Changeset 270874 in webkit

Timestamp:

Dec 15, 2020 4:33:34 PM (19 months ago)

Author:

Alexey Shvayka

Message:

Non-enumerable property fails to shadow inherited enumerable property from for-in
​https://bugs.webkit.org/show_bug.cgi?id=38970

Reviewed by Keith Miller.

JSTests:

• stress/arguments-bizarre-behaviour-disable-enumerability.js:
• stress/for-in-redefine-enumerable.js: Added.
• stress/for-in-shadow-non-enumerable.js: Added.
• test262/expectations.yaml: Mark 4 test cases as passing.

Source/JavaScriptCore:

While for/in was initially specified with notion of "shadowing", it wasn't clarified
until ES5 that Enumerable? attributes are ignored when determining if a property
has already been processed. Recently, for/in spec was expanded [1] to pin down common
case enumeration as it's currently implemented by V8 and SpiderMonkey.

Since keeping track of DontEnum properties is a massive slowdown for uncached runs
(with any data structure used), this patch simply adds Enumerable? check to
has_{indexed,structure,generic}_property bytecode ops and does renaming chores.

Common code is now shared between HasIndexedProperty (emitted for 0 in arr) and
HasEnumerableIndexedProperty DFG nodes via passing different slow path ops rather
than having OpInfo with PropertySlot::InternalMethodType, which is a nice refactor.

While this change aligns common case for/in enumeration with the spec and other
engines, it also introduces a few observable discrepancies from V8 and SpiderMonkey,
which are permitted by the spec [2]:
a) properties that have been redefined as DontEnum within loop body are skipped,

which matches the spec [3] and seems like expected behavior;

b) "shadowing" is broken if a DontEnum property of already visited object is

added / deleted / redefined within loop body, which (pretty much) never happens.

This patch introduces a new invariant: all properties getOwn*PropertyNames() returns
in DontEnumPropertiesMode::Exclude should be reported as Enumerable? by
getOwnPropertySlot(). JSCallbackObject and RuntimeArray are fixed to follow it.

for/in and Object.keys microbenchmarks are neutral. This change does not affect
JSPropertyNameEnumerator caching, nor fast paths of its bytecodes.

[1]: ​https://github.com/tc39/ecma262/pull/1791
[2]: ​https://tc39.es/ecma262/#sec-enumerate-object-properties (last paragraph)
[3]: ​https://tc39.es/ecma262/#sec-%foriniteratorprototype%.next (step 7.b.iii)

• API/JSCallbackObjectFunctions.h:

(JSC::JSCallbackObject<Parent>::getOwnPropertySlot):

• API/tests/testapi.c:
• API/tests/testapiScripts/testapi.js:
• bytecode/BytecodeList.rb:
• bytecode/BytecodeUseDef.cpp:

(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• bytecode/Opcode.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitHasEnumerableIndexedProperty):
(JSC::BytecodeGenerator::emitHasEnumerableStructureProperty):
(JSC::BytecodeGenerator::emitHasEnumerableProperty):
(JSC::BytecodeGenerator::emitHasGenericProperty): Deleted.
(JSC::BytecodeGenerator::emitHasIndexedProperty): Deleted.
(JSC::BytecodeGenerator::emitHasStructureProperty): Deleted.

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::ForInNode::emitBytecode):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::convertToHasIndexedProperty):

• dfg/DFGNode.h:

(JSC::DFG::Node::hasArrayMode):
(JSC::DFG::Node::hasInternalMethodType const): Deleted.
(JSC::DFG::Node::internalMethodType const): Deleted.
(JSC::DFG::Node::setInternalMethodType): Deleted.

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:

(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSSALoweringPhase.cpp:

(JSC::DFG::SSALoweringPhase::handleNode):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileHasEnumerableProperty):
(JSC::DFG::SpeculativeJIT::compileHasEnumerableStructureProperty):
(JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
(JSC::DFG::SpeculativeJIT::compileHasGenericProperty): Deleted.
(JSC::DFG::SpeculativeJIT::compileHasStructureProperty): Deleted.

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
(JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableProperty):
(JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableStructureProperty):
(JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): Deleted.
(JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): Deleted.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_has_enumerable_structure_property):
(JSC::JIT::emit_op_has_enumerable_indexed_property):
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property):
(JSC::JIT::emit_op_has_structure_property): Deleted.
(JSC::JIT::emit_op_has_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_indexed_property): Deleted.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_has_enumerable_structure_property):
(JSC::JIT::emit_op_has_enumerable_indexed_property):
(JSC::JIT::emitSlow_op_has_enumerable_indexed_property):
(JSC::JIT::emit_op_has_structure_property): Deleted.
(JSC::JIT::emit_op_has_indexed_property): Deleted.
(JSC::JIT::emitSlow_op_has_indexed_property): Deleted.

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• jit/JITOperations.h:
• llint/LowLevelInterpreter.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

• runtime/CommonSlowPaths.h:
• runtime/JSObject.cpp:

(JSC::JSObject::hasProperty const):
(JSC::JSObject::hasEnumerableProperty const):
(JSC::JSObject::hasPropertyGeneric const): Deleted.

• runtime/JSObject.h:

Source/WebCore:

Report RuntimeArray indices as Enumerable?.

Test: platform/mac/fast/dom/wrapper-classes-objc.html

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::getOwnPropertySlot):
(JSC::RuntimeArray::getOwnPropertySlotByIndex):

LayoutTests:

• platform/mac/fast/dom/wrapper-classes-objc-expected.txt:
• platform/mac/fast/dom/wrapper-classes-objc.html:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/arguments-bizarre-behaviour-disable-enumerability.js (modified) (1 diff)
• JSTests/stress/for-in-redefine-enumerable.js (added)
• JSTests/stress/for-in-shadow-non-enumerable.js (added)
• JSTests/test262/expectations.yaml (modified) (1 diff)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/platform/mac/fast/dom/wrapper-classes-objc-expected.txt (modified) (1 diff)
• LayoutTests/platform/mac/fast/dom/wrapper-classes-objc.html (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackObjectFunctions.h (modified) (5 diffs)
• Source/JavaScriptCore/API/tests/testapi.c (modified) (2 diffs)
• Source/JavaScriptCore/API/tests/testapiScripts/testapi.js (modified) (5 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.rb (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/Opcode.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (6 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (10 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bridge/runtime_array.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-12-15  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Non-enumerable property fails to shadow inherited enumerable property from for-in
+        https://bugs.webkit.org/show_bug.cgi?id=38970
+
+        Reviewed by Keith Miller.
+
+        * stress/arguments-bizarre-behaviour-disable-enumerability.js:
+        * stress/for-in-redefine-enumerable.js: Added.
+        * stress/for-in-shadow-non-enumerable.js: Added.
+        * test262/expectations.yaml: Mark 4 test cases as passing.
+
 2020-12-15  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/JSTests/stress/arguments-bizarre-behaviour-disable-enumerability.js

@@ -19 +19 @@
     array.push(s);
 
-if (array.join(",") != "0")
+if (array.join(",") != "")
     throw new Error();
 

trunk/JSTests/test262/expectations.yaml

@@ -1859 +1859 @@
   default: 'Test262:AsyncTestFailure:Test262Error: Test262Error: Expected [pre, tick 1, constructor, constructor, tick 2, tick 3, loop, tick 4, constructor] and [pre, constructor, constructor, tick 1, tick 2, loop, constructor, tick 3, tick 4, post] to have the same contents. Ticks and constructor lookups'
   strict mode: 'Test262:AsyncTestFailure:Test262Error: Test262Error: Expected [pre, tick 1, constructor, constructor, tick 2, tick 3, loop, tick 4, constructor] and [pre, constructor, constructor, tick 1, tick 2, loop, constructor, tick 3, tick 4, post] to have the same contents. Ticks and constructor lookups'
-test/language/statements/for-in/12.6.4-2.js:
-  default: 'Test262Error: accessedProp Expected SameValue(«true», «false») to be true'
-  strict mode: 'Test262Error: accessedProp Expected SameValue(«true», «false») to be true'
 test/language/statements/for-in/head-lhs-let.js:
   default: "SyntaxError: Cannot use the keyword 'in' as a lexical variable name."
 test/language/statements/for-in/identifier-let-allowed-as-lefthandside-expression-not-strict.js:
   default: "SyntaxError: Cannot use the keyword 'in' as a lexical variable name."
-test/language/statements/for-in/order-enumerable-shadowed.js:
-  default: 'Test262Error: Expected [p1, p2] and [p1] to have the same contents. '
-  strict mode: 'Test262Error: Expected [p1, p2] and [p1] to have the same contents. '
 test/language/statements/for-in/scope-body-lex-open.js:
   default: 'Test262Error: Expected a ReferenceError to be thrown but no exception was thrown at all'

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2020-12-15  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Non-enumerable property fails to shadow inherited enumerable property from for-in
+        https://bugs.webkit.org/show_bug.cgi?id=38970
+
+        Reviewed by Keith Miller.
+
+        * platform/mac/fast/dom/wrapper-classes-objc-expected.txt:
+        * platform/mac/fast/dom/wrapper-classes-objc.html:
+
 2020-12-15  Alex Christensen  <achristensen@webkit.org>
 

trunk/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc-expected.txt

@@ -190 +190 @@
 PASS objCObjectOfClass('NSArray') instanceof Array is true
 PASS concatenateArray(objCArrayOfString()) is 'onetwothree'
+PASS objCArrayOfString().every((_, i, arr) => arr.propertyIsEnumerable(i)) is true
 PASS let arr = objCArrayOfString(); arr.length is 3
 PASS let arr = objCArrayOfString(); arr.length = 0 threw exception RangeError: Range error.

trunk/LayoutTests/platform/mac/fast/dom/wrapper-classes-objc.html

@@ -287 +287 @@
 
     shouldBe("concatenateArray(objCArrayOfString())", "'onetwothree'");
+    shouldBeTrue("objCArrayOfString().every((_, i, arr) => arr.propertyIsEnumerable(i))");
 
     shouldBe("let arr = objCArrayOfString(); arr.length", "3");

trunk/Source/JavaScriptCore/API/JSCallbackObjectFunctions.h

@@ -163 +163 @@
     
     if (StringImpl* name = propertyName.uid()) {
+        // FIXME: Set ReadOnly conditionally, based on setProperty presence in class inheritance chain.
+        // https://bugs.webkit.org/show_bug.cgi?id=219924
+        unsigned attributes = static_cast<unsigned>(PropertyAttribute::ReadOnly);
         for (JSClassRef jsClass = thisObject->classRef(); jsClass; jsClass = jsClass->parentClass) {
             // optional optimization to bypass getProperty in cases when we only need to know if the property exists
@@ -170 +173 @@
                 JSLock::DropAllLocks dropAllLocks(globalObject);
                 if (hasProperty(ctx, thisRef, propertyNameRef.get())) {
-                    slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, getCallbackGetter());
+                    slot.setCustom(thisObject, attributes, getCallbackGetter());
                     return true;
                 }
@@ -184 +187 @@
                 if (exception) {
                     throwException(globalObject, scope, toJS(globalObject, exception));
-                    slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, jsUndefined());
+                    slot.setValue(thisObject, attributes, jsUndefined());
                     return true;
                 }
                 if (value) {
-                    slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, toJS(globalObject, value));
+                    slot.setValue(thisObject, attributes, toJS(globalObject, value));
                     return true;
                 }
@@ -194 +197 @@
             
             if (OpaqueJSClassStaticValuesTable* staticValues = jsClass->staticValues(globalObject)) {
-                if (staticValues->contains(name)) {
+                if (StaticValueEntry* entry = staticValues->get(name)) {
+                    // FIXME: getStaticValue() performs the same loop & checks just to acquire `entry`.
+                    // https://bugs.webkit.org/show_bug.cgi?id=219925
                     JSValue value = thisObject->getStaticValue(globalObject, propertyName);
                     RETURN_IF_EXCEPTION(scope, false);
                     if (value) {
-                        slot.setValue(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, value);
+                        slot.setValue(thisObject, entry->attributes, value);
                         return true;
                     }
@@ -205 +210 @@
             
             if (OpaqueJSClassStaticFunctionsTable* staticFunctions = jsClass->staticFunctions(globalObject)) {
-                if (staticFunctions->contains(name)) {
-                    slot.setCustom(thisObject, PropertyAttribute::ReadOnly | PropertyAttribute::DontEnum, getStaticFunctionGetter());
+                if (StaticFunctionEntry* entry = staticFunctions->get(name)) {
+                    slot.setCustom(thisObject, entry->attributes, getStaticFunctionGetter());
                     return true;
                 }

trunk/Source/JavaScriptCore/API/tests/testapi.c

@@ -1018 +1018 @@
 static JSStaticValue globalObject_staticValues[] = {
     { "globalStaticValue", globalObject_get, globalObject_set, kJSPropertyAttributeNone },
+    { "globalStaticValue2", globalObject_get, 0, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontEnum },
     { 0, 0, 0, 0 }
 };
@@ -1024 +1025 @@
     { "globalStaticFunction", globalObject_call, kJSPropertyAttributeNone },
     { "globalStaticFunction2", globalObject_call, kJSPropertyAttributeNone },
+    { "globalStaticFunction3", globalObject_call, kJSPropertyAttributeReadOnly | kJSPropertyAttributeDontEnum },
     { "gc", functionGC, kJSPropertyAttributeNone },
     { 0, 0, 0 }

trunk/Source/JavaScriptCore/API/tests/testapiScripts/testapi.js

@@ -85 +85 @@
 shouldBe("this.globalStaticFunction2();", 20);
 
+var globalStaticValue2Descriptor = Object.getOwnPropertyDescriptor(this, "globalStaticValue2");
+shouldBe('typeof globalStaticValue2Descriptor', "object");
+shouldBe('globalStaticValue2Descriptor.writable', false);
+shouldBe('globalStaticValue2Descriptor.enumerable', false);
+
+var globalStaticFunction3Descriptor = Object.getOwnPropertyDescriptor(this, "globalStaticFunction3");
+shouldBe('typeof globalStaticFunction3Descriptor', "object");
+shouldBe('globalStaticFunction3Descriptor.writable', false);
+shouldBe('globalStaticFunction3Descriptor.enumerable', false);
+
 function iAmNotAStaticFunction() { return 10; }
 shouldBe("iAmNotAStaticFunction();", 10);
@@ -135 +145 @@
 shouldBe('alwaysOneDescriptor.value', MyObject.alwaysOne);
 shouldBe('alwaysOneDescriptor.configurable', true);
-shouldBe('alwaysOneDescriptor.enumerable', false); // Actually it is.
+shouldBe('alwaysOneDescriptor.enumerable', true);
 var cantFindDescriptor = Object.getOwnPropertyDescriptor(MyObject, "cantFind");
 shouldBe('typeof cantFindDescriptor', "object");
 shouldBe('cantFindDescriptor.value', MyObject.cantFind);
 shouldBe('cantFindDescriptor.configurable', true);
-shouldBe('cantFindDescriptor.enumerable', false);
+shouldBe('cantFindDescriptor.enumerable', true);
 try {
     // If getOwnPropertyDescriptor() returned an access descriptor, this wouldn't throw.
@@ -151 +161 @@
 shouldBe('myPropertyNameDescriptor.value', MyObject.myPropertyName);
 shouldBe('myPropertyNameDescriptor.configurable', true);
-shouldBe('myPropertyNameDescriptor.enumerable', false); // Actually it is.
+shouldBe('myPropertyNameDescriptor.enumerable', true);
 try {
     // if getOwnPropertyDescriptor() returned an access descriptor, this wouldn't throw.
@@ -238 +248 @@
 shouldBe('baseDupDescriptor.value', derived.baseDup);
 shouldBe('baseDupDescriptor.configurable', true);
-shouldBe('baseDupDescriptor.enumerable', false);
+shouldBe('baseDupDescriptor.enumerable', true);
 var baseOnlyDescriptor = Object.getOwnPropertyDescriptor(derived, "baseOnly");
 shouldBe('typeof baseOnlyDescriptor', "object");
 shouldBe('baseOnlyDescriptor.value', derived.baseOnly);
 shouldBe('baseOnlyDescriptor.configurable', true);
-shouldBe('baseOnlyDescriptor.enumerable', false);
+shouldBe('baseOnlyDescriptor.enumerable', true);
 shouldBe('Object.getOwnPropertyDescriptor(derived, "protoOnly")', undefined);
 var protoDupDescriptor = Object.getOwnPropertyDescriptor(derived, "protoDup");
@@ -249 +259 @@
 shouldBe('protoDupDescriptor.value', derived.protoDup);
 shouldBe('protoDupDescriptor.configurable', true);
-shouldBe('protoDupDescriptor.enumerable', false);
+shouldBe('protoDupDescriptor.enumerable', true);
 var derivedOnlyDescriptor = Object.getOwnPropertyDescriptor(derived, "derivedOnly");
 shouldBe('typeof derivedOnlyDescriptor', "object");
 shouldBe('derivedOnlyDescriptor.value', derived.derivedOnly);
 shouldBe('derivedOnlyDescriptor.configurable', true);
-shouldBe('derivedOnlyDescriptor.enumerable', false);
+shouldBe('derivedOnlyDescriptor.enumerable', true);
 
 shouldBe("undefined instanceof MyObject", false);

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-12-15  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Non-enumerable property fails to shadow inherited enumerable property from for-in
+        https://bugs.webkit.org/show_bug.cgi?id=38970
+
+        Reviewed by Keith Miller.
+
+        While for/in was initially specified with notion of "shadowing", it wasn't clarified
+        until ES5 that [[Enumerable]] attributes are ignored when determining if a property
+        has already been processed. Recently, for/in spec was expanded [1] to pin down common
+        case enumeration as it's currently implemented by V8 and SpiderMonkey.
+
+        Since keeping track of DontEnum properties is a massive slowdown for uncached runs
+        (with any data structure used), this patch simply adds [[Enumerable]] check to
+        has_{indexed,structure,generic}_property bytecode ops and does renaming chores.
+
+        Common code is now shared between HasIndexedProperty (emitted for `0 in arr`) and
+        HasEnumerableIndexedProperty DFG nodes via passing different slow path ops rather
+        than having OpInfo with PropertySlot::InternalMethodType, which is a nice refactor.
+
+        While this change aligns common case for/in enumeration with the spec and other
+        engines, it also introduces a few observable discrepancies from V8 and SpiderMonkey,
+        which are permitted by the spec [2]:
+        a) properties that have been redefined as DontEnum within loop body are skipped,
+           which matches the spec [3] and seems like expected behavior;
+        b) "shadowing" is broken if a DontEnum property of already visited object is
+           added / deleted / redefined within loop body, which (pretty much) never happens.
+
+        This patch introduces a new invariant: all properties getOwn*PropertyNames() returns
+        in DontEnumPropertiesMode::Exclude should be reported as [[Enumerable]] by
+        getOwnPropertySlot(). JSCallbackObject and RuntimeArray are fixed to follow it.
+
+        for/in and Object.keys microbenchmarks are neutral. This change does not affect
+        JSPropertyNameEnumerator caching, nor fast paths of its bytecodes.
+
+        [1]: https://github.com/tc39/ecma262/pull/1791
+        [2]: https://tc39.es/ecma262/#sec-enumerate-object-properties (last paragraph)
+        [3]: https://tc39.es/ecma262/#sec-%foriniteratorprototype%.next (step 7.b.iii)
+
+        * API/JSCallbackObjectFunctions.h:
+        (JSC::JSCallbackObject<Parent>::getOwnPropertySlot):
+        * API/tests/testapi.c:
+        * API/tests/testapiScripts/testapi.js:
+        * bytecode/BytecodeList.rb:
+        * bytecode/BytecodeUseDef.cpp:
+        (JSC::computeUsesForBytecodeIndexImpl):
+        (JSC::computeDefsForBytecodeIndexImpl):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        * bytecode/Opcode.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitHasEnumerableIndexedProperty):
+        (JSC::BytecodeGenerator::emitHasEnumerableStructureProperty):
+        (JSC::BytecodeGenerator::emitHasEnumerableProperty):
+        (JSC::BytecodeGenerator::emitHasGenericProperty): Deleted.
+        (JSC::BytecodeGenerator::emitHasIndexedProperty): Deleted.
+        (JSC::BytecodeGenerator::emitHasStructureProperty): Deleted.
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::ForInNode::emitBytecode):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasArrayMode):
+        (JSC::DFG::Node::hasInternalMethodType const): Deleted.
+        (JSC::DFG::Node::internalMethodType const): Deleted.
+        (JSC::DFG::Node::setInternalMethodType): Deleted.
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSSALoweringPhase.cpp:
+        (JSC::DFG::SSALoweringPhase::handleNode):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileHasEnumerableProperty):
+        (JSC::DFG::SpeculativeJIT::compileHasEnumerableStructureProperty):
+        (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+        (JSC::DFG::SpeculativeJIT::compileHasGenericProperty): Deleted.
+        (JSC::DFG::SpeculativeJIT::compileHasStructureProperty): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableProperty):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasEnumerableStructureProperty):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasGenericProperty): Deleted.
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasStructureProperty): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_has_enumerable_structure_property):
+        (JSC::JIT::emit_op_has_enumerable_indexed_property):
+        (JSC::JIT::emitSlow_op_has_enumerable_indexed_property):
+        (JSC::JIT::emit_op_has_structure_property): Deleted.
+        (JSC::JIT::emit_op_has_indexed_property): Deleted.
+        (JSC::JIT::emitSlow_op_has_indexed_property): Deleted.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_has_enumerable_structure_property):
+        (JSC::JIT::emit_op_has_enumerable_indexed_property):
+        (JSC::JIT::emitSlow_op_has_enumerable_indexed_property):
+        (JSC::JIT::emit_op_has_structure_property): Deleted.
+        (JSC::JIT::emit_op_has_indexed_property): Deleted.
+        (JSC::JIT::emitSlow_op_has_indexed_property): Deleted.
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+        * runtime/CommonSlowPaths.h:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::hasProperty const):
+        (JSC::JSObject::hasEnumerableProperty const):
+        (JSC::JSObject::hasPropertyGeneric const): Deleted.
+        * runtime/JSObject.h:
+
 2020-12-15  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.rb

@@ -1126 +1126 @@
     }
 
-op :has_indexed_property,
+op :has_enumerable_indexed_property,
     args: {
         dst: VirtualRegister,
@@ -1136 +1136 @@
     }
 
-op :has_structure_property,
+op :has_enumerable_structure_property,
     args: {
         dst: VirtualRegister,
@@ -1160 +1160 @@
     }
 
-op :has_generic_property,
+op :has_enumerable_property,
     args: {
         dst: VirtualRegister,

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp

@@ -222 +222 @@
     USES(OpNewArrayBuffer, immutableButterfly)
 
-    USES(OpHasGenericProperty, base, property)
-    USES(OpHasIndexedProperty, base, property)
+    USES(OpHasEnumerableIndexedProperty, base, property)
+    USES(OpHasEnumerableStructureProperty, base, property, enumerator)
+    USES(OpHasEnumerableProperty, base, property)
     USES(OpEnumeratorStructurePname, enumerator, index)
     USES(OpEnumeratorGenericPname, enumerator, index)
@@ -261 +262 @@
     USES(OpGetByValWithThis, base, thisValue, property)
     USES(OpInstanceofCustom, value, constructor, hasInstanceValue)
-    USES(OpHasStructureProperty, base, property, enumerator)
     USES(OpHasOwnStructureProperty, base, property, enumerator)
     USES(OpInStructureProperty, base, property, enumerator)
@@ -421 +421 @@
     DEFS(OpToIndexString, dst)
     DEFS(OpGetEnumerableLength, dst)
-    DEFS(OpHasIndexedProperty, dst)
-    DEFS(OpHasStructureProperty, dst)
+    DEFS(OpHasEnumerableIndexedProperty, dst)
+    DEFS(OpHasEnumerableStructureProperty, dst)
+    DEFS(OpHasEnumerableProperty, dst)
     DEFS(OpHasOwnStructureProperty, dst)
     DEFS(OpInStructureProperty, dst)
-    DEFS(OpHasGenericProperty, dst)
     DEFS(OpGetDirectPname, dst)
     DEFS(OpGetPropertyEnumerator, dst)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -504 +504 @@
         m_bytecodeCost += opcodeLengths[opcodeID];
         switch (opcodeID) {
-        LINK(OpHasIndexedProperty)
+        LINK(OpHasEnumerableIndexedProperty)
 
         LINK(OpCallVarargs, profile)

trunk/Source/JavaScriptCore/bytecode/Opcode.h

@@ -127 +127 @@
 
 #define FOR_EACH_OPCODE_WITH_ARRAY_PROFILE(macro) \
-    macro(OpHasIndexedProperty) \
+    macro(OpHasEnumerableIndexedProperty) \
     macro(OpCallVarargs) \
     macro(OpTailCallVarargs) \

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -4366 +4366 @@
 }
 
-RegisterID* BytecodeGenerator::emitHasGenericProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
-{
-    OpHasGenericProperty::emit(this, dst, base, propertyName);
-    return dst;
-}
-
-RegisterID* BytecodeGenerator::emitHasIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
-{
-    OpHasIndexedProperty::emit(this, dst, base, propertyName);
-    return dst;
-}
-
-RegisterID* BytecodeGenerator::emitHasStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator)
-{
-    OpHasStructureProperty::emit(this, dst, base, propertyName, enumerator);
+RegisterID* BytecodeGenerator::emitHasEnumerableIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
+{
+    OpHasEnumerableIndexedProperty::emit(this, dst, base, propertyName);
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitHasEnumerableStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator)
+{
+    OpHasEnumerableStructureProperty::emit(this, dst, base, propertyName, enumerator);
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitHasEnumerableProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName)
+{
+    OpHasEnumerableProperty::emit(this, dst, base, propertyName);
     return dst;
 }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -903 +903 @@
         void emitCheckTraps();
 
-        RegisterID* emitHasIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
-        RegisterID* emitHasStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
+        RegisterID* emitHasEnumerableIndexedProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
+        RegisterID* emitHasEnumerableStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
+        RegisterID* emitHasEnumerableProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
         RegisterID* emitHasOwnStructureProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName, RegisterID* enumerator);
-        RegisterID* emitHasGenericProperty(RegisterID* dst, RegisterID* base, RegisterID* propertyName);
         RegisterID* emitGetPropertyEnumerator(RegisterID* dst, RegisterID* base);
         RegisterID* emitGetEnumerableLength(RegisterID* dst, RegisterID* base);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -3963 +3963 @@
         RefPtr<RegisterID> result = generator.emitEqualityOp<OpLess>(generator.newTemporary(), i.get(), length.get());
         generator.emitJumpIfFalse(result.get(), loopEnd.get());
-        generator.emitHasIndexedProperty(result.get(), base.get(), i.get());
+        generator.emitHasEnumerableIndexedProperty(result.get(), base.get(), i.get());
         generator.emitJumpIfFalse(result.get(), *scope->continueTarget());
 
@@ -4004 +4004 @@
         RefPtr<RegisterID> result = generator.emitIsNull(generator.newTemporary(), propertyName.get());
         generator.emitJumpIfTrue(result.get(), loopEnd.get());
-        generator.emitHasStructureProperty(result.get(), base.get(), propertyName.get(), enumerator.get());
+        generator.emitHasEnumerableStructureProperty(result.get(), base.get(), propertyName.get(), enumerator.get());
         generator.emitJumpIfFalse(result.get(), *scope->continueTarget());
 
@@ -4046 +4046 @@
         generator.emitJumpIfTrue(result.get(), loopEnd.get());
 
-        generator.emitHasGenericProperty(result.get(), base.get(), propertyName.get());
+        generator.emitHasEnumerableProperty(result.get(), base.get(), propertyName.get());
         generator.emitJumpIfFalse(result.get(), *scope->continueTarget());
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -4156 +4156 @@
         break;
     }
-    case HasGenericProperty: {
+    case HasEnumerableProperty: {
         setNonCellTypeForNode(node, SpecBoolean);
         clobberWorld();
@@ -4163 +4163 @@
     case InStructureProperty:
     case HasOwnStructureProperty:
-    case HasStructureProperty: {
+    case HasEnumerableStructureProperty: {
         setNonCellTypeForNode(node, SpecBoolean);
         clobberWorld();
         break;
     }
-    case HasIndexedProperty: {
+    case HasIndexedProperty:
+    case HasEnumerableIndexedProperty: {
         ArrayMode mode = node->arrayMode();
         switch (mode.type()) {

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -8140 +8140 @@
         }
 
-        case op_has_generic_property: {
-            auto bytecode = currentInstruction->as<OpHasGenericProperty>();
-            set(bytecode.m_dst, addToGraph(HasGenericProperty, get(bytecode.m_base), get(bytecode.m_property)));
-            NEXT_OPCODE(op_has_generic_property);
-        }
-
-        case op_has_structure_property: {
-            auto bytecode = currentInstruction->as<OpHasStructureProperty>();
-            set(bytecode.m_dst, addToGraph(HasStructureProperty,
+        case op_has_enumerable_structure_property: {
+            auto bytecode = currentInstruction->as<OpHasEnumerableStructureProperty>();
+            set(bytecode.m_dst, addToGraph(HasEnumerableStructureProperty,
                 get(bytecode.m_base),
                 get(bytecode.m_property),
                 get(bytecode.m_enumerator)));
-            NEXT_OPCODE(op_has_structure_property);
+            NEXT_OPCODE(op_has_enumerable_structure_property);
+        }
+
+        case op_has_enumerable_property: {
+            auto bytecode = currentInstruction->as<OpHasEnumerableProperty>();
+            set(bytecode.m_dst, addToGraph(HasEnumerableProperty, get(bytecode.m_base), get(bytecode.m_property)));
+            NEXT_OPCODE(op_has_enumerable_property);
         }
 
@@ -8173 +8173 @@
         }
 
-        case op_has_indexed_property: {
-            auto bytecode = currentInstruction->as<OpHasIndexedProperty>();
+        case op_has_enumerable_indexed_property: {
+            auto bytecode = currentInstruction->as<OpHasEnumerableIndexedProperty>();
             Node* base = get(bytecode.m_base);
             ArrayMode arrayMode = getArrayMode(bytecode.metadata(codeBlock).m_arrayProfile, Array::Read);
@@ -8181 +8181 @@
             addVarArgChild(property);
             addVarArgChild(nullptr);
-            Node* hasIterableProperty = addToGraph(Node::VarArg, HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)));
+            Node* hasIterableProperty = addToGraph(Node::VarArg, HasEnumerableIndexedProperty, OpInfo(arrayMode.asWord()));
             m_exitOK = false; // HasIndexedProperty must be treated as if it clobbers exit state, since FixupPhase may make it generic.
             set(bytecode.m_dst, hasIterableProperty);
-            NEXT_OPCODE(op_has_indexed_property);
+            NEXT_OPCODE(op_has_enumerable_indexed_property);
         }
 

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -254 +254 @@
     case op_get_from_scope:
     case op_get_enumerable_length:
-    case op_has_generic_property:
-    case op_has_structure_property:
+    case op_has_enumerable_indexed_property:
+    case op_has_enumerable_structure_property:
+    case op_has_enumerable_property:
     case op_has_own_structure_property:
     case op_in_structure_property:
-    case op_has_indexed_property:
     case op_get_direct_pname:
     case op_get_property_enumerator:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -165 +165 @@
         case ArrayIndexOf:
         case HasIndexedProperty:
+        case HasEnumerableIndexedProperty:
         case AtomicsAdd:
         case AtomicsAnd:
@@ -349 +350 @@
     }
 
-    case HasIndexedProperty: {
+    case HasIndexedProperty:
+    case HasEnumerableIndexedProperty: {
         read(JSObject_butterfly);
         ArrayMode mode = node->arrayMode();
@@ -706 +708 @@
     case ResolveScope:
     case ToObject:
-    case HasGenericProperty:
-    case HasStructureProperty:
+    case HasEnumerableStructureProperty:
+    case HasEnumerableProperty:
     case HasOwnStructureProperty:
     case InStructureProperty:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -296 +296 @@
     case GetDynamicVar:
     case GetMapBucket:
-    case HasGenericProperty:
     case HasIndexedProperty:
+    case HasEnumerableIndexedProperty:
+    case HasEnumerableStructureProperty:
+    case HasEnumerableProperty:
     case HasOwnProperty:
-    case HasStructureProperty:
     case HasOwnStructureProperty:
     case InStructureProperty:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2205 +2205 @@
             break;
         }
-        case HasGenericProperty: {
+        case HasEnumerableProperty: {
             fixEdge<CellUse>(node->child2());
             break;
         }
-        case HasStructureProperty: {
+        case HasEnumerableStructureProperty: {
             fixEdge<StringUse>(node->child2());
             fixEdge<KnownCellUse>(node->child3());
@@ -2221 +2221 @@
             break;
         }
-        case HasIndexedProperty: {
+        case HasIndexedProperty:
+        case HasEnumerableIndexedProperty: {
             node->setArrayMode(
                 node->arrayMode().refine(
@@ -3989 +3990 @@
                 m_graph.varArgChild(node, 1)->prediction(),
                 SpecNone));
-        node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
 
         blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -2215 +2215 @@
         case ArrayIndexOf:
         case HasIndexedProperty:
+        case HasEnumerableIndexedProperty:
         case AtomicsAdd:
         case AtomicsAnd:
@@ -3004 +3005 @@
     }
 
-    bool hasInternalMethodType() const
-    {
-        return op() == HasIndexedProperty;
-    }
-
-    PropertySlot::InternalMethodType internalMethodType() const
-    {
-        ASSERT(hasInternalMethodType());
-        return static_cast<PropertySlot::InternalMethodType>(m_opInfo2.as<uint32_t>());
-    }
-
-    void setInternalMethodType(PropertySlot::InternalMethodType type)
-    {
-        ASSERT(hasInternalMethodType());
-        m_opInfo2 = static_cast<uint32_t>(type);
-    }
-
     Node* replacement() const
     {

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -499 +499 @@
     /* Must generate because of Proxies on the prototype chain */ \
     macro(HasIndexedProperty, NodeMustGenerate | NodeResultBoolean | NodeHasVarArgs) \
-    macro(HasStructureProperty, NodeResultBoolean) \
+    macro(HasEnumerableIndexedProperty, NodeMustGenerate | NodeResultBoolean | NodeHasVarArgs) \
+    macro(HasEnumerableStructureProperty, NodeResultBoolean) \
+    macro(HasEnumerableProperty, NodeResultBoolean) \
     macro(HasOwnStructureProperty, NodeResultBoolean | NodeMustGenerate) \
     macro(InStructureProperty, NodeMustGenerate | NodeResultBoolean) \
-    macro(HasGenericProperty, NodeResultBoolean) \
     macro(GetDirectPname, NodeMustGenerate | NodeHasVarArgs | NodeResultJS) \
     macro(GetPropertyEnumerator, NodeMustGenerate | NodeResultJS) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -2259 +2259 @@
 }
 
-JSC_DEFINE_JIT_OPERATION(operationHasGenericProperty, EncodedJSValue, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, JSCell* property))
+JSC_DEFINE_JIT_OPERATION(operationHasEnumerableProperty, EncodedJSValue, (JSGlobalObject* globalObject, EncodedJSValue encodedBaseValue, JSCell* property))
 {
     VM& vm = globalObject->vm();
@@ -2276 +2276 @@
     auto propertyName = asString(property)->toIdentifier(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
-    RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(base->hasPropertyGeneric(globalObject, propertyName, PropertySlot::InternalMethodType::GetOwnProperty))));
+    RELEASE_AND_RETURN(scope, JSValue::encode(jsBoolean(base->hasEnumerableProperty(globalObject, propertyName))));
 }
 
@@ -2301 +2301 @@
 }
 
-JSC_DEFINE_JIT_OPERATION(operationHasIndexedPropertyByInt, size_t, (JSGlobalObject* globalObject, JSCell* baseCell, int32_t subscript, int32_t internalMethodType))
+JSC_DEFINE_JIT_OPERATION(operationHasIndexedProperty, size_t, (JSGlobalObject* globalObject, JSCell* baseCell, int32_t subscript))
 {
     VM& vm = globalObject->vm();
@@ -2309 +2309 @@
     if (UNLIKELY(subscript < 0)) {
         // Go the slowest way possible because negative indices don't use indexed storage.
-        return object->hasPropertyGeneric(globalObject, Identifier::from(vm, subscript), static_cast<PropertySlot::InternalMethodType>(internalMethodType));
-    }
-    return object->hasPropertyGeneric(globalObject, subscript, static_cast<PropertySlot::InternalMethodType>(internalMethodType));
+        return object->hasProperty(globalObject, Identifier::from(vm, subscript));
+    }
+    return object->hasProperty(globalObject, static_cast<unsigned>(subscript));
+}
+
+JSC_DEFINE_JIT_OPERATION(operationHasEnumerableIndexedProperty, size_t, (JSGlobalObject* globalObject, JSCell* baseCell, int32_t subscript))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+    JSObject* object = baseCell->toObject(globalObject);
+    if (UNLIKELY(subscript < 0)) {
+        // Go the slowest way possible because negative indices don't use indexed storage.
+        return object->hasEnumerableProperty(globalObject, Identifier::from(vm, subscript));
+    }
+    return object->hasEnumerableProperty(globalObject, subscript);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -100 +100 @@
 JSC_DECLARE_JIT_OPERATION(operationGetPrototypeOf, EncodedJSValue, (JSGlobalObject*, EncodedJSValue));
 JSC_DECLARE_JIT_OPERATION(operationGetPrototypeOfObject, EncodedJSValue, (JSGlobalObject*, JSObject*));
-JSC_DECLARE_JIT_OPERATION(operationHasGenericProperty, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, JSCell*));
+JSC_DECLARE_JIT_OPERATION(operationHasIndexedProperty, size_t, (JSGlobalObject*, JSCell*, int32_t));
+JSC_DECLARE_JIT_OPERATION(operationHasEnumerableIndexedProperty, size_t, (JSGlobalObject*, JSCell*, int32_t));
+JSC_DECLARE_JIT_OPERATION(operationHasEnumerableProperty, EncodedJSValue, (JSGlobalObject*, EncodedJSValue, JSCell*));
 JSC_DECLARE_JIT_OPERATION(operationHasOwnStructureProperty, EncodedJSValue, (JSGlobalObject*, JSCell*, JSString*));
 JSC_DECLARE_JIT_OPERATION(operationInStructureProperty, EncodedJSValue, (JSGlobalObject*, JSCell*, JSString*));
-JSC_DECLARE_JIT_OPERATION(operationHasIndexedPropertyByInt, size_t, (JSGlobalObject*, JSCell*, int32_t, int32_t));
 JSC_DECLARE_JIT_OPERATION(operationGetPropertyEnumerator, JSCell*, (JSGlobalObject*, EncodedJSValue));
 JSC_DECLARE_JIT_OPERATION(operationGetPropertyEnumeratorCell, JSCell*, (JSGlobalObject*, JSCell*));

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -1213 +1213 @@
             break;
         }
-        case HasGenericProperty:
-        case HasStructureProperty:
         case HasOwnStructureProperty:
         case InStructureProperty:
-        case HasIndexedProperty: {
+        case HasIndexedProperty:
+        case HasEnumerableIndexedProperty:
+        case HasEnumerableStructureProperty:
+        case HasEnumerableProperty: {
             setPrediction(SpecBoolean);
             break;

trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp

@@ -83 +83 @@
 
         case HasIndexedProperty:
+        case HasEnumerableIndexedProperty:
             lowerBoundsCheck(m_graph.child(m_node, 0), m_graph.child(m_node, 1), m_graph.child(m_node, 2));
             break;

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -293 +293 @@
     case FiatInt52:
     case HasIndexedProperty:
+    case HasEnumerableIndexedProperty:
     case GetEnumeratorStructurePname:
     case GetEnumeratorGenericPname:
@@ -629 +630 @@
     case MultiDeleteByOffset:
     case GetEnumerableLength:
-    case HasGenericProperty:
-    case HasStructureProperty:
+    case HasEnumerableStructureProperty:
+    case HasEnumerableProperty:
     case HasOwnStructureProperty:
     case InStructureProperty:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -12839 +12839 @@
 }
 
-void SpeculativeJIT::compileHasGenericProperty(Node* node)
+void SpeculativeJIT::compileHasEnumerableProperty(Node* node)
 {
     JSValueOperand base(this, node->child1());
@@ -12850 +12850 @@
     JSValueRegsFlushedCallResult result(this);
     JSValueRegs resultRegs = result.regs();
-    callOperation(operationHasGenericProperty, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyGPR);
+    callOperation(operationHasEnumerableProperty, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyGPR);
     m_jit.exceptionCheck();
     blessedBooleanResult(resultRegs.payloadGPR(), node);
@@ -12990 +12990 @@
 }
 
-void SpeculativeJIT::compileHasStructureProperty(Node* node)
+void SpeculativeJIT::compileHasEnumerableStructureProperty(Node* node)
 {
     JSValueOperand base(this, node->child1());
@@ -13012 +13012 @@
     moveTrueTo(resultRegs.payloadGPR());
 
-    addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasGenericProperty, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyGPR));
+    addSlowPathGenerator(slowPathCall(wrongStructure, this, operationHasEnumerableProperty, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyGPR));
     blessedBooleanResult(resultRegs.payloadGPR(), node);
 }
@@ -14268 +14268 @@
 }
 
-void SpeculativeJIT::compileHasIndexedProperty(Node* node)
+void SpeculativeJIT::compileHasIndexedProperty(Node* node, S_JITOperation_GCZ slowPathOperation)
 {
     SpeculateCellOperand base(this, m_graph.varArgChild(node, 0));
@@ -14384 +14384 @@
     }
 
-    addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedPropertyByInt, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
+    addSlowPathGenerator(slowPathCall(slowCases, this, slowPathOperation, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, indexGPR));
 
     unblessedBooleanResult(resultGPR, node);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1447 +1447 @@
     void compileThrowStaticError(Node*);
     void compileGetEnumerableLength(Node*);
-    void compileHasGenericProperty(Node*);
+    void compileHasEnumerableStructureProperty(Node*);
+    void compileHasEnumerableProperty(Node*);
     void compileToIndexString(Node*);
     void compilePutByIdFlush(Node*);
@@ -1453 +1454 @@
     void compilePutByIdDirect(Node*);
     void compilePutByIdWithThis(Node*);
-    void compileHasStructureProperty(Node*);
     template <typename Function>
     void compileHasOwnStructurePropertyImpl(Node*, Function);
@@ -1489 +1489 @@
     void compileLogShadowChickenPrologue(Node*);
     void compileLogShadowChickenTail(Node*);
-    void compileHasIndexedProperty(Node*);
+    void compileHasIndexedProperty(Node*, S_JITOperation_GCZ);
     void compileExtractCatchLocal(Node*);
     void compileClearCatchLocals(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4074 +4074 @@
         break;
     }
-    case HasGenericProperty: {
-        compileHasGenericProperty(node);
-        break;
-    }
-    case HasStructureProperty: {
-        compileHasStructureProperty(node);
+    case HasEnumerableStructureProperty: {
+        compileHasEnumerableStructureProperty(node);
+        break;
+    }
+    case HasEnumerableProperty: {
+        compileHasEnumerableProperty(node);
         break;
     }
@@ -4091 +4091 @@
     }
     case HasIndexedProperty: {
-        compileHasIndexedProperty(node);
+        compileHasIndexedProperty(node, operationHasIndexedProperty);
+        break;
+    }
+    case HasEnumerableIndexedProperty: {
+        compileHasIndexedProperty(node, operationHasEnumerableIndexedProperty);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -5121 +5121 @@
         break;
     }
-    case HasGenericProperty: {
-        compileHasGenericProperty(node);
-        break;
-    }
-    case HasStructureProperty: {
-        compileHasStructureProperty(node);
+    case HasEnumerableStructureProperty: {
+        compileHasEnumerableStructureProperty(node);
+        break;
+    }
+    case HasEnumerableProperty: {
+        compileHasEnumerableProperty(node);
         break;
     }
@@ -5138 +5138 @@
     }
     case HasIndexedProperty: {
-        compileHasIndexedProperty(node);
+        compileHasIndexedProperty(node, operationHasIndexedProperty);
+        break;
+    }
+    case HasEnumerableIndexedProperty: {
+        compileHasIndexedProperty(node, operationHasEnumerableIndexedProperty);
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -281 +281 @@
     case Int52Constant:
     case BooleanToNumber:
-    case HasGenericProperty:
-    case HasStructureProperty:
+    case HasIndexedProperty:
+    case HasEnumerableIndexedProperty:
+    case HasEnumerableStructureProperty:
+    case HasEnumerableProperty:
     case HasOwnStructureProperty:
     case InStructureProperty:
-    case HasIndexedProperty:
     case GetDirectPname:
     case GetEnumerableLength:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -1501 +1501 @@
             break;
         case HasIndexedProperty:
-            compileHasIndexedProperty();
-            break;
-        case HasGenericProperty:
-            compileHasGenericProperty();
-            break;
-        case HasStructureProperty:
-            compileHasStructureProperty();
+            compileHasIndexedProperty(operationHasIndexedProperty);
+            break;
+        case HasEnumerableIndexedProperty:
+            compileHasIndexedProperty(operationHasEnumerableIndexedProperty);
+            break;
+        case HasEnumerableStructureProperty:
+            compileHasEnumerableStructureProperty();
+            break;
+        case HasEnumerableProperty:
+            compileHasEnumerableProperty();
             break;
         case HasOwnStructureProperty:
@@ -12493 +12496 @@
     }
     
-    void compileHasIndexedProperty()
+    void compileHasIndexedProperty(S_JITOperation_GCZ slowPathOperation)
     {
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
@@ -12504 +12507 @@
         case Array::Contiguous: {
             LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
-            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
 
             IndexedAbstractHeap& heap = mode.type() == Array::Int32 ?
@@ -12535 +12537 @@
             m_out.appendTo(slowCase, continuation);
             ValueFromBlock slowResult = m_out.anchor(
-                m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
+                m_out.notZero64(vmCall(Int64, slowPathOperation, weakPointer(globalObject), base, index)));
             m_out.jump(continuation);
 
@@ -12544 +12546 @@
         case Array::Double: {
             LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
-            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
             
             IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
@@ -12574 +12575 @@
             m_out.appendTo(slowCase, continuation);
             ValueFromBlock slowResult = m_out.anchor(
-                m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
+                m_out.notZero64(vmCall(Int64, slowPathOperation, weakPointer(globalObject), base, index)));
             m_out.jump(continuation);
             
@@ -12584 +12585 @@
         case Array::ArrayStorage: {
             LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
-            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
 
             LBasicBlock slowCase = m_out.newBlock();
@@ -12612 +12612 @@
             m_out.appendTo(slowCase, continuation);
             ValueFromBlock slowResult = m_out.anchor(
-                m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
+                m_out.notZero64(vmCall(Int64, slowPathOperation, weakPointer(globalObject), base, index)));
             m_out.jump(continuation);
 
@@ -12621 +12621 @@
 
         default: {
-            LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
-            setBoolean(m_out.notZero64(vmCall(Int64, operationHasIndexedPropertyByInt, weakPointer(globalObject), base, index, internalMethodType)));
-            break;
-        }
-        }
-    }
-
-    void compileHasGenericProperty()
+            setBoolean(m_out.notZero64(vmCall(Int64, slowPathOperation, weakPointer(globalObject), base, index)));
+            break;
+        }
+        }
+    }
+
+    void compileHasEnumerableProperty()
     {
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
         LValue base = lowJSValue(m_node->child1());
         LValue property = lowCell(m_node->child2());
-        setJSValue(vmCall(Int64, operationHasGenericProperty, weakPointer(globalObject), base, property));
+        setJSValue(vmCall(Int64, operationHasEnumerableProperty, weakPointer(globalObject), base, property));
     }
 
@@ -12673 +12672 @@
     }
 
-    void compileHasStructureProperty()
-    {
-        compileHasStructurePropertyImpl(lowJSValue(m_node->child1()), operationHasGenericProperty);
+    void compileHasEnumerableStructureProperty()
+    {
+        compileHasStructurePropertyImpl(lowJSValue(m_node->child1()), operationHasEnumerableProperty);
     }
 

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -305 +305 @@
         DEFINE_SLOW_OP(spread)
         DEFINE_SLOW_OP(get_enumerable_length)
-        DEFINE_SLOW_OP(has_generic_property)
+        DEFINE_SLOW_OP(has_enumerable_property)
         DEFINE_SLOW_OP(get_property_enumerator)
         DEFINE_SLOW_OP(to_index_string)
@@ -464 +464 @@
         DEFINE_OP(op_put_to_arguments)
 
-        DEFINE_OP(op_has_structure_property)
+        DEFINE_OP(op_has_enumerable_indexed_property)
+        DEFINE_OP(op_has_enumerable_structure_property)
         DEFINE_OP(op_has_own_structure_property)
         DEFINE_OP(op_in_structure_property)
-        DEFINE_OP(op_has_indexed_property)
         DEFINE_OP(op_get_direct_pname)
         DEFINE_OP(op_enumerator_structure_pname)
@@ -593 +593 @@
         DEFINE_SLOWCASE_OP(op_del_by_id)
         DEFINE_SLOWCASE_OP(op_sub)
-        DEFINE_SLOWCASE_OP(op_has_indexed_property)
+        DEFINE_SLOWCASE_OP(op_has_enumerable_indexed_property)
         DEFINE_SLOWCASE_OP(op_get_from_scope)
         DEFINE_SLOWCASE_OP(op_put_to_scope)
@@ -626 +626 @@
         DEFINE_SLOWCASE_SLOW_OP(get_direct_pname)
         DEFINE_SLOWCASE_SLOW_OP(get_prototype_of)
-        DEFINE_SLOWCASE_SLOW_OP(has_structure_property)
+        DEFINE_SLOWCASE_SLOW_OP(has_enumerable_structure_property)
         DEFINE_SLOWCASE_SLOW_OP(has_own_structure_property)
         DEFINE_SLOWCASE_SLOW_OP(in_structure_property)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -666 +666 @@
         template <typename OpCodeType>
         void emit_op_has_structure_propertyImpl(const Instruction*);
-        void emit_op_has_structure_property(const Instruction*);
+        void emit_op_has_enumerable_indexed_property(const Instruction*);
+        void emit_op_has_enumerable_structure_property(const Instruction*);
         void emit_op_has_own_structure_property(const Instruction*);
         void emit_op_in_structure_property(const Instruction*);
-        void emit_op_has_indexed_property(const Instruction*);
         void emit_op_get_direct_pname(const Instruction*);
         void emit_op_enumerator_structure_pname(const Instruction*);
@@ -724 +724 @@
         void emitSlow_op_put_private_name(const Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_sub(const Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_has_indexed_property(const Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_has_enumerable_indexed_property(const Instruction*, Vector<SlowCaseEntry>::iterator&);
 
         void emit_op_resolve_scope(const Instruction*);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1393 +1393 @@
 }
 
-void JIT::emit_op_has_structure_property(const Instruction* currentInstruction)
-{
-    emit_op_has_structure_propertyImpl<OpHasStructureProperty>(currentInstruction);
+void JIT::emit_op_has_enumerable_structure_property(const Instruction* currentInstruction)
+{
+    emit_op_has_structure_propertyImpl<OpHasEnumerableStructureProperty>(currentInstruction);
 }
 
@@ -1435 +1435 @@
 }
 
-void JIT::emit_op_has_indexed_property(const Instruction* currentInstruction)
-{
-    auto bytecode = currentInstruction->as<OpHasIndexedProperty>();
+void JIT::emit_op_has_enumerable_indexed_property(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpHasEnumerableIndexedProperty>();
     auto& metadata = bytecode.metadata(m_codeBlock);
     VirtualRegister dst = bytecode.m_dst;
@@ -1482 +1482 @@
 }
 
-void JIT::emitSlow_op_has_indexed_property(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+void JIT::emitSlow_op_has_enumerable_indexed_property(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
     linkAllSlowCases(iter);
 
-    auto bytecode = currentInstruction->as<OpHasIndexedProperty>();
+    auto bytecode = currentInstruction->as<OpHasEnumerableIndexedProperty>();
     VirtualRegister dst = bytecode.m_dst;
     VirtualRegister base = bytecode.m_base;

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -1152 +1152 @@
 }
 
-void JIT::emit_op_has_structure_property(const Instruction* currentInstruction)
-{
-    emit_op_has_structure_propertyImpl<OpHasStructureProperty>(currentInstruction);
+void JIT::emit_op_has_enumerable_structure_property(const Instruction* currentInstruction)
+{
+    emit_op_has_structure_propertyImpl<OpHasEnumerableStructureProperty>(currentInstruction);
 }
 
@@ -1194 +1194 @@
 }
 
-void JIT::emit_op_has_indexed_property(const Instruction* currentInstruction)
-{
-    auto bytecode = currentInstruction->as<OpHasIndexedProperty>();
+void JIT::emit_op_has_enumerable_indexed_property(const Instruction* currentInstruction)
+{
+    auto bytecode = currentInstruction->as<OpHasEnumerableIndexedProperty>();
     auto& metadata = bytecode.metadata(m_codeBlock);
     VirtualRegister dst = bytecode.m_dst;
@@ -1241 +1241 @@
 }
 
-void JIT::emitSlow_op_has_indexed_property(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+void JIT::emitSlow_op_has_enumerable_indexed_property(const Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
     linkAllSlowCases(iter);
 
-    auto bytecode = currentInstruction->as<OpHasIndexedProperty>();
+    auto bytecode = currentInstruction->as<OpHasEnumerableIndexedProperty>();
     VirtualRegister dst = bytecode.m_dst;
     VirtualRegister base = bytecode.m_base;

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2446 +2446 @@
     if (!CommonSlowPaths::canAccessArgumentIndexQuickly(*object, index))
         byValInfo->arrayProfile->setOutOfBounds();
-    return JSValue::encode(jsBoolean(object->hasPropertyGeneric(globalObject, index, PropertySlot::InternalMethodType::GetOwnProperty)));
+    return JSValue::encode(jsBoolean(object->hasEnumerableProperty(globalObject, index)));
 }
     
@@ -2467 +2467 @@
     if (!CommonSlowPaths::canAccessArgumentIndexQuickly(*object, index))
         byValInfo->arrayProfile->setOutOfBounds();
-    return JSValue::encode(jsBoolean(object->hasPropertyGeneric(globalObject, index, PropertySlot::InternalMethodType::GetOwnProperty)));
+    return JSValue::encode(jsBoolean(object->hasEnumerableProperty(globalObject, index)));
 }
     

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -139 +139 @@
 using C_JITOperation_B_GJssJss = uintptr_t(JIT_OPERATION_ATTRIBUTES *)(JSGlobalObject*, JSString*, JSString*);
 using S_JITOperation_GC = size_t(JIT_OPERATION_ATTRIBUTES *)(JSGlobalObject*, JSCell*);
+using S_JITOperation_GCZ = size_t(JIT_OPERATION_ATTRIBUTES *)(JSGlobalObject*, JSCell*, int32_t);
 using S_JITOperation_GJJ = size_t(JIT_OPERATION_ATTRIBUTES *)(JSGlobalObject*, EncodedJSValue, EncodedJSValue);
 using V_JITOperation_GJJJ = void(JIT_OPERATION_ATTRIBUTES *)(JSGlobalObject*, EncodedJSValue, EncodedJSValue, EncodedJSValue);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -1973 +1973 @@
 slowPathOp(greater)
 slowPathOp(greatereq)
-slowPathOp(has_generic_property)
-slowPathOp(has_indexed_property)
+slowPathOp(has_enumerable_indexed_property)
+slowPathOp(has_enumerable_property)
 
 if not JSVALUE64
-    slowPathOp(has_structure_property)
+    slowPathOp(has_enumerable_structure_property)
     slowPathOp(has_own_structure_property)
     slowPathOp(in_structure_property)

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -3042 +3042 @@
 end
 
-llintOpWithReturn(op_has_structure_property, OpHasStructureProperty, macro (size, get, dispatch, return)
-    hasStructurePropertyImpl(size, get, dispatch,  return, _slow_path_has_structure_property)
+llintOpWithReturn(op_has_enumerable_structure_property, OpHasEnumerableStructureProperty, macro (size, get, dispatch, return)
+    hasStructurePropertyImpl(size, get, dispatch,  return, _slow_path_has_enumerable_structure_property)
 end)
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -1041 +1041 @@
 }
 
-JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_indexed_property)
-{
-    BEGIN();
-    auto bytecode = pc->as<OpHasIndexedProperty>();
+JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_enumerable_indexed_property)
+{
+    BEGIN();
+    auto bytecode = pc->as<OpHasEnumerableIndexedProperty>();
     auto& metadata = bytecode.metadata(codeBlock);
     JSObject* base = GET_C(bytecode.m_base).jsValue().toObject(globalObject);
@@ -1051 +1051 @@
     metadata.m_arrayProfile.observeStructure(base->structure(vm));
     ASSERT(property.isUInt32AsAnyInt());
-    RETURN(jsBoolean(base->hasPropertyGeneric(globalObject, property.asUInt32AsAnyInt(), PropertySlot::InternalMethodType::GetOwnProperty)));
-}
-
-JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_structure_property)
-{
-    BEGIN();
-    auto bytecode = pc->as<OpHasStructureProperty>();
+    RETURN(jsBoolean(base->hasEnumerableProperty(globalObject, property.asUInt32AsAnyInt())));
+}
+
+JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_enumerable_structure_property)
+{
+    BEGIN();
+    auto bytecode = pc->as<OpHasEnumerableStructureProperty>();
     JSObject* base = GET_C(bytecode.m_base).jsValue().toObject(globalObject);
     CHECK_EXCEPTION();
@@ -1070 +1070 @@
     auto propertyName = string->toIdentifier(globalObject);
     CHECK_EXCEPTION();
-    RETURN(jsBoolean(base->hasPropertyGeneric(globalObject, propertyName, PropertySlot::InternalMethodType::GetOwnProperty)));
+    RETURN(jsBoolean(base->hasEnumerableProperty(globalObject, propertyName)));
 }
 
@@ -1109 +1109 @@
 }
 
-JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_generic_property)
-{
-    BEGIN();
-    auto bytecode = pc->as<OpHasGenericProperty>();
+JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_enumerable_property)
+{
+    BEGIN();
+    auto bytecode = pc->as<OpHasEnumerableProperty>();
     JSObject* base = GET_C(bytecode.m_base).jsValue().toObject(globalObject);
     CHECK_EXCEPTION();
@@ -1120 +1120 @@
     auto propertyName = string->toIdentifier(globalObject);
     CHECK_EXCEPTION();
-    RETURN(jsBoolean(base->hasPropertyGeneric(globalObject, propertyName, PropertySlot::InternalMethodType::GetOwnProperty)));
+    RETURN(jsBoolean(base->hasEnumerableProperty(globalObject, propertyName)));
 }
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -260 +260 @@
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_to_property_key);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_get_enumerable_length);
-JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_generic_property);
-JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_structure_property);
+JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_enumerable_indexed_property);
+JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_enumerable_structure_property);
+JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_enumerable_property);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_own_structure_property);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_in_structure_property);
-JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_indexed_property);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_get_direct_pname);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_get_property_enumerator);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1988 +1988 @@
 }
 
-// HasProperty(O, P) from Section 7.3.10 of the spec.
-// http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasproperty
+// https://tc39.es/ecma262/#sec-hasproperty
 bool JSObject::hasProperty(JSGlobalObject* globalObject, PropertyName propertyName) const
 {
-    return hasPropertyGeneric(globalObject, propertyName, PropertySlot::InternalMethodType::HasProperty);
+    PropertySlot slot(this, PropertySlot::InternalMethodType::HasProperty);
+    return const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
 }
 
 bool JSObject::hasProperty(JSGlobalObject* globalObject, unsigned propertyName) const
 {
-    return hasPropertyGeneric(globalObject, propertyName, PropertySlot::InternalMethodType::HasProperty);
+    PropertySlot slot(this, PropertySlot::InternalMethodType::HasProperty);
+    return const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
 }
 
@@ -2008 +2009 @@
 }
 
-bool JSObject::hasPropertyGeneric(JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot::InternalMethodType internalMethodType) const
-{
-    PropertySlot slot(this, internalMethodType);
-    return const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
-}
-
-bool JSObject::hasPropertyGeneric(JSGlobalObject* globalObject, unsigned propertyName, PropertySlot::InternalMethodType internalMethodType) const
-{
-    PropertySlot slot(this, internalMethodType);
-    return const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
+bool JSObject::hasEnumerableProperty(JSGlobalObject* globalObject, PropertyName propertyName) const
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    PropertySlot slot(this, PropertySlot::InternalMethodType::GetOwnProperty);
+    bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
+    RETURN_IF_EXCEPTION(scope, false);
+    return hasProperty && !(slot.attributes() & PropertyAttribute::DontEnum);
+}
+
+bool JSObject::hasEnumerableProperty(JSGlobalObject* globalObject, unsigned propertyName) const
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    PropertySlot slot(this, PropertySlot::InternalMethodType::GetOwnProperty);
+    bool hasProperty = const_cast<JSObject*>(this)->getPropertySlot(globalObject, propertyName, slot);
+    RETURN_IF_EXCEPTION(scope, false);
+    return hasProperty && !(slot.attributes() & PropertyAttribute::DontEnum);
 }
 
@@ -2372 +2381 @@
 }
 
+// FIXME: Assert that properties returned by getOwnPropertyNames() are reported enumerable by getOwnPropertySlot().
+// https://bugs.webkit.org/show_bug.cgi?id=219926
 void JSObject::getPropertyNames(JSObject* object, JSGlobalObject* globalObject, PropertyNameArray& propertyNames, EnumerationMode mode)
 {

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -656 +656 @@
     JS_EXPORT_PRIVATE bool hasProperty(JSGlobalObject*, unsigned propertyName) const;
     bool hasProperty(JSGlobalObject*, uint64_t propertyName) const;
-    bool hasPropertyGeneric(JSGlobalObject*, PropertyName, PropertySlot::InternalMethodType) const;
-    bool hasPropertyGeneric(JSGlobalObject*, unsigned propertyName, PropertySlot::InternalMethodType) const;
+    bool hasEnumerableProperty(JSGlobalObject*, PropertyName) const;
+    bool hasEnumerableProperty(JSGlobalObject*, unsigned propertyName) const;
     bool hasOwnProperty(JSGlobalObject*, PropertyName, PropertySlot&) const;
     bool hasOwnProperty(JSGlobalObject*, PropertyName) const;

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-12-15  Alexey Shvayka  <shvaikalesh@gmail.com>
+
+        Non-enumerable property fails to shadow inherited enumerable property from for-in
+        https://bugs.webkit.org/show_bug.cgi?id=38970
+
+        Reviewed by Keith Miller.
+
+        Report RuntimeArray indices as [[Enumerable]].
+
+        Test: platform/mac/fast/dom/wrapper-classes-objc.html
+
+        * bridge/runtime_array.cpp:
+        (JSC::RuntimeArray::getOwnPropertySlot):
+        (JSC::RuntimeArray::getOwnPropertySlotByIndex):
+
 2020-12-15  Jer Noble  <jer.noble@apple.com>
 

trunk/Source/WebCore/bridge/runtime_array.cpp

@@ -101 +101 @@
     Optional<uint32_t> index = parseIndex(propertyName);
     if (index && index.value() < thisObject->getLength()) {
-        slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::DontEnum,
+        slot.setValue(thisObject, static_cast<unsigned>(PropertyAttribute::DontDelete),
             thisObject->getConcreteArray()->valueAt(lexicalGlobalObject, index.value()));
         return true;
@@ -113 +113 @@
     RuntimeArray* thisObject = jsCast<RuntimeArray*>(object);
     if (index < thisObject->getLength()) {
-        slot.setValue(thisObject, PropertyAttribute::DontDelete | PropertyAttribute::DontEnum,
+        slot.setValue(thisObject, static_cast<unsigned>(PropertyAttribute::DontDelete),
             thisObject->getConcreteArray()->valueAt(lexicalGlobalObject, index));
         return true;