Changeset 277926 in webkit

Timestamp:

May 22, 2021 8:50:06 PM (14 months ago)

Author:

Ross Kirsling

Message:

Support Ergonomic Brand Checks proposal (#x in obj)
​https://bugs.webkit.org/show_bug.cgi?id=221093

Reviewed by Caio Araujo Neponoceno de Lima.

JSTests:

• stress/private-in.js: Added.
• test262/config.yaml: Add feature flag.

Source/JavaScriptCore:

This patch implements the following Stage 3 proposal (behind a runtime option):
​https://github.com/tc39/proposal-private-fields-in-in

Specifically, it extends the in keyword to allow the LHS to be a private name,
thereby allowing users to implement Array.isArray-esque brand checks for their own classes
*without* having to wrap a private member get in a try-catch.

For example:
`
class C {

#x;
static isC(obj) { return #x in obj; }

}
`

This is done by adding two new bytecode ops, HasPrivateName and HasPrivateBrand. For the moment,
these are implemented without fast paths, as we should do so for InByVal first and then have these follow suit.

• bytecode/BytecodeList.rb:
• bytecode/BytecodeUseDef.cpp:

(JSC::computeUsesForBytecodeIndexImpl):
(JSC::computeDefsForBytecodeIndexImpl):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitHasPrivateName):
(JSC::BytecodeGenerator::emitHasPrivateBrand):
(JSC::BytecodeGenerator::emitCheckPrivateBrand):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::InNode::emitBytecode):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileHasPrivateName):
(JSC::DFG::SpeculativeJIT::compileHasPrivateBrand):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateName):
(JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateBrand):

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):

• jit/JITOperations.cpp:

(JSC::JSC_DEFINE_JIT_OPERATION):

• jit/JITOperations.h:
• llint/LowLevelInterpreter.asm:
• parser/ASTBuilder.h:

(JSC::ASTBuilder::createPrivateIdentifierNode):

• parser/NodeConstructors.h:

(JSC::PrivateIdentifierNode::PrivateIdentifierNode):

• parser/Nodes.h:

(JSC::ExpressionNode::isPrivateIdentifier const):

• parser/Parser.cpp:

(JSC::Parser<LexerType>::parseBinaryExpression):

• parser/SyntaxChecker.h:

(JSC::SyntaxChecker::createPrivateIdentifierNode):

• parser/VariableEnvironment.h:
• runtime/CommonSlowPaths.cpp:

(JSC::JSC_DEFINE_COMMON_SLOW_PATH):

• runtime/CommonSlowPaths.h:
• runtime/JSObject.h:
• runtime/JSObjectInlines.h:

(JSC::JSObject::hasPrivateField):
(JSC::JSObject::hasPrivateBrand):
(JSC::JSObject::checkPrivateBrand):

• runtime/OptionsList.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/private-in.js (added)
• JSTests/test262/config.yaml (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.rb (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter.asm (modified) (1 diff)
• Source/JavaScriptCore/parser/ASTBuilder.h (modified) (1 diff)
• Source/JavaScriptCore/parser/NodeConstructors.h (modified) (1 diff)
• Source/JavaScriptCore/parser/Nodes.h (modified) (2 diffs)
• Source/JavaScriptCore/parser/Parser.cpp (modified) (1 diff)
• Source/JavaScriptCore/parser/SyntaxChecker.h (modified) (2 diffs)
• Source/JavaScriptCore/parser/VariableEnvironment.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObjectInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/OptionsList.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2021-05-22  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Support Ergonomic Brand Checks proposal (`#x in obj`)
+        https://bugs.webkit.org/show_bug.cgi?id=221093
+
+        Reviewed by Caio Araujo Neponoceno de Lima.
+
+        * stress/private-in.js: Added.
+        * test262/config.yaml: Add feature flag.
+
 2021-05-21  Angelos Oikonomopoulos  <angelos@igalia.com>
 

trunk/JSTests/test262/config.yaml

@@ -6 +6 @@
   class-fields-private: usePrivateClassFields
   class-methods-private: usePrivateMethods
+  class-fields-private-in: usePrivateIn
   class-static-fields-public: usePublicStaticClassFields
   class-static-fields-private: usePrivateStaticClassFields
@@ -24 +25 @@
     - legacy-regexp
     - cleanupSome
-    # https://bugs.webkit.org/show_bug.cgi?id=221093
-    - class-fields-private-in
   paths:
   files:

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2021-05-22  Ross Kirsling  <ross.kirsling@sony.com>
+
+        Support Ergonomic Brand Checks proposal (`#x in obj`)
+        https://bugs.webkit.org/show_bug.cgi?id=221093
+
+        Reviewed by Caio Araujo Neponoceno de Lima.
+
+        This patch implements the following Stage 3 proposal (behind a runtime option):
+        https://github.com/tc39/proposal-private-fields-in-in
+
+        Specifically, it extends the `in` keyword to allow the LHS to be a private name,
+        thereby allowing users to implement Array.isArray-esque brand checks for their own classes
+        *without* having to wrap a private member get in a try-catch.
+
+        For example:
+        ```
+        class C {
+            #x;
+            static isC(obj) { return #x in obj; }
+        }
+        ```
+
+        This is done by adding two new bytecode ops, HasPrivateName and HasPrivateBrand. For the moment,
+        these are implemented without fast paths, as we should do so for InByVal first and then have these follow suit.
+
+        * bytecode/BytecodeList.rb:
+        * bytecode/BytecodeUseDef.cpp:
+        (JSC::computeUsesForBytecodeIndexImpl):
+        (JSC::computeDefsForBytecodeIndexImpl):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitHasPrivateName):
+        (JSC::BytecodeGenerator::emitHasPrivateBrand):
+        (JSC::BytecodeGenerator::emitCheckPrivateBrand):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::InNode::emitBytecode):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileHasPrivateName):
+        (JSC::DFG::SpeculativeJIT::compileHasPrivateBrand):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateName):
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasPrivateBrand):
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        * jit/JITOperations.cpp:
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        * jit/JITOperations.h:
+        * llint/LowLevelInterpreter.asm:
+        * parser/ASTBuilder.h:
+        (JSC::ASTBuilder::createPrivateIdentifierNode):
+        * parser/NodeConstructors.h:
+        (JSC::PrivateIdentifierNode::PrivateIdentifierNode):
+        * parser/Nodes.h:
+        (JSC::ExpressionNode::isPrivateIdentifier const):
+        * parser/Parser.cpp:
+        (JSC::Parser<LexerType>::parseBinaryExpression):
+        * parser/SyntaxChecker.h:
+        (JSC::SyntaxChecker::createPrivateIdentifierNode):
+        * parser/VariableEnvironment.h:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::JSC_DEFINE_COMMON_SLOW_PATH):
+        * runtime/CommonSlowPaths.h:
+        * runtime/JSObject.h:
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::hasPrivateField):
+        (JSC::JSObject::hasPrivateBrand):
+        (JSC::JSObject::checkPrivateBrand):
+        * runtime/OptionsList.h:
+
 2021-05-22  Chris Dumez  <cdumez@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/BytecodeList.rb

@@ -455 +455 @@
     }
 
+op :has_private_name,
+    args: {
+        dst: VirtualRegister,
+        base: VirtualRegister,
+        property: VirtualRegister,
+    }
+
+op :has_private_brand,
+    args: {
+        dst: VirtualRegister,
+        base: VirtualRegister,
+        brand: VirtualRegister,
+    }
+
 op :get_by_id,
     args: {
@@ -609 +623 @@
         brand: WriteBarrier[JSCell],
     }
-    
 
 op :put_by_val,

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp

@@ -233 +233 @@
     USES(OpCheckPrivateBrand, base, brand)
     USES(OpInByVal, base, property)
+    USES(OpHasPrivateName, base, property)
+    USES(OpHasPrivateBrand, base, brand)
     USES(OpOverridesHasInstance, constructor, hasInstanceValue)
     USES(OpInstanceof, value, prototype)
@@ -510 +512 @@
     DEFS(OpInById, dst)
     DEFS(OpInByVal, dst)
+    DEFS(OpHasPrivateName, dst)
+    DEFS(OpHasPrivateBrand, dst)
     DEFS(OpToNumber, dst)
     DEFS(OpToNumeric, dst)

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2725 +2725 @@
 }
 
+RegisterID* BytecodeGenerator::emitHasPrivateName(RegisterID* dst, RegisterID* base, RegisterID* property)
+{
+    OpHasPrivateName::emit(this, dst, base, property);
+    return dst;
+}
+
 RegisterID* BytecodeGenerator::emitDirectPutByVal(RegisterID* base, RegisterID* property, RegisterID* value)
 {
@@ -2797 +2803 @@
 }
 
+RegisterID* BytecodeGenerator::emitHasPrivateBrand(RegisterID* dst, RegisterID* base, RegisterID* brand, bool isStatic)
+{
+    if (isStatic) {
+        Ref<Label> isObjectLabel = newLabel();
+        emitJumpIfTrue(emitIsObject(newTemporary(), base), isObjectLabel.get());
+        emitThrowTypeError("Cannot access static private method or accessor of a non-Object");
+        emitLabel(isObjectLabel.get());
+        emitEqualityOp<OpStricteq>(dst, base, brand);
+    } else
+        OpHasPrivateBrand::emit(this, dst, base, brand);
+    return dst;
+}
+
 void BytecodeGenerator::emitCheckPrivateBrand(RegisterID* base, RegisterID* brand, bool isStatic)
 {
@@ -2802 +2821 @@
         Ref<Label> brandCheckOkLabel = newLabel();
         emitJumpIfTrue(emitEqualityOp<OpStricteq>(newTemporary(), base, brand), brandCheckOkLabel.get());
-        emitThrowTypeError("Cannot access static private method or acessor");
+        emitThrowTypeError("Cannot access static private method or accessor");
         emitLabel(brandCheckOkLabel.get());
         return;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -841 +841 @@
         RegisterID* emitPrivateFieldPut(RegisterID* base, RegisterID* property, RegisterID* value);
         RegisterID* emitGetPrivateName(RegisterID* dst, RegisterID* base, RegisterID* property);
+        RegisterID* emitHasPrivateName(RegisterID* dst, RegisterID* base, RegisterID* property);
 
         void emitCreatePrivateBrand(RegisterID* dst, const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd);
@@ -847 +848 @@
 
         RegisterID* emitGetPrivateBrand(RegisterID* dst, RegisterID* scope, bool isStatic);
+        RegisterID* emitHasPrivateBrand(RegisterID* dst, RegisterID* base, RegisterID* brand, bool isStatic);
         void emitCheckPrivateBrand(RegisterID* base, RegisterID* brand, bool isStatic);
 

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -3207 +3207 @@
 RegisterID* InNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {
+    if (m_expr1->isPrivateIdentifier()) {
+        RefPtr<RegisterID> base = generator.emitNode(m_expr2);
+
+        auto identifier = static_cast<PrivateIdentifierNode*>(m_expr1)->value();
+        auto privateTraits = generator.getPrivateTraits(identifier);
+        Variable var = generator.variable(identifier);
+        RefPtr<RegisterID> scope = generator.emitResolveScope(nullptr, var);
+
+        if (privateTraits.isField()) {
+            RefPtr<RegisterID> privateName = generator.emitGetFromScope(generator.newTemporary(), scope.get(), var, DoNotThrowIfNotFound);
+            return generator.emitHasPrivateName(generator.finalDestination(dst, base.get()), base.get(), privateName.get());
+        }
+
+        ASSERT(privateTraits.isPrivateMethodOrAccessor());
+        RefPtr<RegisterID> privateBrand = generator.emitGetPrivateBrand(generator.newTemporary(), scope.get(), privateTraits.isStatic());
+        return generator.emitHasPrivateBrand(generator.finalDestination(dst, base.get()), base.get(), privateBrand.get(), privateTraits.isStatic());
+    }
+
     if (isNonIndexStringElement(*m_expr1)) {
         RefPtr<RegisterID> base = generator.emitNode(m_expr2);

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -4213 +4213 @@
     }
 
+    case HasPrivateName:
+    case HasPrivateBrand: {
+        clobberWorld();
+        filter(node->child1(), SpecObject);
+        filter(node->child2(), SpecSymbol);
+        setNonCellTypeForNode(node, SpecBoolean);
+        break;
+    }
+
     case HasOwnProperty: {
         clobberWorld();

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -8258 +8258 @@
             NEXT_OPCODE(op_in_by_id);
         }
+        
+        case op_has_private_name: {
+            // FIXME: Improve this once InByVal has been optimized.
+            // https://bugs.webkit.org/show_bug.cgi?id=226146
+            auto bytecode = currentInstruction->as<OpHasPrivateName>();
+            set(bytecode.m_dst, addToGraph(HasPrivateName, get(bytecode.m_base), get(bytecode.m_property)));
+            NEXT_OPCODE(op_has_private_name);
+        }
+
+        case op_has_private_brand: {
+            // FIXME: Improve this once InByVal has been optimized.
+            // https://bugs.webkit.org/show_bug.cgi?id=226146
+            auto bytecode = currentInstruction->as<OpHasPrivateBrand>();
+            set(bytecode.m_dst, addToGraph(HasPrivateBrand, get(bytecode.m_base), get(bytecode.m_brand)));
+            NEXT_OPCODE(op_has_private_brand);
+        }
 
         case op_get_enumerable_length: {

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -251 +251 @@
     case op_in_by_val:
     case op_in_by_id:
+    case op_has_private_name:
+    case op_has_private_brand:
     case op_get_scope:
     case op_get_from_scope:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -707 +707 @@
     case InByVal:
     case InById:
+    case HasPrivateName:
+    case HasPrivateBrand:
     case HasOwnProperty:
     case ValueNegate:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -308 +308 @@
     case InById:
     case InByVal:
+    case HasPrivateName:
+    case HasPrivateBrand:
     case InstanceOf:
     case InstanceOfCustom:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2104 +2104 @@
 
             fixEdge<CellUse>(node->child1());
+            break;
+        }
+
+        case HasPrivateName:
+        case HasPrivateBrand: {
+            fixEdge<CellUse>(node->child1());
+            fixEdge<SymbolUse>(node->child2());
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -432 +432 @@
     macro(InByVal, NodeResultBoolean | NodeMustGenerate) \
     macro(InById, NodeResultBoolean | NodeMustGenerate) \
+    macro(HasPrivateName, NodeResultBoolean | NodeMustGenerate) \
+    macro(HasPrivateBrand, NodeResultBoolean | NodeMustGenerate) \
     macro(ProfileType, NodeMustGenerate) \
     macro(ProfileControlFlow, NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -1205 +1205 @@
             break;
 
+        case GetEnumerableLength: {
+            setPrediction(SpecInt32Only);
+            break;
+        }
         case InByVal:
         case InById:
-            setPrediction(SpecBoolean);
-            break;
-
+        case HasPrivateName:
+        case HasPrivateBrand:
         case HasOwnProperty:
-            setPrediction(SpecBoolean);
-            break;
-
-        case GetEnumerableLength: {
-            setPrediction(SpecInt32Only);
-            break;
-        }
         case HasOwnStructureProperty:
         case InStructureProperty:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -592 +592 @@
     case InByVal:
     case InById:
+    case HasPrivateName:
+    case HasPrivateBrand:
     case HasOwnProperty:
     case PushWithScope:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -1279 +1279 @@
     JSValueRegs resultRegs = result.regs();
     callOperation(operationInByVal, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, regs);
+    m_jit.exceptionCheck();
+    blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
+}
+
+void SpeculativeJIT::compileHasPrivateName(Node* node)
+{
+    SpeculateCellOperand base(this, node->child1());
+    SpeculateCellOperand key(this, node->child2());
+
+    GPRReg baseGPR = base.gpr();
+    GPRReg keyGPR = key.gpr();
+
+    speculateSymbol(node->child2(), keyGPR);
+
+    base.use();
+    key.use();
+
+    flushRegisters();
+    JSValueRegsFlushedCallResult result(this);
+    JSValueRegs resultRegs = result.regs();
+    callOperation(operationHasPrivateName, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, CCallHelpers::CellValue(keyGPR));
+    m_jit.exceptionCheck();
+    blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
+}
+
+void SpeculativeJIT::compileHasPrivateBrand(Node* node)
+{
+    SpeculateCellOperand base(this, node->child1());
+    SpeculateCellOperand brand(this, node->child2());
+
+    GPRReg baseGPR = base.gpr();
+    GPRReg brandGPR = brand.gpr();
+
+    speculateSymbol(node->child2(), brandGPR);
+
+    base.use();
+    brand.use();
+
+    flushRegisters();
+    JSValueRegsFlushedCallResult result(this);
+    JSValueRegs resultRegs = result.regs();
+    callOperation(operationHasPrivateBrand, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseGPR, CCallHelpers::CellValue(brandGPR));
     m_jit.exceptionCheck();
     blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -739 +739 @@
     void compileInById(Node*);
     void compileInByVal(Node*);
+    void compileHasPrivateName(Node*);
+    void compileHasPrivateBrand(Node*);
     
     void nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operand);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3984 +3984 @@
     case InByVal:
         compileInByVal(node);
+        break;
+
+    case HasPrivateName:
+        compileHasPrivateName(node);
+        break;
+
+    case HasPrivateBrand:
+        compileHasPrivateBrand(node);
         break;
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4951 +4951 @@
     case InByVal:
         compileInByVal(node);
+        break;
+
+    case HasPrivateName:
+        compileHasPrivateName(node);
+        break;
+
+    case HasPrivateBrand:
+        compileHasPrivateBrand(node);
         break;
 

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -244 +244 @@
     case InByVal:
     case InById:
+    case HasPrivateName:
+    case HasPrivateBrand:
     case HasOwnProperty:
     case IsCellWithType:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -963 +963 @@
             compileInByVal();
             break;
+        case HasPrivateName:
+            compileHasPrivateName();
+            break;
+        case HasPrivateBrand:
+            compileHasPrivateBrand();
+            break;
         case CheckPrivateBrand:
             compileCheckPrivateBrand();
@@ -12213 +12219 @@
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
         setJSValue(vmCall(Int64, operationInByVal, weakPointer(globalObject), lowCell(m_node->child1()), lowJSValue(m_node->child2())));
+    }
+    
+    void compileHasPrivateName()
+    {
+        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
+        setJSValue(vmCall(Int64, operationHasPrivateName, weakPointer(globalObject), lowCell(m_node->child1()), lowSymbol(m_node->child2())));
+    }
+
+    void compileHasPrivateBrand()
+    {
+        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
+        setJSValue(vmCall(Int64, operationHasPrivateBrand, weakPointer(globalObject), lowCell(m_node->child1()), lowSymbol(m_node->child2())));
     }
 

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -282 +282 @@
         switch (opcodeID) {
         DEFINE_SLOW_OP(in_by_val)
+        DEFINE_SLOW_OP(has_private_name)
+        DEFINE_SLOW_OP(has_private_brand)
         DEFINE_SLOW_OP(less)
         DEFINE_SLOW_OP(lesseq)

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -463 +463 @@
 
     return JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(globalObject, base, JSValue::decode(key))));
+}
+
+JSC_DEFINE_JIT_OPERATION(operationHasPrivateName, EncodedJSValue, (JSGlobalObject* globalObject, JSCell* base, EncodedJSValue key))
+{
+    SuperSamplerScope superSamplerScope(false);
+    
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    if (!base->isObject()) {
+        throwException(globalObject, scope, createInvalidInParameterError(globalObject, base));
+        return encodedJSValue();
+    }
+
+    JSValue propertyValue = JSValue::decode(key);
+    ASSERT(propertyValue.isSymbol());
+    auto property = propertyValue.toPropertyKey(globalObject);
+    EXCEPTION_ASSERT(!scope.exception());
+
+    return JSValue::encode(jsBoolean(asObject(base)->hasPrivateField(globalObject, property)));
+}
+
+JSC_DEFINE_JIT_OPERATION(operationHasPrivateBrand, EncodedJSValue, (JSGlobalObject* globalObject, JSCell* base, EncodedJSValue brand))
+{
+    SuperSamplerScope superSamplerScope(false);
+    
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+
+    auto scope = DECLARE_THROW_SCOPE(vm);
+    if (!base->isObject()) {
+        throwException(globalObject, scope, createInvalidInParameterError(globalObject, base));
+        return encodedJSValue();
+    }
+
+    return JSValue::encode(jsBoolean(asObject(base)->hasPrivateBrand(globalObject, JSValue::decode(brand))));
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -179 +179 @@
 
 JSC_DECLARE_JIT_OPERATION(operationInByVal, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
+JSC_DECLARE_JIT_OPERATION(operationHasPrivateName, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
+JSC_DECLARE_JIT_OPERATION(operationHasPrivateBrand, EncodedJSValue, (JSGlobalObject*, JSCell*, EncodedJSValue));
 
 JSC_DECLARE_JIT_OPERATION(operationPutByIdStrict, void, (JSGlobalObject*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, uintptr_t));

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter.asm

@@ -2012 +2012 @@
 
 slowPathOp(in_by_val)
+slowPathOp(has_private_name)
+slowPathOp(has_private_brand)
 slowPathOp(is_callable)
 slowPathOp(is_constructor)

trunk/Source/JavaScriptCore/parser/ASTBuilder.h

@@ -208 +208 @@
         return new (m_parserArena) ResolveNode(location, ident, start);
     }
+    ExpressionNode* createPrivateIdentifierNode(const JSTokenLocation& location, const Identifier& ident)
+    {
+        return new (m_parserArena) PrivateIdentifierNode(location, ident);
+    }
     ExpressionNode* createObjectLiteral(const JSTokenLocation& location) { return new (m_parserArena) ObjectLiteralNode(location); }
     ExpressionNode* createObjectLiteral(const JSTokenLocation& location, PropertyListNode* properties) { return new (m_parserArena) ObjectLiteralNode(location, properties); }

trunk/Source/JavaScriptCore/parser/NodeConstructors.h

@@ -210 +210 @@
     }
 
+    inline PrivateIdentifierNode::PrivateIdentifierNode(const JSTokenLocation& location, const Identifier& ident)
+        : ExpressionNode(location)
+        , m_ident(ident)
+    {
+    }
+
     inline ElementNode::ElementNode(int elision, ExpressionNode* node)
         : m_node(node)

trunk/Source/JavaScriptCore/parser/Nodes.h

@@ -214 +214 @@
         virtual bool isDeleteNode() const { return false; }
         virtual bool isOptionalChain() const { return false; }
+        virtual bool isPrivateIdentifier() const { return false; }
 
         virtual void emitBytecodeInConditionContext(BytecodeGenerator&, Label&, Label&, FallThroughMode);
@@ -682 +683 @@
         const Identifier& m_ident;
         JSTextPosition m_start;
+    };
+
+    // Dummy expression to hold the LHS of `#x in obj`.
+    class PrivateIdentifierNode final : public ExpressionNode {
+    public:
+        PrivateIdentifierNode(const JSTokenLocation&, const Identifier&);
+
+        const Identifier& value() const { return m_ident; }
+
+    private:
+        RegisterID* emitBytecode(BytecodeGenerator&, RegisterID* = nullptr) final { RELEASE_ASSERT_NOT_REACHED(); }
+
+        bool isPrivateIdentifier() const final { return true; }
+
+        const Identifier& m_ident;
     };
 

trunk/Source/JavaScriptCore/parser/Parser.cpp

@@ -4234 +4234 @@
         int initialAssignments = m_parserState.assignmentCount;
         JSTokenType leadingTokenTypeForUnaryExpression = m_token.m_type;
-        TreeExpression current = parseUnaryExpression(context);
+
+        TreeExpression current = 0;
+        if (Options::usePrivateIn() && match(PRIVATENAME)) {
+            const Identifier* ident = m_token.m_data.ident;
+            ASSERT(ident);
+            semanticFailIfFalse(usePrivateName(ident), "Cannot reference private names outside of class");
+            currentScope()->useVariable(ident, false);
+            next();
+            semanticFailIfTrue(m_token.m_type != INTOKEN, "Bare private name can only be used as the left-hand side of an `in` expression");
+            current = context.createPrivateIdentifierNode(location, *ident);
+        } else
+            current = parseUnaryExpression(context);
         failIfFalse(current, "Cannot parse expression");
 

trunk/Source/JavaScriptCore/parser/SyntaxChecker.h

@@ -86 +86 @@
         TemplateExpressionListResult, TemplateExpr,
         TaggedTemplateExpr, YieldExpr, AwaitExpr,
-        ModuleNameResult,
+        ModuleNameResult, PrivateIdentifier,
         ImportSpecifierResult, ImportSpecifierListResult,
         ExportSpecifierResult, ExportSpecifierListResult,
@@ -169 +169 @@
     ALWAYS_INLINE bool isImportMeta(ExpressionType type) { return type == ImportMetaExpr; }
     ExpressionType createResolve(const JSTokenLocation&, const Identifier&, int, int) { return ResolveExpr; }
+    ExpressionType createPrivateIdentifierNode(const JSTokenLocation&, const Identifier&) { return PrivateIdentifier; }
     ExpressionType createObjectLiteral(const JSTokenLocation&) { return ObjectLiteralExpr; }
     ExpressionType createObjectLiteral(const JSTokenLocation&, int) { return ObjectLiteralExpr; }

trunk/Source/JavaScriptCore/parser/VariableEnvironment.h

@@ -110 +110 @@
     ALWAYS_INLINE bool isSetter() const { return m_bits & IsSetter; }
     ALWAYS_INLINE bool isGetter() const { return m_bits & IsGetter; }
-    ALWAYS_INLINE bool isField() const { return !isPrivateMethodOrAcessor(); }
+    ALWAYS_INLINE bool isField() const { return !isPrivateMethodOrAccessor(); }
     ALWAYS_INLINE bool isStatic() const { return m_bits & IsStatic; }
 
-    bool isPrivateMethodOrAcessor() const { return isMethod() || isSetter() || isGetter(); }
+    bool isPrivateMethodOrAccessor() const { return isMethod() || isSetter() || isGetter(); }
 
     ALWAYS_INLINE void setIsUsed() { m_bits |= IsUsed; }
@@ -275 +275 @@
 
         for (auto entry : privateNames()) {
-            if (entry.value.isPrivateMethodOrAcessor() && entry.value.isStatic())
+            if (entry.value.isPrivateMethodOrAccessor() && entry.value.isStatic())
                 return true;
         }
@@ -288 +288 @@
         
         for (auto entry : privateNames()) {
-            if (entry.value.isPrivateMethodOrAcessor() && !entry.value.isStatic())
+            if (entry.value.isPrivateMethodOrAccessor() && !entry.value.isStatic())
                 return true;
         }

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -839 +839 @@
 }
 
+JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_private_name)
+{
+    BEGIN();
+
+    auto bytecode = pc->as<OpHasPrivateName>();
+    auto baseValue = GET_C(bytecode.m_base).jsValue();
+    if (!baseValue.isObject())
+        THROW(createInvalidInParameterError(globalObject, baseValue));
+
+    auto propertyValue = GET_C(bytecode.m_property).jsValue();
+    ASSERT(propertyValue.isSymbol());
+    auto property = propertyValue.toPropertyKey(globalObject);
+    EXCEPTION_ASSERT(!throwScope.exception());
+
+    RETURN(jsBoolean(asObject(baseValue)->hasPrivateField(globalObject, property)));
+}
+
+JSC_DEFINE_COMMON_SLOW_PATH(slow_path_has_private_brand)
+{
+    BEGIN();
+
+    auto bytecode = pc->as<OpHasPrivateBrand>();
+    auto baseValue = GET_C(bytecode.m_base).jsValue();
+    if (!baseValue.isObject())
+        THROW(createInvalidInParameterError(globalObject, baseValue));
+
+    RETURN(jsBoolean(asObject(baseValue)->hasPrivateBrand(globalObject, GET_C(bytecode.m_brand).jsValue())));
+}
+
 template<OpcodeSize width>
 ALWAYS_INLINE SlowPathReturnType iteratorOpenTryFastImpl(VM& vm, JSGlobalObject* globalObject, CodeBlock* codeBlock, CallFrame* callFrame, const Instruction* pc)

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -253 +253 @@
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_is_constructor);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_in_by_val);
+JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_private_name);
+JSC_DECLARE_COMMON_SLOW_PATH(slow_path_has_private_brand);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_strcat);
 JSC_DECLARE_COMMON_SLOW_PATH(slow_path_to_primitive);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -180 +180 @@
 
     static bool getPrivateFieldSlot(JSObject*, JSGlobalObject*, PropertyName, PropertySlot&);
+    inline bool hasPrivateField(JSGlobalObject*, PropertyName);
     inline bool getPrivateField(JSGlobalObject*, PropertyName, PropertySlot&);
     inline void setPrivateField(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
     inline void definePrivateField(JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
-    inline bool checkPrivateBrand(JSGlobalObject*, JSValue brand);
+    inline bool hasPrivateBrand(JSGlobalObject*, JSValue brand);
+    inline void checkPrivateBrand(JSGlobalObject*, JSValue brand);
     inline void setPrivateBrand(JSGlobalObject*, JSValue brand);
 

trunk/Source/JavaScriptCore/runtime/JSObjectInlines.h

@@ -616 +616 @@
 }
 
+inline bool JSObject::hasPrivateField(JSGlobalObject* globalObject, PropertyName propertyName)
+{
+    ASSERT(propertyName.isPrivateName());
+    VM& vm = getVM(globalObject);
+    unsigned attributes;
+    return structure(vm)->get(vm, propertyName, attributes) != invalidOffset;
+}
+
 inline bool JSObject::getPrivateField(JSGlobalObject* globalObject, PropertyName propertyName, PropertySlot& slot)
 {
@@ -677 +685 @@
 }
 
-inline bool JSObject::checkPrivateBrand(JSGlobalObject* globalObject, JSValue brand)
-{
-    ASSERT(brand.isSymbol());
-    VM& vm = getVM(globalObject);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
+inline bool JSObject::hasPrivateBrand(JSGlobalObject* globalObject, JSValue brand)
+{
+    ASSERT(brand.isSymbol() && asSymbol(brand)->uid().isPrivate());
+    VM& vm = getVM(globalObject);
     Structure* structure = this->structure(vm);
-    if (!structure->isBrandedStructure() || !jsCast<BrandedStructure*>(structure)->checkBrand(asSymbol(brand))) {
+    return structure->isBrandedStructure() && jsCast<BrandedStructure*>(structure)->checkBrand(asSymbol(brand));
+}
+
+inline void JSObject::checkPrivateBrand(JSGlobalObject* globalObject, JSValue brand)
+{
+    ASSERT(brand.isSymbol() && asSymbol(brand)->uid().isPrivate());
+    VM& vm = getVM(globalObject);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    Structure* structure = this->structure(vm);
+    if (!structure->isBrandedStructure() || !jsCast<BrandedStructure*>(structure)->checkBrand(asSymbol(brand)))
         throwException(globalObject, scope, createPrivateMethodAccessError(globalObject));
-        RELEASE_AND_RETURN(scope, false);
-    }
-    EXCEPTION_ASSERT(!scope.exception());
-
-    return true;
 }
 
 inline void JSObject::setPrivateBrand(JSGlobalObject* globalObject, JSValue brand)
 {
-    ASSERT(brand.isSymbol());
+    ASSERT(brand.isSymbol() && asSymbol(brand)->uid().isPrivate());
     VM& vm = getVM(globalObject);
     auto scope = DECLARE_THROW_SCOPE(vm);

trunk/Source/JavaScriptCore/runtime/OptionsList.h

@@ -522 +522 @@
     v(Bool, usePrivateClassFields, true, Normal, "If true, the parser will understand private data fields inside classes.") \
     v(Bool, usePrivateMethods, true, Normal, "If true, the parser will understand private methods inside classes.") \
+    v(Bool, usePrivateIn, false, Normal, "If true, the parser will understand private member existence checks with the `in` operator.") \
     v(Bool, useWebAssemblyStreaming, true, Normal, "Allow to run WebAssembly's Streaming API") \
     v(Bool, useWebAssemblyReferences, true, Normal, "Allow types from the wasm references spec.") \