Changeset 224280 in webkit

Timestamp:

Nov 1, 2017 10:32:08 AM (6 years ago)

Author:

Yusuke Suzuki

Message:

[JSC] Introduce @toObject
​https://bugs.webkit.org/show_bug.cgi?id=178726

Reviewed by Saam Barati.

JSTests:

• stress/array-copywithin.js:

(shouldThrow):

• stress/object-constructor-boolean-edge.js: Added.

(shouldBe):
(test):

• stress/object-constructor-global.js: Added.

(shouldBe):

• stress/object-constructor-null-edge.js: Added.

(shouldBe):
(test):

• stress/object-constructor-number-edge.js: Added.

(shouldBe):
(test):

• stress/object-constructor-object-edge.js: Added.

(shouldBe):
(test):
(i.arg):

• stress/object-constructor-string-edge.js: Added.

(shouldBe):
(test):

• stress/object-constructor-symbol-edge.js: Added.

(shouldBe):
(test):

• stress/object-constructor-undefined-edge.js: Added.

(shouldBe):
(test):

• stress/symbol-array-from.js: Added.

(shouldBe):

• stress/to-object-intrinsic-boolean-edge.js: Added.

(shouldBe):
(builtin.createBuiltin):

• stress/to-object-intrinsic-null-or-undefined-edge.js: Added.

(shouldThrow):

• stress/to-object-intrinsic-number-edge.js: Added.

(shouldBe):
(builtin.createBuiltin):

• stress/to-object-intrinsic-object-edge.js: Added.

(shouldBe):
(builtin.createBuiltin):
(i.arg):

• stress/to-object-intrinsic-string-edge.js: Added.

(shouldBe):
(builtin.createBuiltin):

• stress/to-object-intrinsic-symbol-edge.js: Added.

(shouldBe):
(builtin.createBuiltin):

• stress/to-object-intrinsic.js: Added.

(shouldBe):
(shouldThrow):
(builtin.createBuiltin):

Source/JavaScriptCore:

This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node.
Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
ObjectConstructor in LLInt and Baseline.

We add a new intrinsic @toObject(target, "error message"). It takes an error message string constant to
offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation

if (this === @undefined

this === null)

@throwTypeError("error message");

var object = @Object(this);

with

var object = @toObject(this, "error message");

And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.

It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.

• builtins/ArrayConstructor.js:

(from):

• builtins/ArrayPrototype.js:

(values):
(keys):
(entries):
(reduce):
(reduceRight):
(every):
(forEach):
(filter):
(map):
(some):
(fill):
(find):
(findIndex):
(includes):
(sort):
(globalPrivate.concatSlowPath):
(copyWithin):

• builtins/DatePrototype.js:

(toLocaleString.toDateTimeOptionsAnyAll):
(toLocaleString):
(toLocaleDateString.toDateTimeOptionsDateDate):
(toLocaleDateString):
(toLocaleTimeString.toDateTimeOptionsTimeTime):
(toLocaleTimeString):

• builtins/GlobalOperations.js:

(globalPrivate.copyDataProperties):
(globalPrivate.copyDataPropertiesNoExclusions):

• builtins/ObjectConstructor.js:

(entries):

• builtins/StringConstructor.js:

(raw):

• builtins/TypedArrayConstructor.js:

(from):

• builtins/TypedArrayPrototype.js:

(map):
(filter):

• bytecode/BytecodeDumper.cpp:

(JSC::BytecodeDumper<Block>::dumpBytecode):

• bytecode/BytecodeIntrinsicRegistry.h:
• bytecode/BytecodeList.json:
• bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitToObject):

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/NodesCodegen.cpp:

(JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToObject):
(JSC::DFG::FixupPhase::fixupCallObjectConstructor):

• dfg/DFGNode.h:

(JSC::DFG::Node::convertToCallObjectConstructor):
(JSC::DFG::Node::convertToNewStringObject):
(JSC::DFG::Node::convertToNewObject):
(JSC::DFG::Node::hasIdentifier):
(JSC::DFG::Node::hasHeapPrediction):
(JSC::DFG::Node::hasCellOperand):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
(JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
(JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.

• jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

• jit/JIT.h:
• jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_to_object):
(JSC::JIT::emitSlow_op_to_object):

• jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_to_object):
(JSC::JIT::emitSlow_op_to_object):

• jit/JITOperations.cpp:
• jit/JITOperations.h:
• llint/LowLevelInterpreter32_64.asm:
• llint/LowLevelInterpreter64.asm:
• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

• runtime/CommonSlowPaths.h:

Source/WebCore:

Use @isObject instead. It is more efficient.

• Modules/mediastream/NavigatorUserMedia.js:

(getUserMedia):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/array-copywithin.js (modified) (1 diff)
• JSTests/stress/object-constructor-boolean-edge.js (added)
• JSTests/stress/object-constructor-global.js (added)
• JSTests/stress/object-constructor-null-edge.js (added)
• JSTests/stress/object-constructor-number-edge.js (added)
• JSTests/stress/object-constructor-object-edge.js (added)
• JSTests/stress/object-constructor-string-edge.js (added)
• JSTests/stress/object-constructor-symbol-edge.js (added)
• JSTests/stress/object-constructor-undefined-edge.js (added)
• JSTests/stress/symbol-array-from.js (added)
• JSTests/stress/to-object-intrinsic-boolean-edge.js (added)
• JSTests/stress/to-object-intrinsic-null-or-undefined-edge.js (added)
• JSTests/stress/to-object-intrinsic-number-edge.js (added)
• JSTests/stress/to-object-intrinsic-object-edge.js (added)
• JSTests/stress/to-object-intrinsic-string-edge.js (added)
• JSTests/stress/to-object-intrinsic-symbol-edge.js (added)
• JSTests/stress/to-object-intrinsic.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/builtins/ArrayConstructor.js (modified) (2 diffs)
• Source/JavaScriptCore/builtins/ArrayPrototype.js (modified) (17 diffs)
• Source/JavaScriptCore/builtins/DatePrototype.js (modified) (3 diffs)
• Source/JavaScriptCore/builtins/GlobalOperations.js (modified) (2 diffs)
• Source/JavaScriptCore/builtins/ObjectConstructor.js (modified) (1 diff)
• Source/JavaScriptCore/builtins/StringConstructor.js (modified) (1 diff)
• Source/JavaScriptCore/builtins/TypedArrayConstructor.js (modified) (2 diffs)
• Source/JavaScriptCore/builtins/TypedArrayPrototype.js (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/BytecodeDumper.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeList.json (modified) (1 diff)
• Source/JavaScriptCore/bytecode/BytecodeUseDef.h (modified) (2 diffs)
• Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNode.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JIT.h (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/jit/JITOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (modified) (1 diff)
• Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/CommonSlowPaths.h (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/mediastream/NavigatorUserMedia.js (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Introduce @toObject
+        https://bugs.webkit.org/show_bug.cgi?id=178726
+
+        Reviewed by Saam Barati.
+
+        * stress/array-copywithin.js:
+        (shouldThrow):
+        * stress/object-constructor-boolean-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-constructor-global.js: Added.
+        (shouldBe):
+        * stress/object-constructor-null-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-constructor-number-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-constructor-object-edge.js: Added.
+        (shouldBe):
+        (test):
+        (i.arg):
+        * stress/object-constructor-string-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-constructor-symbol-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/object-constructor-undefined-edge.js: Added.
+        (shouldBe):
+        (test):
+        * stress/symbol-array-from.js: Added.
+        (shouldBe):
+        * stress/to-object-intrinsic-boolean-edge.js: Added.
+        (shouldBe):
+        (builtin.createBuiltin):
+        * stress/to-object-intrinsic-null-or-undefined-edge.js: Added.
+        (shouldThrow):
+        * stress/to-object-intrinsic-number-edge.js: Added.
+        (shouldBe):
+        (builtin.createBuiltin):
+        * stress/to-object-intrinsic-object-edge.js: Added.
+        (shouldBe):
+        (builtin.createBuiltin):
+        (i.arg):
+        * stress/to-object-intrinsic-string-edge.js: Added.
+        (shouldBe):
+        (builtin.createBuiltin):
+        * stress/to-object-intrinsic-symbol-edge.js: Added.
+        (shouldBe):
+        (builtin.createBuiltin):
+        * stress/to-object-intrinsic.js: Added.
+        (shouldBe):
+        (shouldThrow):
+        (builtin.createBuiltin):
+
 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/JSTests/stress/array-copywithin.js

@@ -239 +239 @@
 shouldThrow(function () {
     Array.prototype.copyWithin.call(undefined);
-}, 'TypeError: Array.copyWithin requires that |this| not be null or undefined');
+}, 'TypeError: Array.prototype.copyWithin requires that |this| not be null or undefined');
 
 shouldThrow(function () {
     Array.prototype.copyWithin.call(null);
-}, 'TypeError: Array.copyWithin requires that |this| not be null or undefined');
+}, 'TypeError: Array.prototype.copyWithin requires that |this| not be null or undefined');
 
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Introduce @toObject
+        https://bugs.webkit.org/show_bug.cgi?id=178726
+
+        Reviewed by Saam Barati.
+
+        This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node.
+        Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
+        is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
+        ObjectConstructor in LLInt and Baseline.
+
+        We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
+        offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
+
+            if (this === @undefined || this === null)
+                @throwTypeError("error message");
+            var object = @Object(this);
+
+        with
+
+            var object = @toObject(this, "error message");
+
+        And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
+        ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
+        In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
+
+        It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
+
+        * builtins/ArrayConstructor.js:
+        (from):
+        * builtins/ArrayPrototype.js:
+        (values):
+        (keys):
+        (entries):
+        (reduce):
+        (reduceRight):
+        (every):
+        (forEach):
+        (filter):
+        (map):
+        (some):
+        (fill):
+        (find):
+        (findIndex):
+        (includes):
+        (sort):
+        (globalPrivate.concatSlowPath):
+        (copyWithin):
+        * builtins/DatePrototype.js:
+        (toLocaleString.toDateTimeOptionsAnyAll):
+        (toLocaleString):
+        (toLocaleDateString.toDateTimeOptionsDateDate):
+        (toLocaleDateString):
+        (toLocaleTimeString.toDateTimeOptionsTimeTime):
+        (toLocaleTimeString):
+        * builtins/GlobalOperations.js:
+        (globalPrivate.copyDataProperties):
+        (globalPrivate.copyDataPropertiesNoExclusions):
+        * builtins/ObjectConstructor.js:
+        (entries):
+        * builtins/StringConstructor.js:
+        (raw):
+        * builtins/TypedArrayConstructor.js:
+        (from):
+        * builtins/TypedArrayPrototype.js:
+        (map):
+        (filter):
+        * bytecode/BytecodeDumper.cpp:
+        (JSC::BytecodeDumper<Block>::dumpBytecode):
+        * bytecode/BytecodeIntrinsicRegistry.h:
+        * bytecode/BytecodeList.json:
+        * bytecode/BytecodeUseDef.h:
+        (JSC::computeUsesForBytecodeOffset):
+        (JSC::computeDefsForBytecodeOffset):
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitToObject):
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGCapabilities.cpp:
+        (JSC::DFG::capabilityLevel):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupToObject):
+        (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::convertToCallObjectConstructor):
+        (JSC::DFG::Node::convertToNewStringObject):
+        (JSC::DFG::Node::convertToNewObject):
+        (JSC::DFG::Node::hasIdentifier):
+        (JSC::DFG::Node::hasHeapPrediction):
+        (JSC::DFG::Node::hasCellOperand):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
+        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
+        * jit/JIT.cpp:
+        (JSC::JIT::privateCompileMainPass):
+        (JSC::JIT::privateCompileSlowCases):
+        * jit/JIT.h:
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_to_object):
+        (JSC::JIT::emitSlow_op_to_object):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_to_object):
+        (JSC::JIT::emitSlow_op_to_object):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.h:
+
 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
 

trunk/Source/JavaScriptCore/builtins/ArrayConstructor.js

@@ -53 +53 @@
     }
 
-    if (items == null)
-        @throwTypeError("Array.from requires an array-like object - not null or undefined");
+    var arrayLike = @toObject(items, "Array.from requires an array-like object - not null or undefined");
 
     var iteratorMethod = items.@iteratorSymbol;
@@ -84 +83 @@
     }
 
-    var arrayLike = @Object(items);
     var arrayLikeLength = @toLength(arrayLike.length);
 

trunk/Source/JavaScriptCore/builtins/ArrayPrototype.js

@@ -42 +42 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.values requires that |this| not be null or undefined");
-
-    return new @createArrayIterator(@Object(this), "value", @arrayIteratorValueNext);
+    return new @createArrayIterator(@toObject(this, "Array.prototype.values requires that |this| not be null or undefined"), "value", @arrayIteratorValueNext);
 }
 
@@ -52 +49 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.keys requires that |this| not be null or undefined");
-
-    return new @createArrayIterator(@Object(this), "key", @arrayIteratorKeyNext);
+    return new @createArrayIterator(@toObject(this, "Array.prototype.keys requires that |this| not be null or undefined"), "key", @arrayIteratorKeyNext);
 }
 
@@ -62 +56 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.entries requires that |this| not be null or undefined");
-
-    return new @createArrayIterator(@Object(this), "key+value", @arrayIteratorKeyValueNext);
+    return new @createArrayIterator(@toObject(this, "Array.prototype.entries requires that |this| not be null or undefined"), "key+value", @arrayIteratorKeyValueNext);
 }
 
@@ -72 +63 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.reduce requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.reduce requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -108 +96 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.reduceRight requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.reduceRight requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -144 +129 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.every requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.every requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -169 +151 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.forEach requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.forEach requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -190 +169 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.filter requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.filter requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -239 +215 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.map requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.map requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -284 +257 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.some requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.some requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -307 +277 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.fill requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.fill requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -347 +314 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.find requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.find requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -369 +333 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.findIndex requires that |this| not be null or undefined");
-    
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.findIndex requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -390 +351 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.includes requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.includes requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 
@@ -634 +592 @@
     }
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.sort requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.sort requires that |this| not be null or undefined");
 
     var length = array.length >>> 0;
@@ -661 +616 @@
     "use strict";
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.prototype.concat requires that |this| not be null or undefined");
-
-    var currentElement = @Object(this);
+    var currentElement = @toObject(this, "Array.prototype.concat requires that |this| not be null or undefined");
 
     var constructor;
@@ -751 +703 @@
     }
 
-    if (this === null || this === @undefined)
-        @throwTypeError("Array.copyWithin requires that |this| not be null or undefined");
-
-    var array = @Object(this);
+    var array = @toObject(this, "Array.prototype.copyWithin requires that |this| not be null or undefined");
     var length = @toLength(array.length);
 

trunk/Source/JavaScriptCore/builtins/DatePrototype.js

@@ -41 +41 @@
             @throwTypeError("null is not an object");
         else
-            options = @Object(opts);
+            options = @toObject(opts);
 
         // Check original instead of descendant to reduce lookups up the prototype chain.
@@ -98 +98 @@
             @throwTypeError("null is not an object");
         else
-            options = @Object(opts);
+            options = @toObject(opts);
 
         // Check original instead of descendant to reduce lookups up the prototype chain.
@@ -148 +148 @@
             @throwTypeError("null is not an object");
         else
-            options = @Object(opts);
+            options = @toObject(opts);
 
         // Check original instead of descendant to reduce lookups up the prototype chain.

trunk/Source/JavaScriptCore/builtins/GlobalOperations.js

@@ -91 +91 @@
         return target;
 
-    let from = @Object(source); 
+    let from = @toObject(source);
     let keys = @Reflect.@ownKeys(from); 
     let keysLength = keys.length;
@@ -116 +116 @@
         return target;
 
-    let from = @Object(source); 
+    let from = @toObject(source);
     let keys = @Reflect.@ownKeys(from); 
     let keysLength = keys.length;

trunk/Source/JavaScriptCore/builtins/ObjectConstructor.js

@@ -29 +29 @@
     "use strict";
 
-    if (object == null)
-        @throwTypeError("Object.entries requires that input parameter not be null or undefined");
-
-    var obj = @Object(object);
+    var obj = @toObject(object, "Object.entries requires that input parameter not be null or undefined");
     var names = @getOwnPropertyNames(obj);
     var properties = [];

trunk/Source/JavaScriptCore/builtins/StringConstructor.js

@@ -28 +28 @@
     "use strict";
 
-    if (template === null || template === @undefined)
-        @throwTypeError("String.raw requires template not be null or undefined");
-    var cookedSegments = @Object(template);
+    var cookedSegments = @toObject(template, "String.raw requires template not be null or undefined");
 
-    var rawValue = cookedSegments.raw;
-    if (rawValue === null || rawValue === @undefined)
-        @throwTypeError("String.raw requires template.raw not be null or undefined");
-    var rawSegments = @Object(rawValue);
+    var rawSegments = @toObject(cookedSegments.raw, "String.raw requires template.raw not be null or undefined");
 
     var numberOfSubstitutions = arguments.length - 1;

trunk/Source/JavaScriptCore/builtins/TypedArrayConstructor.js

@@ -60 +60 @@
     }
 
-    if (items == null)
-        @throwTypeError("TypedArray.from requires an array-like object - not null or undefined");
+    let arrayLike = @toObject(items, "TypedArray.from requires an array-like object - not null or undefined");
 
     let iteratorMethod = items.@iteratorSymbol;
@@ -100 +99 @@
     }
 
-    let arrayLike = @Object(items);
     let arrayLikeLength = @toLength(arrayLike.length);
 

trunk/Source/JavaScriptCore/builtins/TypedArrayPrototype.js

@@ -340 +340 @@
         result = new (@typedArrayGetOriginalConstructor(this))(length);
     else {
-        var speciesConstructor = @Object(constructor).@speciesSymbol;
+        var speciesConstructor = constructor.@speciesSymbol;
         if (speciesConstructor === null || speciesConstructor === @undefined)
             result = new (@typedArrayGetOriginalConstructor(this))(length);
@@ -381 +381 @@
         result = new (@typedArrayGetOriginalConstructor(this))(resultLength);
     else {
-        var speciesConstructor = @Object(constructor).@speciesSymbol;
+        var speciesConstructor = constructor.@speciesSymbol;
         if (speciesConstructor === null || speciesConstructor === @undefined)
             result = new (@typedArrayGetOriginalConstructor(this))(resultLength);

trunk/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp

@@ -872 +872 @@
         break;
     }
+    case op_to_object: {
+        printUnaryOp(out, location, it, "to_object");
+        int id0 = (++it)->u.operand;
+        out.printf(" %s", idName(id0, identifier(id0)).data());
+        dumpValueProfiling(out, it, hasPrintedProfiling);
+        break;
+    }
     case op_negate: {
         printUnaryOp(out, location, it, "negate");

trunk/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h

@@ -58 +58 @@
     macro(toNumber) \
     macro(toString) \
+    macro(toObject) \
     macro(newArrayWithSize) \
     macro(defineEnumerableWritableConfigurableDataProperty) \

trunk/Source/JavaScriptCore/bytecode/BytecodeList.json

@@ -43 +43 @@
             { "name" : "op_to_number", "length" : 4 },
             { "name" : "op_to_string", "length" : 3 },
+            { "name" : "op_to_object", "length" : 5 },
             { "name" : "op_negate", "length" : 4 },
             { "name" : "op_add", "length" : 5 },

trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h

@@ -194 +194 @@
     case op_to_number:
     case op_to_string:
+    case op_to_object:
     case op_negate:
     case op_neq_null:
@@ -447 +448 @@
     case op_to_number:
     case op_to_string:
+    case op_to_object:
     case op_negate:
     case op_add:

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -577 +577 @@
         case op_get_from_arguments:
         case op_to_number:
+        case op_to_object:
         case op_get_argument: {
             linkValueProfile(i, opLength);

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1683 +1683 @@
     instructions().append(dst->index());
     instructions().append(src->index());
+    instructions().append(profile);
+    return dst;
+}
+
+RegisterID* BytecodeGenerator::emitToObject(RegisterID* dst, RegisterID* src, const Identifier& message)
+{
+    UnlinkedValueProfile profile = emitProfiledOpcode(op_to_object);
+    instructions().append(dst->index());
+    instructions().append(src->index());
+    instructions().append(addConstant(message));
     instructions().append(profile);
     return dst;

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -665 +665 @@
         RegisterID* emitToNumber(RegisterID* dst, RegisterID* src) { return emitUnaryOpProfiled(op_to_number, dst, src); }
         RegisterID* emitToString(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_to_string, dst, src); }
+        RegisterID* emitToObject(RegisterID* dst, RegisterID* src, const Identifier& message);
         RegisterID* emitInc(RegisterID* srcDst);
         RegisterID* emitDec(RegisterID* srcDst);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1030 +1030 @@
 
     return generator.moveToDestinationIfNeeded(dst, generator.emitToString(generator.tempDestination(dst), src.get()));
+}
+
+RegisterID* BytecodeIntrinsicNode::emit_intrinsic_toObject(BytecodeGenerator& generator, RegisterID* dst)
+{
+    ArgumentListNode* node = m_args->m_listNode;
+    RefPtr<RegisterID> src = generator.emitNode(node);
+    node = node->m_next;
+
+    RefPtr<RegisterID> temp = generator.tempDestination(dst);
+    if (node) {
+        ASSERT(node->m_expr->isString());
+        const Identifier& message = static_cast<StringNode*>(node->m_expr)->value();
+        ASSERT(!node->m_next);
+        return generator.moveToDestinationIfNeeded(dst, generator.emitToObject(temp.get(), src.get(), message));
+    }
+    return generator.moveToDestinationIfNeeded(dst, generator.emitToObject(temp.get(), src.get(), generator.vm()->propertyNames->emptyIdentifier));
 }
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2188 +2188 @@
         break;
 
+    case ToObject:
     case CallObjectConstructor: {
         AbstractValue& source = forNode(node->child1());
@@ -2198 +2199 @@
         }
 
+        if (node->op() == ToObject)
+            clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(m_graph, SpecObject);
         break;

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3300 +3300 @@
             result = addToGraph(NewObject, OpInfo(m_graph.registerStructure(function->globalObject()->objectStructureForObjectConstructor())));
         else
-            result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
+            result = addToGraph(CallObjectConstructor, OpInfo(m_graph.freeze(function->globalObject())), OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)));
         set(VirtualRegister(resultOperand), result);
         return true;
@@ -6070 +6070 @@
         }
 
+        case op_to_object: {
+            SpeculatedType prediction = getPrediction();
+            Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+            unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
+            set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(ToObject, OpInfo(identifierNumber), OpInfo(prediction), value));
+            NEXT_OPCODE(op_to_object);
+        }
+
         case op_in: {
             ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in) - 1].u.arrayProfile);

trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp

@@ -229 +229 @@
     case op_to_number:
     case op_to_string:
+    case op_to_object:
     case op_switch_imm:
     case op_switch_char:

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -523 +523 @@
         return;
 
+    case ToObject:
+        read(World);
+        write(Heap);
+        return;
+
     case CallObjectConstructor:
+        read(HeapObjectCount);
+        write(HeapObjectCount);
+        return;
+
     case ToThis:
     case CreateThis:

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -302 +302 @@
     case CreateClonedArguments:
     case CallObjectConstructor:
+    case ToObject:
     case ToThis:
     case CreateThis:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1294 +1294 @@
         }
 
+        case ToObject: {
+            fixupToObject(node);
+            break;
+        }
+
         case CallObjectConstructor: {
-            if (node->child1()->shouldSpeculateObject()) {
-                fixEdge<ObjectUse>(node->child1());
-                node->convertToIdentity();
-                break;
-            }
-
-            fixEdge<UntypedUse>(node->child1());
+            fixupCallObjectConstructor(node);
             break;
         }
@@ -2510 +2509 @@
         node->setResult(NodeResultJS);
     }
+
+    void fixupToObject(Node* node)
+    {
+        if (node->child1()->shouldSpeculateObject()) {
+            fixEdge<ObjectUse>(node->child1());
+            node->convertToIdentity();
+            return;
+        }
+
+        // ToObject(Null/Undefined) can throw an error. We can emit filters to convert ToObject to CallObjectConstructor.
+
+        JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
+
+        if (node->child1()->shouldSpeculateString()) {
+            insertCheck<StringUse>(node->child1().node());
+            fixEdge<KnownStringUse>(node->child1());
+            node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateSymbol()) {
+            insertCheck<SymbolUse>(node->child1().node());
+            node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateNumber()) {
+            insertCheck<NumberUse>(node->child1().node());
+            node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateBoolean()) {
+            insertCheck<BooleanUse>(node->child1().node());
+            node->convertToCallObjectConstructor(m_graph.freeze(globalObject));
+            return;
+        }
+
+        fixEdge<UntypedUse>(node->child1());
+    }
+
+    void fixupCallObjectConstructor(Node* node)
+    {
+        if (node->child1()->shouldSpeculateObject()) {
+            fixEdge<ObjectUse>(node->child1());
+            node->convertToIdentity();
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateString()) {
+            auto* globalObject = jsCast<JSGlobalObject*>(node->cellOperand()->cell());
+            insertCheck<StringUse>(node->child1().node());
+            fixEdge<KnownStringUse>(node->child1());
+            node->convertToNewStringObject(m_graph.registerStructure(globalObject->stringObjectStructure()));
+            return;
+        }
+
+        // While ToObject(Null/Undefined) throws an error, CallObjectConstructor(Null/Undefined) generates a new empty object.
+        if (node->child1()->shouldSpeculateOther()) {
+            insertCheck<OtherUse>(node->child1().node());
+            node->convertToNewObject(m_graph.registerStructure(jsCast<JSGlobalObject*>(node->cellOperand()->cell())->objectStructureForObjectConstructor()));
+            return;
+        }
+
+        fixEdge<UntypedUse>(node->child1());
+    }
     
     void fixupToStringOrCallStringConstructor(Node* node)

trunk/Source/JavaScriptCore/dfg/DFGNode.h

@@ -719 +719 @@
         children.setChild1(Edge());
     }
+
+    void convertToCallObjectConstructor(FrozenValue* globalObject)
+    {
+        ASSERT(m_op == ToObject);
+        setOpAndDefaultFlags(CallObjectConstructor);
+        m_opInfo = globalObject;
+    }
+
+    void convertToNewStringObject(RegisteredStructure structure)
+    {
+        ASSERT(m_op == CallObjectConstructor || m_op == ToObject);
+        setOpAndDefaultFlags(NewStringObject);
+        m_opInfo = structure;
+        m_opInfo2 = OpInfoWrapper();
+    }
+
+    void convertToNewObject(RegisteredStructure structure)
+    {
+        ASSERT(m_op == CallObjectConstructor);
+        setOpAndDefaultFlags(NewObject);
+        children.reset();
+        m_opInfo = structure;
+        m_opInfo2 = OpInfoWrapper();
+    }
     
     void convertToDirectCall(FrozenValue*);
@@ -1004 +1028 @@
         case ResolveScopeForHoistingFuncDeclInEval:
         case ResolveScope:
+        case ToObject:
             return true;
         default:
@@ -1579 +1604 @@
         case StringReplaceRegExp:
         case ToNumber:
+        case ToObject:
+        case CallObjectConstructor:
         case LoadKeyFromMapBucket:
         case LoadValueFromMapBucket:
@@ -1644 +1671 @@
         case NewRegexp:
         case CompareEqPtr:
+        case CallObjectConstructor:
         case DirectCall:
         case DirectTailCall:

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -357 +357 @@
     macro(ToString, NodeResultJS | NodeMustGenerate) \
     macro(ToNumber, NodeResultJS | NodeMustGenerate) \
+    macro(ToObject, NodeResultJS | NodeMustGenerate) \
     macro(CallObjectConstructor, NodeResultJS) \
     macro(CallStringConstructor, NodeResultJS | NodeMustGenerate) \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -264 +264 @@
 }
 
-JSCell* JIT_OPERATION operationObjectConstructor(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedTarget)
+JSCell* JIT_OPERATION operationCallObjectConstructor(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedTarget)
 {
     VM* vm = &exec->vm();
@@ -274 +274 @@
     if (value.isUndefinedOrNull())
         return constructEmptyObject(exec, globalObject->objectPrototype());
+    return value.toObject(exec, globalObject);
+}
+
+JSCell* JIT_OPERATION operationToObject(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedTarget, UniquedStringImpl* errorMessage)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    auto scope = DECLARE_THROW_SCOPE(*vm);
+
+    JSValue value = JSValue::decode(encodedTarget);
+    ASSERT(!value.isObject());
+
+    if (UNLIKELY(value.isUndefinedOrNull())) {
+        if (errorMessage->length()) {
+            throwVMTypeError(exec, scope, errorMessage);
+            return nullptr;
+        }
+    }
+
     return value.toObject(exec, globalObject);
 }

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -42 +42 @@
 
 // These routines provide callbacks out to C++ implementations of operations too complex to JIT.
-JSCell* JIT_OPERATION operationObjectConstructor(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationCallObjectConstructor(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationToObject(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget, UniquedStringImpl*) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationCreateThis(ExecState*, JSObject* constructor, int32_t inlineCapacity) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -721 +721 @@
         case LoadValueFromMapBucket:
         case ToNumber:
+        case ToObject:
+        case CallObjectConstructor:
         case GetArgument:
         case CallDOMGetter:
@@ -858 +860 @@
             break;
 
-        case CallObjectConstructor: {
-            setPrediction(SpecObject);
-            break;
-        }
         case SkipScope:
         case GetGlobalObject: {

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -315 +315 @@
     case ToString:
     case ToNumber:
+    case ToObject:
     case NumberToStringWithRadix:
     case NumberToStringWithValidRadixConstant:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -4089 +4089 @@
 }
 
-void SpeculativeJIT::compileCallObjectConstructor(Node* node)
+void SpeculativeJIT::compileToObjectOrCallObjectConstructor(Node* node)
 {
     RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
+
     JSValueOperand value(this, node->child1());
 #if USE(JSVALUE64)
@@ -4107 +4108 @@
     m_jit.move(valueRegs.payloadGPR(), resultGPR);
 
-    addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectConstructor, resultGPR, m_jit.globalObjectFor(node->origin.semantic), valueRegs));
+    if (node->op() == ToObject)
+        addSlowPathGenerator(slowPathCall(slowCases, this, operationToObject, resultGPR, m_jit.graph().globalObjectFor(node->origin.semantic), valueRegs, identifierUID(node->identifierNumber())));
+    else
+        addSlowPathGenerator(slowPathCall(slowCases, this, operationCallObjectConstructor, resultGPR, TrustedImmPtr(node->cellOperand()), valueRegs));
+
     cellResult(resultGPR, node);
 }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1190 +1190 @@
     }
 
+    JITCompiler::Call callOperation(C_JITOperation_EGC operation, GPRReg result, TrustedImmPtr globalObject, GPRReg arg2)
+    {
+        m_jit.setupArgumentsWithExecState(globalObject, arg2);
+        return appendCallSetResult(operation, result);
+    }
+
     JITCompiler::Call callOperation(C_JITOperation_EGC operation, GPRReg result, JSGlobalObject* globalObject, GPRReg arg2)
     {
@@ -1683 +1689 @@
     }
 
+    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, TrustedImmPtr globalObject, GPRReg arg1)
+    {
+        m_jit.setupArgumentsWithExecState(globalObject, arg1);
+        return appendCallSetResult(operation, result);
+    }
+
+    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, TrustedImmPtr globalObject, JSValueRegs arg1)
+    {
+        return callOperation(operation, result, globalObject, arg1.gpr());
+    }
+
     JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, GPRReg arg1)
     {
-        m_jit.setupArgumentsWithExecState(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), arg1);
-        return appendCallSetResult(operation, result);
+        return callOperation(operation, result, TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), arg1);
     }
 
@@ -1692 +1708 @@
     {
         return callOperation(operation, result, globalObject, arg1.gpr());
+    }
+
+    JITCompiler::Call callOperation(C_JITOperation_EGJI operation, GPRReg result, JSGlobalObject* globalObject, JSValueRegs arg1, UniquedStringImpl* arg2)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), arg1.gpr(), TrustedImmPtr(arg2));
+        return appendCallSetResult(operation, result);
     }
 
@@ -2339 +2361 @@
     }
 
+    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, TrustedImmPtr globalObject, JSValueRegs arg1)
+    {
+        m_jit.setupArgumentsWithExecState(globalObject, arg1.payloadGPR(), arg1.tagGPR());
+        return appendCallSetResult(operation, result);
+    }
+
     JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, JSValueRegs arg1)
     {
         m_jit.setupArgumentsWithExecState(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), arg1.payloadGPR(), arg1.tagGPR());
+        return appendCallSetResult(operation, result);
+    }
+
+    JITCompiler::Call callOperation(C_JITOperation_EGJI operation, GPRReg result, JSGlobalObject* globalObject, JSValueRegs arg1, UniquedStringImpl* arg2)
+    {
+        m_jit.setupArgumentsWithExecState(TrustedImmPtr::weakPointer(m_jit.graph(), globalObject), arg1.payloadGPR(), arg1.tagGPR(), TrustedImmPtr(arg2));
         return appendCallSetResult(operation, result);
     }
@@ -2976 +3010 @@
     void compileMaterializeNewObject(Node*);
     void compileRecordRegExpCachedResult(Node*);
-    void compileCallObjectConstructor(Node*);
+    void compileToObjectOrCallObjectConstructor(Node*);
     void compileResolveScope(Node*);
     void compileResolveScopeForHoistingFuncDeclInEval(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4029 +4029 @@
     }
 
+    case ToObject:
     case CallObjectConstructor: {
-        compileCallObjectConstructor(node);
+        compileToObjectOrCallObjectConstructor(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4238 +4238 @@
     }
 
+    case ToObject:
     case CallObjectConstructor: {
-        compileCallObjectConstructor(node);
+        compileToObjectOrCallObjectConstructor(node);
         break;
     }

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -181 +181 @@
     case ToNumber:
     case ToString:
+    case ToObject:
     case CallObjectConstructor:
     case CallStringConstructor:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -556 +556 @@
             compileNoOp();
             break;
+        case ToObject:
         case CallObjectConstructor:
-            compileCallObjectConstructor();
+            compileToObjectOrCallObjectConstructor();
             break;
         case ToThis:
@@ -1662 +1663 @@
     }
 
-    void compileCallObjectConstructor()
-    {
-        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
+    void compileToObjectOrCallObjectConstructor()
+    {
         LValue value = lowJSValue(m_node->child1());
 
@@ -1678 +1678 @@
 
         m_out.appendTo(slowCase, continuation);
-        ValueFromBlock slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationObjectConstructor), m_callFrame, weakPointer(globalObject), value));
+
+        ValueFromBlock slowResult;
+        if (m_node->op() == ToObject) {
+            auto* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
+            slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationToObject), m_callFrame, weakPointer(globalObject), value, m_out.constIntPtr(m_graph.identifiers()[m_node->identifierNumber()])));
+        } else
+            slowResult = m_out.anchor(vmCall(Int64, m_out.operation(operationCallObjectConstructor), m_callFrame, frozenPointer(m_node->cellOperand()), value));
         m_out.jump(continuation);
 

trunk/Source/JavaScriptCore/jit/JIT.cpp

@@ -398 +398 @@
         DEFINE_OP(op_to_number)
         DEFINE_OP(op_to_string)
+        DEFINE_OP(op_to_object)
         DEFINE_OP(op_to_primitive)
 
@@ -533 +534 @@
         DEFINE_SLOWCASE_OP(op_to_number)
         DEFINE_SLOWCASE_OP(op_to_string)
+        DEFINE_SLOWCASE_OP(op_to_object)
         DEFINE_SLOWCASE_OP(op_to_primitive)
         DEFINE_SLOWCASE_OP(op_has_indexed_property)

trunk/Source/JavaScriptCore/jit/JIT.h

@@ -576 +576 @@
         void emit_op_to_number(Instruction*);
         void emit_op_to_string(Instruction*);
+        void emit_op_to_object(Instruction*);
         void emit_op_to_primitive(Instruction*);
         void emit_op_unexpected_load(Instruction*);
@@ -642 +643 @@
         void emitSlow_op_to_number(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_to_string(Instruction*, Vector<SlowCaseEntry>::iterator&);
+        void emitSlow_op_to_object(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_to_primitive(Instruction*, Vector<SlowCaseEntry>::iterator&);
         void emitSlow_op_unsigned(Instruction*, Vector<SlowCaseEntry>::iterator&);

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -520 +520 @@
 }
 
+void JIT::emit_op_to_object(Instruction* currentInstruction)
+{
+    int dstVReg = currentInstruction[1].u.operand;
+    int srcVReg = currentInstruction[2].u.operand;
+    emitGetVirtualRegister(srcVReg, regT0);
+
+    addSlowCase(emitJumpIfNotJSCell(regT0));
+    addSlowCase(branch8(Below, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(ObjectType)));
+
+    emitValueProfilingSite();
+    if (srcVReg != dstVReg)
+        emitPutVirtualRegister(dstVReg);
+}
+
 void JIT::emit_op_catch(Instruction* currentInstruction)
 {
@@ -898 +912 @@
 
     JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_string);
+    slowPathCall.call();
+}
+
+void JIT::emitSlow_op_to_object(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCases(iter);
+
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_object);
     slowPathCall.call();
 }

trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

@@ -724 +724 @@
 }
 
+void JIT::emit_op_to_object(Instruction* currentInstruction)
+{
+    int dst = currentInstruction[1].u.operand;
+    int src = currentInstruction[2].u.operand;
+
+    emitLoad(src, regT1, regT0);
+
+    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
+    addSlowCase(branch8(Below, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(ObjectType)));
+
+    emitValueProfilingSite();
+    if (src != dst)
+        emitStore(dst, regT1, regT0);
+}
+
+void JIT::emitSlow_op_to_object(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+    linkAllSlowCases(iter);
+
+    JITSlowPathCall slowPathCall(this, currentInstruction, slow_path_to_object);
+    slowPathCall.call();
+}
+
 void JIT::emit_op_catch(Instruction* currentInstruction)
 {

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -2136 +2136 @@
 }
 
-EncodedJSValue JIT_OPERATION operationToObject(ExecState* exec, EncodedJSValue value)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    JSObject* obj = JSValue::decode(value).toObject(exec);
-    if (!obj)
-        return JSValue::encode(JSValue());
-    return JSValue::encode(obj);
-}
-
 char* JIT_OPERATION operationSwitchCharWithUnknownKeyType(ExecState* exec, EncodedJSValue encodedKey, size_t tableIndex)
 {

trunk/Source/JavaScriptCore/jit/JITOperations.h

@@ -189 +189 @@
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EGC)(ExecState*, JSGlobalObject*, JSCell*);
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EGJ)(ExecState*, JSGlobalObject*, EncodedJSValue);
+typedef JSCell* (JIT_OPERATION *C_JITOperation_EGJI)(ExecState*, JSGlobalObject*, EncodedJSValue, UniquedStringImpl*);
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EIcf)(ExecState*, InlineCallFrame*);
 typedef JSCell* (JIT_OPERATION *C_JITOperation_EJ)(ExecState*, EncodedJSValue);
@@ -440 +441 @@
 CallFrame* JIT_OPERATION operationSetupForwardArgumentsFrame(ExecState*, CallFrame*, EncodedJSValue, int32_t, int32_t length) WTF_INTERNAL;
 CallFrame* JIT_OPERATION operationSetupVarargsFrame(ExecState*, CallFrame*, EncodedJSValue arguments, int32_t firstVarArgOffset, int32_t length) WTF_INTERNAL;
-EncodedJSValue JIT_OPERATION operationToObject(ExecState*, EncodedJSValue) WTF_INTERNAL;
 
 char* JIT_OPERATION operationSwitchCharWithUnknownKeyType(ExecState*, EncodedJSValue key, size_t tableIndex) WTF_INTERNAL;

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm

@@ -943 +943 @@
     callOpcodeSlowPath(_slow_path_to_string)
     dispatch(constexpr op_to_string_length)
+
+
+_llint_op_to_object:
+    traceExecution()
+    loadi 8[PC], t0
+    loadi 4[PC], t1
+    loadConstantOrVariable(t0, t2, t3)
+    bineq t2, CellTag, .opToObjectSlow
+    bbb JSCell::m_type[t3], ObjectType, .opToObjectSlow
+    storei t2, TagOffset[cfr, t1, 8]
+    storei t3, PayloadOffset[cfr, t1, 8]
+    valueProfile(t2, t3, 16, t1)
+    dispatch(constexpr op_to_object_length)
+
+.opToObjectSlow:
+    callOpcodeSlowPath(_slow_path_to_object)
+    dispatch(constexpr op_to_object_length)
 
 

trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

@@ -848 +848 @@
 
 
+_llint_op_to_object:
+    traceExecution()
+    loadisFromInstruction(2, t0)
+    loadisFromInstruction(1, t1)
+    loadConstantOrVariable(t0, t2)
+    btqnz t2, tagMask, .opToObjectSlow
+    bbb JSCell::m_type[t2], ObjectType, .opToObjectSlow
+    storeq t2, [cfr, t1, 8]
+    valueProfile(t2, 4, t0)
+    dispatch(constexpr op_to_object_length)
+
+.opToObjectSlow:
+    callOpcodeSlowPath(_slow_path_to_object)
+    dispatch(constexpr op_to_object_length)
+
+
 _llint_op_negate:
     traceExecution()

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -436 +436 @@
 }
 
+SLOW_PATH_DECL(slow_path_to_object)
+{
+    BEGIN();
+    JSValue argument = OP_C(2).jsValue();
+    if (UNLIKELY(argument.isUndefinedOrNull())) {
+        const Identifier& ident = exec->codeBlock()->identifier(pc[3].u.operand);
+        if (!ident.isEmpty())
+            THROW(createTypeError(exec, ident.impl()));
+    }
+    JSObject* result = argument.toObject(exec);
+    RETURN_PROFILED(op_to_object, result);
+}
+
 SLOW_PATH_DECL(slow_path_add)
 {

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

@@ -235 +235 @@
 SLOW_PATH_HIDDEN_DECL(slow_path_to_number);
 SLOW_PATH_HIDDEN_DECL(slow_path_to_string);
+SLOW_PATH_HIDDEN_DECL(slow_path_to_object);
 SLOW_PATH_HIDDEN_DECL(slow_path_negate);
 SLOW_PATH_HIDDEN_DECL(slow_path_add);

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Introduce @toObject
+        https://bugs.webkit.org/show_bug.cgi?id=178726
+
+        Reviewed by Saam Barati.
+
+        Use @isObject instead. It is more efficient.
+
+        * Modules/mediastream/NavigatorUserMedia.js:
+        (getUserMedia):
+
 2017-11-01  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/WebCore/Modules/mediastream/NavigatorUserMedia.js

@@ -38 +38 @@
         @throwTypeError("Not enough arguments");
 
-    if (options !== @Object(options))
+    if (!@isObject(options))
         @throwTypeError("Argument 1 (options) to Navigator.getUserMedia must be an object");