Changeset 193974 in webkit

Timestamp:

Dec 11, 2015 1:43:45 PM (8 years ago)

Author:

keith_miller@apple.com

Message:

[ES6] Add support for Symbol.hasInstance
​https://bugs.webkit.org/show_bug.cgi?id=151839

Reviewed by Saam Barati.

Source/JavaScriptCore:

This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
needs non-default behavior for resolving the expression. i.e. The constructor has a Symbol.hasInstance that differs from the one on
Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. insntanceof_custom, just
emits a call to slow path code that computes the result.

In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
it into a CheckTypeInfoFlags followed by a JSConstant.

• API/JSCallbackObject.h:
• builtins/FunctionPrototype.js:

(symbolHasInstance):

• bytecode/BytecodeBasicBlock.cpp:

(JSC::isBranch): Deleted.

• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

• bytecode/ExitKind.cpp:

(JSC::exitKindToString):

• bytecode/ExitKind.h:
• bytecode/PreciseJumpTargets.cpp:

(JSC::getJumpTargetsForBytecodeOffset): Deleted.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitOverridesHasInstance):
(JSC::BytecodeGenerator::emitInstanceOfCustom):
(JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::InstanceOfNode::emitBytecode):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

• dfg/DFGHeapLocation.h:
• dfg/DFGNode.h:

(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::hasTypeInfoOperand):
(JSC::DFG::Node::typeInfoOperand):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
(JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLIntrinsicRepository.h:
• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITInlines.h:

(JSC::JIT::callOperation):

• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• llint/LLIntSlowPaths.h:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonIdentifiers.h:
• runtime/ExceptionHelpers.cpp:

(JSC::invalidParameterInstanceofSourceAppender):
(JSC::invalidParameterInstanceofNotFunctionSourceAppender):
(JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
(JSC::createInvalidInstanceofParameterErrorNotFunction):
(JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
(JSC::createInvalidInstanceofParameterError): Deleted.

• runtime/ExceptionHelpers.h:
• runtime/FunctionPrototype.cpp:

(JSC::FunctionPrototype::addFunctionProperties):

• runtime/FunctionPrototype.h:
• runtime/JSBoundFunction.cpp:

(JSC::isBoundFunction):
(JSC::hasInstanceBoundFunction):

• runtime/JSBoundFunction.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):

• runtime/JSObject.cpp:

(JSC::JSObject::hasInstance):
(JSC::objectPrivateFuncInstanceOf):

• runtime/JSObject.h:
• runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesHasInstance):

• runtime/WriteBarrier.h:

(JSC::WriteBarrierBase<Unknown>::slot):

• tests/es6.yaml:
• tests/stress/instanceof-custom-hasinstancesymbol.js: Added.

(Constructor):
(value):
(instanceOf):
(body):

• tests/stress/symbol-hasInstance.js: Added.

(Constructor):
(value):
(ObjectClass.Symbol.hasInstance):
(NumberClass.Symbol.hasInstance):

LayoutTests:

Fix tests to reflect the changes to instanceof in ES6.

Added a new regression test for bound functions in instanceof
as the perfomance on bound functions should, to some degree,
reflect the performance on C-API users.

• js/Object-getOwnPropertyNames-expected.txt:
• js/exception-for-nonobject-expected.txt:
• js/exception-instanceof-expected.txt:
• js/instance-of-immediates-expected.txt:
• js/regress/instanceof-bound-expected.txt: Added.
• js/regress/instanceof-bound.html: Added.
• js/regress/script-tests/instanceof-bound.js: Added.

(Constructor):
(test):

• js/script-tests/Object-getOwnPropertyNames.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/Object-getOwnPropertyNames-expected.txt (modified) (1 diff)
• LayoutTests/js/exception-for-nonobject-expected.txt (modified) (1 diff)
• LayoutTests/js/exception-instanceof-expected.txt (modified) (1 diff)
• LayoutTests/js/instance-of-immediates-expected.txt (modified) (1 diff)
• LayoutTests/js/regress/instanceof-bound-expected.txt (added)
• LayoutTests/js/regress/instanceof-bound.html (added)
• LayoutTests/js/regress/script-tests/instanceof-bound.js (added)
• LayoutTests/js/script-tests/Object-getOwnPropertyNames.js (modified) (1 diff)
• Source/JavaScriptCore/API/JSCallbackObject.h (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/builtins/FunctionPrototype.js (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.h (modified) (3 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/ExitKind.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/ExitKind.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGHeapLocation.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (5 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (4 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (3 diffs)
• Source/JavaScriptCore/llint/LLIntData.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (2 diffs)
• Source/JavaScriptCore/llint/LLIntSlowPaths.h (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CommonIdentifiers.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/ExceptionHelpers.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/ExceptionHelpers.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/FunctionPrototype.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/FunctionPrototype.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBoundFunction.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBoundFunction.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (5 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/WriteBarrier.h (modified) (1 diff)
• Source/JavaScriptCore/tests/es6.yaml (modified) (1 diff)
• Source/JavaScriptCore/tests/stress/instanceof-custom-hasinstancesymbol.js (added)
• Source/JavaScriptCore/tests/stress/symbol-hasInstance.js (added)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-11  Keith Miller  <keith_miller@apple.com>
+
+        [ES6] Add support for Symbol.hasInstance
+        https://bugs.webkit.org/show_bug.cgi?id=151839
+
+        Reviewed by Saam Barati.
+
+        Fix tests to reflect the changes to instanceof in ES6.
+
+        Added a new regression test for bound functions in instanceof
+        as the perfomance on bound functions should, to some degree,
+        reflect the performance on C-API users.
+
+        * js/Object-getOwnPropertyNames-expected.txt:
+        * js/exception-for-nonobject-expected.txt:
+        * js/exception-instanceof-expected.txt:
+        * js/instance-of-immediates-expected.txt:
+        * js/regress/instanceof-bound-expected.txt: Added.
+        * js/regress/instanceof-bound.html: Added.
+        * js/regress/script-tests/instanceof-bound.js: Added.
+        (Constructor):
+        (test):
+        * js/script-tests/Object-getOwnPropertyNames.js:
+
 2015-12-11  Ryan Haddad  <ryanhaddad@apple.com>
 

trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt

@@ -62 +62 @@
 PASS getSortedOwnPropertyNames(Math) is ['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']
 PASS getSortedOwnPropertyNames(JSON) is ['parse', 'stringify']
-PASS getSortedOwnPropertyNames(Symbol) is ['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
+PASS getSortedOwnPropertyNames(Symbol) is ['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
 PASS getSortedOwnPropertyNames(Symbol.prototype) is ['constructor', 'toString', 'valueOf']
 PASS globalPropertyNames.indexOf('NaN') != -1 is true

trunk/LayoutTests/js/exception-for-nonobject-expected.txt

@@ -5 +5 @@
 
 PASS new {}.undefined threw exception TypeError: undefined is not a constructor (evaluating 'new {}.undefined').
-PASS 1 instanceof {}.undefined threw exception TypeError: {}.undefined is not a function. (evaluating '1 instanceof {}.undefined').
+PASS 1 instanceof {}.undefined threw exception TypeError: Right hand side of instanceof is not an object.
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/exception-instanceof-expected.txt

@@ -4 +4 @@
 
 
-PASS 'instanceof' instanceof    'instanceof' threw exception TypeError: "instanceof" is not a function. (evaluating ''instanceof' instanceof    'instanceof'').
-PASS 20 instanceof     'hello'   threw exception TypeError: 'hello' is not a function. (evaluating '20 instanceof     'hello'').
+PASS 'instanceof' instanceof    'instanceof' threw exception TypeError: Right hand side of instanceof is not an object.
+PASS 20 instanceof     'hello'   threw exception TypeError: Right hand side of instanceof is not an object.
 PASS 20 instanceof     {}   threw exception TypeError: {} is not a function. (evaluating '20 instanceof     {}').
-PASS 20 instanceof     {}.foo  threw exception TypeError: {}.foo is not a function. (evaluating '20 instanceof     {}.foo').
-PASS 20 instanceof     true       threw exception TypeError: true is not a function. (evaluating '20 instanceof     true').
+PASS 20 instanceof     {}.foo  threw exception TypeError: Right hand side of instanceof is not an object.
+PASS 20 instanceof     true       threw exception TypeError: Right hand side of instanceof is not an object.
 PASS successfullyParsed is true
 

trunk/LayoutTests/js/instance-of-immediates-expected.txt

@@ -4 +4 @@
 
 
-PASS (1 instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '1 instanceof 1').
-PASS ({} instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '{} instanceof 1').
-PASS (obj instanceof 1) threw exception TypeError: 1 is not a function. (evaluating 'obj instanceof 1').
+PASS (1 instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
+PASS ({} instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
+PASS (obj instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
 PASS (1 instanceof {}) threw exception TypeError: {} is not a function. (evaluating '1 instanceof {}').
 PASS ({} instanceof {}) threw exception TypeError: {} is not a function. (evaluating '{} instanceof {}').

trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js

@@ -71 +71 @@
     "Math": "['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']",
     "JSON": "['parse', 'stringify']",
-    "Symbol": "['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
+    "Symbol": "['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
     "Symbol.prototype": "['constructor', 'toString', 'valueOf']"
 };

trunk/Source/JavaScriptCore/API/JSCallbackObject.h

@@ -128 +128 @@
 public:
     typedef Parent Base;
-    static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
+    static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstanceFlag | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
 
     ~JSCallbackObject();

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-12-11  Keith Miller  <keith_miller@apple.com>
+
+        [ES6] Add support for Symbol.hasInstance
+        https://bugs.webkit.org/show_bug.cgi?id=151839
+
+        Reviewed by Saam Barati.
+
+        This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
+        regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
+        when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
+        then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
+        new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
+        a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
+        needs non-default behavior for resolving the expression. i.e. The constructor has a Symbol.hasInstance that differs from the one on
+        Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
+        we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. insntanceof_custom, just
+        emits a call to slow path code that computes the result.
+
+        In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
+        OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
+        it into a CheckTypeInfoFlags followed by a JSConstant.
+
+        * API/JSCallbackObject.h:
+        * builtins/FunctionPrototype.js:
+        (symbolHasInstance):
+        * bytecode/BytecodeBasicBlock.cpp:
+        (JSC::isBranch): Deleted.
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpBytecode):
+        * bytecode/ExitKind.cpp:
+        (JSC::exitKindToString):
+        * bytecode/ExitKind.h:
+        * bytecode/PreciseJumpTargets.cpp:
+        (JSC::getJumpTargetsForBytecodeOffset): Deleted.
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitOverridesHasInstance):
+        (JSC::BytecodeGenerator::emitInstanceOfCustom):
+        (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::InstanceOfNode::emitBytecode):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGHeapLocation.cpp:
+        (WTF::printInternal):
+        * dfg/DFGHeapLocation.h:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::hasCellOperand):
+        (JSC::DFG::Node::hasTypeInfoOperand):
+        (JSC::DFG::Node::typeInfoOperand):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
+        (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLIntrinsicRepository.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        * jit/JITInlines.h:
+        (JSC::JIT::callOperation):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_overrides_has_instance):
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emit_op_instanceof_custom):
+        (JSC::JIT::emitSlow_op_instanceof):
+        (JSC::JIT::emitSlow_op_instanceof_custom):
+        (JSC::JIT::emit_op_check_has_instance): Deleted.
+        (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_overrides_has_instance):
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emit_op_instanceof_custom):
+        (JSC::JIT::emitSlow_op_instanceof_custom):
+        (JSC::JIT::emit_op_check_has_instance): Deleted.
+        (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * llint/LLIntData.cpp:
+        (JSC::LLInt::Data::performAssertions):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LLIntSlowPaths.h:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonIdentifiers.h:
+        * runtime/ExceptionHelpers.cpp:
+        (JSC::invalidParameterInstanceofSourceAppender):
+        (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
+        (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
+        (JSC::createInvalidInstanceofParameterErrorNotFunction):
+        (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
+        (JSC::createInvalidInstanceofParameterError): Deleted.
+        * runtime/ExceptionHelpers.h:
+        * runtime/FunctionPrototype.cpp:
+        (JSC::FunctionPrototype::addFunctionProperties):
+        * runtime/FunctionPrototype.h:
+        * runtime/JSBoundFunction.cpp:
+        (JSC::isBoundFunction):
+        (JSC::hasInstanceBoundFunction):
+        * runtime/JSBoundFunction.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::hasInstance):
+        (JSC::objectPrivateFuncInstanceOf):
+        * runtime/JSObject.h:
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::TypeInfo):
+        (JSC::TypeInfo::overridesHasInstance):
+        * runtime/WriteBarrier.h:
+        (JSC::WriteBarrierBase<Unknown>::slot):
+        * tests/es6.yaml:
+        * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
+        (Constructor):
+        (value):
+        (instanceOf):
+        (body):
+        * tests/stress/symbol-hasInstance.js: Added.
+        (Constructor):
+        (value):
+        (ObjectClass.Symbol.hasInstance):
+        (NumberClass.Symbol.hasInstance):
+
 2015-12-11  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js

@@ -37 +37 @@
     return this.@apply(thisValue, argumentValues);
 }
+
+// FIXME: this should have a different name: https://bugs.webkit.org/show_bug.cgi?id=151363
+function symbolHasInstance(value)
+{
+    "use strict";
+
+    if (typeof this !== "function")
+        return false;
+
+    if (@isBoundFunction(this))
+        return @hasInstanceBoundFunction(this, value);
+
+    let target = this.prototype;
+    return @instanceOf(value, target);
+}

trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp

@@ -59 +59 @@
     case op_switch_char:
     case op_switch_string:
-    case op_check_has_instance:
     case op_save:
         return true;

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -46 +46 @@
             { "name" : "op_bitxor", "length" : 5 },
             { "name" : "op_bitor", "length" : 5 },
-            { "name" : "op_check_has_instance", "length" : 5 },
+            { "name" : "op_overrides_has_instance", "length" : 4 },
             { "name" : "op_instanceof", "length" : 4 },
+            { "name" : "op_instanceof_custom", "length" : 5 },
             { "name" : "op_typeof", "length" : 3 },
             { "name" : "op_is_undefined", "length" : 3 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -170 +170 @@
     case op_in:
     case op_instanceof:
-    case op_check_has_instance:
     case op_add:
     case op_mul:
@@ -196 +195 @@
         return;
     }
+    case op_overrides_has_instance:
+    case op_instanceof_custom:
     case op_has_structure_property:
     case op_construct_varargs:
@@ -351 +352 @@
     case op_get_by_id:
     case op_get_array_length:
-    case op_check_has_instance:
+    case op_overrides_has_instance:
     case op_instanceof:
+    case op_instanceof_custom:
     case op_get_by_val:
     case op_typeof:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1014 +1014 @@
             break;
         }
-        case op_check_has_instance: {
+        case op_overrides_has_instance: {
             int r0 = (++it)->u.operand;
             int r1 = (++it)->u.operand;
             int r2 = (++it)->u.operand;
-            int offset = (++it)->u.operand;
-            printLocationAndOp(out, exec, location, it, "check_has_instance");
-            out.printf("%s, %s, %s, %d(->%d)", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), offset, location + offset);
+            printLocationAndOp(out, exec, location, it, "overrides_has_instance");
+            out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
             break;
         }
@@ -1029 +1028 @@
             printLocationAndOp(out, exec, location, it, "instanceof");
             out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
+            break;
+        }
+        case op_instanceof_custom: {
+            int r0 = (++it)->u.operand;
+            int r1 = (++it)->u.operand;
+            int r2 = (++it)->u.operand;
+            int r3 = (++it)->u.operand;
+            printLocationAndOp(out, exec, location, it, "instanceof_custom");
+            out.printf("%s, %s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), registerName(r3).data());
             break;
         }

trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

@@ -51 +51 @@
     case BadIndexingType:
         return "BadIndexingType";
+    case BadTypeInfoFlags:
+        return "BadTypeInfoFlags";
     case Overflow:
         return "Overflow";

trunk/Source/JavaScriptCore/bytecode/ExitKind.h

@@ -38 +38 @@
     BadConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
     BadIndexingType, // We exited because an indexing type was wrong.
+    BadTypeInfoFlags, // We exited because we made an incorrect assumption about what TypeInfo flags we would see.
     Overflow, // We exited because of overflow.
     NegativeZero, // We exited because we encountered negative zero.

trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp

@@ -75 +75 @@
         break;
     }
-    case op_check_has_instance:
-        out.append(bytecodeOffset + current[4].u.operand);
-        break;
     case op_loop_hint:
         out.append(bytecodeOffset);

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -2100 +2100 @@
 }
 
-void BytecodeGenerator::emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target)
-{
-    size_t begin = instructions().size();
-    emitOpcode(op_check_has_instance);
+RegisterID* BytecodeGenerator::emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue)
+{
+    emitOpcode(op_overrides_has_instance);
     instructions().append(dst->index());
-    instructions().append(value->index());
-    instructions().append(base->index());
-    instructions().append(target->bind(begin, instructions().size()));
+    instructions().append(constructor->index());
+    instructions().append(hasInstanceValue->index());
+    return dst;
 }
 
@@ -2271 +2270 @@
     instructions().append(value->index());
     instructions().append(basePrototype->index());
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue)
+{
+    emitOpcode(op_instanceof_custom);
+    instructions().append(dst->index());
+    instructions().append(value->index());
+    instructions().append(constructor->index());
+    instructions().append(hasInstanceValue->index());
     return dst;
 }

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -535 +535 @@
         RegisterID* emitDec(RegisterID* srcDst);
 
-        void emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target);
+        RegisterID* emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue);
         RegisterID* emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype);
+        RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
         RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
         RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base) { return emitBinaryOp(op_in, dst, property, base, OperandTypes()); }

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1660 +1660 @@
 RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
 {
-    RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
-    RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
+    RefPtr<RegisterID> hasInstanceValue = generator.newTemporary();
+    RefPtr<RegisterID> isObject = generator.newTemporary();
+    RefPtr<RegisterID> isCustom = generator.newTemporary();
     RefPtr<RegisterID> prototype = generator.newTemporary();
-    RefPtr<RegisterID> dstReg = generator.finalDestination(dst, src1.get());
-    RefPtr<Label> target = generator.newLabel();
+    RefPtr<RegisterID> value = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
+    RefPtr<RegisterID> constructor = generator.emitNode(m_expr2);
+    RefPtr<RegisterID> dstReg = generator.finalDestination(dst, value.get());
+    RefPtr<Label> custom = generator.newLabel();
+    RefPtr<Label> done = generator.newLabel();
+    RefPtr<Label> typeError = generator.newLabel();
 
     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
-    generator.emitCheckHasInstance(dstReg.get(), src1.get(), src2.get(), target.get());
+    generator.emitIsObject(isObject.get(), constructor.get());
+    generator.emitJumpIfFalse(isObject.get(), typeError.get());
 
     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
-    generator.emitGetById(prototype.get(), src2.get(), generator.vm()->propertyNames->prototype);
+    generator.emitGetById(hasInstanceValue.get(), constructor.get(), generator.vm()->propertyNames->hasInstanceSymbol);
 
     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
-    RegisterID* result = generator.emitInstanceOf(dstReg.get(), src1.get(), prototype.get());
-    generator.emitLabel(target.get());
-    return result;
+    generator.emitOverridesHasInstance(isCustom.get(), constructor.get(), hasInstanceValue.get());
+
+    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+    generator.emitJumpIfTrue(isCustom.get(), custom.get());
+
+    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+    generator.emitGetById(prototype.get(), constructor.get(), generator.vm()->propertyNames->prototype);
+
+    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+    generator.emitInstanceOf(dstReg.get(), value.get(), prototype.get());
+
+    generator.emitJump(done.get());
+
+    generator.emitLabel(typeError.get());
+    generator.emitThrowTypeError("Right hand side of instanceof is not an object");
+
+    generator.emitLabel(custom.get());
+
+    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+    generator.emitInstanceOfCustom(dstReg.get(), value.get(), constructor.get(), hasInstanceValue.get());
+
+    generator.emitLabel(done.get());
+
+    return dstReg.get();
 }
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2449 +2449 @@
         break;
             
-    case CheckHasInstance:
-        // Sadly, we don't propagate the fact that we've done CheckHasInstance
+    case OverridesHasInstance:
+        forNode(node).setType(SpecBoolean);
         break;
             
     case InstanceOf:
-        // Again, sadly, we don't propagate the fact that we've done InstanceOf
+        // Sadly, we don't propagate the fact that we've done InstanceOf
+        forNode(node).setType(SpecBoolean);
+        break;
+
+    case InstanceOfCustom:
+        clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(SpecBoolean);
         break;
@@ -2511 +2516 @@
     case CheckTierUpInLoop:
     case CheckTierUpAtReturn:
+    case CheckTypeInfoFlags:
         break;
 

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3498 +3498 @@
         }
 
-        case op_check_has_instance:
-            addToGraph(CheckHasInstance, get(VirtualRegister(currentInstruction[3].u.operand)));
-            NEXT_OPCODE(op_check_has_instance);
+        case op_overrides_has_instance: {
+            JSFunction* defaultHasInstanceSymbolFunction = m_inlineStackTop->m_codeBlock->globalObjectFor(currentCodeOrigin())->functionProtoHasInstanceSymbolFunction();
+
+            Node* constructor = get(VirtualRegister(currentInstruction[2].u.operand));
+            Node* hasInstanceValue = get(VirtualRegister(currentInstruction[3].u.operand));
+
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
+            NEXT_OPCODE(op_overrides_has_instance);
+        }
 
         case op_instanceof: {
@@ -3508 +3514 @@
             NEXT_OPCODE(op_instanceof);
         }
-            
+
+        case op_instanceof_custom: {
+            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+            Node* constructor = get(VirtualRegister(currentInstruction[3].u.operand));
+            Node* hasInstanceValue = get(VirtualRegister(currentInstruction[4].u.operand));
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOfCustom, value, constructor, hasInstanceValue));
+            NEXT_OPCODE(op_instanceof_custom);
+        }
+
         case op_is_undefined: {
             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -129 +129 @@
     case op_profile_control_flow:
     case op_mov:
-    case op_check_has_instance:
+    case op_overrides_has_instance:
     case op_instanceof:
+    case op_instanceof_custom:
     case op_is_undefined:
     case op_is_boolean:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -728 +728 @@
         return;
 
-    case CheckHasInstance:
+    case CheckTypeInfoFlags:
         read(JSCell_typeInfoFlags);
-        def(HeapLocation(CheckHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
+        def(HeapLocation(CheckTypeInfoFlagsLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
+        return;
+
+    case OverridesHasInstance:
+        read(JSCell_typeInfoFlags);
+        def(HeapLocation(OverridesHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
         return;
 
@@ -736 +741 @@
         read(JSCell_structureID);
         def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
+        return;
+
+    case InstanceOfCustom:
+        read(World);
+        write(Heap);
         return;
 

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -142 +142 @@
     case ProfileType:
     case ProfileControlFlow:
-    case CheckHasInstance:
+    case OverridesHasInstance:
     case InstanceOf:
+    case InstanceOfCustom:
     case IsUndefined:
     case IsBoolean:
@@ -181 +182 @@
     case ConstantStoragePointer:
     case Check:
+    case CheckTypeInfoFlags:
     case MultiGetByOffset:
     case ValueRep:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1101 +1101 @@
             break;
         }
+
+        case OverridesHasInstance: {
+            if (node->child2().node()->isCellConstant()) {
+                if (node->child2().node()->asCell() != m_graph.globalObjectFor(node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
+
+                    m_graph.convertToConstant(node, jsBoolean(true));
+                    break;
+                }
+
+                if (!m_graph.hasExitSite(node->origin.semantic, BadTypeInfoFlags)) {
+                    // Here we optimistically assume that we will not see an bound/C-API function here.
+                    m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckTypeInfoFlags, node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(node->child1().node(), CellUse));
+                    m_graph.convertToConstant(node, jsBoolean(false));
+                    break;
+                }
+            }
+
+            fixEdge<CellUse>(node->child1());
+            break;
+        }
             
         case CheckStructure:
         case CheckCell:
-        case CheckHasInstance:
         case CreateThis:
         case GetButterfly:
@@ -1165 +1184 @@
             break;
         }
-            
+
+        case InstanceOfCustom:
+            fixEdge<CellUse>(node->child2());
+            break;
+
         case In: {
             // FIXME: We should at some point have array profiling on op_in, in which
@@ -1411 +1434 @@
         case VarInjectionWatchpoint:
         case Call:
+        case CheckTypeInfoFlags:
         case TailCallInlinedCaller:
         case Construct:

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp

@@ -96 +96 @@
         out.print("ButterflyReadOnlyLoc");
         return;
-        
-    case CheckHasInstanceLoc:
-        out.print("CheckHasInstanceLoc");
+
+    case CheckTypeInfoFlagsLoc:
+        out.print("CheckTypeInfoFlagsLoc");
+        return;
+
+    case OverridesHasInstanceLoc:
+        out.print("OverridesHasInstanceLoc");
         return;
         

trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h

@@ -41 +41 @@
     ButterflyLoc,
     ButterflyReadOnlyLoc,
-    CheckHasInstanceLoc,
+    CheckTypeInfoFlagsLoc,
+    OverridesHasInstanceLoc,
     ClosureVariableLoc,
     DirectArgumentsLoc,

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -1355 +1355 @@
         switch (op()) {
         case CheckCell:
+        case OverridesHasInstance:
         case NewFunction:
         case NewArrowFunction:
@@ -1414 +1415 @@
         ASSERT(hasUidOperand());
         return reinterpret_cast<UniquedStringImpl*>(m_opInfo);
+    }
+
+    bool hasTypeInfoOperand()
+    {
+        return op() == CheckTypeInfoFlags;
+    }
+
+    unsigned typeInfoOperand()
+    {
+        ASSERT(hasTypeInfoOperand() && m_opInfo <= UCHAR_MAX);
+        return static_cast<unsigned>(m_opInfo);
     }
 

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -222 +222 @@
     macro(CheckInBounds, NodeMustGenerate) \
     macro(CheckIdent, NodeMustGenerate) \
+    macro(CheckTypeInfoFlags, NodeMustGenerate) /* Takes an OpInfo with the flags you want to test are set */\
     \
     /* Optimizations for array mutation. */\
@@ -279 +280 @@
     macro(ProfileWillCall, NodeMustGenerate) \
     macro(ProfileDidCall, NodeMustGenerate) \
-    macro(CheckHasInstance, NodeMustGenerate) \
+    macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
     macro(InstanceOf, NodeResultBoolean) \
+    macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
     macro(IsUndefined, NodeResultBoolean) \
     macro(IsBoolean, NodeResultBoolean) \

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -403 +403 @@
         case CompareEq:
         case CompareStrictEq:
+        case OverridesHasInstance:
         case InstanceOf:
+        case InstanceOfCustom:
         case IsUndefined:
         case IsBoolean:
@@ -570 +572 @@
         case GetLocalUnlinked:
         case CheckArray:
+        case CheckTypeInfoFlags:
         case Arrayify:
         case ArrayifyToStructure:
@@ -681 +684 @@
         case ProfileType:
         case ProfileControlFlow:
-        case CheckHasInstance:
         case ThrowReferenceError:
         case ForceOSRExit:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -242 +242 @@
     case ProfileType:
     case ProfileControlFlow:
-    case CheckHasInstance:
+    case CheckTypeInfoFlags:
+    case OverridesHasInstance:
     case InstanceOf:
+    case InstanceOfCustom:
     case IsUndefined:
     case IsBoolean:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -2739 +2739 @@
 }
 
+void SpeculativeJIT::compileCheckTypeInfoFlags(Node* node)
+{
+    SpeculateCellOperand base(this, node->child1());
+
+    GPRReg baseGPR = base.gpr();
+
+    speculationCheck(BadTypeInfoFlags, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(node->typeInfoOperand())));
+
+    noResult(node);
+}
+
 void SpeculativeJIT::compileInstanceOf(Node* node)
 {
@@ -2949 +2960 @@
     jsValueResult(resultRegs, node);
     return;
+}
+
+void SpeculativeJIT::compileInstanceOfCustom(Node* node)
+{
+    // We could do something smarter here but this case is currently super rare and unless
+    // Symbol.hasInstance becomes popular will likely remain that way.
+
+    JSValueOperand value(this, node->child1());
+    SpeculateCellOperand constructor(this, node->child2());
+    JSValueOperand hasInstanceValue(this, node->child3());
+    GPRTemporary result(this);
+
+    JSValueRegs valueRegs = value.jsValueRegs();
+    GPRReg constructorGPR = constructor.gpr();
+    JSValueRegs hasInstanceRegs = hasInstanceValue.jsValueRegs();
+    GPRReg resultGPR = result.gpr();
+
+    MacroAssembler::Jump slowCase = m_jit.jump();
+
+    addSlowPathGenerator(slowPathCall(slowCase, this, operationInstanceOfCustom, resultGPR, valueRegs, constructorGPR, hasInstanceRegs));
+
+    unblessedBooleanResult(resultGPR, node);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -728 +728 @@
     void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg, GPRReg scratch2Reg);
     void compileInstanceOf(Node*);
+    void compileInstanceOfCustom(Node*);
     
     void emitCall(Node*);
@@ -1512 +1513 @@
         return appendCallSetResult(operation, result);
     }
+
+    JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+        return appendCallSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+    {
+        return callOperation(operation, result, arg1.payloadGPR(), arg2, arg3.payloadGPR());
+    }
+
     JITCompiler::Call callOperation(Z_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, unsigned arg2)
     {
@@ -1831 +1843 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2, EABI_32BIT_DUMMY_ARG SH4_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
         return appendCall(operation);
+    }
+
+    JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
+    {
+        m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+        return appendCallSetResult(operation, result);
+    }
+    JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+    {
+        return callOperation(operation, result, arg1.tagGPR(), arg1.payloadGPR(), arg2, arg3.tagGPR(), arg3.payloadGPR());
     }
 
@@ -2205 +2227 @@
     void compileGetArrayLength(Node*);
 
+    void compileCheckTypeInfoFlags(Node*);
     void compileCheckIdent(Node*);
     

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4160 +4160 @@
     }
 
-    case CheckHasInstance: {
+    case CheckTypeInfoFlags: {
+        compileCheckTypeInfoFlags(node);
+        break;
+    }
+
+    case OverridesHasInstance: {
+
+        Node* hasInstanceValueNode = node->child2().node();
+        JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+        MacroAssembler::Jump notDefaulthasInstanceValue;
+        MacroAssembler::Jump hasInstanceValueNotCell;
         SpeculateCellOperand base(this, node->child1());
-        GPRTemporary structure(this);
-
-        // Speculate that base 'ImplementsDefaultHasInstance'.
-        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
-            MacroAssembler::Zero, 
-            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), 
-            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
-
-        noResult(node);
+        JSValueOperand hasInstanceValue(this, node->child2());
+        GPRTemporary result(this);
+
+        GPRReg resultGPR = result.gpr();
+
+        // If we have proven that the constructor's Symbol.hasInstance will always be the one on
+        // Function.prototype[Symbol.hasInstance] then we don't need a runtime check here. We don't worry
+        // about the case where the constructor's Symbol.hasInstance is a constant but is not the default
+        // one as fixup should have converted this check to true.
+        ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+        if (!hasInstanceValueNode->isCellConstant()) {
+
+            JSValueRegs hasInstanceValueRegs = hasInstanceValue.jsValueRegs();
+            hasInstanceValueNotCell = m_jit.branchIfNotCell(hasInstanceValueRegs);
+            notDefaulthasInstanceValue = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueRegs.payloadGPR(), TrustedImmPtr(defaultHasInstanceFunction));
+        }
+
+        // Check that constructor 'ImplementsDefaultHasInstance'.
+        m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+        MacroAssembler::Jump done = m_jit.jump();
+
+        if (!hasInstanceValueNode->isCellConstant()) {
+            hasInstanceValueNotCell.link(&m_jit);
+            notDefaulthasInstanceValue.link(&m_jit);
+            moveTrueTo(resultGPR);
+        }
+
+        done.link(&m_jit);
+        booleanResult(resultGPR, node);
         break;
     }
@@ -4176 +4207 @@
     case InstanceOf: {
         compileInstanceOf(node);
+        break;
+    }
+
+    case InstanceOfCustom: {
+        compileInstanceOfCustom(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4150 +4150 @@
     }
 
-    case CheckHasInstance: {
+    case CheckTypeInfoFlags: {
+        compileCheckTypeInfoFlags(node);
+        break;
+    }
+
+    case OverridesHasInstance: {
+
+        Node* hasInstanceValueNode = node->child2().node();
+        JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+        MacroAssembler::Jump notDefault;
         SpeculateCellOperand base(this, node->child1());
-        GPRTemporary structure(this);
-
-        // Speculate that base 'ImplementsDefaultHasInstance'.
-        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
-            MacroAssembler::Zero, 
-            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), 
-            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
-
-        noResult(node);
+        JSValueOperand hasInstanceValue(this, node->child2());
+        GPRTemporary result(this);
+
+        GPRReg resultGPR = result.gpr();
+
+        // If we have proven that the constructor's Symbol.hasInstance will always be the one on Function.prototype[Symbol.hasInstance]
+        // then we don't need a runtime check here. We don't worry about the case where the constructor's Symbol.hasInstance is a constant
+        // but is not the default one as fixup should have converted this check to true.
+        ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+        if (!hasInstanceValueNode->isCellConstant())
+            notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
+
+        // Check that base 'ImplementsDefaultHasInstance'.
+        m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+        m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
+        MacroAssembler::Jump done = m_jit.jump();
+
+        if (notDefault.isSet()) {
+            notDefault.link(&m_jit);
+            moveTrueTo(resultGPR);
+        }
+
+        done.link(&m_jit);
+        jsValueResult(resultGPR, node, DataFormatJSBoolean);
         break;
     }
@@ -4166 +4191 @@
     case InstanceOf: {
         compileInstanceOf(node);
+        break;
+    }
+
+    case InstanceOfCustom: {
+        compileInstanceOfCustom(node);
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -175 +175 @@
     case IsObjectOrNull:
     case IsFunction:
-    case CheckHasInstance:
+    case CheckTypeInfoFlags:
+    case OverridesHasInstance:
     case InstanceOf:
+    case InstanceOfCustom:
     case DoubleRep:
     case ValueRep:

trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h

@@ -129 +129 @@
     macro(Z_JITOperation_EC, functionType(int32, intPtr, intPtr)) \
     macro(Z_JITOperation_EGC, functionType(int32, intPtr, intPtr, intPtr)) \
+    macro(Z_JITOperation_EJOJ, functionType(int32, intPtr, int64, intPtr, int64)) \
     macro(Z_JITOperation_EJZ, functionType(int32, intPtr, int64, int32)) \
     macro(Z_JITOperation_ESJss, functionType(int32, intPtr, intPtr, int64)) \

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -942 +942 @@
             compileTypeOf();
             break;
-        case CheckHasInstance:
-            compileCheckHasInstance();
+        case CheckTypeInfoFlags:
+            compileCheckTypeInfoFlags();
+            break;
+        case OverridesHasInstance:
+            compileOverridesHasInstance();
             break;
         case InstanceOf:
             compileInstanceOf();
+            break;
+        case InstanceOfCustom:
+            compileInstanceOfCustom();
             break;
         case CountExecution:
@@ -5716 +5722 @@
     }
 
-    void compileCheckHasInstance()
+    void compileOverridesHasInstance()
+    {
+        JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(m_node->cellOperand()->value());
+
+        LValue constructor = lowCell(m_node->child1());
+        LValue hasInstance = lowJSValue(m_node->child2());
+
+        LBasicBlock defaultHasInstance = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance Symbol.hasInstance is default"));
+        LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance continuation"));
+
+        // Unlike in the DFG, we don't worry about cleaning this code up for the case where we have proven the hasInstanceValue is a constant as LLVM should fix it for us.
+
+        ASSERT(!m_node->child2().node()->isCellConstant() || defaultHasInstanceFunction == m_node->child2().node()->asCell());
+
+        ValueFromBlock notDefaultHasInstanceResult = m_out.anchor(m_out.booleanTrue);
+        m_out.branch(m_out.notEqual(hasInstance, m_out.constIntPtr(defaultHasInstanceFunction)), unsure(continuation), unsure(defaultHasInstance));
+
+        LBasicBlock lastNext = m_out.appendTo(defaultHasInstance, continuation);
+        ValueFromBlock implementsDefaultHasInstanceResult = m_out.anchor(m_out.testIsZero32(
+            m_out.load8ZeroExt32(constructor, m_heaps.JSCell_typeInfoFlags),
+            m_out.constInt32(ImplementsDefaultHasInstance)));
+        m_out.jump(continuation);
+
+        m_out.appendTo(continuation, lastNext);
+        setBoolean(m_out.phi(m_out.boolean, implementsDefaultHasInstanceResult, notDefaultHasInstanceResult));
+    }
+
+    void compileCheckTypeInfoFlags()
     {
         speculate(
-            Uncountable, noValue(), 0,
+            BadTypeInfoFlags, noValue(), 0,
             m_out.testIsZero32(
                 m_out.load8ZeroExt32(lowCell(m_node->child1()), m_heaps.JSCell_typeInfoFlags),
-                m_out.constInt32(ImplementsDefaultHasInstance)));
+                m_out.constInt32(m_node->typeInfoOperand())));
     }
     
@@ -5774 +5807 @@
         setBoolean(
             m_out.phi(m_out.boolean, notCellResult, isInstanceResult, notInstanceResult));
+    }
+
+    void compileInstanceOfCustom()
+    {
+        LValue value = lowJSValue(m_node->child1());
+        LValue constructor = lowCell(m_node->child2());
+        LValue hasInstance = lowJSValue(m_node->child3());
+
+        setBoolean(m_out.bitNot(m_out.equal(m_out.constInt32(0), vmCall(m_out.int32, m_out.operation(operationInstanceOfCustom), m_callFrame, value, constructor, hasInstance))));
     }
     

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -229 +229 @@
         DEFINE_OP(op_get_by_id)
         DEFINE_OP(op_get_by_val)
-        DEFINE_OP(op_check_has_instance)
+        DEFINE_OP(op_overrides_has_instance)
         DEFINE_OP(op_instanceof)
+        DEFINE_OP(op_instanceof_custom)
         DEFINE_OP(op_is_undefined)
         DEFINE_OP(op_is_boolean)
@@ -400 +401 @@
         DEFINE_SLOWCASE_OP(op_get_by_id)
         DEFINE_SLOWCASE_OP(op_get_by_val)
-        DEFINE_SLOWCASE_OP(op_check_has_instance)
         DEFINE_SLOWCASE_OP(op_instanceof)
+        DEFINE_SLOWCASE_OP(op_instanceof_custom)
         DEFINE_SLOWCASE_OP(op_jfalse)
         DEFINE_SLOWCASE_OP(op_jless)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -510 +510 @@
         void emit_op_get_argument_by_val(Instruction*);
         void emit_op_init_lazy_reg(Instruction*);
-        void emit_op_check_has_instance(Instruction*);
+        void emit_op_overrides_has_instance(Instruction*);
         void emit_op_instanceof(Instruction*);
+        void emit_op_instanceof_custom(Instruction*);
         void emit_op_is_undefined(Instruction*);
         void emit_op_is_boolean(Instruction*);
@@ -617 +618 @@
         void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
-        void emitSlow_op_check_has_instance(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_instanceof_custom(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jfalse(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_jless(Instruction*, Vector<SlowCaseEntry>::iterator&);
@@ -745 +746 @@
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, ByValInfo*);
+        MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg);
         MacroAssembler::Call callOperation(C_JITOperation_EJsc, GPRReg);
         MacroAssembler::Call callOperation(J_JITOperation_EJscC, int, GPRReg, JSCell*);
@@ -812 +814 @@
         MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, GPRReg, const Identifier*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg, GPRReg, GPRReg);
+        MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg, GPRReg, GPRReg);
         MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, GPRReg, GPRReg, ArrayProfile*);
         MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, GPRReg, GPRReg, ByValInfo*);

trunk/Source/JavaScriptCore/jit/JITInlines.h

@@ -504 +504 @@
 }
 
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+{
+    setupArgumentsWithExecState(arg1, arg2, arg3);
+    return appendCallWithExceptionCheck(operation);
+}
+
 ALWAYS_INLINE MacroAssembler::Call JIT::callOperationNoExceptionCheck(V_JITOperation_EJ operation, GPRReg arg1)
 {
@@ -595 +601 @@
     updateTopCallFrame();
     return appendCall(operation);
+}
+
+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
+{
+    setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+    return appendCallWithExceptionCheck(operation);
 }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -106 +106 @@
 }
 
-void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
-{
-    int baseVal = currentInstruction[3].u.operand;
-
-    emitGetVirtualRegister(baseVal, regT0);
-
-    // Check that baseVal is a cell.
-    emitJumpSlowCaseIfNotJSCell(regT0, baseVal);
-
-    // Check that baseVal 'ImplementsHasInstance'.
-    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
+void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int constructor = currentInstruction[2].u.operand;
+    int hasInstanceValue = currentInstruction[3].u.operand;
+
+    emitGetVirtualRegister(hasInstanceValue, regT0);
+
+    // We don't jump if we know what Symbol.hasInstance would do.
+    Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
+
+    emitGetVirtualRegister(constructor, regT0);
+
+    // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
+    test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
+    emitTagBool(regT0);
+    Jump done = jump();
+
+    customhasInstanceValue.link(this);
+    move(TrustedImm32(ValueTrue), regT0);
+
+    done.link(this);
+    emitPutVirtualRegister(dst);
 }
 
@@ -130 +142 @@
     emitGetVirtualRegister(proto, regT1);
 
-    // Check that proto are cells.  baseVal must be a cell - this is checked by op_check_has_instance.
+    // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
     emitJumpSlowCaseIfNotJSCell(regT2, value);
     emitJumpSlowCaseIfNotJSCell(regT1, proto);
@@ -156 +168 @@
     isInstance.link(this);
     emitPutVirtualRegister(dst);
+}
+
+void JIT::emit_op_instanceof_custom(Instruction*)
+{
+    // This always goes to slow path since we expect it to be rare.
+    addSlowCase(jump());
 }
 
@@ -830 +848 @@
 }
 
-void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    int dst = currentInstruction[1].u.operand;
-    int value = currentInstruction[2].u.operand;
-    int baseVal = currentInstruction[3].u.operand;
-
-    linkSlowCaseIfNotJSCell(iter, baseVal);
-    linkSlowCase(iter);
-    emitGetVirtualRegister(value, regT0);
-    emitGetVirtualRegister(baseVal, regT1);
-    callOperation(operationCheckHasInstance, dst, regT0, regT1);
-
-    emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
-}
-
 void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
 {
@@ -857 +860 @@
     emitGetVirtualRegister(proto, regT1);
     callOperation(operationInstanceOf, dst, regT0, regT1);
+}
+
+void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    int dst = currentInstruction[1].u.operand;
+    int value = currentInstruction[2].u.operand;
+    int constructor = currentInstruction[3].u.operand;
+    int hasInstanceValue = currentInstruction[4].u.operand;
+
+    linkSlowCase(iter);
+    emitGetVirtualRegister(value, regT0);
+    emitGetVirtualRegister(constructor, regT1);
+    emitGetVirtualRegister(hasInstanceValue, regT2);
+    callOperation(operationInstanceOfCustom, regT0, regT1, regT2);
+    emitTagBool(returnValueGPR);
+    emitPutVirtualRegister(dst, returnValueGPR);
 }
 

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -184 +184 @@
 }
 
-void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
-{
-    int baseVal = currentInstruction[3].u.operand;
-
-    emitLoadPayload(baseVal, regT0);
-
-    // Check that baseVal is a cell.
-    emitJumpSlowCaseIfNotJSCell(baseVal);
-    
-    // Check that baseVal 'ImplementsHasInstance'.
-    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
+void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int constructor = currentInstruction[2].u.operand;
+    int hasInstanceValue = currentInstruction[3].u.operand;
+
+    emitLoadPayload(hasInstanceValue, regT0);
+    // We don't jump if we know what Symbol.hasInstance would do.
+    Jump hasInstanceValueNotCell = emitJumpIfNotJSCell(hasInstanceValue);
+    Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
+
+    // We know that constructor is an object from the way bytecode is emitted for instanceof expressions.
+    emitLoadPayload(constructor, regT0);
+
+    // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
+    test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
+    Jump done = jump();
+
+    hasInstanceValueNotCell.link(this);
+    customhasInstanceValue.link(this);
+    move(TrustedImm32(1), regT0);
+
+    done.link(this);
+    emitStoreBool(dst, regT0);
+
 }
 
@@ -208 +222 @@
     emitLoadPayload(proto, regT1);
 
-    // Check that proto are cells.  baseVal must be a cell - this is checked by op_check_has_instance.
+    // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
     emitJumpSlowCaseIfNotJSCell(value);
     emitJumpSlowCaseIfNotJSCell(proto);
@@ -236 +250 @@
 }
 
-void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
-{
-    int dst = currentInstruction[1].u.operand;
-    int value = currentInstruction[2].u.operand;
-    int baseVal = currentInstruction[3].u.operand;
-
-    linkSlowCaseIfNotJSCell(iter, baseVal);
-    linkSlowCase(iter);
-
-    emitLoad(value, regT1, regT0);
-    emitLoad(baseVal, regT3, regT2);
-    callOperation(operationCheckHasInstance, dst, regT1, regT0, regT3, regT2);
-
-    emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
+void JIT::emit_op_instanceof_custom(Instruction*)
+{
+    // This always goes to slow path since we expect it to be rare.
+    addSlowCase(jump());
 }
 
@@ -265 +269 @@
     emitLoad(proto, regT3, regT2);
     callOperation(operationInstanceOf, dst, regT1, regT0, regT3, regT2);
+}
+
+void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    int dst = currentInstruction[1].u.operand;
+    int value = currentInstruction[2].u.operand;
+    int constructor = currentInstruction[3].u.operand;
+    int hasInstanceValue = currentInstruction[4].u.operand;
+
+    linkSlowCase(iter);
+
+    emitLoad(value, regT1, regT0);
+    emitLoadPayload(constructor, regT2);
+    emitLoad(hasInstanceValue, regT4, regT3);
+    callOperation(operationInstanceOfCustom, regT1, regT0, regT2, regT4, regT3);
+    emitStoreBool(dst, returnValueGPR);
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1488 +1488 @@
 }
 
-EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedBaseVal)
+int32_t JIT_OPERATION operationInstanceOfCustom(ExecState* exec, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance)
 {
     VM& vm = exec->vm();
@@ -1494 +1494 @@
 
     JSValue value = JSValue::decode(encodedValue);
-    JSValue baseVal = JSValue::decode(encodedBaseVal);
-
-    if (baseVal.isObject()) {
-        JSObject* baseObject = asObject(baseVal);
-        ASSERT(!baseObject->structure(vm)->typeInfo().implementsDefaultHasInstance());
-        if (baseObject->structure(vm)->typeInfo().implementsHasInstance()) {
-            bool result = baseObject->methodTable(vm)->customHasInstance(baseObject, exec, value);
-            return JSValue::encode(jsBoolean(result));
-        }
-    }
-
-    vm.throwException(exec, createInvalidInstanceofParameterError(exec, baseVal));
-    return JSValue::encode(JSValue());
+    JSValue hasInstanceValue = JSValue::decode(encodedHasInstance);
+
+    ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor->structure()->typeInfo().implementsDefaultHasInstance());
+
+    if (constructor->hasInstance(exec, value, hasInstanceValue))
+        return 1;
+    return 0;
 }
 

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -176 +176 @@
 typedef int32_t JIT_OPERATION (*Z_JITOperation_ESJss)(ExecState*, size_t, JSString*);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EJ)(ExecState*, EncodedJSValue);
+typedef int32_t JIT_OPERATION (*Z_JITOperation_EJOJ)(ExecState*, EncodedJSValue, JSObject*, EncodedJSValue);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZZ)(ExecState*, EncodedJSValue, int32_t, int32_t);
@@ -329 +330 @@
 void JIT_OPERATION operationProfileDidCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
 void JIT_OPERATION operationProfileWillCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState*, EncodedJSValue, EncodedJSValue baseVal) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
@@ -358 +358 @@
 
 int32_t JIT_OPERATION operationCheckIfExceptionIsUncatchableAndNotifyProfiler(ExecState*);
+int32_t JIT_OPERATION operationInstanceOfCustom(ExecState*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance) WTF_INTERNAL;
 
 EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);

trunk/Source/JavaScriptCore/llint/LLIntData.cpp

@@ -35 +35 @@
 #include "Opcode.h"
 #include "PropertyOffset.h"
+#include "WriteBarrier.h"
 
 namespace JSC { namespace LLInt {
@@ -155 +156 @@
     ASSERT(ModuleCode == 3);
 
+    ASSERT(!(reinterpret_cast<ptrdiff_t>((reinterpret_cast<WriteBarrier<JSCell>*>(0x4000)->slot())) - 0x4000));
     static_assert(PutByIdPrimaryTypeMask == 0x6, "LLInt assumes PutByIdPrimaryTypeMask is == 0x6");
     static_assert(PutByIdPrimaryTypeSecondary == 0x0, "LLInt assumes PutByIdPrimaryTypeSecondary is == 0x0");

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -523 +523 @@
 }
 
-LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
-{
-    LLINT_BEGIN();
-    
-    JSValue value = LLINT_OP_C(2).jsValue();
-    JSValue baseVal = LLINT_OP_C(3).jsValue();
-    if (baseVal.isObject()) {
-        JSObject* baseObject = asObject(baseVal);
-        ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
-        if (baseObject->structure()->typeInfo().implementsHasInstance()) {
-            JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
-            LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
-        }
-    }
-    LLINT_THROW(createInvalidInstanceofParameterError(exec, baseVal));
-}
-
 LLINT_SLOW_PATH_DECL(slow_path_instanceof)
 {
@@ -547 +530 @@
     ASSERT(!value.isObject() || !proto.isObject());
     LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
+}
+
+LLINT_SLOW_PATH_DECL(slow_path_instanceof_custom)
+{
+    LLINT_BEGIN();
+
+    JSValue value = LLINT_OP_C(2).jsValue();
+    JSValue constructor = LLINT_OP_C(3).jsValue();
+    JSValue hasInstanceValue = LLINT_OP_C(4).jsValue();
+
+    ASSERT(constructor.isObject());
+    ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor.getObject()->structure()->typeInfo().implementsDefaultHasInstance());
+
+    JSValue result = jsBoolean(constructor.getObject()->hasInstance(exec, value, hasInstanceValue));
+    LLINT_RETURN(result);
 }
 

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h

@@ -68 +68 @@
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array_buffer);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_regexp);
-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_check_has_instance);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof);
+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof_custom);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_id);
 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_arguments_length);

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -1176 +1176 @@
 
 
-_llint_op_check_has_instance:
-    traceExecution()
-    loadi 12[PC], t1
-    loadConstantOrVariablePayload(t1, CellTag, t0, .opCheckHasInstanceSlow)
-    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
-    dispatch(5)
-
-.opCheckHasInstanceSlow:
-    callSlowPath(_llint_slow_path_check_has_instance)
-    dispatch(0)
-
+_llint_op_overrides_has_instance:
+    traceExecution()
+
+    loadisFromInstruction(1, t3)
+    storei BooleanTag, TagOffset[cfr, t3, 8]
+
+    # First check if hasInstanceValue is the one on Function.prototype[Symbol.hasInstance]
+    loadisFromInstruction(3, t0)
+    loadConstantOrVariablePayload(t0, CellTag, t2, .opOverrideshasInstanceValueNotCell)
+    loadConstantOrVariable(t0, t1, t2)
+    bineq t1, CellTag, .opOverrideshasInstanceValueNotCell
+
+    # We don't need hasInstanceValue's tag register anymore.
+    loadp CodeBlock[cfr], t1
+    loadp CodeBlock::m_globalObject[t1], t1
+    loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t1], t1
+    bineq t1, t2, .opOverrideshasInstanceValueNotDefault
+
+    # We know the constructor is a cell.
+    loadisFromInstruction(2, t0)
+    loadConstantOrVariablePayloadUnchecked(t0, t1)
+    tbz JSCell::m_flags[t1], ImplementsDefaultHasInstance, t0
+    storei t0, PayloadOffset[cfr, t3, 8]
+    dispatch(4)
+
+.opOverrideshasInstanceValueNotCell:
+.opOverrideshasInstanceValueNotDefault:
+    storei 1, PayloadOffset[cfr, t3, 8]
+    dispatch(4)
 
 _llint_op_instanceof:
@@ -1215 +1233 @@
     callSlowPath(_llint_slow_path_instanceof)
     dispatch(4)
+
+_llint_op_instanceof_custom:
+    traceExecution()
+    callSlowPath(_llint_slow_path_instanceof_custom)
+    dispatch(5)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -1070 +1070 @@
 
 
-_llint_op_check_has_instance:
-    traceExecution()
+_llint_op_overrides_has_instance:
+    traceExecution()
+    loadisFromInstruction(1, t3)
+
     loadisFromInstruction(3, t1)
-    loadConstantOrVariableCell(t1, t0, .opCheckHasInstanceSlow)
-    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
-    dispatch(5)
-
-.opCheckHasInstanceSlow:
-    callSlowPath(_llint_slow_path_check_has_instance)
-    dispatch(0)
+    loadConstantOrVariable(t1, t0)
+    loadp CodeBlock[cfr], t2
+    loadp CodeBlock::m_globalObject[t2], t2
+    loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t2], t2
+    bqneq t0, t2, .opOverridesHasInstanceNotDefaultSymbol
+
+    loadisFromInstruction(2, t1)
+    loadConstantOrVariable(t1, t0)
+    tbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, t1
+    orq ValueFalse, t1
+    storeq t1, [cfr, t3, 8]
+    dispatch(4)
+
+.opOverridesHasInstanceNotDefaultSymbol:
+    storeq ValueTrue, t1
+    storeq t1, [cfr, t3, 8]
+    dispatch(4)
 
 
@@ -1110 +1122 @@
     dispatch(4)
 
+_llint_op_instanceof_custom:
+    traceExecution()
+    callSlowPath(_llint_slow_path_instanceof_custom)
+    dispatch(5)
 
 _llint_op_is_undefined:

trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h

@@ -251 +251 @@
 
 #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET(macro)\
-    macro(hasInstance) \
     macro(isConcatSpreadable) \
     macro(match) \
@@ -261 +260 @@
 
 #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL(macro) \
+    macro(hasInstance) \
     macro(iterator) \
     macro(unscopables) \
@@ -346 +346 @@
     macro(newTargetLocal) \
     macro(derivedConstructor) \
+    macro(isBoundFunction) \
+    macro(hasInstanceBoundFunction) \
+    macro(instanceOf) \
 
 

trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp

@@ -210 +210 @@
 }
 
-static String invalidParameterInstanceofSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
+inline String invalidParameterInstanceofSourceAppender(const String& content, const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
 {
     if (occurrence == ErrorInstance::FoundApproximateSource)
@@ -223 +223 @@
     static const unsigned instanceofLength = 10;
     String rightHandSide = sourceText.substring(instanceofIndex + instanceofLength).simplifyWhiteSpace();
-    return makeString(rightHandSide, " is not a function. (evaluating '", sourceText, "')");
+    return makeString(rightHandSide, content, ". (evaluating '", sourceText, "')");
+}
+
+static String invalidParameterInstanceofNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
+{
+    return invalidParameterInstanceofSourceAppender(WTF::makeString(" is not a function"), originalMessage, sourceText, runtimeType, occurrence);
+}
+
+static String invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
+{
+    return invalidParameterInstanceofSourceAppender(WTF::makeString("[Symbol.hasInstance] is not a function, undefined, or null"), originalMessage, sourceText, runtimeType, occurrence);
 }
 
@@ -246 +256 @@
 }
 
-JSObject* createInvalidInstanceofParameterError(ExecState* exec, JSValue value)
-{
-    return createError(exec, value, makeString("is not a function."), invalidParameterInstanceofSourceAppender);
+JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState* exec, JSValue value)
+{
+    return createError(exec, value, makeString(" is not a function"), invalidParameterInstanceofNotFunctionSourceAppender);
+}
+
+JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState* exec, JSValue value)
+{
+    return createError(exec, value, makeString("[Symbol.hasInstance] is not a function, undefined, or null"), invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender);
 }
 

trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h

@@ -46 +46 @@
 JSObject* createInvalidFunctionApplyParameterError(ExecState*, JSValue);
 JSObject* createInvalidInParameterError(ExecState*, JSValue);
-JSObject* createInvalidInstanceofParameterError(ExecState*, JSValue);
+JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState*, JSValue);
+JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState*, JSValue);
 JSObject* createNotAConstructorError(ExecState*, JSValue);
 JSObject* createNotAFunctionError(ExecState*, JSValue);

trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp

@@ -54 +54 @@
 }
 
-void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction)
+void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction)
 {
     VM& vm = exec->vm();
@@ -63 +63 @@
     *applyFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().applyPublicName(), functionPrototypeApplyCodeGenerator(vm), DontEnum);
     *callFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().callPublicName(), functionPrototypeCallCodeGenerator(vm), DontEnum);
+    *hasInstanceSymbolFunction = putDirectBuiltinFunction(vm, globalObject, vm.propertyNames->hasInstanceSymbol, functionPrototypeSymbolHasInstanceCodeGenerator(vm), DontDelete | ReadOnly | DontEnum);
 
     JSFunction* bindFunction = JSFunction::create(vm, globalObject, 1, vm.propertyNames->bind.string(), functionProtoFuncBind);

trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h

@@ -37 +37 @@
     }
 
-    void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction);
+    void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction);
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

@@ -75 +75 @@
 }
 
+EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState* exec)
+{
+    return JSValue::encode(JSValue(static_cast<bool>(jsDynamicCast<JSBoundFunction*>(exec->uncheckedArgument(0)))));
+}
+
+EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState* exec)
+{
+    JSBoundFunction* boundObject = jsCast<JSBoundFunction*>(exec->uncheckedArgument(0));
+    JSValue value = exec->uncheckedArgument(1);
+
+    return JSValue::encode(jsBoolean(boundObject->targetFunction()->hasInstance(exec, value)));
+}
+
+
 JSBoundFunction* JSBoundFunction::create(VM& vm, JSGlobalObject* globalObject, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int length, const String& name)
 {

trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

@@ -33 +33 @@
 EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState*);
 EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState*);
+EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState*);
+EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState*);
 
 class JSBoundFunction : public JSFunction {
 public:
     typedef JSFunction Base;
-    const static unsigned StructureFlags = OverridesHasInstance | Base::StructureFlags;
+    const static unsigned StructureFlags = OverridesHasInstanceFlag | Base::StructureFlags;
 
     static JSBoundFunction* create(VM&, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -287 +287 @@
     JSFunction* callFunction = 0;
     JSFunction* applyFunction = 0;
-    m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction);
+    JSFunction* hasInstanceSymbolFunction = 0;
+    m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction, &hasInstanceSymbolFunction);
     m_callFunction.set(vm, this, callFunction);
     m_applyFunction.set(vm, this, applyFunction);
@@ -293 +294 @@
     m_initializePromiseFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsInitializePromiseCodeGenerator(vm), this));
     m_newPromiseCapabilityFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsNewPromiseCapabilityCodeGenerator(vm), this));
+    m_functionProtoHasInstanceSymbolFunction.set(vm, this, hasInstanceSymbolFunction);
     m_nullGetterFunction.set(vm, this, NullGetterFunction::create(vm, NullGetterFunction::createStructure(vm, this, m_functionPrototype.get())));
     m_nullSetterFunction.set(vm, this, NullSetterFunction::create(vm, NullSetterFunction::createStructure(vm, this, m_functionPrototype.get())));
@@ -522 +524 @@
     JSFunction* privateFuncTypedArrayLength = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncLength);
     JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort);
+    JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction);
+    JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction);
+    JSFunction* privateFuncInstanceOf = JSFunction::create(vm, this, 0, String(), objectPrivateFuncInstanceOf);
 
     GlobalPropertyInfo staticGlobals[] = {
@@ -536 +541 @@
         GlobalPropertyInfo(vm.propertyNames->typedArrayLengthPrivateName, privateFuncTypedArrayLength, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->typedArraySortPrivateName, privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->isBoundFunctionPrivateName, privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->hasInstanceBoundFunctionPrivateName, privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->instanceOfPrivateName, privateFuncInstanceOf, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->BuiltinLogPrivateName, builtinLog, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->ArrayPrivateName, arrayConstructor, DontEnum | DontDelete | ReadOnly),
@@ -833 +841 @@
     visitor.append(&thisObject->m_initializePromiseFunction);
     visitor.append(&thisObject->m_newPromiseCapabilityFunction);
+    visitor.append(&thisObject->m_functionProtoHasInstanceSymbolFunction);
     visitor.append(&thisObject->m_throwTypeErrorGetterSetter);
     visitor.append(&thisObject->m_moduleLoader);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -223 +223 @@
     WriteBarrier<JSFunction> m_initializePromiseFunction;
     WriteBarrier<JSFunction> m_newPromiseCapabilityFunction;
+    WriteBarrier<JSFunction> m_functionProtoHasInstanceSymbolFunction;
     WriteBarrier<GetterSetter> m_throwTypeErrorGetterSetter;
 
@@ -439 +440 @@
     JSFunction* initializePromiseFunction() const { return m_initializePromiseFunction.get(); }
     JSFunction* newPromiseCapabilityFunction() const { return m_newPromiseCapabilityFunction.get(); }
+    JSFunction* functionProtoHasInstanceSymbolFunction() const { return m_functionProtoHasInstanceSymbolFunction.get(); }
     GetterSetter* throwTypeErrorGetterSetter(VM& vm)
     {

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1458 +1458 @@
 }
 
-bool JSObject::hasInstance(ExecState* exec, JSValue value)
+bool JSObject::hasInstance(ExecState* exec, JSValue value, JSValue hasInstanceValue)
 {
     VM& vm = exec->vm();
+
+    if (!hasInstanceValue.isUndefinedOrNull() && hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction()) {
+        CallData callData;
+        CallType callType = JSC::getCallData(hasInstanceValue, callData);
+        if (callType == CallTypeNone) {
+            vm.throwException(exec, createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(exec, this));
+            return false;
+        }
+
+        MarkedArgumentBuffer args;
+        args.append(value);
+        JSValue result = call(exec, hasInstanceValue, callType, callData, this, args);
+        return result.toBoolean(exec);
+    }
+
     TypeInfo info = structure(vm)->typeInfo();
     if (info.implementsDefaultHasInstance())
@@ -1466 +1481 @@
     if (info.implementsHasInstance())
         return methodTable(vm)->customHasInstance(this, exec, value);
-    vm.throwException(exec, createInvalidInstanceofParameterError(exec, this));
+    vm.throwException(exec, createInvalidInstanceofParameterErrorNotFunction(exec, this));
     return false;
+}
+
+bool JSObject::hasInstance(ExecState* exec, JSValue value)
+{
+    JSValue hasInstanceValue = get(exec, exec->propertyNames().hasInstanceSymbol);
+
+    return hasInstance(exec, value, hasInstanceValue);
 }
 
@@ -1486 +1508 @@
     }
     return false;
+}
+
+EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState* exec)
+{
+    JSValue value = exec->uncheckedArgument(0);
+    JSValue proto = exec->uncheckedArgument(1);
+
+    return JSValue::encode(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
 }
 

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -486 +486 @@
     JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
 
+    JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
     bool hasInstance(ExecState*, JSValue);
     static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
@@ -974 +975 @@
     }
 };
+
+JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
 
 inline JSFinalObject* JSFinalObject::create(

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -39 +39 @@
 static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable.
 static const unsigned ImplementsHasInstance = 1 << 1;
-static const unsigned OverridesHasInstance = 1 << 2;
+static const unsigned OverridesHasInstanceFlag = 1 << 2; // FIXME: This is only trivially used by the runtime and should be removed: https://bugs.webkit.org/show_bug.cgi?id=152005
 static const unsigned ImplementsDefaultHasInstance = 1 << 3;
 static const unsigned TypeOfShouldCallGetCallData = 1 << 4; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData().
@@ -69 +69 @@
     {
         // No object that doesn't ImplementsHasInstance should override it!
-        ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstance)) != OverridesHasInstance);
+        ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) != OverridesHasInstanceFlag);
         // ImplementsDefaultHasInstance means (ImplementsHasInstance & !OverridesHasInstance)
-        if ((m_flags & (ImplementsHasInstance | OverridesHasInstance)) == ImplementsHasInstance)
+        if ((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) == ImplementsHasInstance)
             m_flags |= ImplementsDefaultHasInstance;
     }
@@ -84 +84 @@
     bool masqueradesAsUndefined() const { return isSetOnFlags1(MasqueradesAsUndefined); }
     bool implementsHasInstance() const { return isSetOnFlags1(ImplementsHasInstance); }
-    bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstance); }
+    bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstanceFlag); }
     bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); }
     bool typeOfShouldCallGetCallData() const { return isSetOnFlags1(TypeOfShouldCallGetCallData); }

trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

@@ -153 +153 @@
     bool isCustomGetterSetter() const { return get().isCustomGetterSetter(); }
     
-    JSValue* slot()
+    JSValue* slot() const
     { 
-        union {
-            EncodedJSValue* v;
-            JSValue* slot;
-        } u;
-        u.v = &m_value;
-        return u.slot;
+        return bitwise_cast<JSValue*>(&m_value);
     }
     

trunk/Source/JavaScriptCore/tests/es6.yaml

@@ -1184 +1184 @@
   cmd: runES6 :fail
 - path: es6/well-known_symbols_Symbol.hasInstance.js
-  cmd: runES6 :fail
+  cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.isConcatSpreadable.js
   cmd: runES6 :fail