Changeset 194036 in webkit


Ignore:
Timestamp:
Dec 14, 2015 9:37:59 AM (8 years ago)
Author:
Chris Dumez
Message:

Roll out r193974 and follow-up fixes as it caused JSC crashes
https://bugs.webkit.org/show_bug.cgi?id=152256

Source/JavaScriptCore:

Unreviewed, Roll out r193974 and follow-up fixes as it caused JSC crashes.

  • API/JSCallbackObject.h:
  • builtins/FunctionPrototype.js:
  • bytecode/BytecodeBasicBlock.cpp:

(JSC::isBranch):

  • bytecode/BytecodeList.json:
  • bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

  • bytecode/ExitKind.cpp:

(JSC::exitKindToString): Deleted.

  • bytecode/ExitKind.h:
  • bytecode/PreciseJumpTargets.cpp:

(JSC::getJumpTargetsForBytecodeOffset):

  • bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitCheckHasInstance):
(JSC::BytecodeGenerator::emitGetById): Deleted.

  • bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitTypeOf): Deleted.

  • bytecompiler/NodesCodegen.cpp:

(JSC::InstanceOfNode::emitBytecode):
(JSC::LogicalOpNode::emitBytecode): Deleted.
(JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

  • dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

  • dfg/DFGHeapLocation.h:
  • dfg/DFGNode.h:

(JSC::DFG::Node::hasCellOperand): Deleted.
(JSC::DFG::Node::hasTransition): Deleted.

  • dfg/DFGNodeType.h:
  • dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.

  • dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation): Deleted.

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

  • ftl/FTLIntrinsicRepository.h:
  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.

  • jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArguments): Deleted.
(JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.

  • jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

  • jit/JIT.h:
  • jit/JITInlines.h:

(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperation): Deleted.

  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_is_undefined): Deleted.
(JSC::JIT::emitSlow_op_to_number): Deleted.
(JSC::JIT::emitSlow_op_to_string): Deleted.

  • jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_is_undefined): Deleted.

  • jit/JITOperations.cpp:
  • jit/JITOperations.h:
  • llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions): Deleted.

  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

  • llint/LLIntSlowPaths.h:
  • llint/LowLevelInterpreter32_64.asm:
  • llint/LowLevelInterpreter64.asm:
  • runtime/CommonIdentifiers.h:
  • runtime/ExceptionHelpers.cpp:

(JSC::invalidParameterInstanceofSourceAppender):
(JSC::createInvalidInstanceofParameterError):
(JSC::createError): Deleted.
(JSC::createNotAFunctionError): Deleted.
(JSC::createNotAnObjectError): Deleted.

  • runtime/ExceptionHelpers.h:
  • runtime/FunctionPrototype.cpp:

(JSC::FunctionPrototype::addFunctionProperties):

  • runtime/FunctionPrototype.h:
  • runtime/JSBoundFunction.cpp:

(JSC::JSBoundFunction::create): Deleted.
(JSC::JSBoundFunction::customHasInstance): Deleted.

  • runtime/JSBoundFunction.h:
  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren): Deleted.

  • runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.

  • runtime/JSObject.cpp:

(JSC::JSObject::hasInstance):
(JSC::JSObject::defaultHasInstance): Deleted.
(JSC::JSObject::getPropertyNames): Deleted.
(JSC::JSObject::getOwnPropertyNames): Deleted.

  • runtime/JSObject.h:

(JSC::JSFinalObject::create): Deleted.

  • runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesHasInstance):

  • runtime/WriteBarrier.h:

(JSC::WriteBarrierBase<Unknown>::slot):

  • tests/es6.yaml:
  • tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
  • tests/stress/symbol-hasInstance.js: Removed.

LayoutTests:

Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.

  • inspector/model/remote-object-get-properties-expected.txt:
  • js/Object-getOwnPropertyNames-expected.txt:
  • js/exception-for-nonobject-expected.txt:
  • js/exception-instanceof-expected.txt:
  • js/instance-of-immediates-expected.txt:
  • js/regress/instanceof-bound-expected.txt: Removed.
  • js/regress/instanceof-bound.html: Removed.
  • js/regress/script-tests/instanceof-bound.js: Removed.
  • js/script-tests/Object-getOwnPropertyNames.js:
Location:
trunk
Files:
5 deleted
66 edited

Legend:

Unmodified
Added
Removed
  • trunk/LayoutTests/ChangeLog

    r194033 r194036  
     12015-12-14  Chris Dumez  <cdumez@apple.com>
     2
     3        Roll out r193974 and follow-up fixes as it caused JSC crashes
     4        https://bugs.webkit.org/show_bug.cgi?id=152256
     5
     6        Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.
     7
     8        * inspector/model/remote-object-get-properties-expected.txt:
     9        * js/Object-getOwnPropertyNames-expected.txt:
     10        * js/exception-for-nonobject-expected.txt:
     11        * js/exception-instanceof-expected.txt:
     12        * js/instance-of-immediates-expected.txt:
     13        * js/regress/instanceof-bound-expected.txt: Removed.
     14        * js/regress/instanceof-bound.html: Removed.
     15        * js/regress/script-tests/instanceof-bound.js: Removed.
     16        * js/script-tests/Object-getOwnPropertyNames.js:
     17
    1182015-12-14  Youenn Fablet  <youenn.fablet@crf.canon.fr>
    219
  • trunk/LayoutTests/inspector/model/remote-object-get-properties-expected.txt

    r193986 r194036  
    203203    bind
    204204    constructor
    205     Symbol(Symbol.hasInstance)
    206205    toLocaleString
    207206    valueOf
     
    253252    bind
    254253    constructor
    255     Symbol(Symbol.hasInstance)
    256254    toLocaleString
    257255    valueOf
  • trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt

    r193974 r194036  
    6262PASS getSortedOwnPropertyNames(Math) is ['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']
    6363PASS getSortedOwnPropertyNames(JSON) is ['parse', 'stringify']
    64 PASS getSortedOwnPropertyNames(Symbol) is ['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
     64PASS getSortedOwnPropertyNames(Symbol) is ['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
    6565PASS getSortedOwnPropertyNames(Symbol.prototype) is ['constructor', 'toString', 'valueOf']
    6666PASS globalPropertyNames.indexOf('NaN') != -1 is true
  • trunk/LayoutTests/js/exception-for-nonobject-expected.txt

    r193974 r194036  
    55
    66PASS new {}.undefined threw exception TypeError: undefined is not a constructor (evaluating 'new {}.undefined').
    7 PASS 1 instanceof {}.undefined threw exception TypeError: Right hand side of instanceof is not an object.
     7PASS 1 instanceof {}.undefined threw exception TypeError: {}.undefined is not a function. (evaluating '1 instanceof {}.undefined').
    88PASS successfullyParsed is true
    99
  • trunk/LayoutTests/js/exception-instanceof-expected.txt

    r193974 r194036  
    44
    55
    6 PASS 'instanceof' instanceof    'instanceof' threw exception TypeError: Right hand side of instanceof is not an object.
    7 PASS 20 instanceof     'hello'   threw exception TypeError: Right hand side of instanceof is not an object.
     6PASS 'instanceof' instanceof    'instanceof' threw exception TypeError: "instanceof" is not a function. (evaluating ''instanceof' instanceof    'instanceof'').
     7PASS 20 instanceof     'hello'   threw exception TypeError: 'hello' is not a function. (evaluating '20 instanceof     'hello'').
    88PASS 20 instanceof     {}   threw exception TypeError: {} is not a function. (evaluating '20 instanceof     {}').
    9 PASS 20 instanceof     {}.foo  threw exception TypeError: Right hand side of instanceof is not an object.
    10 PASS 20 instanceof     true       threw exception TypeError: Right hand side of instanceof is not an object.
     9PASS 20 instanceof     {}.foo  threw exception TypeError: {}.foo is not a function. (evaluating '20 instanceof     {}.foo').
     10PASS 20 instanceof     true       threw exception TypeError: true is not a function. (evaluating '20 instanceof     true').
    1111PASS successfullyParsed is true
    1212
  • trunk/LayoutTests/js/instance-of-immediates-expected.txt

    r193974 r194036  
    44
    55
    6 PASS (1 instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
    7 PASS ({} instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
    8 PASS (obj instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
     6PASS (1 instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '1 instanceof 1').
     7PASS ({} instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '{} instanceof 1').
     8PASS (obj instanceof 1) threw exception TypeError: 1 is not a function. (evaluating 'obj instanceof 1').
    99PASS (1 instanceof {}) threw exception TypeError: {} is not a function. (evaluating '1 instanceof {}').
    1010PASS ({} instanceof {}) threw exception TypeError: {} is not a function. (evaluating '{} instanceof {}').
  • trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js

    r193974 r194036  
    7171    "Math": "['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']",
    7272    "JSON": "['parse', 'stringify']",
    73     "Symbol": "['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
     73    "Symbol": "['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
    7474    "Symbol.prototype": "['constructor', 'toString', 'valueOf']"
    7575};
  • trunk/Source/JavaScriptCore/API/JSCallbackObject.h

    r193974 r194036  
    128128public:
    129129    typedef Parent Base;
    130     static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstanceFlag | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
     130    static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
    131131
    132132    ~JSCallbackObject();
  • trunk/Source/JavaScriptCore/ChangeLog

    r194024 r194036  
     12015-12-14  Chris Dumez  <cdumez@apple.com>
     2
     3        Roll out r193974 and follow-up fixes as it caused JSC crashes
     4        https://bugs.webkit.org/show_bug.cgi?id=152256
     5
     6        Unreviewed, Roll out r193974 and follow-up fixes as it caused JSC crashes.
     7
     8        * API/JSCallbackObject.h:
     9        * builtins/FunctionPrototype.js:
     10        * bytecode/BytecodeBasicBlock.cpp:
     11        (JSC::isBranch):
     12        * bytecode/BytecodeList.json:
     13        * bytecode/BytecodeUseDef.h:
     14        (JSC::computeUsesForBytecodeOffset):
     15        (JSC::computeDefsForBytecodeOffset):
     16        * bytecode/CodeBlock.cpp:
     17        (JSC::CodeBlock::dumpBytecode):
     18        * bytecode/ExitKind.cpp:
     19        (JSC::exitKindToString): Deleted.
     20        * bytecode/ExitKind.h:
     21        * bytecode/PreciseJumpTargets.cpp:
     22        (JSC::getJumpTargetsForBytecodeOffset):
     23        * bytecompiler/BytecodeGenerator.cpp:
     24        (JSC::BytecodeGenerator::emitCheckHasInstance):
     25        (JSC::BytecodeGenerator::emitGetById): Deleted.
     26        * bytecompiler/BytecodeGenerator.h:
     27        (JSC::BytecodeGenerator::emitTypeOf): Deleted.
     28        * bytecompiler/NodesCodegen.cpp:
     29        (JSC::InstanceOfNode::emitBytecode):
     30        (JSC::LogicalOpNode::emitBytecode): Deleted.
     31        (JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.
     32        * dfg/DFGAbstractInterpreterInlines.h:
     33        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     34        * dfg/DFGByteCodeParser.cpp:
     35        (JSC::DFG::ByteCodeParser::parseBlock):
     36        * dfg/DFGCapabilities.cpp:
     37        (JSC::DFG::capabilityLevel):
     38        * dfg/DFGClobberize.h:
     39        (JSC::DFG::clobberize):
     40        * dfg/DFGDoesGC.cpp:
     41        (JSC::DFG::doesGC):
     42        * dfg/DFGFixupPhase.cpp:
     43        (JSC::DFG::FixupPhase::fixupNode):
     44        * dfg/DFGHeapLocation.cpp:
     45        (WTF::printInternal):
     46        * dfg/DFGHeapLocation.h:
     47        * dfg/DFGNode.h:
     48        (JSC::DFG::Node::hasCellOperand): Deleted.
     49        (JSC::DFG::Node::hasTransition): Deleted.
     50        * dfg/DFGNodeType.h:
     51        * dfg/DFGPredictionPropagationPhase.cpp:
     52        (JSC::DFG::PredictionPropagationPhase::propagate):
     53        * dfg/DFGSafeToExecute.h:
     54        (JSC::DFG::safeToExecute):
     55        * dfg/DFGSpeculativeJIT.cpp:
     56        (JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
     57        (JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.
     58        * dfg/DFGSpeculativeJIT.h:
     59        (JSC::DFG::SpeculativeJIT::callOperation): Deleted.
     60        * dfg/DFGSpeculativeJIT32_64.cpp:
     61        (JSC::DFG::SpeculativeJIT::compile):
     62        * dfg/DFGSpeculativeJIT64.cpp:
     63        (JSC::DFG::SpeculativeJIT::compile):
     64        * ftl/FTLCapabilities.cpp:
     65        (JSC::FTL::canCompile):
     66        * ftl/FTLIntrinsicRepository.h:
     67        * ftl/FTLLowerDFGToLLVM.cpp:
     68        (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
     69        (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
     70        (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
     71        (JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.
     72        * jit/CCallHelpers.h:
     73        (JSC::CCallHelpers::setupArguments): Deleted.
     74        (JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.
     75        * jit/JIT.cpp:
     76        (JSC::JIT::privateCompileMainPass):
     77        (JSC::JIT::privateCompileSlowCases):
     78        * jit/JIT.h:
     79        * jit/JITInlines.h:
     80        (JSC::JIT::callOperationNoExceptionCheck): Deleted.
     81        (JSC::JIT::callOperation): Deleted.
     82        * jit/JITOpcodes.cpp:
     83        (JSC::JIT::emit_op_check_has_instance):
     84        (JSC::JIT::emit_op_instanceof):
     85        (JSC::JIT::emitSlow_op_check_has_instance):
     86        (JSC::JIT::emitSlow_op_instanceof):
     87        (JSC::JIT::emit_op_is_undefined): Deleted.
     88        (JSC::JIT::emitSlow_op_to_number): Deleted.
     89        (JSC::JIT::emitSlow_op_to_string): Deleted.
     90        * jit/JITOpcodes32_64.cpp:
     91        (JSC::JIT::emit_op_check_has_instance):
     92        (JSC::JIT::emit_op_instanceof):
     93        (JSC::JIT::emitSlow_op_check_has_instance):
     94        (JSC::JIT::emitSlow_op_instanceof):
     95        (JSC::JIT::emit_op_is_undefined): Deleted.
     96        * jit/JITOperations.cpp:
     97        * jit/JITOperations.h:
     98        * llint/LLIntData.cpp:
     99        (JSC::LLInt::Data::performAssertions): Deleted.
     100        * llint/LLIntSlowPaths.cpp:
     101        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
     102        * llint/LLIntSlowPaths.h:
     103        * llint/LowLevelInterpreter32_64.asm:
     104        * llint/LowLevelInterpreter64.asm:
     105        * runtime/CommonIdentifiers.h:
     106        * runtime/ExceptionHelpers.cpp:
     107        (JSC::invalidParameterInstanceofSourceAppender):
     108        (JSC::createInvalidInstanceofParameterError):
     109        (JSC::createError): Deleted.
     110        (JSC::createNotAFunctionError): Deleted.
     111        (JSC::createNotAnObjectError): Deleted.
     112        * runtime/ExceptionHelpers.h:
     113        * runtime/FunctionPrototype.cpp:
     114        (JSC::FunctionPrototype::addFunctionProperties):
     115        * runtime/FunctionPrototype.h:
     116        * runtime/JSBoundFunction.cpp:
     117        (JSC::JSBoundFunction::create): Deleted.
     118        (JSC::JSBoundFunction::customHasInstance): Deleted.
     119        * runtime/JSBoundFunction.h:
     120        * runtime/JSGlobalObject.cpp:
     121        (JSC::JSGlobalObject::init):
     122        (JSC::JSGlobalObject::visitChildren): Deleted.
     123        * runtime/JSGlobalObject.h:
     124        (JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.
     125        * runtime/JSObject.cpp:
     126        (JSC::JSObject::hasInstance):
     127        (JSC::JSObject::defaultHasInstance): Deleted.
     128        (JSC::JSObject::getPropertyNames): Deleted.
     129        (JSC::JSObject::getOwnPropertyNames): Deleted.
     130        * runtime/JSObject.h:
     131        (JSC::JSFinalObject::create): Deleted.
     132        * runtime/JSTypeInfo.h:
     133        (JSC::TypeInfo::TypeInfo):
     134        (JSC::TypeInfo::overridesHasInstance):
     135        * runtime/WriteBarrier.h:
     136        (JSC::WriteBarrierBase<Unknown>::slot):
     137        * tests/es6.yaml:
     138        * tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
     139        * tests/stress/symbol-hasInstance.js: Removed.
     140
    11412015-12-13  Benjamin Poulain  <bpoulain@apple.com>
    2142
  • trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js

    r193974 r194036  
    3737    return this.@apply(thisValue, argumentValues);
    3838}
    39 
    40 // FIXME: this should have a different name: https://bugs.webkit.org/show_bug.cgi?id=151363
    41 function symbolHasInstance(value)
    42 {
    43     "use strict";
    44 
    45     if (typeof this !== "function")
    46         return false;
    47 
    48     if (@isBoundFunction(this))
    49         return @hasInstanceBoundFunction(this, value);
    50 
    51     let target = this.prototype;
    52     return @instanceOf(value, target);
    53 }
  • trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp

    r193974 r194036  
    5959    case op_switch_char:
    6060    case op_switch_string:
     61    case op_check_has_instance:
    6162    case op_save:
    6263        return true;
  • trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

    r193974 r194036  
    4646            { "name" : "op_bitxor", "length" : 5 },
    4747            { "name" : "op_bitor", "length" : 5 },
    48             { "name" : "op_overrides_has_instance", "length" : 4 },
     48            { "name" : "op_check_has_instance", "length" : 5 },
    4949            { "name" : "op_instanceof", "length" : 4 },
    50             { "name" : "op_instanceof_custom", "length" : 5 },
    5150            { "name" : "op_typeof", "length" : 3 },
    5251            { "name" : "op_is_undefined", "length" : 3 },
  • trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

    r193974 r194036  
    170170    case op_in:
    171171    case op_instanceof:
     172    case op_check_has_instance:
    172173    case op_add:
    173174    case op_mul:
     
    195196        return;
    196197    }
    197     case op_overrides_has_instance:
    198     case op_instanceof_custom:
    199198    case op_has_structure_property:
    200199    case op_construct_varargs:
     
    352351    case op_get_by_id:
    353352    case op_get_array_length:
    354     case op_overrides_has_instance:
     353    case op_check_has_instance:
    355354    case op_instanceof:
    356     case op_instanceof_custom:
    357355    case op_get_by_val:
    358356    case op_typeof:
  • trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

    r194017 r194036  
    10141014            break;
    10151015        }
    1016         case op_overrides_has_instance: {
     1016        case op_check_has_instance: {
    10171017            int r0 = (++it)->u.operand;
    10181018            int r1 = (++it)->u.operand;
    10191019            int r2 = (++it)->u.operand;
    1020             printLocationAndOp(out, exec, location, it, "overrides_has_instance");
    1021             out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
     1020            int offset = (++it)->u.operand;
     1021            printLocationAndOp(out, exec, location, it, "check_has_instance");
     1022            out.printf("%s, %s, %s, %d(->%d)", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), offset, location + offset);
    10221023            break;
    10231024        }
     
    10281029            printLocationAndOp(out, exec, location, it, "instanceof");
    10291030            out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
    1030             break;
    1031         }
    1032         case op_instanceof_custom: {
    1033             int r0 = (++it)->u.operand;
    1034             int r1 = (++it)->u.operand;
    1035             int r2 = (++it)->u.operand;
    1036             int r3 = (++it)->u.operand;
    1037             printLocationAndOp(out, exec, location, it, "instanceof_custom");
    1038             out.printf("%s, %s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), registerName(r3).data());
    10391031            break;
    10401032        }
  • trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp

    r193974 r194036  
    5151    case BadIndexingType:
    5252        return "BadIndexingType";
    53     case BadTypeInfoFlags:
    54         return "BadTypeInfoFlags";
    5553    case Overflow:
    5654        return "Overflow";
  • trunk/Source/JavaScriptCore/bytecode/ExitKind.h

    r193974 r194036  
    3838    BadConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
    3939    BadIndexingType, // We exited because an indexing type was wrong.
    40     BadTypeInfoFlags, // We exited because we made an incorrect assumption about what TypeInfo flags we would see.
    4140    Overflow, // We exited because of overflow.
    4241    NegativeZero, // We exited because we encountered negative zero.
  • trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp

    r193974 r194036  
    7575        break;
    7676    }
     77    case op_check_has_instance:
     78        out.append(bytecodeOffset + current[4].u.operand);
     79        break;
    7780    case op_loop_hint:
    7881        out.append(bytecodeOffset);
  • trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

    r194021 r194036  
    21002100}
    21012101
    2102 RegisterID* BytecodeGenerator::emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue)
    2103 {
    2104     emitOpcode(op_overrides_has_instance);
     2102void BytecodeGenerator::emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target)
     2103{
     2104    size_t begin = instructions().size();
     2105    emitOpcode(op_check_has_instance);
    21052106    instructions().append(dst->index());
    2106     instructions().append(constructor->index());
    2107     instructions().append(hasInstanceValue->index());
    2108     return dst;
     2107    instructions().append(value->index());
     2108    instructions().append(base->index());
     2109    instructions().append(target->bind(begin, instructions().size()));
    21092110}
    21102111
     
    22702271    instructions().append(value->index());
    22712272    instructions().append(basePrototype->index());
    2272     return dst;
    2273 }
    2274 
    2275 RegisterID* BytecodeGenerator::emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue)
    2276 {
    2277     emitOpcode(op_instanceof_custom);
    2278     instructions().append(dst->index());
    2279     instructions().append(value->index());
    2280     instructions().append(constructor->index());
    2281     instructions().append(hasInstanceValue->index());
    22822273    return dst;
    22832274}
  • trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

    r193974 r194036  
    535535        RegisterID* emitDec(RegisterID* srcDst);
    536536
    537         RegisterID* emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue);
     537        void emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target);
    538538        RegisterID* emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype);
    539         RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
    540539        RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
    541540        RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base) { return emitBinaryOp(op_in, dst, property, base, OperandTypes()); }
  • trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r194021 r194036  
    16651665RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    16661666{
    1667     RefPtr<RegisterID> hasInstanceValue = generator.newTemporary();
    1668     RefPtr<RegisterID> isObject = generator.newTemporary();
    1669     RefPtr<RegisterID> isCustom = generator.newTemporary();
     1667    RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
     1668    RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
    16701669    RefPtr<RegisterID> prototype = generator.newTemporary();
    1671     RefPtr<RegisterID> value = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
    1672     RefPtr<RegisterID> constructor = generator.emitNode(m_expr2);
    1673     RefPtr<RegisterID> dstReg = generator.finalDestination(dst, value.get());
    1674     RefPtr<Label> custom = generator.newLabel();
    1675     RefPtr<Label> done = generator.newLabel();
    1676     RefPtr<Label> typeError = generator.newLabel();
     1670    RefPtr<RegisterID> dstReg = generator.finalDestination(dst, src1.get());
     1671    RefPtr<Label> target = generator.newLabel();
    16771672
    16781673    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1679     generator.emitIsObject(isObject.get(), constructor.get());
    1680     generator.emitJumpIfFalse(isObject.get(), typeError.get());
     1674    generator.emitCheckHasInstance(dstReg.get(), src1.get(), src2.get(), target.get());
    16811675
    16821676    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1683     generator.emitGetById(hasInstanceValue.get(), constructor.get(), generator.vm()->propertyNames->hasInstanceSymbol);
     1677    generator.emitGetById(prototype.get(), src2.get(), generator.vm()->propertyNames->prototype);
    16841678
    16851679    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1686     generator.emitOverridesHasInstance(isCustom.get(), constructor.get(), hasInstanceValue.get());
    1687 
    1688     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1689     generator.emitJumpIfTrue(isCustom.get(), custom.get());
    1690 
    1691     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1692     generator.emitGetById(prototype.get(), constructor.get(), generator.vm()->propertyNames->prototype);
    1693 
    1694     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1695     generator.emitInstanceOf(dstReg.get(), value.get(), prototype.get());
    1696 
    1697     generator.emitJump(done.get());
    1698 
    1699     generator.emitLabel(typeError.get());
    1700     generator.emitThrowTypeError("Right hand side of instanceof is not an object");
    1701 
    1702     generator.emitLabel(custom.get());
    1703 
    1704     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1705     generator.emitInstanceOfCustom(dstReg.get(), value.get(), constructor.get(), hasInstanceValue.get());
    1706 
    1707     generator.emitLabel(done.get());
    1708 
    1709     return dstReg.get();
     1680    RegisterID* result = generator.emitInstanceOf(dstReg.get(), src1.get(), prototype.get());
     1681    generator.emitLabel(target.get());
     1682    return result;
    17101683}
    17111684
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r193974 r194036  
    24492449        break;
    24502450           
    2451     case OverridesHasInstance:
    2452         forNode(node).setType(SpecBoolean);
     2451    case CheckHasInstance:
     2452        // Sadly, we don't propagate the fact that we've done CheckHasInstance
    24532453        break;
    24542454           
    24552455    case InstanceOf:
    2456         // Sadly, we don't propagate the fact that we've done InstanceOf
    2457         forNode(node).setType(SpecBoolean);
    2458         break;
    2459 
    2460     case InstanceOfCustom:
    2461         clobberWorld(node->origin.semantic, clobberLimit);
     2456        // Again, sadly, we don't propagate the fact that we've done InstanceOf
    24622457        forNode(node).setType(SpecBoolean);
    24632458        break;
     
    25162511    case CheckTierUpInLoop:
    25172512    case CheckTierUpAtReturn:
    2518     case CheckTypeInfoFlags:
    25192513        break;
    25202514
  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r193974 r194036  
    34983498        }
    34993499
    3500         case op_overrides_has_instance: {
    3501             JSFunction* defaultHasInstanceSymbolFunction = m_inlineStackTop->m_codeBlock->globalObjectFor(currentCodeOrigin())->functionProtoHasInstanceSymbolFunction();
    3502 
    3503             Node* constructor = get(VirtualRegister(currentInstruction[2].u.operand));
    3504             Node* hasInstanceValue = get(VirtualRegister(currentInstruction[3].u.operand));
    3505 
    3506             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
    3507             NEXT_OPCODE(op_overrides_has_instance);
    3508         }
     3500        case op_check_has_instance:
     3501            addToGraph(CheckHasInstance, get(VirtualRegister(currentInstruction[3].u.operand)));
     3502            NEXT_OPCODE(op_check_has_instance);
    35093503
    35103504        case op_instanceof: {
     
    35143508            NEXT_OPCODE(op_instanceof);
    35153509        }
    3516 
    3517         case op_instanceof_custom: {
    3518             Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
    3519             Node* constructor = get(VirtualRegister(currentInstruction[3].u.operand));
    3520             Node* hasInstanceValue = get(VirtualRegister(currentInstruction[4].u.operand));
    3521             set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOfCustom, value, constructor, hasInstanceValue));
    3522             NEXT_OPCODE(op_instanceof_custom);
    3523         }
    3524 
     3510           
    35253511        case op_is_undefined: {
    35263512            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
  • trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

    r193974 r194036  
    129129    case op_profile_control_flow:
    130130    case op_mov:
    131     case op_overrides_has_instance:
     131    case op_check_has_instance:
    132132    case op_instanceof:
    133     case op_instanceof_custom:
    134133    case op_is_undefined:
    135134    case op_is_boolean:
  • trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

    r193974 r194036  
    728728        return;
    729729
    730     case CheckTypeInfoFlags:
     730    case CheckHasInstance:
    731731        read(JSCell_typeInfoFlags);
    732         def(HeapLocation(CheckTypeInfoFlagsLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
    733         return;
    734 
    735     case OverridesHasInstance:
    736         read(JSCell_typeInfoFlags);
    737         def(HeapLocation(OverridesHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
     732        def(HeapLocation(CheckHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
    738733        return;
    739734
     
    741736        read(JSCell_structureID);
    742737        def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
    743         return;
    744 
    745     case InstanceOfCustom:
    746         read(World);
    747         write(Heap);
    748738        return;
    749739
  • trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

    r193974 r194036  
    142142    case ProfileType:
    143143    case ProfileControlFlow:
    144     case OverridesHasInstance:
     144    case CheckHasInstance:
    145145    case InstanceOf:
    146     case InstanceOfCustom:
    147146    case IsUndefined:
    148147    case IsBoolean:
     
    182181    case ConstantStoragePointer:
    183182    case Check:
    184     case CheckTypeInfoFlags:
    185183    case MultiGetByOffset:
    186184    case ValueRep:
  • trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

    r193974 r194036  
    11011101            break;
    11021102        }
    1103 
    1104         case OverridesHasInstance: {
    1105             if (node->child2().node()->isCellConstant()) {
    1106                 if (node->child2().node()->asCell() != m_graph.globalObjectFor(node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
    1107 
    1108                     m_graph.convertToConstant(node, jsBoolean(true));
    1109                     break;
    1110                 }
    1111 
    1112                 if (!m_graph.hasExitSite(node->origin.semantic, BadTypeInfoFlags)) {
    1113                     // Here we optimistically assume that we will not see an bound/C-API function here.
    1114                     m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckTypeInfoFlags, node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(node->child1().node(), CellUse));
    1115                     m_graph.convertToConstant(node, jsBoolean(false));
    1116                     break;
    1117                 }
    1118             }
    1119 
    1120             fixEdge<CellUse>(node->child1());
    1121             break;
    1122         }
    11231103           
    11241104        case CheckStructure:
    11251105        case CheckCell:
     1106        case CheckHasInstance:
    11261107        case CreateThis:
    11271108        case GetButterfly:
     
    11841165            break;
    11851166        }
    1186 
    1187         case InstanceOfCustom:
    1188             fixEdge<CellUse>(node->child2());
    1189             break;
    1190 
     1167           
    11911168        case In: {
    11921169            // FIXME: We should at some point have array profiling on op_in, in which
     
    14341411        case VarInjectionWatchpoint:
    14351412        case Call:
    1436         case CheckTypeInfoFlags:
    14371413        case TailCallInlinedCaller:
    14381414        case Construct:
  • trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp

    r193974 r194036  
    9696        out.print("ButterflyReadOnlyLoc");
    9797        return;
    98 
    99     case CheckTypeInfoFlagsLoc:
    100         out.print("CheckTypeInfoFlagsLoc");
    101         return;
    102 
    103     case OverridesHasInstanceLoc:
    104         out.print("OverridesHasInstanceLoc");
     98       
     99    case CheckHasInstanceLoc:
     100        out.print("CheckHasInstanceLoc");
    105101        return;
    106102       
  • trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h

    r193974 r194036  
    4141    ButterflyLoc,
    4242    ButterflyReadOnlyLoc,
    43     CheckTypeInfoFlagsLoc,
    44     OverridesHasInstanceLoc,
     43    CheckHasInstanceLoc,
    4544    ClosureVariableLoc,
    4645    DirectArgumentsLoc,
  • trunk/Source/JavaScriptCore/dfg/DFGNode.h

    r193974 r194036  
    13551355        switch (op()) {
    13561356        case CheckCell:
    1357         case OverridesHasInstance:
    13581357        case NewFunction:
    13591358        case NewArrowFunction:
     
    14151414        ASSERT(hasUidOperand());
    14161415        return reinterpret_cast<UniquedStringImpl*>(m_opInfo);
    1417     }
    1418 
    1419     bool hasTypeInfoOperand()
    1420     {
    1421         return op() == CheckTypeInfoFlags;
    1422     }
    1423 
    1424     unsigned typeInfoOperand()
    1425     {
    1426         ASSERT(hasTypeInfoOperand() && m_opInfo <= UCHAR_MAX);
    1427         return static_cast<unsigned>(m_opInfo);
    14281416    }
    14291417
  • trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

    r193974 r194036  
    222222    macro(CheckInBounds, NodeMustGenerate) \
    223223    macro(CheckIdent, NodeMustGenerate) \
    224     macro(CheckTypeInfoFlags, NodeMustGenerate) /* Takes an OpInfo with the flags you want to test are set */\
    225224    \
    226225    /* Optimizations for array mutation. */\
     
    280279    macro(ProfileWillCall, NodeMustGenerate) \
    281280    macro(ProfileDidCall, NodeMustGenerate) \
    282     macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
     281    macro(CheckHasInstance, NodeMustGenerate) \
    283282    macro(InstanceOf, NodeResultBoolean) \
    284     macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
    285283    macro(IsUndefined, NodeResultBoolean) \
    286284    macro(IsBoolean, NodeResultBoolean) \
  • trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

    r193974 r194036  
    403403        case CompareEq:
    404404        case CompareStrictEq:
    405         case OverridesHasInstance:
    406405        case InstanceOf:
    407         case InstanceOfCustom:
    408406        case IsUndefined:
    409407        case IsBoolean:
     
    572570        case GetLocalUnlinked:
    573571        case CheckArray:
    574         case CheckTypeInfoFlags:
    575572        case Arrayify:
    576573        case ArrayifyToStructure:
     
    684681        case ProfileType:
    685682        case ProfileControlFlow:
     683        case CheckHasInstance:
    686684        case ThrowReferenceError:
    687685        case ForceOSRExit:
  • trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

    r193974 r194036  
    242242    case ProfileType:
    243243    case ProfileControlFlow:
    244     case CheckTypeInfoFlags:
    245     case OverridesHasInstance:
     244    case CheckHasInstance:
    246245    case InstanceOf:
    247     case InstanceOfCustom:
    248246    case IsUndefined:
    249247    case IsBoolean:
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r193989 r194036  
    27392739}
    27402740
    2741 void SpeculativeJIT::compileCheckTypeInfoFlags(Node* node)
    2742 {
    2743     SpeculateCellOperand base(this, node->child1());
    2744 
    2745     GPRReg baseGPR = base.gpr();
    2746 
    2747     speculationCheck(BadTypeInfoFlags, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(node->typeInfoOperand())));
    2748 
    2749     noResult(node);
    2750 }
    2751 
    27522741void SpeculativeJIT::compileInstanceOf(Node* node)
    27532742{
     
    29602949    jsValueResult(resultRegs, node);
    29612950    return;
    2962 }
    2963 
    2964 void SpeculativeJIT::compileInstanceOfCustom(Node* node)
    2965 {
    2966     // We could do something smarter here but this case is currently super rare and unless
    2967     // Symbol.hasInstance becomes popular will likely remain that way.
    2968 
    2969     JSValueOperand value(this, node->child1());
    2970     SpeculateCellOperand constructor(this, node->child2());
    2971     JSValueOperand hasInstanceValue(this, node->child3());
    2972     GPRTemporary result(this);
    2973 
    2974     JSValueRegs valueRegs = value.jsValueRegs();
    2975     GPRReg constructorGPR = constructor.gpr();
    2976     JSValueRegs hasInstanceRegs = hasInstanceValue.jsValueRegs();
    2977     GPRReg resultGPR = result.gpr();
    2978 
    2979     MacroAssembler::Jump slowCase = m_jit.jump();
    2980 
    2981     addSlowPathGenerator(slowPathCall(slowCase, this, operationInstanceOfCustom, resultGPR, valueRegs, constructorGPR, hasInstanceRegs));
    2982 
    2983     unblessedBooleanResult(resultGPR, node);
    29842951}
    29852952
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

    r193974 r194036  
    728728    void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg, GPRReg scratch2Reg);
    729729    void compileInstanceOf(Node*);
    730     void compileInstanceOfCustom(Node*);
    731730   
    732731    void emitCall(Node*);
     
    15131512        return appendCallSetResult(operation, result);
    15141513    }
    1515 
    1516     JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
    1517     {
    1518         m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
    1519         return appendCallSetResult(operation, result);
    1520     }
    1521     JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
    1522     {
    1523         return callOperation(operation, result, arg1.payloadGPR(), arg2, arg3.payloadGPR());
    1524     }
    1525 
    15261514    JITCompiler::Call callOperation(Z_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, unsigned arg2)
    15271515    {
     
    18431831        m_jit.setupArgumentsWithExecState(arg1, arg2, EABI_32BIT_DUMMY_ARG SH4_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
    18441832        return appendCall(operation);
    1845     }
    1846 
    1847     JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
    1848     {
    1849         m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
    1850         return appendCallSetResult(operation, result);
    1851     }
    1852     JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
    1853     {
    1854         return callOperation(operation, result, arg1.tagGPR(), arg1.payloadGPR(), arg2, arg3.tagGPR(), arg3.payloadGPR());
    18551833    }
    18561834
     
    22272205    void compileGetArrayLength(Node*);
    22282206
    2229     void compileCheckTypeInfoFlags(Node*);
    22302207    void compileCheckIdent(Node*);
    22312208   
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

    r193974 r194036  
    41604160    }
    41614161
    4162     case CheckTypeInfoFlags: {
    4163         compileCheckTypeInfoFlags(node);
    4164         break;
    4165     }
    4166 
    4167     case OverridesHasInstance: {
    4168 
    4169         Node* hasInstanceValueNode = node->child2().node();
    4170         JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
    4171 
    4172         MacroAssembler::Jump notDefaulthasInstanceValue;
    4173         MacroAssembler::Jump hasInstanceValueNotCell;
     4162    case CheckHasInstance: {
    41744163        SpeculateCellOperand base(this, node->child1());
    4175         JSValueOperand hasInstanceValue(this, node->child2());
    4176         GPRTemporary result(this);
    4177 
    4178         GPRReg resultGPR = result.gpr();
    4179 
    4180         // If we have proven that the constructor's Symbol.hasInstance will always be the one on
    4181         // Function.prototype[Symbol.hasInstance] then we don't need a runtime check here. We don't worry
    4182         // about the case where the constructor's Symbol.hasInstance is a constant but is not the default
    4183         // one as fixup should have converted this check to true.
    4184         ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
    4185         if (!hasInstanceValueNode->isCellConstant()) {
    4186 
    4187             JSValueRegs hasInstanceValueRegs = hasInstanceValue.jsValueRegs();
    4188             hasInstanceValueNotCell = m_jit.branchIfNotCell(hasInstanceValueRegs);
    4189             notDefaulthasInstanceValue = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueRegs.payloadGPR(), TrustedImmPtr(defaultHasInstanceFunction));
    4190         }
    4191 
    4192         // Check that constructor 'ImplementsDefaultHasInstance'.
    4193         m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
    4194         MacroAssembler::Jump done = m_jit.jump();
    4195 
    4196         if (!hasInstanceValueNode->isCellConstant()) {
    4197             hasInstanceValueNotCell.link(&m_jit);
    4198             notDefaulthasInstanceValue.link(&m_jit);
    4199             moveTrueTo(resultGPR);
    4200         }
    4201 
    4202         done.link(&m_jit);
    4203         booleanResult(resultGPR, node);
     4164        GPRTemporary structure(this);
     4165
     4166        // Speculate that base 'ImplementsDefaultHasInstance'.
     4167        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
     4168            MacroAssembler::Zero,
     4169            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
     4170            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
     4171
     4172        noResult(node);
    42044173        break;
    42054174    }
     
    42074176    case InstanceOf: {
    42084177        compileInstanceOf(node);
    4209         break;
    4210     }
    4211 
    4212     case InstanceOfCustom: {
    4213         compileInstanceOfCustom(node);
    42144178        break;
    42154179    }
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r193974 r194036  
    41504150    }
    41514151
    4152     case CheckTypeInfoFlags: {
    4153         compileCheckTypeInfoFlags(node);
    4154         break;
    4155     }
    4156 
    4157     case OverridesHasInstance: {
    4158 
    4159         Node* hasInstanceValueNode = node->child2().node();
    4160         JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
    4161 
    4162         MacroAssembler::Jump notDefault;
     4152    case CheckHasInstance: {
    41634153        SpeculateCellOperand base(this, node->child1());
    4164         JSValueOperand hasInstanceValue(this, node->child2());
    4165         GPRTemporary result(this);
    4166 
    4167         GPRReg resultGPR = result.gpr();
    4168 
    4169         // If we have proven that the constructor's Symbol.hasInstance will always be the one on Function.prototype[Symbol.hasInstance]
    4170         // then we don't need a runtime check here. We don't worry about the case where the constructor's Symbol.hasInstance is a constant
    4171         // but is not the default one as fixup should have converted this check to true.
    4172         ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
    4173         if (!hasInstanceValueNode->isCellConstant())
    4174             notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
    4175 
    4176         // Check that base 'ImplementsDefaultHasInstance'.
    4177         m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
    4178         m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
    4179         MacroAssembler::Jump done = m_jit.jump();
    4180 
    4181         if (notDefault.isSet()) {
    4182             notDefault.link(&m_jit);
    4183             moveTrueTo(resultGPR);
    4184         }
    4185 
    4186         done.link(&m_jit);
    4187         jsValueResult(resultGPR, node, DataFormatJSBoolean);
     4154        GPRTemporary structure(this);
     4155
     4156        // Speculate that base 'ImplementsDefaultHasInstance'.
     4157        speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
     4158            MacroAssembler::Zero,
     4159            MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
     4160            MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
     4161
     4162        noResult(node);
    41884163        break;
    41894164    }
     
    41914166    case InstanceOf: {
    41924167        compileInstanceOf(node);
    4193         break;
    4194     }
    4195 
    4196     case InstanceOfCustom: {
    4197         compileInstanceOfCustom(node);
    41984168        break;
    41994169    }
  • trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

    r193974 r194036  
    175175    case IsObjectOrNull:
    176176    case IsFunction:
    177     case CheckTypeInfoFlags:
    178     case OverridesHasInstance:
     177    case CheckHasInstance:
    179178    case InstanceOf:
    180     case InstanceOfCustom:
    181179    case DoubleRep:
    182180    case ValueRep:
  • trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h

    r193974 r194036  
    129129    macro(Z_JITOperation_EC, functionType(int32, intPtr, intPtr)) \
    130130    macro(Z_JITOperation_EGC, functionType(int32, intPtr, intPtr, intPtr)) \
    131     macro(Z_JITOperation_EJOJ, functionType(int32, intPtr, int64, intPtr, int64)) \
    132131    macro(Z_JITOperation_EJZ, functionType(int32, intPtr, int64, int32)) \
    133132    macro(Z_JITOperation_ESJss, functionType(int32, intPtr, intPtr, int64)) \
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

    r193985 r194036  
    942942            compileTypeOf();
    943943            break;
    944         case CheckTypeInfoFlags:
    945             compileCheckTypeInfoFlags();
    946             break;
    947         case OverridesHasInstance:
    948             compileOverridesHasInstance();
     944        case CheckHasInstance:
     945            compileCheckHasInstance();
    949946            break;
    950947        case InstanceOf:
    951948            compileInstanceOf();
    952             break;
    953         case InstanceOfCustom:
    954             compileInstanceOfCustom();
    955949            break;
    956950        case CountExecution:
     
    56115605    }
    56125606
    5613     void compileOverridesHasInstance()
    5614     {
    5615         JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(m_node->cellOperand()->value());
    5616 
    5617         LValue constructor = lowCell(m_node->child1());
    5618         LValue hasInstance = lowJSValue(m_node->child2());
    5619 
    5620         LBasicBlock defaultHasInstance = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance Symbol.hasInstance is default"));
    5621         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance continuation"));
    5622 
    5623         // Unlike in the DFG, we don't worry about cleaning this code up for the case where we have proven the hasInstanceValue is a constant as LLVM should fix it for us.
    5624 
    5625         ASSERT(!m_node->child2().node()->isCellConstant() || defaultHasInstanceFunction == m_node->child2().node()->asCell());
    5626 
    5627         ValueFromBlock notDefaultHasInstanceResult = m_out.anchor(m_out.booleanTrue);
    5628         m_out.branch(m_out.notEqual(hasInstance, m_out.constIntPtr(defaultHasInstanceFunction)), unsure(continuation), unsure(defaultHasInstance));
    5629 
    5630         LBasicBlock lastNext = m_out.appendTo(defaultHasInstance, continuation);
    5631         ValueFromBlock implementsDefaultHasInstanceResult = m_out.anchor(m_out.testIsZero32(
    5632             m_out.load8ZeroExt32(constructor, m_heaps.JSCell_typeInfoFlags),
    5633             m_out.constInt32(ImplementsDefaultHasInstance)));
    5634         m_out.jump(continuation);
    5635 
    5636         m_out.appendTo(continuation, lastNext);
    5637         setBoolean(m_out.phi(m_out.boolean, implementsDefaultHasInstanceResult, notDefaultHasInstanceResult));
    5638     }
    5639 
    5640     void compileCheckTypeInfoFlags()
     5607    void compileCheckHasInstance()
    56415608    {
    56425609        speculate(
    5643             BadTypeInfoFlags, noValue(), 0,
     5610            Uncountable, noValue(), 0,
    56445611            m_out.testIsZero32(
    56455612                m_out.load8ZeroExt32(lowCell(m_node->child1()), m_heaps.JSCell_typeInfoFlags),
    5646                 m_out.constInt32(m_node->typeInfoOperand())));
     5613                m_out.constInt32(ImplementsDefaultHasInstance)));
    56475614    }
    56485615   
     
    56965663        setBoolean(
    56975664            m_out.phi(m_out.boolean, notCellResult, isInstanceResult, notInstanceResult));
    5698     }
    5699 
    5700     void compileInstanceOfCustom()
    5701     {
    5702         LValue value = lowJSValue(m_node->child1());
    5703         LValue constructor = lowCell(m_node->child2());
    5704         LValue hasInstance = lowJSValue(m_node->child3());
    5705 
    5706         setBoolean(m_out.bitNot(m_out.equal(m_out.constInt32(0), vmCall(m_out.int32, m_out.operation(operationInstanceOfCustom), m_callFrame, value, constructor, hasInstance))));
    57075665    }
    57085666   
  • trunk/Source/JavaScriptCore/jit/CCallHelpers.h

    r194007 r194036  
    18951895    }
    18961896
    1897     ALWAYS_INLINE void setupArgumentsWithExecState(TrustedImm32 arg1, GPRReg arg2, GPRReg arg3, GPRReg arg4, TrustedImm32 arg5, GPRReg arg6, GPRReg arg7)
    1898     {
    1899         poke(arg7, POKE_ARGUMENT_OFFSET + 3);
    1900         poke(arg6, POKE_ARGUMENT_OFFSET + 2);
    1901         poke(arg5, POKE_ARGUMENT_OFFSET + 1);
    1902         poke(arg4, POKE_ARGUMENT_OFFSET);
    1903         setupArgumentsWithExecState(arg1, arg2, arg3);
    1904     }
    1905 
    19061897    ALWAYS_INLINE void setupArguments(GPRReg arg1, GPRReg arg2, TrustedImmPtr arg3, TrustedImm32 arg4, GPRReg arg5)
    19071898    {
  • trunk/Source/JavaScriptCore/jit/JIT.cpp

    r193974 r194036  
    229229        DEFINE_OP(op_get_by_id)
    230230        DEFINE_OP(op_get_by_val)
    231         DEFINE_OP(op_overrides_has_instance)
     231        DEFINE_OP(op_check_has_instance)
    232232        DEFINE_OP(op_instanceof)
    233         DEFINE_OP(op_instanceof_custom)
    234233        DEFINE_OP(op_is_undefined)
    235234        DEFINE_OP(op_is_boolean)
     
    401400        DEFINE_SLOWCASE_OP(op_get_by_id)
    402401        DEFINE_SLOWCASE_OP(op_get_by_val)
     402        DEFINE_SLOWCASE_OP(op_check_has_instance)
    403403        DEFINE_SLOWCASE_OP(op_instanceof)
    404         DEFINE_SLOWCASE_OP(op_instanceof_custom)
    405404        DEFINE_SLOWCASE_OP(op_jfalse)
    406405        DEFINE_SLOWCASE_OP(op_jless)
  • trunk/Source/JavaScriptCore/jit/JIT.h

    r193998 r194036  
    510510        void emit_op_get_argument_by_val(Instruction*);
    511511        void emit_op_init_lazy_reg(Instruction*);
    512         void emit_op_overrides_has_instance(Instruction*);
     512        void emit_op_check_has_instance(Instruction*);
    513513        void emit_op_instanceof(Instruction*);
    514         void emit_op_instanceof_custom(Instruction*);
    515514        void emit_op_is_undefined(Instruction*);
    516515        void emit_op_is_boolean(Instruction*);
     
    618617        void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
    619618        void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
     619        void emitSlow_op_check_has_instance(Instruction*, Vector<SlowCaseEntry>::iterator&);
    620620        void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
    621         void emitSlow_op_instanceof_custom(Instruction*, Vector<SlowCaseEntry>::iterator&);
    622621        void emitSlow_op_jfalse(Instruction*, Vector<SlowCaseEntry>::iterator&);
    623622        void emitSlow_op_jless(Instruction*, Vector<SlowCaseEntry>::iterator&);
     
    746745        MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);
    747746        MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, ByValInfo*);
    748         MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg);
    749747        MacroAssembler::Call callOperation(C_JITOperation_EJsc, GPRReg);
    750748        MacroAssembler::Call callOperation(J_JITOperation_EJscC, int, GPRReg, JSCell*);
     
    814812        MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, GPRReg, const Identifier*);
    815813        MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg, GPRReg, GPRReg);
    816         MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg, GPRReg, GPRReg);
    817814        MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, GPRReg, GPRReg, ArrayProfile*);
    818815        MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, GPRReg, GPRReg, ByValInfo*);
  • trunk/Source/JavaScriptCore/jit/JITInlines.h

    r193974 r194036  
    504504}
    505505
    506 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3)
    507 {
    508     setupArgumentsWithExecState(arg1, arg2, arg3);
    509     return appendCallWithExceptionCheck(operation);
    510 }
    511 
    512506ALWAYS_INLINE MacroAssembler::Call JIT::callOperationNoExceptionCheck(V_JITOperation_EJ operation, GPRReg arg1)
    513507{
     
    601595    updateTopCallFrame();
    602596    return appendCall(operation);
    603 }
    604 
    605 ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
    606 {
    607     setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
    608     return appendCallWithExceptionCheck(operation);
    609597}
    610598
  • trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

    r193974 r194036  
    106106}
    107107
    108 void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
    109 {
    110     int dst = currentInstruction[1].u.operand;
    111     int constructor = currentInstruction[2].u.operand;
    112     int hasInstanceValue = currentInstruction[3].u.operand;
    113 
    114     emitGetVirtualRegister(hasInstanceValue, regT0);
    115 
    116     // We don't jump if we know what Symbol.hasInstance would do.
    117     Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
    118 
    119     emitGetVirtualRegister(constructor, regT0);
    120 
    121     // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
    122     test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
    123     emitTagBool(regT0);
    124     Jump done = jump();
    125 
    126     customhasInstanceValue.link(this);
    127     move(TrustedImm32(ValueTrue), regT0);
    128 
    129     done.link(this);
    130     emitPutVirtualRegister(dst);
     108void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
     109{
     110    int baseVal = currentInstruction[3].u.operand;
     111
     112    emitGetVirtualRegister(baseVal, regT0);
     113
     114    // Check that baseVal is a cell.
     115    emitJumpSlowCaseIfNotJSCell(regT0, baseVal);
     116
     117    // Check that baseVal 'ImplementsHasInstance'.
     118    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
    131119}
    132120
     
    142130    emitGetVirtualRegister(proto, regT1);
    143131
    144     // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
     132    // Check that proto are cells.  baseVal must be a cell - this is checked by op_check_has_instance.
    145133    emitJumpSlowCaseIfNotJSCell(regT2, value);
    146134    emitJumpSlowCaseIfNotJSCell(regT1, proto);
     
    168156    isInstance.link(this);
    169157    emitPutVirtualRegister(dst);
    170 }
    171 
    172 void JIT::emit_op_instanceof_custom(Instruction*)
    173 {
    174     // This always goes to slow path since we expect it to be rare.
    175     addSlowCase(jump());
    176158}
    177159
     
    848830}
    849831
     832void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
     833{
     834    int dst = currentInstruction[1].u.operand;
     835    int value = currentInstruction[2].u.operand;
     836    int baseVal = currentInstruction[3].u.operand;
     837
     838    linkSlowCaseIfNotJSCell(iter, baseVal);
     839    linkSlowCase(iter);
     840    emitGetVirtualRegister(value, regT0);
     841    emitGetVirtualRegister(baseVal, regT1);
     842    callOperation(operationCheckHasInstance, dst, regT0, regT1);
     843
     844    emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
     845}
     846
    850847void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
    851848{
     
    860857    emitGetVirtualRegister(proto, regT1);
    861858    callOperation(operationInstanceOf, dst, regT0, regT1);
    862 }
    863 
    864 void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
    865 {
    866     int dst = currentInstruction[1].u.operand;
    867     int value = currentInstruction[2].u.operand;
    868     int constructor = currentInstruction[3].u.operand;
    869     int hasInstanceValue = currentInstruction[4].u.operand;
    870 
    871     linkSlowCase(iter);
    872     emitGetVirtualRegister(value, regT0);
    873     emitGetVirtualRegister(constructor, regT1);
    874     emitGetVirtualRegister(hasInstanceValue, regT2);
    875     callOperation(operationInstanceOfCustom, regT0, regT1, regT2);
    876     emitTagBool(returnValueGPR);
    877     emitPutVirtualRegister(dst, returnValueGPR);
    878859}
    879860
  • trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

    r193974 r194036  
    184184}
    185185
    186 void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
    187 {
    188     int dst = currentInstruction[1].u.operand;
    189     int constructor = currentInstruction[2].u.operand;
    190     int hasInstanceValue = currentInstruction[3].u.operand;
    191 
    192     emitLoadPayload(hasInstanceValue, regT0);
    193     // We don't jump if we know what Symbol.hasInstance would do.
    194     Jump hasInstanceValueNotCell = emitJumpIfNotJSCell(hasInstanceValue);
    195     Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
    196 
    197     // We know that constructor is an object from the way bytecode is emitted for instanceof expressions.
    198     emitLoadPayload(constructor, regT0);
    199 
    200     // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
    201     test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
    202     Jump done = jump();
    203 
    204     hasInstanceValueNotCell.link(this);
    205     customhasInstanceValue.link(this);
    206     move(TrustedImm32(1), regT0);
    207 
    208     done.link(this);
    209     emitStoreBool(dst, regT0);
    210 
     186void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
     187{
     188    int baseVal = currentInstruction[3].u.operand;
     189
     190    emitLoadPayload(baseVal, regT0);
     191
     192    // Check that baseVal is a cell.
     193    emitJumpSlowCaseIfNotJSCell(baseVal);
     194   
     195    // Check that baseVal 'ImplementsHasInstance'.
     196    addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
    211197}
    212198
     
    222208    emitLoadPayload(proto, regT1);
    223209
    224     // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
     210    // Check that proto are cells.  baseVal must be a cell - this is checked by op_check_has_instance.
    225211    emitJumpSlowCaseIfNotJSCell(value);
    226212    emitJumpSlowCaseIfNotJSCell(proto);
     
    250236}
    251237
    252 void JIT::emit_op_instanceof_custom(Instruction*)
    253 {
    254     // This always goes to slow path since we expect it to be rare.
    255     addSlowCase(jump());
     238void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
     239{
     240    int dst = currentInstruction[1].u.operand;
     241    int value = currentInstruction[2].u.operand;
     242    int baseVal = currentInstruction[3].u.operand;
     243
     244    linkSlowCaseIfNotJSCell(iter, baseVal);
     245    linkSlowCase(iter);
     246
     247    emitLoad(value, regT1, regT0);
     248    emitLoad(baseVal, regT3, regT2);
     249    callOperation(operationCheckHasInstance, dst, regT1, regT0, regT3, regT2);
     250
     251    emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
    256252}
    257253
     
    269265    emitLoad(proto, regT3, regT2);
    270266    callOperation(operationInstanceOf, dst, regT1, regT0, regT3, regT2);
    271 }
    272 
    273 void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
    274 {
    275     int dst = currentInstruction[1].u.operand;
    276     int value = currentInstruction[2].u.operand;
    277     int constructor = currentInstruction[3].u.operand;
    278     int hasInstanceValue = currentInstruction[4].u.operand;
    279 
    280     linkSlowCase(iter);
    281 
    282     emitLoad(value, regT1, regT0);
    283     emitLoadPayload(constructor, regT2);
    284     emitLoad(hasInstanceValue, regT4, regT3);
    285     callOperation(operationInstanceOfCustom, regT1, regT0, regT2, regT4, regT3);
    286     emitStoreBool(dst, returnValueGPR);
    287267}
    288268
  • trunk/Source/JavaScriptCore/jit/JITOperations.cpp

    r193974 r194036  
    14881488}
    14891489
    1490 int32_t JIT_OPERATION operationInstanceOfCustom(ExecState* exec, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance)
     1490EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedBaseVal)
    14911491{
    14921492    VM& vm = exec->vm();
     
    14941494
    14951495    JSValue value = JSValue::decode(encodedValue);
    1496     JSValue hasInstanceValue = JSValue::decode(encodedHasInstance);
    1497 
    1498     ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor->structure()->typeInfo().implementsDefaultHasInstance());
    1499 
    1500     if (constructor->hasInstance(exec, value, hasInstanceValue))
    1501         return 1;
    1502     return 0;
     1496    JSValue baseVal = JSValue::decode(encodedBaseVal);
     1497
     1498    if (baseVal.isObject()) {
     1499        JSObject* baseObject = asObject(baseVal);
     1500        ASSERT(!baseObject->structure(vm)->typeInfo().implementsDefaultHasInstance());
     1501        if (baseObject->structure(vm)->typeInfo().implementsHasInstance()) {
     1502            bool result = baseObject->methodTable(vm)->customHasInstance(baseObject, exec, value);
     1503            return JSValue::encode(jsBoolean(result));
     1504        }
     1505    }
     1506
     1507    vm.throwException(exec, createInvalidInstanceofParameterError(exec, baseVal));
     1508    return JSValue::encode(JSValue());
    15031509}
    15041510
  • trunk/Source/JavaScriptCore/jit/JITOperations.h

    r193974 r194036  
    176176typedef int32_t JIT_OPERATION (*Z_JITOperation_ESJss)(ExecState*, size_t, JSString*);
    177177typedef int32_t JIT_OPERATION (*Z_JITOperation_EJ)(ExecState*, EncodedJSValue);
    178 typedef int32_t JIT_OPERATION (*Z_JITOperation_EJOJ)(ExecState*, EncodedJSValue, JSObject*, EncodedJSValue);
    179178typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
    180179typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZZ)(ExecState*, EncodedJSValue, int32_t, int32_t);
     
    330329void JIT_OPERATION operationProfileDidCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
    331330void JIT_OPERATION operationProfileWillCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
     331EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState*, EncodedJSValue, EncodedJSValue baseVal) WTF_INTERNAL;
    332332EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
    333333EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
     
    358358
    359359int32_t JIT_OPERATION operationCheckIfExceptionIsUncatchableAndNotifyProfiler(ExecState*);
    360 int32_t JIT_OPERATION operationInstanceOfCustom(ExecState*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance) WTF_INTERNAL;
    361360
    362361EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);
  • trunk/Source/JavaScriptCore/llint/LLIntData.cpp

    r193974 r194036  
    3535#include "Opcode.h"
    3636#include "PropertyOffset.h"
    37 #include "WriteBarrier.h"
    3837
    3938namespace JSC { namespace LLInt {
     
    156155    ASSERT(ModuleCode == 3);
    157156
    158     ASSERT(!(reinterpret_cast<ptrdiff_t>((reinterpret_cast<WriteBarrier<JSCell>*>(0x4000)->slot())) - 0x4000));
    159157    static_assert(PutByIdPrimaryTypeMask == 0x6, "LLInt assumes PutByIdPrimaryTypeMask is == 0x6");
    160158    static_assert(PutByIdPrimaryTypeSecondary == 0x0, "LLInt assumes PutByIdPrimaryTypeSecondary is == 0x0");
  • trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

    r193974 r194036  
    523523}
    524524
     525LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
     526{
     527    LLINT_BEGIN();
     528   
     529    JSValue value = LLINT_OP_C(2).jsValue();
     530    JSValue baseVal = LLINT_OP_C(3).jsValue();
     531    if (baseVal.isObject()) {
     532        JSObject* baseObject = asObject(baseVal);
     533        ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
     534        if (baseObject->structure()->typeInfo().implementsHasInstance()) {
     535            JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
     536            LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
     537        }
     538    }
     539    LLINT_THROW(createInvalidInstanceofParameterError(exec, baseVal));
     540}
     541
    525542LLINT_SLOW_PATH_DECL(slow_path_instanceof)
    526543{
     
    530547    ASSERT(!value.isObject() || !proto.isObject());
    531548    LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
    532 }
    533 
    534 LLINT_SLOW_PATH_DECL(slow_path_instanceof_custom)
    535 {
    536     LLINT_BEGIN();
    537 
    538     JSValue value = LLINT_OP_C(2).jsValue();
    539     JSValue constructor = LLINT_OP_C(3).jsValue();
    540     JSValue hasInstanceValue = LLINT_OP_C(4).jsValue();
    541 
    542     ASSERT(constructor.isObject());
    543     ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor.getObject()->structure()->typeInfo().implementsDefaultHasInstance());
    544 
    545     JSValue result = jsBoolean(constructor.getObject()->hasInstance(exec, value, hasInstanceValue));
    546     LLINT_RETURN(result);
    547549}
    548550
  • trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h

    r193974 r194036  
    6868LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array_buffer);
    6969LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_regexp);
     70LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_check_has_instance);
    7071LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof);
    71 LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof_custom);
    7272LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_id);
    7373LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_arguments_length);
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

    r193974 r194036  
    11761176
    11771177
    1178 _llint_op_overrides_has_instance:
    1179     traceExecution()
    1180 
    1181     loadisFromInstruction(1, t3)
    1182     storei BooleanTag, TagOffset[cfr, t3, 8]
    1183 
    1184     # First check if hasInstanceValue is the one on Function.prototype[Symbol.hasInstance]
    1185     loadisFromInstruction(3, t0)
    1186     loadConstantOrVariablePayload(t0, CellTag, t2, .opOverrideshasInstanceValueNotCell)
    1187     loadConstantOrVariable(t0, t1, t2)
    1188     bineq t1, CellTag, .opOverrideshasInstanceValueNotCell
    1189 
    1190     # We don't need hasInstanceValue's tag register anymore.
    1191     loadp CodeBlock[cfr], t1
    1192     loadp CodeBlock::m_globalObject[t1], t1
    1193     loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t1], t1
    1194     bineq t1, t2, .opOverrideshasInstanceValueNotDefault
    1195 
    1196     # We know the constructor is a cell.
    1197     loadisFromInstruction(2, t0)
    1198     loadConstantOrVariablePayloadUnchecked(t0, t1)
    1199     tbz JSCell::m_flags[t1], ImplementsDefaultHasInstance, t0
    1200     storei t0, PayloadOffset[cfr, t3, 8]
    1201     dispatch(4)
    1202 
    1203 .opOverrideshasInstanceValueNotCell:
    1204 .opOverrideshasInstanceValueNotDefault:
    1205     storei 1, PayloadOffset[cfr, t3, 8]
    1206     dispatch(4)
     1178_llint_op_check_has_instance:
     1179    traceExecution()
     1180    loadi 12[PC], t1
     1181    loadConstantOrVariablePayload(t1, CellTag, t0, .opCheckHasInstanceSlow)
     1182    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
     1183    dispatch(5)
     1184
     1185.opCheckHasInstanceSlow:
     1186    callSlowPath(_llint_slow_path_check_has_instance)
     1187    dispatch(0)
     1188
    12071189
    12081190_llint_op_instanceof:
     
    12331215    callSlowPath(_llint_slow_path_instanceof)
    12341216    dispatch(4)
    1235 
    1236 _llint_op_instanceof_custom:
    1237     traceExecution()
    1238     callSlowPath(_llint_slow_path_instanceof_custom)
    1239     dispatch(5)
    12401217
    12411218
  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r193983 r194036  
    10701070
    10711071
    1072 _llint_op_overrides_has_instance:
    1073     traceExecution()
    1074     loadisFromInstruction(1, t3)
    1075 
     1072_llint_op_check_has_instance:
     1073    traceExecution()
    10761074    loadisFromInstruction(3, t1)
    1077     loadConstantOrVariable(t1, t0)
    1078     loadp CodeBlock[cfr], t2
    1079     loadp CodeBlock::m_globalObject[t2], t2
    1080     loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t2], t2
    1081     bqneq t0, t2, .opOverridesHasInstanceNotDefaultSymbol
    1082 
    1083     loadisFromInstruction(2, t1)
    1084     loadConstantOrVariable(t1, t0)
    1085     tbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, t1
    1086     orq ValueFalse, t1
    1087     storeq t1, [cfr, t3, 8]
    1088     dispatch(4)
    1089 
    1090 .opOverridesHasInstanceNotDefaultSymbol:
    1091     storeq ValueTrue, [cfr, t3, 8]
    1092     dispatch(4)
     1075    loadConstantOrVariableCell(t1, t0, .opCheckHasInstanceSlow)
     1076    btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
     1077    dispatch(5)
     1078
     1079.opCheckHasInstanceSlow:
     1080    callSlowPath(_llint_slow_path_check_has_instance)
     1081    dispatch(0)
    10931082
    10941083
     
    11211110    dispatch(4)
    11221111
    1123 _llint_op_instanceof_custom:
    1124     traceExecution()
    1125     callSlowPath(_llint_slow_path_instanceof_custom)
    1126     dispatch(5)
    11271112
    11281113_llint_op_is_undefined:
  • trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h

    r193974 r194036  
    251251
    252252#define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET(macro)\
     253    macro(hasInstance) \
    253254    macro(isConcatSpreadable) \
    254255    macro(match) \
     
    260261
    261262#define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL(macro) \
    262     macro(hasInstance) \
    263263    macro(iterator) \
    264264    macro(unscopables) \
     
    346346    macro(newTargetLocal) \
    347347    macro(derivedConstructor) \
    348     macro(isBoundFunction) \
    349     macro(hasInstanceBoundFunction) \
    350     macro(instanceOf) \
    351348
    352349
  • trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp

    r193974 r194036  
    210210}
    211211
    212 inline String invalidParameterInstanceofSourceAppender(const String& content, const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
     212static String invalidParameterInstanceofSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
    213213{
    214214    if (occurrence == ErrorInstance::FoundApproximateSource)
     
    223223    static const unsigned instanceofLength = 10;
    224224    String rightHandSide = sourceText.substring(instanceofIndex + instanceofLength).simplifyWhiteSpace();
    225     return makeString(rightHandSide, content, ". (evaluating '", sourceText, "')");
    226 }
    227 
    228 static String invalidParameterInstanceofNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
    229 {
    230     return invalidParameterInstanceofSourceAppender(WTF::makeString(" is not a function"), originalMessage, sourceText, runtimeType, occurrence);
    231 }
    232 
    233 static String invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
    234 {
    235     return invalidParameterInstanceofSourceAppender(WTF::makeString("[Symbol.hasInstance] is not a function, undefined, or null"), originalMessage, sourceText, runtimeType, occurrence);
     225    return makeString(rightHandSide, " is not a function. (evaluating '", sourceText, "')");
    236226}
    237227
     
    256246}
    257247
    258 JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState* exec, JSValue value)
    259 {
    260     return createError(exec, value, makeString(" is not a function"), invalidParameterInstanceofNotFunctionSourceAppender);
    261 }
    262 
    263 JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState* exec, JSValue value)
    264 {
    265     return createError(exec, value, makeString("[Symbol.hasInstance] is not a function, undefined, or null"), invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender);
     248JSObject* createInvalidInstanceofParameterError(ExecState* exec, JSValue value)
     249{
     250    return createError(exec, value, makeString("is not a function."), invalidParameterInstanceofSourceAppender);
    266251}
    267252
  • trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h

    r193974 r194036  
    4646JSObject* createInvalidFunctionApplyParameterError(ExecState*, JSValue);
    4747JSObject* createInvalidInParameterError(ExecState*, JSValue);
    48 JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState*, JSValue);
    49 JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState*, JSValue);
     48JSObject* createInvalidInstanceofParameterError(ExecState*, JSValue);
    5049JSObject* createNotAConstructorError(ExecState*, JSValue);
    5150JSObject* createNotAFunctionError(ExecState*, JSValue);
  • trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp

    r194017 r194036  
    5454}
    5555
    56 void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction)
     56void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction)
    5757{
    5858    VM& vm = exec->vm();
     
    6363    *applyFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().applyPublicName(), functionPrototypeApplyCodeGenerator(vm), DontEnum);
    6464    *callFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().callPublicName(), functionPrototypeCallCodeGenerator(vm), DontEnum);
    65     *hasInstanceSymbolFunction = putDirectBuiltinFunction(vm, globalObject, vm.propertyNames->hasInstanceSymbol, functionPrototypeSymbolHasInstanceCodeGenerator(vm), DontDelete | ReadOnly | DontEnum);
    6665
    6766    JSFunction* bindFunction = JSFunction::create(vm, globalObject, 1, vm.propertyNames->bind.string(), functionProtoFuncBind);
  • trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h

    r193974 r194036  
    3737    }
    3838
    39     void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction);
     39    void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction);
    4040
    4141    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)
  • trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp

    r193974 r194036  
    7575}
    7676
    77 EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState* exec)
    78 {
    79     return JSValue::encode(JSValue(static_cast<bool>(jsDynamicCast<JSBoundFunction*>(exec->uncheckedArgument(0)))));
    80 }
    81 
    82 EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState* exec)
    83 {
    84     JSBoundFunction* boundObject = jsCast<JSBoundFunction*>(exec->uncheckedArgument(0));
    85     JSValue value = exec->uncheckedArgument(1);
    86 
    87     return JSValue::encode(jsBoolean(boundObject->targetFunction()->hasInstance(exec, value)));
    88 }
    89 
    90 
    9177JSBoundFunction* JSBoundFunction::create(VM& vm, JSGlobalObject* globalObject, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int length, const String& name)
    9278{
  • trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h

    r193974 r194036  
    3333EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState*);
    3434EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState*);
    35 EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState*);
    36 EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState*);
    3735
    3836class JSBoundFunction : public JSFunction {
    3937public:
    4038    typedef JSFunction Base;
    41     const static unsigned StructureFlags = OverridesHasInstanceFlag | Base::StructureFlags;
     39    const static unsigned StructureFlags = OverridesHasInstance | Base::StructureFlags;
    4240
    4341    static JSBoundFunction* create(VM&, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);
  • trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

    r193974 r194036  
    287287    JSFunction* callFunction = 0;
    288288    JSFunction* applyFunction = 0;
    289     JSFunction* hasInstanceSymbolFunction = 0;
    290     m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction, &hasInstanceSymbolFunction);
     289    m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction);
    291290    m_callFunction.set(vm, this, callFunction);
    292291    m_applyFunction.set(vm, this, applyFunction);
     
    294293    m_initializePromiseFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsInitializePromiseCodeGenerator(vm), this));
    295294    m_newPromiseCapabilityFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsNewPromiseCapabilityCodeGenerator(vm), this));
    296     m_functionProtoHasInstanceSymbolFunction.set(vm, this, hasInstanceSymbolFunction);
    297295    m_nullGetterFunction.set(vm, this, NullGetterFunction::create(vm, NullGetterFunction::createStructure(vm, this, m_functionPrototype.get())));
    298296    m_nullSetterFunction.set(vm, this, NullSetterFunction::create(vm, NullSetterFunction::createStructure(vm, this, m_functionPrototype.get())));
     
    524522    JSFunction* privateFuncTypedArrayLength = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncLength);
    525523    JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort);
    526     JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction);
    527     JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction);
    528     JSFunction* privateFuncInstanceOf = JSFunction::create(vm, this, 0, String(), objectPrivateFuncInstanceOf);
    529524
    530525    GlobalPropertyInfo staticGlobals[] = {
     
    541536        GlobalPropertyInfo(vm.propertyNames->typedArrayLengthPrivateName, privateFuncTypedArrayLength, DontEnum | DontDelete | ReadOnly),
    542537        GlobalPropertyInfo(vm.propertyNames->typedArraySortPrivateName, privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly),
    543         GlobalPropertyInfo(vm.propertyNames->isBoundFunctionPrivateName, privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly),
    544         GlobalPropertyInfo(vm.propertyNames->hasInstanceBoundFunctionPrivateName, privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),
    545         GlobalPropertyInfo(vm.propertyNames->instanceOfPrivateName, privateFuncInstanceOf, DontEnum | DontDelete | ReadOnly),
    546538        GlobalPropertyInfo(vm.propertyNames->BuiltinLogPrivateName, builtinLog, DontEnum | DontDelete | ReadOnly),
    547539        GlobalPropertyInfo(vm.propertyNames->ArrayPrivateName, arrayConstructor, DontEnum | DontDelete | ReadOnly),
     
    841833    visitor.append(&thisObject->m_initializePromiseFunction);
    842834    visitor.append(&thisObject->m_newPromiseCapabilityFunction);
    843     visitor.append(&thisObject->m_functionProtoHasInstanceSymbolFunction);
    844835    visitor.append(&thisObject->m_throwTypeErrorGetterSetter);
    845836    visitor.append(&thisObject->m_moduleLoader);
  • trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

    r193974 r194036  
    223223    WriteBarrier<JSFunction> m_initializePromiseFunction;
    224224    WriteBarrier<JSFunction> m_newPromiseCapabilityFunction;
    225     WriteBarrier<JSFunction> m_functionProtoHasInstanceSymbolFunction;
    226225    WriteBarrier<GetterSetter> m_throwTypeErrorGetterSetter;
    227226
     
    440439    JSFunction* initializePromiseFunction() const { return m_initializePromiseFunction.get(); }
    441440    JSFunction* newPromiseCapabilityFunction() const { return m_newPromiseCapabilityFunction.get(); }
    442     JSFunction* functionProtoHasInstanceSymbolFunction() const { return m_functionProtoHasInstanceSymbolFunction.get(); }
    443441    GetterSetter* throwTypeErrorGetterSetter(VM& vm)
    444442    {
  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r193974 r194036  
    14581458}
    14591459
    1460 bool JSObject::hasInstance(ExecState* exec, JSValue value, JSValue hasInstanceValue)
     1460bool JSObject::hasInstance(ExecState* exec, JSValue value)
    14611461{
    14621462    VM& vm = exec->vm();
    1463 
    1464     if (!hasInstanceValue.isUndefinedOrNull() && hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction()) {
    1465         CallData callData;
    1466         CallType callType = JSC::getCallData(hasInstanceValue, callData);
    1467         if (callType == CallTypeNone) {
    1468             vm.throwException(exec, createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(exec, this));
    1469             return false;
    1470         }
    1471 
    1472         MarkedArgumentBuffer args;
    1473         args.append(value);
    1474         JSValue result = call(exec, hasInstanceValue, callType, callData, this, args);
    1475         return result.toBoolean(exec);
    1476     }
    1477 
    14781463    TypeInfo info = structure(vm)->typeInfo();
    14791464    if (info.implementsDefaultHasInstance())
     
    14811466    if (info.implementsHasInstance())
    14821467        return methodTable(vm)->customHasInstance(this, exec, value);
    1483     vm.throwException(exec, createInvalidInstanceofParameterErrorNotFunction(exec, this));
     1468    vm.throwException(exec, createInvalidInstanceofParameterError(exec, this));
    14841469    return false;
    1485 }
    1486 
    1487 bool JSObject::hasInstance(ExecState* exec, JSValue value)
    1488 {
    1489     JSValue hasInstanceValue = get(exec, exec->propertyNames().hasInstanceSymbol);
    1490 
    1491     return hasInstance(exec, value, hasInstanceValue);
    14921470}
    14931471
     
    15081486    }
    15091487    return false;
    1510 }
    1511 
    1512 EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState* exec)
    1513 {
    1514     JSValue value = exec->uncheckedArgument(0);
    1515     JSValue proto = exec->uncheckedArgument(1);
    1516 
    1517     return JSValue::encode(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
    15181488}
    15191489
  • trunk/Source/JavaScriptCore/runtime/JSObject.h

    r193974 r194036  
    486486    JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
    487487
    488     JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
    489488    bool hasInstance(ExecState*, JSValue);
    490489    static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
     
    975974    }
    976975};
    977 
    978 JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
    979976
    980977inline JSFinalObject* JSFinalObject::create(
  • trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

    r193974 r194036  
    3939static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable.
    4040static const unsigned ImplementsHasInstance = 1 << 1;
    41 static const unsigned OverridesHasInstanceFlag = 1 << 2; // FIXME: This is only trivially used by the runtime and should be removed: https://bugs.webkit.org/show_bug.cgi?id=152005
     41static const unsigned OverridesHasInstance = 1 << 2;
    4242static const unsigned ImplementsDefaultHasInstance = 1 << 3;
    4343static const unsigned TypeOfShouldCallGetCallData = 1 << 4; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData().
     
    6969    {
    7070        // No object that doesn't ImplementsHasInstance should override it!
    71         ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) != OverridesHasInstanceFlag);
     71        ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstance)) != OverridesHasInstance);
    7272        // ImplementsDefaultHasInstance means (ImplementsHasInstance & !OverridesHasInstance)
    73         if ((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) == ImplementsHasInstance)
     73        if ((m_flags & (ImplementsHasInstance | OverridesHasInstance)) == ImplementsHasInstance)
    7474            m_flags |= ImplementsDefaultHasInstance;
    7575    }
     
    8484    bool masqueradesAsUndefined() const { return isSetOnFlags1(MasqueradesAsUndefined); }
    8585    bool implementsHasInstance() const { return isSetOnFlags1(ImplementsHasInstance); }
    86     bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstanceFlag); }
     86    bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstance); }
    8787    bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); }
    8888    bool typeOfShouldCallGetCallData() const { return isSetOnFlags1(TypeOfShouldCallGetCallData); }
  • trunk/Source/JavaScriptCore/runtime/WriteBarrier.h

    r193974 r194036  
    153153    bool isCustomGetterSetter() const { return get().isCustomGetterSetter(); }
    154154   
    155     JSValue* slot() const
     155    JSValue* slot()
    156156    {
    157         return bitwise_cast<JSValue*>(&m_value);
     157        union {
     158            EncodedJSValue* v;
     159            JSValue* slot;
     160        } u;
     161        u.v = &m_value;
     162        return u.slot;
    158163    }
    159164   
  • trunk/Source/JavaScriptCore/tests/es6.yaml

    r193974 r194036  
    11841184  cmd: runES6 :fail
    11851185- path: es6/well-known_symbols_Symbol.hasInstance.js
    1186   cmd: runES6 :normal
     1186  cmd: runES6 :fail
    11871187- path: es6/well-known_symbols_Symbol.isConcatSpreadable.js
    11881188  cmd: runES6 :fail
Note: See TracChangeset for help on using the changeset viewer.