diff --git a/lib/Backend/BackwardPass.cpp b/lib/Backend/BackwardPass.cpp index d6677c5dc7d..487db2a1c64 100644 --- a/lib/Backend/BackwardPass.cpp +++ b/lib/Backend/BackwardPass.cpp @@ -4847,7 +4847,7 @@ BackwardPass::ProcessNewScObject(IR::Instr* instr) // The instruction could have a lazy bailout associated with it, which might get cleared // later, so we make sure that we only process instructions with the right bailout kind. - if (instr->HasBailOutInfo() && instr->GetBailOutKind() == IR::BailOutFailedCtorGuardCheck) + if (instr->HasBailOutInfo() && instr->GetBailOutKindNoBits() == IR::BailOutFailedCtorGuardCheck) { Assert(instr->IsProfiledInstr()); Assert(instr->GetDst()->IsRegOpnd()); diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp index 2bc30f7428a..2c2b8733bf0 100644 --- a/lib/Backend/GlobOpt.cpp +++ b/lib/Backend/GlobOpt.cpp @@ -13514,6 +13514,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) const bool useValueTypes = !IsLoopPrePass(); // Source value types are not guaranteed to be correct in a loop prepass switch(instr->m_opcode) { + case Js::OpCode::StElemC: case Js::OpCode::StElemI_A: case Js::OpCode::StElemI_A_Strict: { @@ -13564,8 +13565,13 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) } break; + case Js::OpCode::ConsoleScopedStFld: + case Js::OpCode::ConsoleScopedStFldStrict: + case Js::OpCode::ScopedStFld: + case Js::OpCode::ScopedStFldStrict: case Js::OpCode::StFld: case Js::OpCode::StFldStrict: + case Js::OpCode::StSuperFld: { Assert(instr->GetDst()); @@ -13777,6 +13783,7 @@ GlobOpt::CheckJsArrayKills(IR::Instr *const instr) break; case Js::OpCode::NewScObjectNoCtor: + case Js::OpCode::NewScObjectNoCtorFull: if(doNativeArrayTypeSpec) { // Class/object construction can make something a prototype diff --git a/lib/Backend/GlobOptArrays.cpp b/lib/Backend/GlobOptArrays.cpp index c0ea7d88090..5460e62ad9f 100644 --- a/lib/Backend/GlobOptArrays.cpp +++ b/lib/Backend/GlobOptArrays.cpp @@ -1746,7 +1746,14 @@ void GlobOpt::ArraySrcOpt::Optimize() { if (newBaseValueType != baseValueType) { - UpdateValue(nullptr, nullptr, nullptr); + if (globOpt->IsSafeToTransferInPrePass(baseOpnd, baseValue)) + { + UpdateValue(nullptr, nullptr, nullptr); + } + else if (isLikelyJsArray && globOpt->IsOperationThatLikelyKillsJsArraysWithNoMissingValues(instr) && baseValueInfo->HasNoMissingValues()) + { + globOpt->ChangeValueType(nullptr, baseValue, baseValueInfo->Type().SetHasNoMissingValues(false), true); + } } // For javascript arrays and objects with javascript arrays: diff --git a/lib/Backend/GlobOptBailOut.cpp b/lib/Backend/GlobOptBailOut.cpp index fe586ea1a39..b8a1917deec 100644 --- a/lib/Backend/GlobOptBailOut.cpp +++ b/lib/Backend/GlobOptBailOut.cpp @@ -1499,6 +1499,14 @@ GlobOpt::MayNeedBailOnImplicitCall(IR::Instr const * instr, Value const * src1Va ); } + case Js::OpCode::NewScObjectNoCtor: + if (instr->HasBailOutInfo() && (instr->GetBailOutKind() & ~IR::BailOutKindBits) == IR::BailOutFailedCtorGuardCheck) + { + // No helper call with this bailout. + return false; + } + break; + default: break; } diff --git a/lib/Backend/GlobOptExpr.cpp b/lib/Backend/GlobOptExpr.cpp index cc1d4ff0820..d95b63779ce 100644 --- a/lib/Backend/GlobOptExpr.cpp +++ b/lib/Backend/GlobOptExpr.cpp @@ -814,20 +814,28 @@ GlobOpt::ProcessArrayValueKills(IR::Instr *instr) { switch (instr->m_opcode) { + case Js::OpCode::StElemC: case Js::OpCode::StElemI_A: case Js::OpCode::StElemI_A_Strict: case Js::OpCode::DeleteElemI_A: case Js::OpCode::DeleteElemIStrict_A: + case Js::OpCode::ConsoleScopedStFld: + case Js::OpCode::ConsoleScopedStFldStrict: + case Js::OpCode::ScopedStFld: + case Js::OpCode::ScopedStFldStrict: case Js::OpCode::StFld: case Js::OpCode::StRootFld: case Js::OpCode::StFldStrict: case Js::OpCode::StRootFldStrict: + case Js::OpCode::StSuperFld: case Js::OpCode::StSlot: case Js::OpCode::StSlotChkUndecl: case Js::OpCode::DeleteFld: case Js::OpCode::DeleteRootFld: case Js::OpCode::DeleteFldStrict: case Js::OpCode::DeleteRootFldStrict: + case Js::OpCode::ScopedDeleteFld: + case Js::OpCode::ScopedDeleteFldStrict: case Js::OpCode::StArrViewElem: // These array helpers may change A.length (and A[i] could be A.length)... case Js::OpCode::InlineArrayPush: diff --git a/lib/Backend/GlobOptFields.cpp b/lib/Backend/GlobOptFields.cpp index 9523e49e240..6f1f04c1ba5 100644 --- a/lib/Backend/GlobOptFields.cpp +++ b/lib/Backend/GlobOptFields.cpp @@ -327,6 +327,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo IR::JnHelperMethod fnHelper; switch(instr->m_opcode) { + case Js::OpCode::StElemC: case Js::OpCode::StElemI_A: case Js::OpCode::StElemI_A_Strict: Assert(dstOpnd != nullptr); @@ -358,6 +359,8 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo case Js::OpCode::DeleteRootFld: case Js::OpCode::DeleteFldStrict: case Js::OpCode::DeleteRootFldStrict: + case Js::OpCode::ScopedDeleteFld: + case Js::OpCode::ScopedDeleteFldStrict: sym = instr->GetSrc1()->AsSymOpnd()->m_sym; KillLiveFields(sym->AsPropertySym(), bv); if (inGlobOpt) @@ -379,13 +382,36 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo this->KillAllObjectTypes(bv); } break; + + case Js::OpCode::ConsoleScopedStFld: + case Js::OpCode::ConsoleScopedStFldStrict: + case Js::OpCode::ScopedStFld: + case Js::OpCode::ScopedStFldStrict: + // This is already taken care of for FastFld opcodes + + if (inGlobOpt) + { + KillObjectHeaderInlinedTypeSyms(this->currentBlock, false); + } + + // fall through + case Js::OpCode::InitFld: + case Js::OpCode::InitConstFld: + case Js::OpCode::InitLetFld: + case Js::OpCode::InitRootFld: + case Js::OpCode::InitRootConstFld: + case Js::OpCode::InitRootLetFld: +#if !FLOATVAR + case Js::OpCode::StSlotBoxTemp: +#endif case Js::OpCode::StFld: case Js::OpCode::StRootFld: case Js::OpCode::StFldStrict: case Js::OpCode::StRootFldStrict: case Js::OpCode::StSlot: case Js::OpCode::StSlotChkUndecl: + case Js::OpCode::StSuperFld: Assert(dstOpnd != nullptr); sym = dstOpnd->AsSymOpnd()->m_sym; if (inGlobOpt) @@ -407,11 +433,19 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo case Js::OpCode::InlineArrayPush: case Js::OpCode::InlineArrayPop: - KillLiveFields(this->lengthEquivBv, bv); - if (inGlobOpt) + if(instr->m_func->GetThisOrParentInlinerHasArguments()) { - // Deleting an item, or pushing a property to a non-array, may change object layout - KillAllObjectTypes(bv); + this->KillAllFields(bv); + this->SetAnyPropertyMayBeWrittenTo(); + } + else + { + KillLiveFields(this->lengthEquivBv, bv); + if (inGlobOpt) + { + // Deleting an item, or pushing a property to a non-array, may change object layout + KillAllObjectTypes(bv); + } } break; @@ -436,14 +470,23 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo // Kill length field for built-ins that can update it. if (nullptr != this->lengthEquivBv) { - KillLiveFields(this->lengthEquivBv, bv); + // If has arguments, all fields are killed in fall through + if (!instr->m_func->GetThisOrParentInlinerHasArguments()) + { + KillLiveFields(this->lengthEquivBv, bv); + } } // fall through case IR::JnHelperMethod::HelperArray_Reverse: - // Deleting an item may change object layout - if (inGlobOpt) + if (instr->m_func->GetThisOrParentInlinerHasArguments()) + { + this->KillAllFields(bv); + this->SetAnyPropertyMayBeWrittenTo(); + } + else if (inGlobOpt) { + // Deleting an item may change object layout KillAllObjectTypes(bv); } break; @@ -484,6 +527,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse *bv, bo case Js::OpCode::InitClass: case Js::OpCode::InitProto: case Js::OpCode::NewScObjectNoCtor: + case Js::OpCode::NewScObjectNoCtorFull: if (inGlobOpt) { // Opcodes that make an object into a prototype may break object-header-inlining and final type opt. diff --git a/lib/Backend/IRBuilder.cpp b/lib/Backend/IRBuilder.cpp index 99d6c1a4120..8690bec38ab 100644 --- a/lib/Backend/IRBuilder.cpp +++ b/lib/Backend/IRBuilder.cpp @@ -1674,7 +1674,7 @@ IRBuilder::BuildReg1(Js::OpCode newOpcode, uint32 offset, Js::RegSlot R0) } case Js::OpCode::NewScObjectSimple: - dstValueType = ValueType::GetObject(ObjectType::Object); + dstValueType = ValueType::GetObject(ObjectType::UninitializedObject); // fall-through case Js::OpCode::LdFuncExpr: m_func->DisableCanDoInlineArgOpt(); @@ -4992,7 +4992,7 @@ IRBuilder::BuildAuxiliary(Js::OpCode newOpcode, uint32 offset) // lower take it from there... srcOpnd = IR::IntConstOpnd::New(auxInsn->Offset, TyUint32, m_func); dstOpnd = this->BuildDstOpnd(dstRegSlot); - dstOpnd->SetValueType(ValueType::GetObject(ObjectType::Object)); + dstOpnd->SetValueType(ValueType::GetObject(ObjectType::UninitializedObject)); instr = IR::Instr::New(newOpcode, dstOpnd, srcOpnd, m_func); // Because we're going to be making decisions based off the value, we have to defer diff --git a/lib/Backend/Inline.cpp b/lib/Backend/Inline.cpp index 00fddd07435..a6a6f917497 100644 --- a/lib/Backend/Inline.cpp +++ b/lib/Backend/Inline.cpp @@ -4501,6 +4501,8 @@ Inline::SplitConstructorCallCommon( { createObjInstr->SetByteCodeOffset(newObjInstr); createObjInstr->GetSrc1()->SetIsJITOptimizedReg(true); + // We're splitting a single byte code, so the interpreter has to resume from the beginning if we bail out. + createObjInstr->forcePreOpBailOutIfNeeded = true; newObjInstr->InsertBefore(createObjInstr); createObjDst->SetValueType(ValueType::GetObject(ObjectType::UninitializedObject)); diff --git a/lib/Backend/Lower.cpp b/lib/Backend/Lower.cpp index 2b4323d4aff..3a2e89454fa 100644 --- a/lib/Backend/Lower.cpp +++ b/lib/Backend/Lower.cpp @@ -4580,18 +4580,40 @@ Lowerer::LowerNewScObject(IR::Instr *newObjInstr, bool callCtor, bool hasArgs, b { Assert(!newObjDst->CanStoreTemp()); // createObjDst = NewScObject...(ctorOpnd) - newScHelper = !callCtor ? - (isBaseClassConstructorNewScObject ? - (hasArgs ? IR::HelperNewScObjectNoCtorFull : IR::HelperNewScObjectNoArgNoCtorFull) : - (hasArgs ? IR::HelperNewScObjectNoCtor : IR::HelperNewScObjectNoArgNoCtor)) : - (hasArgs || usedFixedCtorCache ? IR::HelperNewScObjectNoCtor : IR::HelperNewScObjectNoArg); LoadScriptContext(newObjInstr); - m_lowererMD.LoadHelperArgument(newObjInstr, newObjInstr->GetSrc1()); - newScObjCall = IR::Instr::New(Js::OpCode::Call, createObjDst, IR::HelperCallOpnd::New(newScHelper, func), func); - newObjInstr->InsertBefore(newScObjCall); - m_lowererMD.LowerCall(newScObjCall, 0); + if (callCtor) + { + newScHelper = (hasArgs || usedFixedCtorCache ? IR::HelperNewScObjectNoCtor : IR::HelperNewScObjectNoArg); + + m_lowererMD.LoadHelperArgument(newObjInstr, newObjInstr->GetSrc1()); + + newScObjCall = IR::Instr::New(Js::OpCode::Call, createObjDst, IR::HelperCallOpnd::New(newScHelper, func), func); + newObjInstr->InsertBefore(newScObjCall); + m_lowererMD.LowerCall(newScObjCall, 0); + } + else + { + newScHelper = + (isBaseClassConstructorNewScObject ? + (hasArgs ? IR::HelperNewScObjectNoCtorFull : IR::HelperNewScObjectNoArgNoCtorFull) : + (hasArgs ? IR::HelperNewScObjectNoCtor : IR::HelperNewScObjectNoArgNoCtor)); + + // Branch around the helper call to execute the inlined ctor. + Assert(callCtorLabel != nullptr); + newObjInstr->InsertAfter(callCtorLabel); + + // Change the NewScObject* to a helper call on the spot. This generates implicit call bailout for us if we need one. + m_lowererMD.LoadHelperArgument(newObjInstr, newObjInstr->UnlinkSrc1()); + m_lowererMD.ChangeToHelperCall(newObjInstr, newScHelper); + + // Then we're done. + Assert(createObjDst == newObjDst); + + // Return the first instruction above the region we've just lowered. + return RemoveLoweredRegionStartMarker(startMarkerInstr); + } } } @@ -4836,9 +4858,6 @@ bool Lowerer::TryLowerNewScObjectWithFixedCtorCache(IR::Instr* newObjInstr, IR:: skipNewScObj = false; returnNewScObj = false; - AssertMsg(!PHASE_OFF(Js::ObjTypeSpecNewObjPhase, this->m_func) || !newObjInstr->HasBailOutInfo(), - "Why do we have bailout on NewScObject when ObjTypeSpecNewObj is off?"); - if (PHASE_OFF(Js::FixedNewObjPhase, newObjInstr->m_func) && PHASE_OFF(Js::ObjTypeSpecNewObjPhase, this->m_func)) { return false; @@ -4846,11 +4865,11 @@ bool Lowerer::TryLowerNewScObjectWithFixedCtorCache(IR::Instr* newObjInstr, IR:: JITTimeConstructorCache * ctorCache; - if (newObjInstr->HasBailOutInfo() && !newObjInstr->HasLazyBailOut()) + if (newObjInstr->HasBailOutInfo() && !newObjInstr->HasLazyBailOut() && newObjInstr->GetBailOutKindNoBits() == IR::BailOutFailedCtorGuardCheck) { Assert(newObjInstr->IsNewScObjectInstr()); Assert(newObjInstr->IsProfiledInstr()); - Assert(newObjInstr->GetBailOutKind() == IR::BailOutFailedCtorGuardCheck || newObjInstr->HasLazyBailOut()); + Assert(newObjInstr->GetBailOutKindNoBits() == IR::BailOutFailedCtorGuardCheck || newObjInstr->HasLazyBailOut()); emitBailOut = true; diff --git a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp index 26876d59fb0..d329f6b1a4e 100644 --- a/lib/Runtime/ByteCode/ByteCodeEmitter.cpp +++ b/lib/Runtime/ByteCode/ByteCodeEmitter.cpp @@ -3636,6 +3636,7 @@ void ByteCodeGenerator::StartEmitFunction(ParseNodeFnc *pnodeFnc) #if ENABLE_TTD && !funcInfo->GetParsedFunctionBody()->GetScriptContext()->GetThreadContext()->IsRuntimeInTTDMode() #endif + && !funcInfo->byteCodeFunction->IsCoroutine() ); if (funcInfo->GetHasCachedScope()) @@ -4051,6 +4052,11 @@ void ByteCodeGenerator::StartEmitCatch(ParseNodeCatch *pnodeCatch) sym->SetIsGlobalCatch(true); } + if (sym->NeedsScopeObject()) + { + scope->SetIsObject(); + } + Assert(sym->GetScopeSlot() == Js::Constants::NoProperty); if (sym->NeedsSlotAlloc(this, funcInfo)) { @@ -4071,6 +4077,11 @@ void ByteCodeGenerator::StartEmitCatch(ParseNodeCatch *pnodeCatch) sym->SetIsGlobalCatch(true); } + if (sym->NeedsScopeObject()) + { + scope->SetIsObject(); + } + if (scope->GetMustInstantiate()) { if (sym->IsInSlot(this, funcInfo)) diff --git a/lib/Runtime/ByteCode/ByteCodeGenerator.cpp b/lib/Runtime/ByteCode/ByteCodeGenerator.cpp index 3b3ca3c5e64..42ee019901a 100644 --- a/lib/Runtime/ByteCode/ByteCodeGenerator.cpp +++ b/lib/Runtime/ByteCode/ByteCodeGenerator.cpp @@ -119,10 +119,10 @@ void EndVisitBlock(ParseNodeBlock *pnode, ByteCodeGenerator *byteCodeGenerator) Scope *scope = pnode->scope; FuncInfo *func = scope->GetFunc(); - if (!byteCodeGenerator->IsInDebugMode() && - scope->HasInnerScopeIndex()) + if (!(byteCodeGenerator->IsInDebugMode() || func->byteCodeFunction->IsCoroutine()) + && scope->HasInnerScopeIndex()) { - // In debug mode, don't release the current index, as we're giving each scope a unique index, regardless + // In debug mode (or for the generator/async function), don't release the current index, as we're giving each scope a unique index, regardless // of nesting. Assert(scope->GetInnerScopeIndex() == func->CurrentInnerScopeIndex()); func->ReleaseInnerScopeIndex(); @@ -155,12 +155,12 @@ void BeginVisitCatch(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator) void EndVisitCatch(ParseNode *pnode, ByteCodeGenerator *byteCodeGenerator) { Scope *scope = pnode->AsParseNodeCatch()->scope; + FuncInfo *func = scope->GetFunc(); - if (scope->HasInnerScopeIndex() && !byteCodeGenerator->IsInDebugMode()) + if (scope->HasInnerScopeIndex() && !(byteCodeGenerator->IsInDebugMode() || func->byteCodeFunction->IsCoroutine())) { - // In debug mode, don't release the current index, as we're giving each scope a unique index, + // In debug mode (or for the generator/async function), don't release the current index, as we're giving each scope a unique index, // regardless of nesting. - FuncInfo *func = scope->GetFunc(); Assert(scope->GetInnerScopeIndex() == func->CurrentInnerScopeIndex()); func->ReleaseInnerScopeIndex(); diff --git a/lib/Runtime/ByteCode/OpCodes.h b/lib/Runtime/ByteCode/OpCodes.h index 66d9f67cd66..4df19dede87 100755 --- a/lib/Runtime/ByteCode/OpCodes.h +++ b/lib/Runtime/ByteCode/OpCodes.h @@ -578,8 +578,8 @@ MACRO_EXTEND_WMS_AND_PROFILED(NewScObjectSpread, CallIExtended, OpSideEffect|O MACRO_WMS_PROFILED2( NewScObjArray, CallI, OpSideEffect|OpUseAllFields|OpCallInstr) // Create new ScriptObject instance MACRO_WMS_PROFILED2( NewScObjArraySpread, CallIExtended, OpSideEffect|OpUseAllFields|OpCallInstr) // Create new ScriptObject instance MACRO( NewScObject_A, Auxiliary, OpSideEffect|OpUseAllFields) // Create new ScriptObject instance passing only constants -MACRO_WMS( NewScObjectNoCtorFull, Reg2, OpTempObjectCanStoreTemp) // Create new object that will be used for the 'this' binding in a base class constructor -MACRO_BACKEND_ONLY( NewScObjectNoCtor, Empty, OpTempObjectCanStoreTemp) // Create new object that will be passed into a constructor +MACRO_WMS( NewScObjectNoCtorFull, Reg2, OpTempObjectCanStoreTemp|OpHasImplicitCall) // Create new object that will be used for the 'this' binding in a base class constructor +MACRO_BACKEND_ONLY( NewScObjectNoCtor, Empty, OpTempObjectCanStoreTemp|OpHasImplicitCall) // Create new object that will be passed into a constructor MACRO_BACKEND_ONLY( GetNewScObject, Empty, OpTempObjectTransfer) // Determine which object to finally use as the result of NewScObject (object passed into constructor as 'this', or object returned by constructor) MACRO_BACKEND_ONLY( UpdateNewScObjectCache, Empty, None) // Update the cache used for NewScObject MACRO_WMS( NewScObjectSimple, Reg1, OpTempObjectCanStoreTemp) diff --git a/lib/Runtime/Debug/DebugContext.cpp b/lib/Runtime/Debug/DebugContext.cpp index 7f9eb30c8a0..35379ddf6de 100644 --- a/lib/Runtime/Debug/DebugContext.cpp +++ b/lib/Runtime/Debug/DebugContext.cpp @@ -193,6 +193,11 @@ namespace Js Js::TempArenaAllocatorObject *tempAllocator = nullptr; JsUtil::List* pFunctionsToRegister = nullptr; JsUtil::List* utf8SourceInfoList = nullptr; + typedef JsUtil::BaseDictionary FunctionStartToYieldRegister; + + // This container ensures that for Generator/Async functions the yield register is same between non-debug to debug parse. + // Each entry represent a function's start position (each function will have unique start position in a file) and that function yield register + FunctionStartToYieldRegister *yieldFunctions = nullptr; HRESULT hr = S_OK; ThreadContext* threadContext = this->scriptContext->GetThreadContext(); @@ -201,6 +206,7 @@ namespace Js tempAllocator = threadContext->GetTemporaryAllocator(_u("debuggerAlloc")); utf8SourceInfoList = JsUtil::List::New(this->scriptContext->GetRecycler()); + yieldFunctions = Anew(tempAllocator->GetAllocator(), FunctionStartToYieldRegister, tempAllocator->GetAllocator()); this->MapUTF8SourceInfoUntil([&](Js::Utf8SourceInfo * sourceInfo) -> bool { @@ -276,6 +282,23 @@ namespace Js this->hostDebugContext->SetThreadDescription(sourceInfo->GetSourceContextInfo()->url); // the HRESULT is omitted. } + if (shouldReparseFunctions) + { + yieldFunctions->Clear(); + BEGIN_TRANSLATE_OOM_TO_HRESULT_NESTED + { + sourceInfo->MapFunction([&](Js::FunctionBody *const pFuncBody) + { + if (pFuncBody->IsCoroutine() && pFuncBody->GetYieldRegister() != Js::Constants::NoRegister) + { + yieldFunctions->Add(pFuncBody->StartInDocument(), pFuncBody->GetYieldRegister()); + } + }); + } + END_TRANSLATE_OOM_TO_HRESULT(hr); + DEBUGGER_ATTACHDETACH_FATAL_ERROR_IF_FAILED(hr); + } + bool fHasDoneSourceRundown = false; for (int i = 0; i < pFunctionsToRegister->Count(); i++) { @@ -326,8 +349,17 @@ namespace Js if (shouldReparseFunctions) { - sourceInfo->MapFunction([](Js::FunctionBody *const pFuncBody) + sourceInfo->MapFunction([&](Js::FunctionBody *const pFuncBody) { + if (pFuncBody->IsCoroutine()) + { + RegSlot oldYieldRegister = Constants::NoRegister; + if (yieldFunctions->TryGetValue(pFuncBody->StartInDocument(), &oldYieldRegister)) + { + AssertOrFailFast(pFuncBody->GetYieldRegister() == oldYieldRegister); + } + } + if (pFuncBody->IsFunctionParsed()) { pFuncBody->ReinitializeExecutionModeAndLimits(); diff --git a/lib/Runtime/Language/ValueType.cpp b/lib/Runtime/Language/ValueType.cpp index 4c65faa07b0..4a418aab38f 100644 --- a/lib/Runtime/Language/ValueType.cpp +++ b/lib/Runtime/Language/ValueType.cpp @@ -582,7 +582,8 @@ bool ValueType::IsNotArrayOrObjectWithArray() const { return IsNotObject() || - (IsObject() && GetObjectType() != ObjectType::ObjectWithArray && GetObjectType() != ObjectType::Array); + (IsObject() && GetObjectType() != ObjectType::ObjectWithArray && GetObjectType() != ObjectType::Array + && GetObjectType() != ObjectType::UninitializedObject && GetObjectType() != ObjectType::Object); } bool ValueType::IsNativeArray() const diff --git a/lib/Runtime/Library/ES5Array.cpp b/lib/Runtime/Library/ES5Array.cpp index 267b41efdf9..418a741d45f 100644 --- a/lib/Runtime/Library/ES5Array.cpp +++ b/lib/Runtime/Library/ES5Array.cpp @@ -131,6 +131,10 @@ namespace Js { JavascriptError::ThrowRangeError(scriptContext, JSERR_ArrayLengthAssignIncorrect); } + + // Conversion can change the type (e.g. from String), invalidating assumptions made by the JIT + scriptContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor); + return newLen; } } diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp index 14a977d7563..efeae74fa6d 100644 --- a/lib/Runtime/Library/JavascriptArray.cpp +++ b/lib/Runtime/Library/JavascriptArray.cpp @@ -2921,6 +2921,9 @@ using namespace Js; double dblValue = JavascriptConversion::ToNumber(newLength, scriptContext); if (dblValue == uintValue) { + // Conversion can change the type (e.g. from String), invalidating assumptions made by the JIT + scriptContext->GetThreadContext()->AddImplicitCallFlags(ImplicitCall_Accessor); + this->SetLength(uintValue); } else