+do {
+stmt->update = off;
+} while ((stmt = stmt->down) != nullptr && stmt->type == STMT_LABEL);
+/* Compile the loop condition, now that continues know where to go. */
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+ptrdiff_t beq = EmitJump(cx, bce, JSOP_IFNE, top - bce->offset());
+if (beq < 0)
+return false;
+if (!bce->tryNoteList.append(JSTRY_LOOP, bce->stackDepth, top, bce->offset()))
+return false;
+/*
+* Update the annotations with the update and back edge positions, for
+* IonBuilder.
+*
+* Be careful: We must set noteIndex2 before noteIndex in case the noteIndex
+* note gets bigger.
+*/
+if (!SetSrcNoteOffset(cx, bce, noteIndex2, 0, beq - top))
+return false;
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, 1 + (off - top)))
+return false;
+return PopStatementBCE(cx, bce);
+}
+static bool
+EmitWhile(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+/*
+* Minimize bytecodes issued for one or more iterations by jumping to
+* the condition below the body and closing the loop if the condition
+* is true with a backward branch. For iteration count i:
+*
+*  i    test at the top                 test at the bottom
+*  =    ===============                 ==================
+*  0    ifeq-pass                       goto; ifne-fail
+*  1    ifeq-fail; goto; ifne-pass      goto; ifne-pass; ifne-fail
+*  2    2*(ifeq-fail; goto); ifeq-pass  goto; 2*ifne-pass; ifne-fail
+*  . . .
+*  N    N*(ifeq-fail; goto); ifeq-pass  goto; N*ifne-pass; ifne-fail
+*/
+LoopStmtInfo stmtInfo(cx);
+PushLoopStatement(bce, &stmtInfo, STMT_WHILE_LOOP, top);
+ptrdiff_t noteIndex = NewSrcNote(cx, bce, SRC_WHILE);
+if (noteIndex < 0)
+return false;
+ptrdiff_t jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (jmp < 0)
+return false;
+top = EmitLoopHead(cx, bce, pn->pn_right);
+if (top < 0)
+return false;
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+SetJumpOffsetAt(bce, jmp);
+if (!EmitLoopEntry(cx, bce, pn->pn_left))
+return false;
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+ptrdiff_t beq = EmitJump(cx, bce, JSOP_IFNE, top - bce->offset());
+if (beq < 0)
+return false;
+if (!bce->tryNoteList.append(JSTRY_LOOP, bce->stackDepth, top, bce->offset()))
+return false;
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, beq - jmp))
+return false;
+return PopStatementBCE(cx, bce);
+}
+static bool
+EmitBreak(ExclusiveContext *cx, BytecodeEmitter *bce, PropertyName *label)
+{
+StmtInfoBCE *stmt = bce->topStmt;
+SrcNoteType noteType;
+if (label) {
+while (stmt->type != STMT_LABEL || stmt->label != label)
+stmt = stmt->down;
+noteType = SRC_BREAK2LABEL;
+} else {
+while (!stmt->isLoop() && stmt->type != STMT_SWITCH)
+stmt = stmt->down;
+noteType = (stmt->type == STMT_SWITCH) ? SRC_SWITCHBREAK : SRC_BREAK;
+}
+return EmitGoto(cx, bce, stmt, &stmt->breaks, noteType) >= 0;
+}
+static bool
+EmitContinue(ExclusiveContext *cx, BytecodeEmitter *bce, PropertyName *label)
+{
+StmtInfoBCE *stmt = bce->topStmt;
+if (label) {
+/* Find the loop statement enclosed by the matching label. */
+StmtInfoBCE *loop = nullptr;
+while (stmt->type != STMT_LABEL || stmt->label != label) {
+if (stmt->isLoop())
+loop = stmt;
+stmt = stmt->down;
+}
+stmt = loop;
+} else {
+while (!stmt->isLoop())
+stmt = stmt->down;
+}
+return EmitGoto(cx, bce, stmt, &stmt->continues, SRC_CONTINUE) >= 0;
+}
+static bool
+EmitReturn(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+if (bce->sc->isFunctionBox() && bce->sc->asFunctionBox()->isStarGenerator()) {
+if (!EmitPrepareIteratorResult(cx, bce))
+return false;
+}
+/* Push a return value */
+if (ParseNode *pn2 = pn->pn_kid) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+} else {
+/* No explicit return value provided */
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+}
+if (bce->sc->isFunctionBox() && bce->sc->asFunctionBox()->isStarGenerator()) {
+if (!EmitFinishIteratorResult(cx, bce, true))
+return false;
+}
+/*
+* EmitNonLocalJumpFixup may add fixup bytecode to close open try
+* blocks having finally clauses and to exit intermingled let blocks.
+* We can't simply transfer control flow to our caller in that case,
+* because we must gosub to those finally clauses from inner to outer,
+* with the correct stack pointer (i.e., after popping any with,
+* for/in, etc., slots nested inside the finally's try).
+*
+* In this case we mutate JSOP_RETURN into JSOP_SETRVAL and add an
+* extra JSOP_RETRVAL after the fixups.
+*/
+ptrdiff_t top = bce->offset();
+if (Emit1(cx, bce, JSOP_RETURN) < 0)
+return false;
+NonLocalExitScope nle(cx, bce);
+if (!nle.prepareForNonLocalJump(nullptr))
+return false;
+if (top + static_cast<ptrdiff_t>(JSOP_RETURN_LENGTH) != bce->offset()) {
+bce->code()[top] = JSOP_SETRVAL;
+if (Emit1(cx, bce, JSOP_RETRVAL) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitYieldStar(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *iter)
+{
+JS_ASSERT(bce->sc->isFunctionBox());
+JS_ASSERT(bce->sc->asFunctionBox()->isStarGenerator());
+if (!EmitTree(cx, bce, iter))                                // ITERABLE
+return false;
+// Convert iterable to iterator.
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // ITERABLE ITERABLE
+return false;
+if (!EmitAtomOp(cx, cx->names().std_iterator, JSOP_CALLPROP, bce)) // ITERABLE @@ITERATOR
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // @@ITERATOR ITERABLE
+return false;
+if (EmitCall(cx, bce, JSOP_CALL, 0) < 0)                     // ITER
+return false;
+CheckTypeSet(cx, bce, JSOP_CALL);
+int depth = bce->stackDepth;
+JS_ASSERT(depth >= 1);
+// Initial send value is undefined.
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)                      // ITER RECEIVED
+return false;
+ptrdiff_t initialSend = -1;
+if (EmitBackPatchOp(cx, bce, &initialSend) < 0)              // goto initialSend
+return false;
+// Try prologue.                                             // ITER RESULT
+StmtInfoBCE stmtInfo(cx);
+PushStatementBCE(bce, &stmtInfo, STMT_TRY, bce->offset());
+ptrdiff_t noteIndex = NewSrcNote(cx, bce, SRC_TRY);
+if (noteIndex < 0 || Emit1(cx, bce, JSOP_TRY) < 0)
+return false;
+ptrdiff_t tryStart = bce->offset();                          // tryStart:
+JS_ASSERT(bce->stackDepth == depth + 1);
+// Yield RESULT as-is, without re-boxing.
+if (Emit1(cx, bce, JSOP_YIELD) < 0)                          // ITER RECEIVED
+return false;
+// Try epilogue.
+if (!SetSrcNoteOffset(cx, bce, noteIndex, 0, bce->offset() - tryStart + JSOP_TRY_LENGTH))
+return false;
+ptrdiff_t subsequentSend = -1;
+if (EmitBackPatchOp(cx, bce, &subsequentSend) < 0)           // goto subsequentSend
+return false;
+ptrdiff_t tryEnd = bce->offset();                            // tryEnd:
+// Catch location.
+// THROW? = 'throw' in ITER                                  // ITER
+bce->stackDepth = (uint32_t) depth;
+if (Emit1(cx, bce, JSOP_EXCEPTION) < 0)                      // ITER EXCEPTION
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // EXCEPTION ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // EXCEPTION ITER ITER
+return false;
+if (!EmitAtomOp(cx, cx->names().throw_, JSOP_STRING, bce))   // EXCEPTION ITER ITER "throw"
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // EXCEPTION ITER "throw" ITER
+return false;
+if (Emit1(cx, bce, JSOP_IN) < 0)                             // EXCEPTION ITER THROW?
+return false;
+// if (THROW?) goto delegate
+ptrdiff_t checkThrow = EmitJump(cx, bce, JSOP_IFNE, 0);      // EXCEPTION ITER
+if (checkThrow < 0)
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)                            // EXCEPTION
+return false;
+if (Emit1(cx, bce, JSOP_THROW) < 0)                          // throw EXCEPTION
+return false;
+SetJumpOffsetAt(bce, checkThrow);                            // delegate:
+// RESULT = ITER.throw(EXCEPTION)                            // EXCEPTION ITER
+bce->stackDepth = (uint32_t) depth + 1;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // EXCEPTION ITER ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // EXCEPTION ITER ITER ITER
+return false;
+if (!EmitAtomOp(cx, cx->names().throw_, JSOP_CALLPROP, bce)) // EXCEPTION ITER ITER THROW
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // EXCEPTION ITER THROW ITER
+return false;
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)3) < 0)            // ITER THROW ITER EXCEPTION
+return false;
+if (EmitCall(cx, bce, JSOP_CALL, 1) < 0)                     // ITER RESULT
+return false;
+CheckTypeSet(cx, bce, JSOP_CALL);
+JS_ASSERT(bce->stackDepth == depth + 1);
+ptrdiff_t checkResult = -1;
+if (EmitBackPatchOp(cx, bce, &checkResult) < 0)              // goto checkResult
+return false;
+// Catch epilogue.
+if (!PopStatementBCE(cx, bce))
+return false;
+// This is a peace offering to ReconstructPCStack.  See the note in EmitTry.
+if (Emit1(cx, bce, JSOP_NOP) < 0)
+return false;
+if (!bce->tryNoteList.append(JSTRY_CATCH, depth, tryStart, tryEnd))
+return false;
+// After the try/catch block: send the received value to the iterator.
+if (!BackPatch(cx, bce, initialSend, bce->code().end(), JSOP_GOTO)) // initialSend:
+return false;
+if (!BackPatch(cx, bce, subsequentSend, bce->code().end(), JSOP_GOTO)) // subsequentSend:
+return false;
+// Send location.
+// result = iter.next(received)                              // ITER RECEIVED
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // RECEIVED ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // RECEIVED ITER ITER
+return false;
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // RECEIVED ITER ITER ITER
+return false;
+if (!EmitAtomOp(cx, cx->names().next, JSOP_CALLPROP, bce))   // RECEIVED ITER ITER NEXT
+return false;
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // RECEIVED ITER NEXT ITER
+return false;
+if (Emit2(cx, bce, JSOP_PICK, (jsbytecode)3) < 0)            // ITER NEXT ITER RECEIVED
+return false;
+if (EmitCall(cx, bce, JSOP_CALL, 1) < 0)                     // ITER RESULT
+return false;
+CheckTypeSet(cx, bce, JSOP_CALL);
+JS_ASSERT(bce->stackDepth == depth + 1);
+if (!BackPatch(cx, bce, checkResult, bce->code().end(), JSOP_GOTO)) // checkResult:
+return false;
+// if (!result.done) goto tryStart;                          // ITER RESULT
+if (Emit1(cx, bce, JSOP_DUP) < 0)                            // ITER RESULT RESULT
+return false;
+if (!EmitAtomOp(cx, cx->names().done, JSOP_GETPROP, bce))    // ITER RESULT DONE
+return false;
+// if (!DONE) goto tryStart;
+if (EmitJump(cx, bce, JSOP_IFEQ, tryStart - bce->offset()) < 0) // ITER RESULT
+return false;
+// result.value
+if (Emit1(cx, bce, JSOP_SWAP) < 0)                           // RESULT ITER
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)                            // RESULT
+return false;
+if (!EmitAtomOp(cx, cx->names().value, JSOP_GETPROP, bce))   // VALUE
+return false;
+JS_ASSERT(bce->stackDepth == depth);
+return true;
+}
+static bool
+EmitStatementList(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+JS_ASSERT(pn->isArity(PN_LIST));
+StmtInfoBCE stmtInfo(cx);
+PushStatementBCE(bce, &stmtInfo, STMT_BLOCK, top);
+ParseNode *pnchild = pn->pn_head;
+if (pn->pn_xflags & PNX_DESTRUCT)
+pnchild = pnchild->pn_next;
+for (ParseNode *pn2 = pnchild; pn2; pn2 = pn2->pn_next) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+}
+return PopStatementBCE(cx, bce);
+}
+static bool
+EmitStatement(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JS_ASSERT(pn->isKind(PNK_SEMI));
+ParseNode *pn2 = pn->pn_kid;
+if (!pn2)
+return true;
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+/*
+* Top-level or called-from-a-native JS_Execute/EvaluateScript,
+* debugger, and eval frames may need the value of the ultimate
+* expression statement as the script's result, despite the fact
+* that it appears useless to the compiler.
+*
+* API users may also set the JSOPTION_NO_SCRIPT_RVAL option when
+* calling JS_Compile* to suppress JSOP_SETRVAL.
+*/
+bool wantval = false;
+bool useful = false;
+if (bce->sc->isFunctionBox()) {
+JS_ASSERT(!bce->script->noScriptRval());
+} else {
+useful = wantval = !bce->script->noScriptRval();
+}
+/* Don't eliminate expressions with side effects. */
+if (!useful) {
+if (!CheckSideEffects(cx, bce, pn2, &useful))
+return false;
+/*
+* Don't eliminate apparently useless expressions if they are
+* labeled expression statements.  The pc->topStmt->update test
+* catches the case where we are nesting in EmitTree for a labeled
+* compound statement.
+*/
+if (bce->topStmt &&
+bce->topStmt->type == STMT_LABEL &&
+bce->topStmt->update >= bce->offset())
+{
+useful = true;
+}
+}
+if (useful) {
+JSOp op = wantval ? JSOP_SETRVAL : JSOP_POP;
+JS_ASSERT_IF(pn2->isKind(PNK_ASSIGN), pn2->isOp(JSOP_NOP));
+if (!wantval &&
+pn2->isKind(PNK_ASSIGN) &&
+!MaybeEmitGroupAssignment(cx, bce, op, pn2, GroupIsNotDecl, &op))
+{
+return false;
+}
+if (op != JSOP_NOP) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+if (Emit1(cx, bce, op) < 0)
+return false;
+}
+} else if (!pn->isDirectivePrologueMember()) {
+/* Don't complain about directive prologue members; just don't emit their code. */
+bce->current->currentLine = bce->parser->tokenStream.srcCoords.lineNum(pn2->pn_pos.begin);
+bce->current->lastColumn = 0;
+if (!bce->reportStrictWarning(pn2, JSMSG_USELESS_EXPR))
+return false;
+}
+return true;
+}
+static bool
+EmitDelete(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+/*
+* Under ECMA 3, deleting a non-reference returns true -- but alas we
+* must evaluate the operand if it appears it might have side effects.
+*/
+ParseNode *pn2 = pn->pn_kid;
+switch (pn2->getKind()) {
+case PNK_NAME:
+{
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+JSOp op = pn2->getOp();
+if (op == JSOP_FALSE) {
+if (Emit1(cx, bce, op) < 0)
+return false;
+} else {
+if (!EmitAtomOp(cx, pn2, op, bce))
+return false;
+}
+break;
+}
+case PNK_DOT:
+if (!EmitPropOp(cx, pn2, JSOP_DELPROP, bce))
+return false;
+break;
+case PNK_ELEM:
+if (!EmitElemOp(cx, pn2, JSOP_DELELEM, bce))
+return false;
+break;
+default:
+{
+/*
+* If useless, just emit JSOP_TRUE; otherwise convert delete foo()
+* to foo(), true (a comma expression).
+*/
+bool useful = false;
+if (!CheckSideEffects(cx, bce, pn2, &useful))
+return false;
+if (useful) {
+JS_ASSERT_IF(pn2->isKind(PNK_CALL), !(pn2->pn_xflags & PNX_SETCALL));
+if (!EmitTree(cx, bce, pn2))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+if (Emit1(cx, bce, JSOP_TRUE) < 0)
+return false;
+}
+}
+return true;
+}
+static bool
+EmitArray(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, uint32_t count);
+static bool
+EmitCallOrNew(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+bool callop = pn->isKind(PNK_CALL);
+/*
+* Emit callable invocation or operator new (constructor call) code.
+* First, emit code for the left operand to evaluate the callable or
+* constructable object expression.
+*
+* For operator new, we emit JSOP_GETPROP instead of JSOP_CALLPROP, etc.
+* This is necessary to interpose the lambda-initialized method read
+* barrier -- see the code in jsinterp.cpp for JSOP_LAMBDA followed by
+* JSOP_{SET,INIT}PROP.
+*
+* Then (or in a call case that has no explicit reference-base
+* object) we emit JSOP_UNDEFINED to produce the undefined |this|
+* value required for calls (which non-strict mode functions
+* will box into the global object).
+*/
+uint32_t argc = pn->pn_count - 1;
+if (argc >= ARGC_LIMIT) {
+bce->parser->tokenStream.reportError(callop
+? JSMSG_TOO_MANY_FUN_ARGS
+: JSMSG_TOO_MANY_CON_ARGS);
+return false;
+}
+bool emitArgs = true;
+ParseNode *pn2 = pn->pn_head;
+bool spread = JOF_OPTYPE(pn->getOp()) == JOF_BYTE;
+switch (pn2->getKind()) {
+case PNK_NAME:
+if (bce->emitterMode == BytecodeEmitter::SelfHosting &&
+pn2->name() == cx->names().callFunction &&
+!spread)
+{
+/*
+* Special-casing of callFunction to emit bytecode that directly
+* invokes the callee with the correct |this| object and arguments.
+* callFunction(fun, thisArg, arg0, arg1) thus becomes:
+* - emit lookup for fun
+* - emit lookup for thisArg
+* - emit lookups for arg0, arg1
+*
+* argc is set to the amount of actually emitted args and the
+* emitting of args below is disabled by setting emitArgs to false.
+*/
+if (pn->pn_count < 3) {
+bce->reportError(pn, JSMSG_MORE_ARGS_NEEDED, "callFunction", "1", "s");
+return false;
+}
+ParseNode *funNode = pn2->pn_next;
+if (!EmitTree(cx, bce, funNode))
+return false;
+ParseNode *thisArg = funNode->pn_next;
+if (!EmitTree(cx, bce, thisArg))
+return false;
+bool oldEmittingForInit = bce->emittingForInit;
+bce->emittingForInit = false;
+for (ParseNode *argpn = thisArg->pn_next; argpn; argpn = argpn->pn_next) {
+if (!EmitTree(cx, bce, argpn))
+return false;
+}
+bce->emittingForInit = oldEmittingForInit;
+argc -= 2;
+emitArgs = false;
+break;
+}
+if (!EmitNameOp(cx, bce, pn2, callop))
+return false;
+break;
+case PNK_DOT:
+if (!EmitPropOp(cx, pn2, callop ? JSOP_CALLPROP : JSOP_GETPROP, bce))
+return false;
+break;
+case PNK_ELEM:
+if (!EmitElemOp(cx, pn2, callop ? JSOP_CALLELEM : JSOP_GETELEM, bce))
+return false;
+break;
+case PNK_FUNCTION:
+/*
+* Top level lambdas which are immediately invoked should be
+* treated as only running once. Every time they execute we will
+* create new types and scripts for their contents, to increase
+* the quality of type information within them and enable more
+* backend optimizations. Note that this does not depend on the
+* lambda being invoked at most once (it may be named or be
+* accessed via foo.caller indirection), as multiple executions
+* will just cause the inner scripts to be repeatedly cloned.
+*/
+JS_ASSERT(!bce->emittingRunOnceLambda);
+if (bce->checkSingletonContext() || (!bce->isInLoop() && bce->isRunOnceLambda())) {
+bce->emittingRunOnceLambda = true;
+if (!EmitTree(cx, bce, pn2))
+return false;
+bce->emittingRunOnceLambda = false;
+} else {
+if (!EmitTree(cx, bce, pn2))
+return false;
+}
+callop = false;
+break;
+default:
+if (!EmitTree(cx, bce, pn2))
+return false;
+callop = false;             /* trigger JSOP_UNDEFINED after */
+break;
+}
+if (!callop) {
+JSOp thisop = pn->isKind(PNK_GENEXP) ? JSOP_THIS : JSOP_UNDEFINED;
+if (Emit1(cx, bce, thisop) < 0)
+return false;
+}
+if (emitArgs) {
+/*
+* Emit code for each argument in order, then emit the JSOP_*CALL or
+* JSOP_NEW bytecode with a two-byte immediate telling how many args
+* were pushed on the operand stack.
+*/
+bool oldEmittingForInit = bce->emittingForInit;
+bce->emittingForInit = false;
+if (!spread) {
+for (ParseNode *pn3 = pn2->pn_next; pn3; pn3 = pn3->pn_next) {
+if (!EmitTree(cx, bce, pn3))
+return false;
+}
+} else {
+if (!EmitArray(cx, bce, pn2->pn_next, argc))
+return false;
+}
+bce->emittingForInit = oldEmittingForInit;
+}
+if (!spread) {
+if (EmitCall(cx, bce, pn->getOp(), argc) < 0)
+return false;
+} else {
+if (Emit1(cx, bce, pn->getOp()) < 0)
+return false;
+}
+CheckTypeSet(cx, bce, pn->getOp());
+if (pn->isOp(JSOP_EVAL) || pn->isOp(JSOP_SPREADEVAL)) {
+uint32_t lineNum = bce->parser->tokenStream.srcCoords.lineNum(pn->pn_pos.begin);
+EMIT_UINT16_IMM_OP(JSOP_LINENO, lineNum);
+}
+if (pn->pn_xflags & PNX_SETCALL) {
+if (Emit1(cx, bce, JSOP_SETCALL) < 0)
+return false;
+}
+return true;
+}
+static bool
+EmitLogical(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+/*
+* JSOP_OR converts the operand on the stack to boolean, leaves the original
+* value on the stack and jumps if true; otherwise it falls into the next
+* bytecode, which pops the left operand and then evaluates the right operand.
+* The jump goes around the right operand evaluation.
+*
+* JSOP_AND converts the operand on the stack to boolean and jumps if false;
+* otherwise it falls into the right operand's bytecode.
+*/
+if (pn->isArity(PN_BINARY)) {
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+ptrdiff_t top = EmitJump(cx, bce, JSOP_BACKPATCH, 0);
+if (top < 0)
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+ptrdiff_t off = bce->offset();
+jsbytecode *pc = bce->code(top);
+SET_JUMP_OFFSET(pc, off - top);
+*pc = pn->getOp();
+return true;
+}
+JS_ASSERT(pn->isArity(PN_LIST));
+JS_ASSERT(pn->pn_head->pn_next->pn_next);
+/* Left-associative operator chain: avoid too much recursion. */
+ParseNode *pn2 = pn->pn_head;
+if (!EmitTree(cx, bce, pn2))
+return false;
+ptrdiff_t top = EmitJump(cx, bce, JSOP_BACKPATCH, 0);
+if (top < 0)
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+/* Emit nodes between the head and the tail. */
+ptrdiff_t jmp = top;
+while ((pn2 = pn2->pn_next)->pn_next) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+ptrdiff_t off = EmitJump(cx, bce, JSOP_BACKPATCH, 0);
+if (off < 0)
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+SET_JUMP_OFFSET(bce->code(jmp), off - jmp);
+jmp = off;
+}
+if (!EmitTree(cx, bce, pn2))
+return false;
+pn2 = pn->pn_head;
+ptrdiff_t off = bce->offset();
+do {
+jsbytecode *pc = bce->code(top);
+ptrdiff_t tmp = GET_JUMP_OFFSET(pc);
+SET_JUMP_OFFSET(pc, off - top);
+*pc = pn->getOp();
+top += tmp;
+} while ((pn2 = pn2->pn_next)->pn_next);
+return true;
+}
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See
+* the comment on EmitSwitch.
+*/
+MOZ_NEVER_INLINE static bool
+EmitIncOrDec(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+/* Emit lvalue-specialized code for ++/-- operators. */
+ParseNode *pn2 = pn->pn_kid;
+switch (pn2->getKind()) {
+case PNK_DOT:
+if (!EmitPropIncDec(cx, pn, bce))
+return false;
+break;
+case PNK_ELEM:
+if (!EmitElemIncDec(cx, pn, bce))
+return false;
+break;
+case PNK_CALL:
+JS_ASSERT(pn2->pn_xflags & PNX_SETCALL);
+if (!EmitTree(cx, bce, pn2))
+return false;
+break;
+default:
+JS_ASSERT(pn2->isKind(PNK_NAME));
+pn2->setOp(JSOP_SETNAME);
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+JSOp op = pn2->getOp();
+bool maySet;
+switch (op) {
+case JSOP_SETLOCAL:
+case JSOP_SETARG:
+case JSOP_SETALIASEDVAR:
+case JSOP_SETNAME:
+case JSOP_SETGNAME:
+maySet = true;
+break;
+default:
+maySet = false;
+}
+if (op == JSOP_CALLEE) {
+if (Emit1(cx, bce, op) < 0)
+return false;
+} else if (!pn2->pn_cookie.isFree()) {
+if (maySet) {
+if (!EmitVarIncDec(cx, pn, bce))
+return false;
+} else {
+if (!EmitVarOp(cx, pn2, op, bce))
+return false;
+}
+} else {
+JS_ASSERT(JOF_OPTYPE(op) == JOF_ATOM);
+if (maySet) {
+if (!EmitNameIncDec(cx, pn, bce))
+return false;
+} else {
+if (!EmitAtomOp(cx, pn2, op, bce))
+return false;
+}
+break;
+}
+if (pn2->isConst()) {
+if (Emit1(cx, bce, JSOP_POS) < 0)
+return false;
+bool post;
+JSOp binop = GetIncDecInfo(pn->getKind(), &post);
+if (!post) {
+if (Emit1(cx, bce, JSOP_ONE) < 0)
+return false;
+if (Emit1(cx, bce, binop) < 0)
+return false;
+}
+}
+}
+return true;
+}
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See
+* the comment on EmitSwitch.
+*/
+MOZ_NEVER_INLINE static bool
+EmitLabeledStatement(ExclusiveContext *cx, BytecodeEmitter *bce, const LabeledStatement *pn)
+{
+/*
+* Emit a JSOP_LABEL instruction. The argument is the offset to the statement
+* following the labeled statement.
+*/
+jsatomid index;
+if (!bce->makeAtomIndex(pn->label(), &index))
+return false;
+ptrdiff_t top = EmitJump(cx, bce, JSOP_LABEL, 0);
+if (top < 0)
+return false;
+/* Emit code for the labeled statement. */
+StmtInfoBCE stmtInfo(cx);
+PushStatementBCE(bce, &stmtInfo, STMT_LABEL, bce->offset());
+stmtInfo.label = pn->label();
+if (!EmitTree(cx, bce, pn->statement()))
+return false;
+if (!PopStatementBCE(cx, bce))
+return false;
+/* Patch the JSOP_LABEL offset. */
+SetJumpOffsetAt(bce, top);
+return true;
+}
+static bool
+EmitSyntheticStatements(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, ptrdiff_t top)
+{
+JS_ASSERT(pn->isArity(PN_LIST));
+StmtInfoBCE stmtInfo(cx);
+PushStatementBCE(bce, &stmtInfo, STMT_SEQ, top);
+ParseNode *pn2 = pn->pn_head;
+if (pn->pn_xflags & PNX_DESTRUCT)
+pn2 = pn2->pn_next;
+for (; pn2; pn2 = pn2->pn_next) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+}
+return PopStatementBCE(cx, bce);
+}
+static bool
+EmitConditionalExpression(ExclusiveContext *cx, BytecodeEmitter *bce, ConditionalExpression &conditional)
+{
+/* Emit the condition, then branch if false to the else part. */
+if (!EmitTree(cx, bce, &conditional.condition()))
+return false;
+ptrdiff_t noteIndex = NewSrcNote(cx, bce, SRC_COND);
+if (noteIndex < 0)
+return false;
+ptrdiff_t beq = EmitJump(cx, bce, JSOP_IFEQ, 0);
+if (beq < 0 || !EmitTree(cx, bce, &conditional.thenExpression()))
+return false;
+/* Jump around else, fixup the branch, emit else, fixup jump. */
+ptrdiff_t jmp = EmitJump(cx, bce, JSOP_GOTO, 0);
+if (jmp < 0)
+return false;
+SetJumpOffsetAt(bce, beq);
+/*
+* Because each branch pushes a single value, but our stack budgeting
+* analysis ignores branches, we now have to adjust bce->stackDepth to
+* ignore the value pushed by the first branch.  Execution will follow
+* only one path, so we must decrement bce->stackDepth.
+*
+* Failing to do this will foil code, such as let expression and block
+* code generation, which must use the stack depth to compute local
+* stack indexes correctly.
+*/
+JS_ASSERT(bce->stackDepth > 0);
+bce->stackDepth--;
+if (!EmitTree(cx, bce, &conditional.elseExpression()))
+return false;
+SetJumpOffsetAt(bce, jmp);
+return SetSrcNoteOffset(cx, bce, noteIndex, 0, jmp - beq);
+}
+/*
+* Using MOZ_NEVER_INLINE in here is a workaround for llvm.org/pr14047. See
+* the comment on EmitSwitch.
+*/
+MOZ_NEVER_INLINE static bool
+EmitObject(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+if (pn->pn_xflags & PNX_DESTRUCT) {
+bce->reportError(pn, JSMSG_BAD_OBJECT_INIT);
+return false;
+}
+if (!(pn->pn_xflags & PNX_NONCONST) && pn->pn_head && bce->checkSingletonContext())
+return EmitSingletonInitialiser(cx, bce, pn);
+/*
+* Emit code for {p:a, '%q':b, 2:c} that is equivalent to constructing
+* a new object and defining (in source order) each property on the object
+* (or mutating the object's [[Prototype]], in the case of __proto__).
+*/
+ptrdiff_t offset = bce->offset();
+if (!EmitNewInit(cx, bce, JSProto_Object))
+return false;
+/*
+* Try to construct the shape of the object as we go, so we can emit a
+* JSOP_NEWOBJECT with the final shape instead.
+*/
+RootedObject obj(cx);
+if (bce->script->compileAndGo()) {
+gc::AllocKind kind = GuessObjectGCKind(pn->pn_count);
+obj = NewBuiltinClassInstance(cx, &JSObject::class_, kind, TenuredObject);
+if (!obj)
+return false;
+}
+for (ParseNode *pn2 = pn->pn_head; pn2; pn2 = pn2->pn_next) {
+if (!UpdateSourceCoordNotes(cx, bce, pn2->pn_pos.begin))
+return false;
+/* Emit an index for t[2] for later consumption by JSOP_INITELEM. */
+ParseNode *pn3 = pn2->pn_left;
+bool isIndex = false;
+if (pn3->isKind(PNK_NUMBER)) {
+if (!EmitNumberOp(cx, pn3->pn_dval, bce))
+return false;
+isIndex = true;
+} else {
+// The parser already checked for atoms representing indexes and
+// used PNK_NUMBER instead, but also watch for ids which TI treats
+// as indexes for simpliciation of downstream analysis.
+JS_ASSERT(pn3->isKind(PNK_NAME) || pn3->isKind(PNK_STRING));
+jsid id = NameToId(pn3->pn_atom->asPropertyName());
+if (id != types::IdToTypeId(id)) {
+if (!EmitTree(cx, bce, pn3))
+return false;
+isIndex = true;
+}
+}
+/* Emit code for the property initializer. */
+if (!EmitTree(cx, bce, pn2->pn_right))
+return false;
+JSOp op = pn2->getOp();
+JS_ASSERT(op == JSOP_INITPROP ||
+op == JSOP_INITPROP_GETTER ||
+op == JSOP_INITPROP_SETTER);
+if (op == JSOP_INITPROP_GETTER || op == JSOP_INITPROP_SETTER)
+obj = nullptr;
+if (isIndex) {
+obj = nullptr;
+switch (op) {
+case JSOP_INITPROP:        op = JSOP_INITELEM;        break;
+case JSOP_INITPROP_GETTER: op = JSOP_INITELEM_GETTER; break;
+case JSOP_INITPROP_SETTER: op = JSOP_INITELEM_SETTER; break;
+default: MOZ_ASSUME_UNREACHABLE("Invalid op");
+}
+if (Emit1(cx, bce, op) < 0)
+return false;
+} else {
+JS_ASSERT(pn3->isKind(PNK_NAME) || pn3->isKind(PNK_STRING));
+// If we have { __proto__: expr }, implement prototype mutation.
+if (op == JSOP_INITPROP && pn3->pn_atom == cx->names().proto) {
+obj = nullptr;
+if (Emit1(cx, bce, JSOP_MUTATEPROTO) < 0)
+return false;
+continue;
+}
+jsatomid index;
+if (!bce->makeAtomIndex(pn3->pn_atom, &index))
+return false;
+MOZ_ASSERT(op == JSOP_INITPROP ||
+op == JSOP_INITPROP_GETTER ||
+op == JSOP_INITPROP_SETTER);
+if (obj) {
+JS_ASSERT(!obj->inDictionaryMode());
+Rooted<jsid> id(cx, AtomToId(pn3->pn_atom));
+RootedValue undefinedValue(cx, UndefinedValue());
+if (!DefineNativeProperty(cx, obj, id, undefinedValue, nullptr,
+nullptr, JSPROP_ENUMERATE))
+{
+return false;
+}
+if (obj->inDictionaryMode())
+obj = nullptr;
+}
+if (!EmitIndex32(cx, op, index, bce))
+return false;
+}
+}
+if (Emit1(cx, bce, JSOP_ENDINIT) < 0)
+return false;
+if (obj) {
+/*
+* The object survived and has a predictable shape: update the original
+* bytecode.
+*/
+ObjectBox *objbox = bce->parser->newObjectBox(obj);
+if (!objbox)
+return false;
+static_assert(JSOP_NEWINIT_LENGTH == JSOP_NEWOBJECT_LENGTH,
+"newinit and newobject must have equal length to edit in-place");
+uint32_t index = bce->objectList.add(objbox);
+jsbytecode *code = bce->code(offset);
+code[0] = JSOP_NEWOBJECT;
+code[1] = jsbytecode(index >> 24);
+code[2] = jsbytecode(index >> 16);
+code[3] = jsbytecode(index >> 8);
+code[4] = jsbytecode(index);
+}
+return true;
+}
+static bool
+EmitArrayComp(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+if (!EmitNewInit(cx, bce, JSProto_Array))
+return false;
+/*
+* Pass the new array's stack index to the PNK_ARRAYPUSH case via
+* bce->arrayCompDepth, then simply traverse the PNK_FOR node and
+* its kids under pn2 to generate this comprehension.
+*/
+JS_ASSERT(bce->stackDepth > 0);
+uint32_t saveDepth = bce->arrayCompDepth;
+bce->arrayCompDepth = (uint32_t) (bce->stackDepth - 1);
+if (!EmitTree(cx, bce, pn->pn_head))
+return false;
+bce->arrayCompDepth = saveDepth;
+/* Emit the usual op needed for decompilation. */
+return Emit1(cx, bce, JSOP_ENDINIT) >= 0;
+}
+static bool
+EmitArray(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn, uint32_t count)
+{
+/*
+* Emit code for [a, b, c] that is equivalent to constructing a new
+* array and in source order evaluating each element value and adding
+* it to the array, without invoking latent setters.  We use the
+* JSOP_NEWINIT and JSOP_INITELEM_ARRAY bytecodes to ignore setters and
+* to avoid dup'ing and popping the array as each element is added, as
+* JSOP_SETELEM/JSOP_SETPROP would do.
+*/
+int32_t nspread = 0;
+for (ParseNode *elt = pn; elt; elt = elt->pn_next) {
+if (elt->isKind(PNK_SPREAD))
+nspread++;
+}
+ptrdiff_t off = EmitN(cx, bce, JSOP_NEWARRAY, 3);
+if (off < 0)
+return false;
+CheckTypeSet(cx, bce, JSOP_NEWARRAY);
+jsbytecode *pc = bce->code(off);
+// For arrays with spread, this is a very pessimistic allocation, the
+// minimum possible final size.
+SET_UINT24(pc, count - nspread);
+ParseNode *pn2 = pn;
+jsatomid atomIndex;
+if (nspread && !EmitNumberOp(cx, 0, bce))
+return false;
+for (atomIndex = 0; pn2; atomIndex++, pn2 = pn2->pn_next) {
+if (!UpdateSourceCoordNotes(cx, bce, pn2->pn_pos.begin))
+return false;
+if (pn2->isKind(PNK_ELISION)) {
+if (Emit1(cx, bce, JSOP_HOLE) < 0)
+return false;
+} else {
+ParseNode *expr = pn2->isKind(PNK_SPREAD) ? pn2->pn_kid : pn2;
+if (!EmitTree(cx, bce, expr))
+return false;
+}
+if (pn2->isKind(PNK_SPREAD)) {
+if (Emit1(cx, bce, JSOP_SPREAD) < 0)
+return false;
+} else if (nspread) {
+if (Emit1(cx, bce, JSOP_INITELEM_INC) < 0)
+return false;
+} else {
+off = EmitN(cx, bce, JSOP_INITELEM_ARRAY, 3);
+if (off < 0)
+return false;
+SET_UINT24(bce->code(off), atomIndex);
+}
+}
+JS_ASSERT(atomIndex == count);
+if (nspread) {
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+/* Emit an op to finish the array and aid in decompilation. */
+return Emit1(cx, bce, JSOP_ENDINIT) >= 0;
+}
+static bool
+EmitUnary(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+/* Unary op, including unary +/-. */
+JSOp op = pn->getOp();
+ParseNode *pn2 = pn->pn_kid;
+if (op == JSOP_TYPEOF && !pn2->isKind(PNK_NAME))
+op = JSOP_TYPEOFEXPR;
+bool oldEmittingForInit = bce->emittingForInit;
+bce->emittingForInit = false;
+if (!EmitTree(cx, bce, pn2))
+return false;
+bce->emittingForInit = oldEmittingForInit;
+return Emit1(cx, bce, op) >= 0;
+}
+static bool
+EmitDefaults(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JS_ASSERT(pn->isKind(PNK_ARGSBODY));
+ParseNode *arg, *pnlast = pn->last();
+for (arg = pn->pn_head; arg != pnlast; arg = arg->pn_next) {
+if (!(arg->pn_dflags & PND_DEFAULT) || !arg->isKind(PNK_NAME))
+continue;
+if (!BindNameToSlot(cx, bce, arg))
+return false;
+if (!EmitVarOp(cx, arg, JSOP_GETARG, bce))
+return false;
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+if (Emit1(cx, bce, JSOP_STRICTEQ) < 0)
+return false;
+// Emit source note to enable ion compilation.
+if (NewSrcNote(cx, bce, SRC_IF) < 0)
+return false;
+ptrdiff_t jump = EmitJump(cx, bce, JSOP_IFEQ, 0);
+if (jump < 0)
+return false;
+if (!EmitTree(cx, bce, arg->expr()))
+return false;
+if (!EmitVarOp(cx, arg, JSOP_SETARG, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+SET_JUMP_OFFSET(bce->code(jump), bce->offset() - jump);
+}
+return true;
+}
+bool
+frontend::EmitTree(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
+{
+JS_CHECK_RECURSION(cx, return false);
+EmitLevelManager elm(bce);
+bool ok = true;
+ptrdiff_t top = bce->offset();
+pn->pn_offset = top;
+/* Emit notes to tell the current bytecode's source line number. */
+if (!UpdateLineNumberNotes(cx, bce, pn->pn_pos.begin))
+return false;
+switch (pn->getKind()) {
+case PNK_FUNCTION:
+ok = EmitFunc(cx, bce, pn);
+break;
+case PNK_ARGSBODY:
+{
+RootedFunction fun(cx, bce->sc->asFunctionBox()->function());
+ParseNode *pnlast = pn->last();
+// Carefully emit everything in the right order:
+// 1. Destructuring
+// 2. Functions
+// 3. Defaults
+ParseNode *pnchild = pnlast->pn_head;
+if (pnlast->pn_xflags & PNX_DESTRUCT) {
+// Assign the destructuring arguments before defining any functions,
+// see bug 419662.
+JS_ASSERT(pnchild->isKind(PNK_SEMI));
+JS_ASSERT(pnchild->pn_kid->isKind(PNK_VAR) || pnchild->pn_kid->isKind(PNK_CONST));
+if (!EmitTree(cx, bce, pnchild))
+return false;
+pnchild = pnchild->pn_next;
+}
+if (pnlast->pn_xflags & PNX_FUNCDEFS) {
+// This block contains top-level function definitions. To ensure
+// that we emit the bytecode defining them before the rest of code
+// in the block we use a separate pass over functions. During the
+// main pass later the emitter will add JSOP_NOP with source notes
+// for the function to preserve the original functions position
+// when decompiling.
+//
+// Currently this is used only for functions, as compile-as-we go
+// mode for scripts does not allow separate emitter passes.
+for (ParseNode *pn2 = pnchild; pn2; pn2 = pn2->pn_next) {
+if (pn2->isKind(PNK_FUNCTION) && pn2->functionIsHoisted()) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+}
+}
+}
+bool hasDefaults = bce->sc->asFunctionBox()->hasDefaults();
+if (hasDefaults) {
+ParseNode *rest = nullptr;
+bool restIsDefn = false;
+if (fun->hasRest()) {
+JS_ASSERT(!bce->sc->asFunctionBox()->argumentsHasLocalBinding());
+// Defaults with a rest parameter need special handling. The
+// rest parameter needs to be undefined while defaults are being
+// processed. To do this, we create the rest argument and let it
+// sit on the stack while processing defaults. The rest
+// parameter's slot is set to undefined for the course of
+// default processing.
+rest = pn->pn_head;
+while (rest->pn_next != pnlast)
+rest = rest->pn_next;
+restIsDefn = rest->isDefn();
+if (Emit1(cx, bce, JSOP_REST) < 0)
+return false;
+CheckTypeSet(cx, bce, JSOP_REST);
+// Only set the rest parameter if it's not aliased by a nested
+// function in the body.
+if (restIsDefn) {
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+if (!BindNameToSlot(cx, bce, rest))
+return false;
+if (!EmitVarOp(cx, rest, JSOP_SETARG, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+}
+if (!EmitDefaults(cx, bce, pn))
+return false;
+if (fun->hasRest()) {
+if (restIsDefn && !EmitVarOp(cx, rest, JSOP_SETARG, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+}
+for (ParseNode *pn2 = pn->pn_head; pn2 != pnlast; pn2 = pn2->pn_next) {
+// Only bind the parameter if it's not aliased by a nested function
+// in the body.
+if (!pn2->isDefn())
+continue;
+if (!BindNameToSlot(cx, bce, pn2))
+return false;
+if (pn2->pn_next == pnlast && fun->hasRest() && !hasDefaults) {
+// Fill rest parameter. We handled the case with defaults above.
+JS_ASSERT(!bce->sc->asFunctionBox()->argumentsHasLocalBinding());
+bce->switchToProlog();
+if (Emit1(cx, bce, JSOP_REST) < 0)
+return false;
+CheckTypeSet(cx, bce, JSOP_REST);
+if (!EmitVarOp(cx, pn2, JSOP_SETARG, bce))
+return false;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+bce->switchToMain();
+}
+}
+ok = EmitTree(cx, bce, pnlast);
+break;
+}
+case PNK_IF:
+ok = EmitIf(cx, bce, pn);
+break;
+case PNK_SWITCH:
+ok = EmitSwitch(cx, bce, pn);
+break;
+case PNK_WHILE:
+ok = EmitWhile(cx, bce, pn, top);
+break;
+case PNK_DOWHILE:
+ok = EmitDo(cx, bce, pn);
+break;
+case PNK_FOR:
+ok = EmitFor(cx, bce, pn, top);
+break;
+case PNK_BREAK:
+ok = EmitBreak(cx, bce, pn->as<BreakStatement>().label());
+break;
+case PNK_CONTINUE:
+ok = EmitContinue(cx, bce, pn->as<ContinueStatement>().label());
+break;
+case PNK_WITH:
+ok = EmitWith(cx, bce, pn);
+break;
+case PNK_TRY:
+if (!EmitTry(cx, bce, pn))
+return false;
+break;
+case PNK_CATCH:
+if (!EmitCatch(cx, bce, pn))
+return false;
+break;
+case PNK_VAR:
+case PNK_CONST:
+if (!EmitVariables(cx, bce, pn, InitializeVars))
+return false;
+break;
+case PNK_RETURN:
+ok = EmitReturn(cx, bce, pn);
+break;
+case PNK_YIELD_STAR:
+ok = EmitYieldStar(cx, bce, pn->pn_kid);
+break;
+case PNK_YIELD:
+JS_ASSERT(bce->sc->isFunctionBox());
+if (bce->sc->asFunctionBox()->isStarGenerator()) {
+if (!EmitPrepareIteratorResult(cx, bce))
+return false;
+}
+if (pn->pn_kid) {
+if (!EmitTree(cx, bce, pn->pn_kid))
+return false;
+} else {
+if (Emit1(cx, bce, JSOP_UNDEFINED) < 0)
+return false;
+}
+if (bce->sc->asFunctionBox()->isStarGenerator()) {
+if (!EmitFinishIteratorResult(cx, bce, false))
+return false;
+}
+if (Emit1(cx, bce, JSOP_YIELD) < 0)
+return false;
+break;
+case PNK_STATEMENTLIST:
+ok = EmitStatementList(cx, bce, pn, top);
+break;
+case PNK_SEQ:
+ok = EmitSyntheticStatements(cx, bce, pn, top);
+break;
+case PNK_SEMI:
+ok = EmitStatement(cx, bce, pn);
+break;
+case PNK_LABEL:
+ok = EmitLabeledStatement(cx, bce, &pn->as<LabeledStatement>());
+break;
+case PNK_COMMA:
+{
+for (ParseNode *pn2 = pn->pn_head; ; pn2 = pn2->pn_next) {
+if (!UpdateSourceCoordNotes(cx, bce, pn2->pn_pos.begin))
+return false;
+if (!EmitTree(cx, bce, pn2))
+return false;
+if (!pn2->pn_next)
+break;
+if (Emit1(cx, bce, JSOP_POP) < 0)
+return false;
+}
+break;
+}
+case PNK_ASSIGN:
+case PNK_ADDASSIGN:
+case PNK_SUBASSIGN:
+case PNK_BITORASSIGN:
+case PNK_BITXORASSIGN:
+case PNK_BITANDASSIGN:
+case PNK_LSHASSIGN:
+case PNK_RSHASSIGN:
+case PNK_URSHASSIGN:
+case PNK_MULASSIGN:
+case PNK_DIVASSIGN:
+case PNK_MODASSIGN:
+if (!EmitAssignment(cx, bce, pn->pn_left, pn->getOp(), pn->pn_right))
+return false;
+break;
+case PNK_CONDITIONAL:
+ok = EmitConditionalExpression(cx, bce, pn->as<ConditionalExpression>());
+break;
+case PNK_OR:
+case PNK_AND:
+ok = EmitLogical(cx, bce, pn);
+break;
+case PNK_ADD:
+case PNK_SUB:
+case PNK_BITOR:
+case PNK_BITXOR:
+case PNK_BITAND:
+case PNK_STRICTEQ:
+case PNK_EQ:
+case PNK_STRICTNE:
+case PNK_NE:
+case PNK_LT:
+case PNK_LE:
+case PNK_GT:
+case PNK_GE:
+case PNK_IN:
+case PNK_INSTANCEOF:
+case PNK_LSH:
+case PNK_RSH:
+case PNK_URSH:
+case PNK_STAR:
+case PNK_DIV:
+case PNK_MOD:
+if (pn->isArity(PN_LIST)) {
+/* Left-associative operator chain: avoid too much recursion. */
+ParseNode *pn2 = pn->pn_head;
+if (!EmitTree(cx, bce, pn2))
+return false;
+JSOp op = pn->getOp();
+while ((pn2 = pn2->pn_next) != nullptr) {
+if (!EmitTree(cx, bce, pn2))
+return false;
+if (Emit1(cx, bce, op) < 0)
+return false;
+}
+} else {
+/* Binary operators that evaluate both operands unconditionally. */
+if (!EmitTree(cx, bce, pn->pn_left))
+return false;
+if (!EmitTree(cx, bce, pn->pn_right))
+return false;
+if (Emit1(cx, bce, pn->getOp()) < 0)
+return false;
+}
+break;
+case PNK_THROW:
+case PNK_TYPEOF:
+case PNK_VOID:
+case PNK_NOT:
+case PNK_BITNOT:
+case PNK_POS:
+case PNK_NEG:
+ok = EmitUnary(cx, bce, pn);
+break;
+case PNK_PREINCREMENT:
+case PNK_PREDECREMENT:
+case PNK_POSTINCREMENT:
+case PNK_POSTDECREMENT:
+ok = EmitIncOrDec(cx, bce, pn);
+break;
+case PNK_DELETE:
+ok = EmitDelete(cx, bce, pn);
+break;
+case PNK_DOT:
+ok = EmitPropOp(cx, pn, JSOP_GETPROP, bce);
+break;
+case PNK_ELEM:
+ok = EmitElemOp(cx, pn, JSOP_GETELEM, bce);
+break;
+case PNK_NEW:
+case PNK_CALL:
+case PNK_GENEXP:
+ok = EmitCallOrNew(cx, bce, pn);
+break;
+case PNK_LEXICALSCOPE:
+ok = EmitLexicalScope(cx, bce, pn);
+break;
+case PNK_LET:
+ok = pn->isArity(PN_BINARY)
+? EmitLet(cx, bce, pn)
+: EmitVariables(cx, bce, pn, InitializeVars);
+break;
+case PNK_IMPORT:
+case PNK_EXPORT:
+// TODO: Implement emitter support for modules
+bce->reportError(nullptr, JSMSG_MODULES_NOT_IMPLEMENTED);
+return false;
+case PNK_ARRAYPUSH: {
+/*
+* The array object's stack index is in bce->arrayCompDepth. See below
+* under the array initialiser code generator for array comprehension
+* special casing. Note that the array object is a pure stack value,
+* unaliased by blocks, so we can EmitUnaliasedVarOp.
+*/
+if (!EmitTree(cx, bce, pn->pn_kid))
+return false;
+if (!EmitDupAt(cx, bce, bce->arrayCompDepth))
+return false;
+if (Emit1(cx, bce, JSOP_ARRAYPUSH) < 0)
+return false;
+break;
+}
+case PNK_ARRAY:
+if (!(pn->pn_xflags & PNX_NONCONST) && pn->pn_head && bce->checkSingletonContext())
+ok = EmitSingletonInitialiser(cx, bce, pn);
+else
+ok = EmitArray(cx, bce, pn->pn_head, pn->pn_count);
+break;
+case PNK_ARRAYCOMP:
+ok = EmitArrayComp(cx, bce, pn);
+break;
+case PNK_OBJECT:
+ok = EmitObject(cx, bce, pn);
+break;
+case PNK_NAME:
+if (!EmitNameOp(cx, bce, pn, false))
+return false;
+break;
+case PNK_STRING:
+ok = EmitAtomOp(cx, pn, pn->getOp(), bce);
+break;
+case PNK_NUMBER:
+ok = EmitNumberOp(cx, pn->pn_dval, bce);
+break;
+case PNK_REGEXP:
+ok = EmitRegExp(cx, bce->regexpList.add(pn->as<RegExpLiteral>().objbox()), bce);
+break;
+case PNK_TRUE:
+case PNK_FALSE:
+case PNK_THIS:
+case PNK_NULL:
+if (Emit1(cx, bce, pn->getOp()) < 0)
+return false;
+break;
+case PNK_DEBUGGER:
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.begin))
+return false;
+if (Emit1(cx, bce, JSOP_DEBUGGER) < 0)
+return false;
+break;
+case PNK_NOP:
+JS_ASSERT(pn->getArity() == PN_NULLARY);
+break;
+default:
+JS_ASSERT(0);
+}
+/* bce->emitLevel == 1 means we're last on the stack, so finish up. */
+if (ok && bce->emitLevel == 1) {
+if (!UpdateSourceCoordNotes(cx, bce, pn->pn_pos.end))
+return false;
+}
+return ok;
+}
+static int
+AllocSrcNote(ExclusiveContext *cx, SrcNotesVector &notes)
+{
+// Start it off moderately large to avoid repeated resizings early on.
+if (notes.capacity() == 0 && !notes.reserve(1024))
+return -1;
+jssrcnote dummy = 0;
+if (!notes.append(dummy)) {
+js_ReportOutOfMemory(cx);
+return -1;
+}
+return notes.length() - 1;
+}
+int
+frontend::NewSrcNote(ExclusiveContext *cx, BytecodeEmitter *bce, SrcNoteType type)
+{
+SrcNotesVector &notes = bce->notes();
+int index;
+index = AllocSrcNote(cx, notes);
+if (index < 0)
+return -1;
+/*
+* Compute delta from the last annotated bytecode's offset.  If it's too
+* big to fit in sn, allocate one or more xdelta notes and reset sn.
+*/
+ptrdiff_t offset = bce->offset();
+ptrdiff_t delta = offset - bce->lastNoteOffset();
+bce->current->lastNoteOffset = offset;
+if (delta >= SN_DELTA_LIMIT) {
+do {
+ptrdiff_t xdelta = Min(delta, SN_XDELTA_MASK);
+SN_MAKE_XDELTA(&notes[index], xdelta);
+delta -= xdelta;
+index = AllocSrcNote(cx, notes);
+if (index < 0)
+return -1;
+} while (delta >= SN_DELTA_LIMIT);
+}
+/*
+* Initialize type and delta, then allocate the minimum number of notes
+* needed for type's arity.  Usually, we won't need more, but if an offset
+* does take two bytes, SetSrcNoteOffset will grow notes.
+*/
+SN_MAKE_NOTE(&notes[index], type, delta);
+for (int n = (int)js_SrcNoteSpec[type].arity; n > 0; n--) {
+if (NewSrcNote(cx, bce, SRC_NULL) < 0)
+return -1;
+}
+return index;
+}
+int
+frontend::NewSrcNote2(ExclusiveContext *cx, BytecodeEmitter *bce, SrcNoteType type, ptrdiff_t offset)
+{
+int index;
+index = NewSrcNote(cx, bce, type);
+if (index >= 0) {
+if (!SetSrcNoteOffset(cx, bce, index, 0, offset))
+return -1;
+}
+return index;
+}
+int
+frontend::NewSrcNote3(ExclusiveContext *cx, BytecodeEmitter *bce, SrcNoteType type, ptrdiff_t offset1,
+ptrdiff_t offset2)
+{
+int index;
+index = NewSrcNote(cx, bce, type);
+if (index >= 0) {
+if (!SetSrcNoteOffset(cx, bce, index, 0, offset1))
+return -1;
+if (!SetSrcNoteOffset(cx, bce, index, 1, offset2))
+return -1;
+}
+return index;
+}
+bool
+frontend::AddToSrcNoteDelta(ExclusiveContext *cx, BytecodeEmitter *bce, jssrcnote *sn, ptrdiff_t delta)
+{
+/*
+* Called only from FinishTakingSrcNotes to add to main script note
+* deltas, and only by a small positive amount.
+*/
+JS_ASSERT(bce->current == &bce->main);
+JS_ASSERT((unsigned) delta < (unsigned) SN_XDELTA_LIMIT);
+ptrdiff_t base = SN_DELTA(sn);
+ptrdiff_t limit = SN_IS_XDELTA(sn) ? SN_XDELTA_LIMIT : SN_DELTA_LIMIT;
+ptrdiff_t newdelta = base + delta;
+if (newdelta < limit) {
+SN_SET_DELTA(sn, newdelta);
+} else {
+jssrcnote xdelta;
+SN_MAKE_XDELTA(&xdelta, delta);
+if (!(sn = bce->main.notes.insert(sn, xdelta)))
+return false;
+}
+return true;
+}
+static bool
+SetSrcNoteOffset(ExclusiveContext *cx, BytecodeEmitter *bce, unsigned index, unsigned which,
+ptrdiff_t offset)
+{
+if (size_t(offset) > SN_MAX_OFFSET) {
+ReportStatementTooLarge(bce->parser->tokenStream, bce->topStmt);
+return false;
+}
+SrcNotesVector &notes = bce->notes();
+/* Find the offset numbered which (i.e., skip exactly which offsets). */
+jssrcnote *sn = notes.begin() + index;
+JS_ASSERT(SN_TYPE(sn) != SRC_XDELTA);
+JS_ASSERT((int) which < js_SrcNoteSpec[SN_TYPE(sn)].arity);
+for (sn++; which; sn++, which--) {
+if (*sn & SN_4BYTE_OFFSET_FLAG)
+sn += 3;
+}
+/*
+* See if the new offset requires three bytes either by being too big or if
+* the offset has already been inflated (in which case, we need to stay big
+* to not break the srcnote encoding if this isn't the last srcnote).
+*/
+if (offset > (ptrdiff_t)SN_4BYTE_OFFSET_MASK || (*sn & SN_4BYTE_OFFSET_FLAG)) {
+/* Maybe this offset was already set to a three-byte value. */
+if (!(*sn & SN_4BYTE_OFFSET_FLAG)) {
+/* Insert two dummy bytes that will be overwritten shortly. */
+jssrcnote dummy = 0;
+if (!(sn = notes.insert(sn, dummy)) ||
+!(sn = notes.insert(sn, dummy)) ||
+!(sn = notes.insert(sn, dummy)))
+{
+js_ReportOutOfMemory(cx);
+return false;
+}
+}
+*sn++ = (jssrcnote)(SN_4BYTE_OFFSET_FLAG | (offset >> 24));
+*sn++ = (jssrcnote)(offset >> 16);
+*sn++ = (jssrcnote)(offset >> 8);
+}
+*sn = (jssrcnote)offset;
+return true;
+}
+/*
+* Finish taking source notes in cx's notePool.
+* If successful, the final source note count is stored in the out outparam.
+*/
+bool
+frontend::FinishTakingSrcNotes(ExclusiveContext *cx, BytecodeEmitter *bce, uint32_t *out)
+{
+JS_ASSERT(bce->current == &bce->main);
+unsigned prologCount = bce->prolog.notes.length();
+if (prologCount && bce->prolog.currentLine != bce->firstLine) {
+bce->switchToProlog();
+if (NewSrcNote2(cx, bce, SRC_SETLINE, (ptrdiff_t)bce->firstLine) < 0)
+return false;
+bce->switchToMain();
+} else {
+/*
+* Either no prolog srcnotes, or no line number change over prolog.
+* We don't need a SRC_SETLINE, but we may need to adjust the offset
+* of the first main note, by adding to its delta and possibly even
+* prepending SRC_XDELTA notes to it to account for prolog bytecodes
+* that came at and after the last annotated bytecode.
+*/
+ptrdiff_t offset = bce->prologOffset() - bce->prolog.lastNoteOffset;
+JS_ASSERT(offset >= 0);
+if (offset > 0 && bce->main.notes.length() != 0) {
+/* NB: Use as much of the first main note's delta as we can. */
+jssrcnote *sn = bce->main.notes.begin();
+ptrdiff_t delta = SN_IS_XDELTA(sn)
+? SN_XDELTA_MASK - (*sn & SN_XDELTA_MASK)
+: SN_DELTA_MASK - (*sn & SN_DELTA_MASK);
+if (offset < delta)
+delta = offset;
+for (;;) {
+if (!AddToSrcNoteDelta(cx, bce, sn, delta))
+return false;
+offset -= delta;
+if (offset == 0)
+break;
+delta = Min(offset, SN_XDELTA_MASK);
+sn = bce->main.notes.begin();
+}
+}
+}
+// The prolog count might have changed, so we can't reuse prologCount.
+// The + 1 is to account for the final SN_MAKE_TERMINATOR that is appended
+// when the notes are copied to their final destination by CopySrcNotes.
+*out = bce->prolog.notes.length() + bce->main.notes.length() + 1;
+return true;
+}
+void
+frontend::CopySrcNotes(BytecodeEmitter *bce, jssrcnote *destination, uint32_t nsrcnotes)
+{
+unsigned prologCount = bce->prolog.notes.length();
+unsigned mainCount = bce->main.notes.length();
+unsigned totalCount = prologCount + mainCount;
+MOZ_ASSERT(totalCount == nsrcnotes - 1);
+if (prologCount)
+PodCopy(destination, bce->prolog.notes.begin(), prologCount);
+PodCopy(destination + prologCount, bce->main.notes.begin(), mainCount);
+SN_MAKE_TERMINATOR(&destination[totalCount]);
+}
+void
+CGConstList::finish(ConstArray *array)
+{
+JS_ASSERT(length() == array->length);
+for (unsigned i = 0; i < length(); i++)
+array->vector[i] = list[i];
+}
+/*
+* Find the index of the given object for code generator.
+*
+* Since the emitter refers to each parsed object only once, for the index we
+* use the number of already indexes objects. We also add the object to a list
+* to convert the list to a fixed-size array when we complete code generation,
+* see js::CGObjectList::finish below.
+*
+* Most of the objects go to BytecodeEmitter::objectList but for regexp we use
+* a separated BytecodeEmitter::regexpList. In this way the emitted index can
+* be directly used to store and fetch a reference to a cloned RegExp object
+* that shares the same JSRegExp private data created for the object literal in
+* objbox. We need a cloned object to hold lastIndex and other direct
+* properties that should not be shared among threads sharing a precompiled
+* function or script.
+*
+* If the code being compiled is function code, allocate a reserved slot in
+* the cloned function object that shares its precompiled script with other
+* cloned function objects and with the compiler-created clone-parent. There
+* are nregexps = script->regexps()->length such reserved slots in each
+* function object cloned from fun->object. NB: during compilation, a funobj
+* slots element must never be allocated, because JSObject::allocSlot could
+* hand out one of the slots that should be given to a regexp clone.
+*
+* If the code being compiled is global code, the cloned regexp are stored in
+* fp->vars slot and to protect regexp slots from GC we set fp->nvars to
+* nregexps.
+*
+* The slots initially contain undefined or null. We populate them lazily when
+* JSOP_REGEXP is executed for the first time.
+*
+* Why clone regexp objects?  ECMA specifies that when a regular expression
+* literal is scanned, a RegExp object is created.  In the spec, compilation
+* and execution happen indivisibly, but in this implementation and many of
+* its embeddings, code is precompiled early and re-executed in multiple
+* threads, or using multiple global objects, or both, for efficiency.
+*
+* In such cases, naively following ECMA leads to wrongful sharing of RegExp
+* objects, which makes for collisions on the lastIndex property (especially
+* for global regexps) and on any ad-hoc properties.  Also, __proto__ refers to
+* the pre-compilation prototype, a pigeon-hole problem for instanceof tests.
+*/
+unsigned
+CGObjectList::add(ObjectBox *objbox)
+{
+JS_ASSERT(!objbox->emitLink);
+objbox->emitLink = lastbox;
+lastbox = objbox;
+return length++;
+}
+unsigned
+CGObjectList::indexOf(JSObject *obj)
+{
+JS_ASSERT(length > 0);
+unsigned index = length - 1;
+for (ObjectBox *box = lastbox; box->object != obj; box = box->emitLink)
+index--;
+return index;
+}
+void
+CGObjectList::finish(ObjectArray *array)
+{
+JS_ASSERT(length <= INDEX_LIMIT);
+JS_ASSERT(length == array->length);
+js::HeapPtrObject *cursor = array->vector + array->length;
+ObjectBox *objbox = lastbox;
+do {
+--cursor;
+JS_ASSERT(!*cursor);
+*cursor = objbox->object;
+} while ((objbox = objbox->emitLink) != nullptr);
+JS_ASSERT(cursor == array->vector);
+}
+ObjectBox*
+CGObjectList::find(uint32_t index)
+{
+JS_ASSERT(index < length);
+ObjectBox *box = lastbox;
+for (unsigned n = length - 1; n > index; n--)
+box = box->emitLink;
+return box;
+}
+bool
+CGTryNoteList::append(JSTryNoteKind kind, uint32_t stackDepth, size_t start, size_t end)
+{
+JS_ASSERT(start <= end);
+JS_ASSERT(size_t(uint32_t(start)) == start);
+JS_ASSERT(size_t(uint32_t(end)) == end);
+JSTryNote note;
+note.kind = kind;
+note.stackDepth = stackDepth;
+note.start = uint32_t(start);
+note.length = uint32_t(end - start);
+return list.append(note);
+}
+void
+CGTryNoteList::finish(TryNoteArray *array)
+{
+JS_ASSERT(length() == array->length);
+for (unsigned i = 0; i < length(); i++)
+array->vector[i] = list[i];
+}
+bool
+CGBlockScopeList::append(uint32_t scopeObject, uint32_t offset, uint32_t parent)
+{
+BlockScopeNote note;
+mozilla::PodZero(&note);
+note.index = scopeObject;
+note.start = offset;
+note.parent = parent;
+return list.append(note);
+}
+uint32_t
+CGBlockScopeList::findEnclosingScope(uint32_t index)
+{
+JS_ASSERT(index < length());
+JS_ASSERT(list[index].index != BlockScopeNote::NoBlockScopeIndex);
+DebugOnly<uint32_t> pos = list[index].start;
+while (index--) {
+JS_ASSERT(list[index].start <= pos);
+if (list[index].length == 0) {
+// We are looking for the nearest enclosing live scope.  If the
+// scope contains POS, it should still be open, so its length should
+// be zero.
+return list[index].index;
+} else {
+// Conversely, if the length is not zero, it should not contain
+// POS.
+JS_ASSERT(list[index].start + list[index].length <= pos);
+}
+}
+return BlockScopeNote::NoBlockScopeIndex;
+}
+void
+CGBlockScopeList::recordEnd(uint32_t index, uint32_t offset)
+{
+JS_ASSERT(index < length());
+JS_ASSERT(offset >= list[index].start);
+JS_ASSERT(list[index].length == 0);
+list[index].length = offset - list[index].start;
+}
+void
+CGBlockScopeList::finish(BlockScopeArray *array)
+{
+JS_ASSERT(length() == array->length);
+for (unsigned i = 0; i < length(); i++)
+array->vector[i] = list[i];
+}
+/*
+* We should try to get rid of offsetBias (always 0 or 1, where 1 is
+* JSOP_{NOP,POP}_LENGTH), which is used only by SRC_FOR.
+*/
+const JSSrcNoteSpec js_SrcNoteSpec[] = {
+#define DEFINE_SRC_NOTE_SPEC(sym, name, arity) { name, arity },
+FOR_EACH_SRC_NOTE_TYPE(DEFINE_SRC_NOTE_SPEC)
+#undef DEFINE_SRC_NOTE_SPEC
+};
+static int
+SrcNoteArity(jssrcnote *sn)
+{
+JS_ASSERT(SN_TYPE(sn) < SRC_LAST);
+return js_SrcNoteSpec[SN_TYPE(sn)].arity;
+}
+JS_FRIEND_API(unsigned)
+js_SrcNoteLength(jssrcnote *sn)
+{
+unsigned arity;
+jssrcnote *base;
+arity = SrcNoteArity(sn);
+for (base = sn++; arity; sn++, arity--) {
+if (*sn & SN_4BYTE_OFFSET_FLAG)
+sn += 3;
+}
+return sn - base;
+}
+JS_FRIEND_API(ptrdiff_t)
+js_GetSrcNoteOffset(jssrcnote *sn, unsigned which)
+{
+/* Find the offset numbered which (i.e., skip exactly which offsets). */
+JS_ASSERT(SN_TYPE(sn) != SRC_XDELTA);
+JS_ASSERT((int) which < SrcNoteArity(sn));
+for (sn++; which; sn++, which--) {
+if (*sn & SN_4BYTE_OFFSET_FLAG)
+sn += 3;
+}
+if (*sn & SN_4BYTE_OFFSET_FLAG) {
+return (ptrdiff_t)(((uint32_t)(sn[0] & SN_4BYTE_OFFSET_MASK) << 24)
+| (sn[1] << 16)
+| (sn[2] << 8)
+| sn[3]);
+}
+return (ptrdiff_t)*sn;
+}

The Tor Browser / file comparison

comparison: js/src/frontend/BytecodeEmitter.cpp

js/src/frontend/BytecodeEmitter.cpp