Changeset 223584 in webkit
- Timestamp:
- Oct 17, 2017 4:34:29 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 13 deleted
- 36 edited
trunk/JSTests/ChangeLog
r223523 r223584 1 2017-10-17 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r223523. 4 5 A test for this change is failing on debug JSC bots. 6 7 Reverted changeset: 8 9 "[JSC] __proto__ getter should be fast" 10 https://bugs.webkit.org/show_bug.cgi?id=178067 11 https://trac.webkit.org/changeset/223523 12 1 13 2017-10-10 Yusuke Suzuki <utatane.tea@gmail.com> 2 14 -
trunk/JSTests/stress/object-prototype-proto-accessors-should-throw-on-undefined-this.js
r223523 r223584 35 35 } 36 36 37 runTest(10000, testInvokeGetter, undefined, "TypeError: undefined is not an object (evaluating 'getter()')");37 runTest(10000, testInvokeGetter, undefined, "TypeError: Object.prototype.__proto__ called on null or undefined"); 38 38 runTest(10100, testInvokeSetter, undefined, "TypeError: Object.prototype.__proto__ called on null or undefined"); -
trunk/LayoutTests/ChangeLog
r223582 r223584 1 2017-10-17 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r223523. 4 5 A test for this change is failing on debug JSC bots. 6 7 Reverted changeset: 8 9 "[JSC] __proto__ getter should be fast" 10 https://bugs.webkit.org/show_bug.cgi?id=178067 11 https://trac.webkit.org/changeset/223523 12 1 13 2017-10-17 Per Arne Vollan <pvollan@apple.com> 2 14 -
trunk/LayoutTests/js/object-literal-shorthand-construction-expected.txt
r223523 r223584 65 65 PASS ({__proto__: this.__proto__}) instanceof Array is false 66 66 PASS __proto__ = [] threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 67 PASS ({__proto__: __proto__}) instanceof Array threw exception TypeError: undefined is not an object (evaluating '__proto__').67 PASS ({__proto__: __proto__}) instanceof Array threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 68 68 SyntaxErrors 69 69 PASS ({break}) threw exception SyntaxError: Cannot use the keyword 'break' as a shorthand property name.. -
trunk/LayoutTests/js/script-tests/object-literal-shorthand-construction.js
r223523 r223584 114 114 shouldBeFalse("({__proto__: this.__proto__}) instanceof Array"); 115 115 shouldThrow("__proto__ = []", '"TypeError: Object.prototype.__proto__ called on null or undefined"'); 116 shouldThrow("({__proto__: __proto__}) instanceof Array", '"TypeError: undefined is not an object (evaluating \'__proto__\')"');116 shouldThrow("({__proto__: __proto__}) instanceof Array", '"TypeError: Object.prototype.__proto__ called on null or undefined"'); 117 117 118 118 // Keywords - Syntax Errors -
trunk/LayoutTests/js/script-tests/sloppy-getter-setter-global-object.js
r223523 r223584 26 26 shouldNotThrow("Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo'])"); 27 27 28 shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()", "\"TypeError: undefined is not an object (evaluating '(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()')\"");28 shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()", "\"TypeError: Object.prototype.__proto__ called on null or undefined\""); 29 29 shouldThrow("(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo'])", "\"TypeError: Object.prototype.__proto__ called on null or undefined\""); 30 30 31 31 32 32 var top_level_sloppy_getter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get; 33 shouldThrow("top_level_sloppy_getter();", "\"TypeError: undefined is not an object (evaluating 'top_level_sloppy_getter()')\"");33 shouldThrow("top_level_sloppy_getter();", "\"TypeError: Object.prototype.__proto__ called on null or undefined\""); 34 34 35 35 var top_level_sloppy_setter = Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set; -
trunk/LayoutTests/js/sloppy-getter-setter-global-object-expected.txt
r223523 r223584 9 9 PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get() did not throw exception. 10 10 PASS Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set(['foo']) did not throw exception. 11 PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: undefined is not an object (evaluating '(0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)()').11 PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').get)() threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 12 12 PASS (0,Object.getOwnPropertyDescriptor(Object.prototype,'__proto__').set)(['foo']) threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 13 PASS top_level_sloppy_getter(); threw exception TypeError: undefined is not an object (evaluating 'top_level_sloppy_getter()').13 PASS top_level_sloppy_getter(); threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 14 14 PASS top_level_sloppy_setter(['foo']); threw exception TypeError: Object.prototype.__proto__ called on null or undefined. 15 15 PASS successfullyParsed is true -
trunk/Source/JavaScriptCore/ChangeLog
r223562 r223584 1 2017-10-17 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r223523. 4 5 A test for this change is failing on debug JSC bots. 6 7 Reverted changeset: 8 9 "[JSC] __proto__ getter should be fast" 10 https://bugs.webkit.org/show_bug.cgi?id=178067 11 https://trac.webkit.org/changeset/223523 12 1 13 2017-10-17 Youenn Fablet <youenn@apple.com> 2 14 -
trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
r223523 r223584 2741 2741 break; 2742 2742 } 2743 2744 case GetPrototypeOf: {2745 AbstractValue& value = forNode(node->child1());2746 if ((value.m_type && !(value.m_type & ~SpecObject)) && value.m_structure.isFinite()) {2747 bool canFold = !value.m_structure.isClear();2748 JSValue prototype;2749 value.m_structure.forEach([&] (RegisteredStructure structure) {2750 auto getPrototypeMethod = structure->classInfo()->methodTable.getPrototype;2751 MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;2752 if (getPrototypeMethod != defaultGetPrototype) {2753 canFold = false;2754 return;2755 }2756 2757 if (structure->hasPolyProto()) {2758 canFold = false;2759 return;2760 }2761 if (!prototype)2762 prototype = structure->storedPrototype();2763 else if (prototype != structure->storedPrototype())2764 canFold = false;2765 });2766 2767 if (prototype && canFold) {2768 setConstant(node, *m_graph.freeze(prototype));2769 break;2770 }2771 }2772 2773 switch (node->child1().useKind()) {2774 case ArrayUse:2775 case FunctionUse:2776 case FinalObjectUse:2777 break;2778 default:2779 clobberWorld(node->origin.semantic, clobberLimit);2780 break;2781 }2782 forNode(node).setType(m_graph, SpecObject | SpecOther);2783 break;2784 }2785 2743 2786 2744 case GetByOffset: { -
trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
r223523 r223584 239 239 bool handleDOMJITCall(Node* callee, int resultOperand, const DOMJIT::Signature*, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks); 240 240 template<typename ChecksFunctor> 241 bool handleIntrinsicGetter(int resultOperand, SpeculatedType prediction,const GetByIdVariant& intrinsicVariant, Node* thisNode, const ChecksFunctor& insertChecks);241 bool handleIntrinsicGetter(int resultOperand, const GetByIdVariant& intrinsicVariant, Node* thisNode, const ChecksFunctor& insertChecks); 242 242 template<typename ChecksFunctor> 243 243 bool handleTypedArrayConstructor(int resultOperand, InternalFunction*, int registerOffset, int argumentCountIncludingThis, TypedArrayType, const ChecksFunctor& insertChecks); … … 2600 2600 } 2601 2601 2602 case ObjectGetPrototypeOfIntrinsic: {2603 if (argumentCountIncludingThis != 2)2604 return false;2605 2606 insertChecks();2607 set(VirtualRegister(resultOperand), addToGraph(GetPrototypeOf, OpInfo(0), OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset))));2608 return true;2609 }2610 2611 case ReflectGetPrototypeOfIntrinsic: {2612 if (argumentCountIncludingThis != 2)2613 return false;2614 2615 insertChecks();2616 set(VirtualRegister(resultOperand), addToGraph(GetPrototypeOf, OpInfo(0), OpInfo(prediction), Edge(get(virtualRegisterForArgument(1, registerOffset)), ObjectUse)));2617 return true;2618 }2619 2620 2602 case IsTypedArrayViewIntrinsic: { 2621 2603 ASSERT(argumentCountIncludingThis == 2); … … 2965 2947 2966 2948 template<typename ChecksFunctor> 2967 bool ByteCodeParser::handleIntrinsicGetter(int resultOperand, SpeculatedType prediction,const GetByIdVariant& variant, Node* thisNode, const ChecksFunctor& insertChecks)2949 bool ByteCodeParser::handleIntrinsicGetter(int resultOperand, const GetByIdVariant& variant, Node* thisNode, const ChecksFunctor& insertChecks) 2968 2950 { 2969 2951 switch (variant.intrinsic()) { … … 3029 3011 
set(VirtualRegister(resultOperand), addToGraph(GetTypedArrayByteOffset, OpInfo(ArrayMode(arrayType).asWord()), thisNode)); 3030 3012 3031 return true;3032 }3033 3034 case UnderscoreProtoIntrinsic: {3035 insertChecks();3036 3037 bool canFold = !variant.structureSet().isEmpty();3038 JSValue prototype;3039 variant.structureSet().forEach([&] (Structure* structure) {3040 auto getPrototypeMethod = structure->classInfo()->methodTable.getPrototype;3041 MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;3042 if (getPrototypeMethod != defaultGetPrototype) {3043 canFold = false;3044 return;3045 }3046 3047 if (structure->hasPolyProto()) {3048 canFold = false;3049 return;3050 }3051 if (!prototype)3052 prototype = structure->storedPrototype();3053 else if (prototype != structure->storedPrototype())3054 canFold = false;3055 });3056 3057 // OK, only one prototype is found. We perform constant folding here.3058 // This information is important for super's constructor call to get new.target constant.3059 if (prototype && canFold) {3060 set(VirtualRegister(resultOperand), weakJSConstant(prototype));3061 return true;3062 }3063 3064 set(VirtualRegister(resultOperand), addToGraph(GetPrototypeOf, OpInfo(0), OpInfo(prediction), thisNode));3065 3013 return true; 3066 3014 } … … 3849 3797 Node* getter = addToGraph(GetGetter, loadedValue); 3850 3798 3851 if (handleIntrinsicGetter(destinationOperand, prediction,variant, base,3799 if (handleIntrinsicGetter(destinationOperand, variant, base, 3852 3800 [&] () { 3853 3801 addToGraph(CheckCell, OpInfo(m_graph.freeze(variant.intrinsicFunction())), getter); -
trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
r223523 r223584 1115 1115 def(HeapLocation(TypedArrayByteOffsetLoc, MiscFields, node->child1()), LazyNode(node)); 1116 1116 return; 1117 1118 case GetPrototypeOf: {1119 switch (node->child1().useKind()) {1120 case ArrayUse:1121 case FunctionUse:1122 case FinalObjectUse:1123 read(JSCell_structureID);1124 read(JSObject_butterfly);1125 read(NamedProperties); // Poly proto could load prototype from its slot.1126 def(HeapLocation(PrototypeLoc, NamedProperties, node->child1()), LazyNode(node));1127 return;1128 default:1129 read(World);1130 write(Heap);1131 return;1132 }1133 }1134 1117 1135 1118 case GetByOffset: -
trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
r223523 r223584 239 239 case StringCharCodeAt: 240 240 case GetTypedArrayByteOffset: 241 case GetPrototypeOf:242 241 case PutByValDirect: 243 242 case PutByVal: -
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r223523 r223584 1601 1601 fixEdge<Int32Use>(node->child1()); 1602 1602 fixEdge<Int32Use>(node->child2()); 1603 break;1604 }1605 1606 case GetPrototypeOf: {1607 fixupGetPrototypeOf(node);1608 1603 break; 1609 1604 } … … 2308 2303 } 2309 2304 2310 void fixupGetPrototypeOf(Node* node)2311 {2312 // Reflect.getPrototypeOf only accepts Objects. For Reflect.getPrototypeOf, ByteCodeParser attaches ObjectUse edge filter before fixup phase.2313 if (node->child1().useKind() != ObjectUse) {2314 if (node->child1()->shouldSpeculateString()) {2315 insertCheck<StringUse>(node->child1().node());2316 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->stringPrototype()));2317 return;2318 }2319 if (node->child1()->shouldSpeculateInt32()) {2320 insertCheck<Int32Use>(node->child1().node());2321 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));2322 return;2323 }2324 if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {2325 insertCheck<Int52RepUse>(node->child1().node());2326 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));2327 return;2328 }2329 if (node->child1()->shouldSpeculateNumber()) {2330 insertCheck<NumberUse>(node->child1().node());2331 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));2332 return;2333 }2334 if (node->child1()->shouldSpeculateSymbol()) {2335 insertCheck<SymbolUse>(node->child1().node());2336 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->symbolPrototype()));2337 return;2338 }2339 if (node->child1()->shouldSpeculateBoolean()) {2340 insertCheck<BooleanUse>(node->child1().node());2341 m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->booleanPrototype()));2342 return;2343 }2344 }2345 2346 if 
(node->child1()->shouldSpeculateFinalObject()) {2347 fixEdge<FinalObjectUse>(node->child1());2348 node->clearFlags(NodeMustGenerate);2349 return;2350 }2351 if (node->child1()->shouldSpeculateArray()) {2352 fixEdge<ArrayUse>(node->child1());2353 node->clearFlags(NodeMustGenerate);2354 return;2355 }2356 if (node->child1()->shouldSpeculateFunction()) {2357 fixEdge<FunctionUse>(node->child1());2358 node->clearFlags(NodeMustGenerate);2359 return;2360 }2361 }2362 2363 2305 void fixupToThis(Node* node) 2364 2306 { -
trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
r223523 r223584 152 152 out.print("TypedArrayByteOffsetLoc"); 153 153 return; 154 155 case PrototypeLoc:156 out.print("PrototypeLoc");157 return;158 154 159 155 case StructureLoc: -
trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h
r223523 r223584 61 61 StructureLoc, 62 62 TypedArrayByteOffsetLoc, 63 PrototypeLoc,64 63 StackLoc, 65 64 StackPayloadLoc, -
trunk/Source/JavaScriptCore/dfg/DFGNode.h
r223523 r223584 1549 1549 case GetByIdFlush: 1550 1550 case GetByIdWithThis: 1551 case GetPrototypeOf:1552 1551 case TryGetById: 1553 1552 case GetByVal: … … 2313 2312 } 2314 2313 2315 bool shouldSpeculateFunction()2316 {2317 return isFunctionSpeculation(prediction());2318 }2319 2320 2314 bool shouldSpeculateProxyObject() 2321 2315 { -
trunk/Source/JavaScriptCore/dfg/DFGNodeType.h
r223523 r223584 252 252 macro(CheckSubClass, NodeMustGenerate) \ 253 253 macro(ParseInt, NodeMustGenerate | NodeResultJS) \ 254 macro(GetPrototypeOf, NodeMustGenerate | NodeResultJS) \255 254 \ 256 255 /* Atomics object functions. */\ -
trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
r223523 r223584 53 53 #include "JSFixedArray.h" 54 54 #include "JSGenericTypedArrayViewConstructorInlines.h" 55 #include "JSGlobalObjectFunctions.h"56 55 #include "JSLexicalEnvironment.h" 57 56 #include "JSMap.h" … … 2520 2519 } 2521 2520 2522 EncodedJSValue JIT_OPERATION operationGetPrototypeOfObject(ExecState* exec, JSObject* thisObject)2523 {2524 VM& vm = exec->vm();2525 NativeCallFrameTracer tracer(&vm, exec);2526 return JSValue::encode(thisObject->getPrototype(vm, exec));2527 }2528 2529 EncodedJSValue JIT_OPERATION operationGetPrototypeOf(ExecState* exec, EncodedJSValue encodedValue)2530 {2531 VM& vm = exec->vm();2532 NativeCallFrameTracer tracer(&vm, exec);2533 auto scope = DECLARE_THROW_SCOPE(vm);2534 2535 JSValue thisValue = JSValue::decode(encodedValue).toThis(exec, StrictMode);2536 if (thisValue.isUndefinedOrNull())2537 return throwVMError(exec, scope, createNotAnObjectError(exec, thisValue));2538 2539 JSObject* thisObject = jsDynamicCast<JSObject*>(vm, thisValue);2540 if (!thisObject) {2541 JSObject* prototype = thisValue.synthesizePrototype(exec);2542 EXCEPTION_ASSERT(!!scope.exception() == !prototype);2543 if (UNLIKELY(!prototype))2544 return JSValue::encode(JSValue());2545 return JSValue::encode(prototype);2546 }2547 2548 scope.release();2549 return JSValue::encode(thisObject->getPrototype(vm, exec));2550 }2551 2552 2521 void JIT_OPERATION operationThrowDFG(ExecState* exec, EncodedJSValue valueToThrow) 2553 2522 { -
trunk/Source/JavaScriptCore/dfg/DFGOperations.h
r223523 r223584 78 78 EncodedJSValue JIT_OPERATION operationGetByIdWithThis(ExecState*, EncodedJSValue, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL; 79 79 EncodedJSValue JIT_OPERATION operationGetByValWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL; 80 EncodedJSValue JIT_OPERATION operationGetPrototypeOf(ExecState*, EncodedJSValue) WTF_INTERNAL;81 EncodedJSValue JIT_OPERATION operationGetPrototypeOfObject(ExecState*, JSObject*) WTF_INTERNAL;82 80 char* JIT_OPERATION operationNewArray(ExecState*, Structure*, void*, size_t) WTF_INTERNAL; 83 81 char* JIT_OPERATION operationNewArrayBuffer(ExecState*, Structure*, size_t, size_t) WTF_INTERNAL; -
trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
r223523 r223584 724 724 case CallDOMGetter: 725 725 case GetDynamicVar: 726 case WeakMapGet: 727 case GetPrototypeOf: { 726 case WeakMapGet: { 728 727 setPrediction(m_currentNode->getHeapPrediction()); 729 728 break; -
trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
r223523 r223584 402 402 case ForwardVarargs: 403 403 case CreateRest: 404 case GetPrototypeOf:405 404 case StringReplace: 406 405 case StringReplaceRegExp: -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r223523 r223584 9187 9187 } 9188 9188 9189 void SpeculativeJIT::speculateFunction(Edge edge, GPRReg cell)9190 {9191 speculateCellType(edge, cell, SpecFunction, JSFunctionType);9192 }9193 9194 9189 void SpeculativeJIT::speculateFunction(Edge edge) 9195 9190 { … … 9198 9193 9199 9194 SpeculateCellOperand operand(this, edge); 9200 speculateFunction(edge, operand.gpr()); 9201 } 9202 9203 void SpeculativeJIT::speculateFinalObject(Edge edge, GPRReg cell) 9204 { 9205 speculateCellType(edge, cell, SpecFinalObject, FinalObjectType); 9195 speculateCellType(edge, operand.gpr(), SpecFunction, JSFunctionType); 9206 9196 } 9207 9197 … … 9212 9202 9213 9203 SpeculateCellOperand operand(this, edge); 9214 speculate FinalObject(edge, operand.gpr());9204 speculateCellType(edge, operand.gpr(), SpecFinalObject, FinalObjectType); 9215 9205 } 9216 9206 … … 10778 10768 } 10779 10769 10780 void SpeculativeJIT::compileGetPrototypeOf(Node* node)10781 {10782 switch (node->child1().useKind()) {10783 case ArrayUse:10784 case FunctionUse:10785 case FinalObjectUse: {10786 SpeculateCellOperand object(this, node->child1());10787 GPRTemporary temp(this);10788 GPRTemporary temp2(this);10789 10790 GPRReg objectGPR = object.gpr();10791 GPRReg tempGPR = temp.gpr();10792 GPRReg temp2GPR = temp2.gpr();10793 10794 switch (node->child1().useKind()) {10795 case ArrayUse:10796 speculateArray(node->child1(), objectGPR);10797 break;10798 case FunctionUse:10799 speculateFunction(node->child1(), objectGPR);10800 break;10801 case FinalObjectUse:10802 speculateFinalObject(node->child1(), objectGPR);10803 break;10804 default:10805 RELEASE_ASSERT_NOT_REACHED();10806 break;10807 }10808 10809 m_jit.emitLoadStructure(*m_jit.vm(), objectGPR, tempGPR, temp2GPR);10810 10811 AbstractValue& value = m_state.forNode(node->child1());10812 if ((value.m_type && !(value.m_type & ~SpecObject)) && value.m_structure.isFinite()) {10813 bool hasPolyProto = false;10814 bool hasMonoProto = false;10815 value.m_structure.forEach([&] 
(RegisteredStructure structure) {10816 if (structure->hasPolyProto())10817 hasPolyProto = true;10818 else10819 hasMonoProto = true;10820 });10821 10822 if (hasMonoProto && !hasPolyProto) {10823 #if USE(JSVALUE64)10824 m_jit.load64(MacroAssembler::Address(tempGPR, Structure::prototypeOffset()), tempGPR);10825 jsValueResult(tempGPR, node);10826 #else10827 m_jit.load32(MacroAssembler::Address(tempGPR, Structure::prototypeOffset() + TagOffset), temp2GPR);10828 m_jit.load32(MacroAssembler::Address(tempGPR, Structure::prototypeOffset() + PayloadOffset), tempGPR);10829 jsValueResult(temp2GPR, tempGPR, node);10830 #endif10831 return;10832 }10833 10834 if (hasPolyProto && !hasMonoProto) {10835 #if USE(JSVALUE64)10836 m_jit.load64(MacroAssembler::Address(tempGPR, Structure::prototypeOffset()), tempGPR);10837 m_jit.zeroExtend32ToPtr(tempGPR, tempGPR);10838 m_jit.load64(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage()), tempGPR);10839 jsValueResult(tempGPR, node);10840 #else10841 m_jit.load32(MacroAssembler::Address(tempGPR, Structure::prototypeOffset() + PayloadOffset), tempGPR);10842 m_jit.load32(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage() + TagOffset), temp2GPR);10843 m_jit.load32(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage() + PayloadOffset), tempGPR);10844 jsValueResult(temp2GPR, tempGPR, node);10845 #endif10846 return;10847 }10848 }10849 10850 #if USE(JSVALUE64)10851 m_jit.load64(MacroAssembler::Address(tempGPR, Structure::prototypeOffset()), tempGPR);10852 auto isMonoProto = m_jit.branchIfNotInt32(JSValueRegs(tempGPR));10853 m_jit.zeroExtend32ToPtr(tempGPR, tempGPR);10854 m_jit.load64(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage()), tempGPR);10855 isMonoProto.link(&m_jit);10856 jsValueResult(tempGPR, node);10857 #else10858 
m_jit.load32(MacroAssembler::Address(tempGPR, Structure::prototypeOffset() + TagOffset), temp2GPR);10859 m_jit.load32(MacroAssembler::Address(tempGPR, Structure::prototypeOffset() + PayloadOffset), tempGPR);10860 auto isMonoProto = m_jit.branch32(CCallHelpers::NotEqual, temp2GPR, TrustedImm32(JSValue::Int32Tag));10861 m_jit.load32(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage() + TagOffset), temp2GPR);10862 m_jit.load32(JITCompiler::BaseIndex(objectGPR, tempGPR, JITCompiler::TimesEight, JSObject::offsetOfInlineStorage() + PayloadOffset), tempGPR);10863 isMonoProto.link(&m_jit);10864 jsValueResult(temp2GPR, tempGPR, node);10865 #endif10866 return;10867 }10868 case ObjectUse: {10869 SpeculateCellOperand value(this, node->child1());10870 JSValueRegsTemporary result(this);10871 10872 GPRReg valueGPR = value.gpr();10873 JSValueRegs resultRegs = result.regs();10874 10875 speculateObject(node->child1(), valueGPR);10876 10877 flushRegisters();10878 callOperation(operationGetPrototypeOfObject, resultRegs, valueGPR);10879 m_jit.exceptionCheck();10880 jsValueResult(resultRegs, node);10881 return;10882 }10883 default: {10884 JSValueOperand value(this, node->child1());10885 JSValueRegsTemporary result(this);10886 10887 JSValueRegs valueRegs = value.jsValueRegs();10888 JSValueRegs resultRegs = result.regs();10889 10890 flushRegisters();10891 callOperation(operationGetPrototypeOf, resultRegs, valueRegs);10892 m_jit.exceptionCheck();10893 jsValueResult(resultRegs, node);10894 return;10895 }10896 }10897 }10898 10899 10770 } } // namespace JSC::DFG 10900 10771 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
r223523 r223584 988 988 return appendCallSetResult(operation, result); 989 989 } 990 JITCompiler::Call callOperation(J_JITOperation_EO operation, JSValueRegs result, GPRReg object)991 {992 m_jit.setupArgumentsWithExecState(object);993 return appendCallSetResult(operation, result);994 }995 990 JITCompiler::Call callOperation(P_JITOperation_EPS operation, GPRReg result, GPRReg old, size_t size) 996 991 { … … 2841 2836 void compileLoadKeyFromMapBucket(Node*); 2842 2837 void compileLoadValueFromMapBucket(Node*); 2843 void compileGetPrototypeOf(Node*);2844 2838 2845 2839 #if USE(JSVALUE32_64) … … 3091 3085 void speculateArray(Edge, GPRReg cell); 3092 3086 void speculateArray(Edge); 3093 void speculateFunction(Edge, GPRReg cell);3094 3087 void speculateFunction(Edge); 3095 void speculateFinalObject(Edge, GPRReg cell);3096 3088 void speculateFinalObject(Edge); 3097 3089 void speculateRegExpObject(Edge, GPRReg cell); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r223523 r223584 4433 4433 case GetTypedArrayByteOffset: { 4434 4434 compileGetTypedArrayByteOffset(node); 4435 break;4436 }4437 4438 case GetPrototypeOf: {4439 compileGetPrototypeOf(node);4440 4435 break; 4441 4436 } -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r223523 r223584 4651 4651 break; 4652 4652 } 4653 4654 case GetPrototypeOf: {4655 compileGetPrototypeOf(node);4656 break;4657 }4658 4653 4659 4654 case GetByOffset: -
trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
r223523 r223584 145 145 case NukeStructureAndSetButterfly: 146 146 case GetTypedArrayByteOffset: 147 case GetPrototypeOf:148 147 case NotifyWrite: 149 148 case StoreBarrier: -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r223523 r223584 822 822 compileGetTypedArrayByteOffset(); 823 823 break; 824 case GetPrototypeOf:825 compileGetPrototypeOf();826 break;827 824 case AllocatePropertyStorage: 828 825 compileAllocatePropertyStorage(); … … 3432 3429 3433 3430 setInt32(m_out.castToInt32(m_out.phi(pointerType(), simpleOut, wastefulOut))); 3434 }3435 3436 void compileGetPrototypeOf()3437 {3438 switch (m_node->child1().useKind()) {3439 case ArrayUse:3440 case FunctionUse:3441 case FinalObjectUse: {3442 LValue object = lowCell(m_node->child1());3443 switch (m_node->child1().useKind()) {3444 case ArrayUse:3445 speculateArray(m_node->child1(), object);3446 break;3447 case FunctionUse:3448 speculateFunction(m_node->child1(), object);3449 break;3450 case FinalObjectUse:3451 speculateFinalObject(m_node->child1(), object);3452 break;3453 default:3454 RELEASE_ASSERT_NOT_REACHED();3455 break;3456 }3457 3458 LValue structure = loadStructure(object);3459 3460 AbstractValue& value = m_state.forNode(m_node->child1());3461 if ((value.m_type && !(value.m_type & ~SpecObject)) && value.m_structure.isFinite()) {3462 bool hasPolyProto = false;3463 bool hasMonoProto = false;3464 value.m_structure.forEach([&] (RegisteredStructure structure) {3465 if (structure->hasPolyProto())3466 hasPolyProto = true;3467 else3468 hasMonoProto = true;3469 });3470 3471 if (hasMonoProto && !hasPolyProto) {3472 setJSValue(m_out.load64(structure, m_heaps.Structure_prototype));3473 return;3474 }3475 3476 if (hasPolyProto && !hasMonoProto) {3477 LValue prototypeBits = m_out.load64(structure, m_heaps.Structure_prototype);3478 LValue index = m_out.bitAnd(prototypeBits, m_out.constInt64(UINT_MAX));3479 setJSValue(m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), object, index, ScaleEight, JSObject::offsetOfInlineStorage())));3480 return;3481 }3482 }3483 3484 LBasicBlock continuation = m_out.newBlock();3485 LBasicBlock loadPolyProto = m_out.newBlock();3486 3487 LValue prototypeBits = m_out.load64(structure, 
m_heaps.Structure_prototype);3488 ValueFromBlock directPrototype = m_out.anchor(prototypeBits);3489 m_out.branch(isInt32(prototypeBits), unsure(loadPolyProto), unsure(continuation));3490 3491 LBasicBlock lastNext = m_out.appendTo(loadPolyProto, continuation);3492 LValue index = m_out.bitAnd(prototypeBits, m_out.constInt64(UINT_MAX));3493 ValueFromBlock polyProto = m_out.anchor(3494 m_out.load64(m_out.baseIndex(m_heaps.properties.atAnyNumber(), object, index, ScaleEight, JSObject::offsetOfInlineStorage())));3495 m_out.jump(continuation);3496 3497 m_out.appendTo(continuation, lastNext);3498 setJSValue(m_out.phi(Int64, directPrototype, polyProto));3499 return;3500 }3501 case ObjectUse: {3502 setJSValue(vmCall(Int64, m_out.operation(operationGetPrototypeOfObject), m_callFrame, lowObject(m_node->child1())));3503 return;3504 }3505 default: {3506 setJSValue(vmCall(Int64, m_out.operation(operationGetPrototypeOf), m_callFrame, lowJSValue(m_node->child1())));3507 return;3508 }3509 }3510 3431 } 3511 3432 … … 9083 9004 9084 9005 LValue prototypeBits = m_out.load64(structure, m_heaps.Structure_prototype); 9085 ValueFromBlock directProto type = m_out.anchor(prototypeBits);9006 ValueFromBlock directProtoype = m_out.anchor(prototypeBits); 9086 9007 m_out.branch(isInt32(prototypeBits), unsure(loadPolyProto), unsure(comparePrototype)); 9087 9008 … … 9093 9014 9094 9015 m_out.appendTo(comparePrototype, notYetInstance); 9095 LValue currentPrototype = m_out.phi(Int64, directProto type, polyProto);9016 LValue currentPrototype = m_out.phi(Int64, directProtoype, polyProto); 9096 9017 ValueFromBlock isInstanceResult = m_out.anchor(m_out.booleanTrue); 9097 9018 m_out.branch( -
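Review bot: The last hunk of this section (new lines 9006 and 9016) brings back the misspelled local `directProtoype`, which the rolled-out change appears to have corrected to `directPrototype`. Both uses agree, so the code still compiles, but the spelling fix is unrelated to the failing test and could be kept: `ValueFromBlock directPrototype = m_out.anchor(prototypeBits);` and `m_out.phi(Int64, directPrototype, polyProto)`. The enclosing function starts and ends outside the hunk.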
trunk/Source/JavaScriptCore/jit/IntrinsicEmitter.cpp
r223523 r223584 64 64 return true; 65 65 } 66 case UnderscoreProtoIntrinsic: {67 auto getPrototypeMethod = structure->classInfo()->methodTable.getPrototype;68 MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;69 return getPrototypeMethod == defaultGetPrototype;70 }71 66 default: 72 67 return false; … … 131 126 } 132 127 133 case UnderscoreProtoIntrinsic: {134 if (structure()->hasMonoProto()) {135 jit.moveValue(structure()->storedPrototype(), valueRegs);136 state.succeed();137 return;138 }139 // FIXME: Support poly proto for intrinsic getters.140 // https://bugs.webkit.org/show_bug.cgi?id=177318141 jit.loadValue(MacroAssembler::Address(baseGPR, sizeof(EncodedJSValue) * structure()->polyProtoOffset() + JSObject::offsetOfInlineStorage()), valueRegs);142 state.succeed();143 return;144 }145 146 128 default: 147 129 break; -
trunk/Source/JavaScriptCore/jit/JITOperations.h
r223523 r223584 177 177 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EZZ)(ExecState*, int32_t, int32_t); 178 178 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EZSymtabJ)(ExecState*, int32_t, SymbolTable*, EncodedJSValue); 179 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EO)(ExecState*, JSObject*);180 179 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EOIUi)(ExecState*, JSObject*, UniquedStringImpl*, uint32_t); 181 180 typedef EncodedJSValue (JIT_OPERATION *J_JITOperation_EJJI)(ExecState*, EncodedJSValue, EncodedJSValue, UniquedStringImpl*); -
trunk/Source/JavaScriptCore/runtime/Intrinsic.cpp
r223523 r223584 112 112 case RegExpTestFastIntrinsic: 113 113 return "RegExpTestFastIntrinsic"; 114 case ObjectGetPrototypeOfIntrinsic:115 return "ObjectGetPrototypeOfIntrinsic";116 case ReflectGetPrototypeOfIntrinsic:117 return "ReflectGetPrototypeOfIntrinsic";118 114 case StringPrototypeValueOfIntrinsic: 119 115 return "StringPrototypeValueOfIntrinsic"; … … 194 190 case TypedArrayByteOffsetIntrinsic: 195 191 return "TypedArrayByteOffsetIntrinsic"; 196 case UnderscoreProtoIntrinsic:197 return "UnderscoreProtoIntrinsic";198 192 case DFGTrueIntrinsic: 199 193 return "DFGTrueIntrinsic"; -
trunk/Source/JavaScriptCore/runtime/Intrinsic.h
r223523 r223584 69 69 RegExpTestIntrinsic, 70 70 RegExpTestFastIntrinsic, 71 ObjectGetPrototypeOfIntrinsic,72 ReflectGetPrototypeOfIntrinsic,73 71 StringPrototypeValueOfIntrinsic, 74 72 StringPrototypeReplaceIntrinsic, … … 112 110 TypedArrayByteLengthIntrinsic, 113 111 TypedArrayByteOffsetIntrinsic, 114 UnderscoreProtoIntrinsic,115 112 116 113 // Debugging intrinsics. These are meant to be used as testing hacks within -
trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
r223523 r223584 450 450 m_objectPrototype.set(vm, this, ObjectPrototype::create(vm, this, ObjectPrototype::createStructure(vm, this, jsNull()))); 451 451 GetterSetter* protoAccessor = GetterSetter::create(vm, this); 452 protoAccessor->setGetter(vm, this, JSFunction::create(vm, this, 0, makeString("get ", vm.propertyNames->underscoreProto.string()), globalFuncProtoGetter , UnderscoreProtoIntrinsic));452 protoAccessor->setGetter(vm, this, JSFunction::create(vm, this, 0, makeString("get ", vm.propertyNames->underscoreProto.string()), globalFuncProtoGetter)); 453 453 protoAccessor->setSetter(vm, this, JSFunction::create(vm, this, 0, makeString("set ", vm.propertyNames->underscoreProto.string()), globalFuncProtoSetter)); 454 454 m_objectPrototype->putDirectNonIndexAccessor(vm, vm.propertyNames->underscoreProto, protoAccessor, PropertyAttribute::Accessor | PropertyAttribute::DontEnum); -
trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
r223523 r223584 65 65 namespace JSC { 66 66 67 const char* const ObjectProtoCalledOnNullOrUndefinedError = "Object.prototype.__proto__ called on null or undefined";67 static const char* const ObjectProtoCalledOnNullOrUndefinedError = "Object.prototype.__proto__ called on null or undefined"; 68 68 69 69 template<unsigned charactersCount> … … 707 707 JSValue thisValue = exec->thisValue().toThis(exec, StrictMode); 708 708 if (thisValue.isUndefinedOrNull()) 709 return throwVM Error(exec, scope, createNotAnObjectError(exec, thisValue));709 return throwVMTypeError(exec, scope, ASCIILiteral(ObjectProtoCalledOnNullOrUndefinedError)); 710 710 711 711 JSObject* thisObject = jsDynamicCast<JSObject*>(vm, thisValue); 712 712 if (!thisObject) { 713 JSObject* prototype = thisValue.synthesizePrototype(exec);713 JSObject* prototype = exec->thisValue().synthesizePrototype(exec); 714 714 EXCEPTION_ASSERT(!!scope.exception() == !prototype); 715 715 if (UNLIKELY(!prototype)) -
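Review bot: In the second hunk the restored line `JSObject* prototype = exec->thisValue().synthesizePrototype(exec);` re-reads the raw `this` instead of using the local `thisValue`, which came from `toThis(exec, StrictMode)` and was checked with `isUndefinedOrNull()` a few lines earlier. If `toThis` can return something other than the raw value on this path (not visible from the hunk), the null/undefined guard and the prototype synthesis would act on different values. Keeping `JSObject* prototype = thisValue.synthesizePrototype(exec);` ties the guard to the value actually used and does not depend on the intrinsic being rolled out. The enclosing getter starts and ends outside the hunk.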
trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
r223523 r223584 36 36 // is a 0.5% reduction. 37 37 38 extern const char* const ObjectProtoCalledOnNullOrUndefinedError;39 40 38 EncodedJSValue JSC_HOST_CALL globalFuncEval(ExecState*); 41 39 EncodedJSValue JSC_HOST_CALL globalFuncParseInt(ExecState*); -
trunk/Source/JavaScriptCore/runtime/ObjectConstructor.cpp
r223523 r223584 68 68 /* Source for ObjectConstructor.lut.h 69 69 @begin objectConstructorTable 70 getPrototypeOf objectConstructorGetPrototypeOf DontEnum|Function 1 ObjectGetPrototypeOfIntrinsic70 getPrototypeOf objectConstructorGetPrototypeOf DontEnum|Function 1 71 71 setPrototypeOf objectConstructorSetPrototypeOf DontEnum|Function 2 72 72 getOwnPropertyDescriptor objectConstructorGetOwnPropertyDescriptor DontEnum|Function 2 -
trunk/Source/JavaScriptCore/runtime/ReflectObject.cpp
r223523 r223584 64 64 get reflectObjectGet DontEnum|Function 2 65 65 getOwnPropertyDescriptor reflectObjectGetOwnPropertyDescriptor DontEnum|Function 2 66 getPrototypeOf reflectObjectGetPrototypeOf DontEnum|Function 1 ReflectGetPrototypeOfIntrinsic66 getPrototypeOf reflectObjectGetPrototypeOf DontEnum|Function 1 67 67 has JSBuiltin DontEnum|Function 2 68 68 isExtensible reflectObjectIsExtensible DontEnum|Function 1