Changeset 246041 in webkit

Timestamp:

Jun 3, 2019 11:42:34 AM (5 years ago)

Author:

Caio Lima

Message:

[ESNext][BigInt] Implement support for ""
​https://bugs.webkit.org/show_bug.cgi?id=190799

Reviewed by Saam Barati.

JSTests:

• stress/big-int-exp-basic.js: Added.
• stress/big-int-exp-jit-osr.js: Added.
• stress/big-int-exp-jit-untyped.js: Added.
• stress/big-int-exp-jit.js: Added.
• stress/big-int-exp-negative-exponent.js: Added.
• stress/big-int-exp-to-primitive.js: Added.
• stress/big-int-exp-type-error.js: Added.
• stress/big-int-exp-wrapped-value.js: Added.
• stress/value-pow-ai-rule.js: Added.

Source/JavaScriptCore:

We are introducing support for BigInt into "" operator. This Patch
also includes changes into DFG, introducing a new node "ValuePow" that
is responsible to handle UntypedUse and BigIntUse.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

ValuePow(Untyped, Untyped) still can propagate constant if AI proves
it. We are doing so if AI proves rhs and lhs as numbers.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

When compiling op_pow, we first verify if rhs and lhs can be any Int
or number. If this happen, we emit ArithPow, otherwise we fallback to
ValuePow and rely on fixup to convert it to ArithPow if possible.

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

We only clobberize world if ValuePow is UntypedUse. Otherwise, we can
properly support CSE.

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

JSBigInt::exponentiate allocates JSBigInts to perform calculation and
it can trigger GC. ValuePow(UntypedUse) can trigger GC because it can
execute user code.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupArithPow):
(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGNodeType.h:
• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValuePow):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGValidate.cpp:
• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileValuePow):

• runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

We are adding proper support to BigInt on op_pow. The specification
defines that we can only apply pow when both operands have the same
type after calling ToNumeric().

• runtime/JSBigInt.cpp:

(JSC::JSBigInt::exponentiate):

• runtime/JSBigInt.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/big-int-exp-basic.js (added)
• JSTests/stress/big-int-exp-jit-osr.js (added)
• JSTests/stress/big-int-exp-jit-untyped.js (added)
• JSTests/stress/big-int-exp-jit.js (added)
• JSTests/stress/big-int-exp-negative-exponent.js (added)
• JSTests/stress/big-int-exp-to-primitive.js (added)
• JSTests/stress/big-int-exp-type-error.js (added)
• JSTests/stress/big-int-exp-wrapped-value.js (added)
• JSTests/stress/value-pow-ai-rule.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSafeToExecute.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGValidate.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-06-03  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement support for "**"
+        https://bugs.webkit.org/show_bug.cgi?id=190799
+
+        Reviewed by Saam Barati.
+
+        * stress/big-int-exp-basic.js: Added.
+        * stress/big-int-exp-jit-osr.js: Added.
+        * stress/big-int-exp-jit-untyped.js: Added.
+        * stress/big-int-exp-jit.js: Added.
+        * stress/big-int-exp-negative-exponent.js: Added.
+        * stress/big-int-exp-to-primitive.js: Added.
+        * stress/big-int-exp-type-error.js: Added.
+        * stress/big-int-exp-wrapped-value.js: Added.
+        * stress/value-pow-ai-rule.js: Added.
+
 2019-05-30  Tadeu Zagallo  <tzagallo@apple.com> and Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-06-03  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][BigInt] Implement support for "**"
+        https://bugs.webkit.org/show_bug.cgi?id=190799
+
+        Reviewed by Saam Barati.
+
+        We are introducing support for BigInt into "**" operator. This Patch
+        also includes changes into DFG, introducing a new node "ValuePow" that
+        is responsible to handle UntypedUse and BigIntUse.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+        ValuePow(Untyped, Untyped) still can propagate constant if AI proves
+        it. We are doing so if AI proves rhs and lhs as numbers.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+
+        When compiling op_pow, we first verify if rhs and lhs can be any Int
+        or number. If this happen, we emit ArithPow, otherwise we fallback to
+        ValuePow and rely on fixup to convert it to ArithPow if possible.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
+        We only clobberize world if ValuePow is UntypedUse. Otherwise, we can
+        properly support CSE.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
+        JSBigInt::exponentiate allocates JSBigInts to perform calculation and
+        it can trigger GC. ValuePow(UntypedUse) can trigger GC because it can
+        execute user code.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupArithPow):
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValuePow):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGValidate.cpp:
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileValuePow):
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
+        We are adding proper support to BigInt on op_pow. The specification
+        defines that we can only apply pow when both operands have the same
+        type after calling ToNumeric().
+
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::exponentiate):
+        * runtime/JSBigInt.h:
+
 2019-06-03  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -903 +903 @@
     }
         
+    case ValuePow: {
+        JSValue childX = forNode(node->child1()).value();
+        JSValue childY = forNode(node->child2()).value();
+        if (childX && childY && childX.isNumber() && childY.isNumber()) {
+            // We need to call `didFoldClobberWorld` here because this path is only possible
+            // when node->useKind is UntypedUse. In the case of BigIntUse, children will be
+            // cleared by `AbstractInterpreter::executeEffects`.
+            didFoldClobberWorld();
+            setConstant(node, jsDoubleNumber(operationMathPow(childX.asNumber(), childY.asNumber())));
+            break;
+        }
+
+        if (node->binaryUseKind() == BigIntUse)
+            setTypeForNode(node, SpecBigInt);
+        else {
+            clobberWorld();
+            setTypeForNode(node, SpecBytecodeNumber | SpecBigInt);
+        }
+        break;
+    }
+
     case ValueMul: {
         if (node->binaryUseKind() == BigIntUse)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -5126 +5126 @@
 
         case op_pow: {
-            // FIXME: ArithPow(Untyped, Untyped) should be supported as the same to ArithMul, ArithSub etc.
-            // https://bugs.webkit.org/show_bug.cgi?id=160012
             auto bytecode = currentInstruction->as<OpPow>();
             Node* op1 = get(bytecode.m_lhs);
             Node* op2 = get(bytecode.m_rhs);
-            set(bytecode.m_dst, addToGraph(ArithPow, op1, op2));
+            if (op1->hasNumberOrAnyIntResult() && op2->hasNumberOrAnyIntResult())
+                set(bytecode.m_dst, addToGraph(ArithPow, op1, op2));
+            else
+                set(bytecode.m_dst, addToGraph(ValuePow, op1, op2));
             NEXT_OPCODE(op_pow);
         }

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -682 +682 @@
     case ValueDiv:
     case ValueMod:
+    case ValuePow:
         if (node->isBinaryUseKind(BigIntUse)) {
             def(PureValue(node));

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -381 +381 @@
     case ValueDiv:
     case ValueMod:
+    case ValuePow:
     case ValueBitNot:
     case ValueNegate:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -109 +109 @@
     }
 
+    void fixupArithPow(Node* node)
+    {
+        if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
+            fixDoubleOrBooleanEdge(node->child1());
+            fixIntOrBooleanEdge(node->child2());
+            return;
+        }
+
+        fixDoubleOrBooleanEdge(node->child1());
+        fixDoubleOrBooleanEdge(node->child2());
+    }
+
     void fixupArithDiv(Node* node, Edge& leftChild, Edge& rightChild)
     {
@@ -590 +602 @@
         }
 
+        case ValuePow: {
+            if (Node::shouldSpeculateBigInt(node->child1().node(), node->child2().node())) {
+                fixEdge<BigIntUse>(node->child1());
+                fixEdge<BigIntUse>(node->child2());
+                node->clearFlags(NodeMustGenerate);
+                break;
+            }
+
+            if (Node::shouldSpeculateUntypedForArithmetic(node->child1().node(), node->child2().node())) {
+                fixEdge<UntypedUse>(node->child1());
+                fixEdge<UntypedUse>(node->child2());
+                break;
+            }
+
+            node->setOp(ArithPow);
+            node->clearFlags(NodeMustGenerate);
+            node->setResult(NodeResultDouble);
+
+            fixupArithPow(node);
+            break;
+        }
+
         case ArithPow: {
-            if (node->child2()->shouldSpeculateInt32OrBooleanForArithmetic()) {
-                fixDoubleOrBooleanEdge(node->child1());
-                fixIntOrBooleanEdge(node->child2());
-                break;
-            }
-
-            fixDoubleOrBooleanEdge(node->child1());
-            fixDoubleOrBooleanEdge(node->child2());
+            fixupArithPow(node);
             break;
         }

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -180 +180 @@
     macro(ValueMul, NodeResultJS | NodeMustGenerate) \
     macro(ValueDiv, NodeResultJS | NodeMustGenerate) \
+    macro(ValuePow, NodeResultJS | NodeMustGenerate) \
     macro(ValueMod, NodeResultJS | NodeMustGenerate) \
     \

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -549 +549 @@
 }
 
+EncodedJSValue JIT_OPERATION operationValuePow(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
+{
+    auto bigIntOp = [] (ExecState* exec, JSBigInt* left, JSBigInt* right) -> JSBigInt* {
+        return JSBigInt::exponentiate(exec, left, right);
+    };
+
+    auto numberOp = [] (double left, double right) -> double {
+        return operationMathPow(left, right);
+    };
+
+    return binaryOp(exec, encodedOp1, encodedOp2, bigIntOp, numberOp, "Invalid mix of BigInt and other type in exponentiation operation."_s);
+}
+
 double JIT_OPERATION operationArithAbs(ExecState* exec, EncodedJSValue encodedOp1)
 {
@@ -1395 +1408 @@
     
     return JSBigInt::divide(exec, leftOperand, rightOperand);
+}
+
+JSCell* JIT_OPERATION operationPowBigInt(ExecState* exec, JSCell* op1, JSCell* op2)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    
+    JSBigInt* leftOperand = jsCast<JSBigInt*>(op1);
+    JSBigInt* rightOperand = jsCast<JSBigInt*>(op2);
+    
+    return JSBigInt::exponentiate(exec, leftOperand, rightOperand);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -61 +61 @@
 EncodedJSValue JIT_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationValueDiv(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
+EncodedJSValue JIT_OPERATION operationValuePow(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 double JIT_OPERATION operationArithAbs(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
 uint32_t JIT_OPERATION operationArithClz32(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
@@ -172 +173 @@
 JSCell* JIT_OPERATION operationModBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationDivBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
+JSCell* JIT_OPERATION operationPowBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitAndBigInt(ExecState*, JSCell* op1, JSCell* op2) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationBitNotBigInt(ExecState*, JSCell* op1) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -275 +275 @@
             }
 
+            break;
+        }
+
+        case ValuePow: {
+            SpeculatedType left = node->child1()->prediction();
+            SpeculatedType right = node->child2()->prediction();
+
+            if (left && right) {
+                if (node->child1()->shouldSpeculateBigInt() && node->child2()->shouldSpeculateBigInt())          
+                    changed |= mergePrediction(SpecBigInt);
+                else if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
+                    && isFullNumberOrBooleanSpeculationExpectingDefined(right))
+                    setPrediction(SpecBytecodeDouble);
+                else
+                    setPrediction(SpecBytecodeDouble | SpecBigInt);
+            }
             break;
         }
@@ -1121 +1137 @@
         case ValueDiv:
         case ValueMod:
+        case ValuePow:
         case ArithAdd:
         case ArithSub:

trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h

@@ -240 +240 @@
     case ValueDiv:
     case ValueMod:
+    case ValuePow:
     case TryGetById:
     case DeleteById:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -5797 +5797 @@
 }
 
+void SpeculativeJIT::compileValuePow(Node* node)
+{
+    Edge& leftChild = node->child1();
+    Edge& rightChild = node->child2();
+
+    if (node->binaryUseKind() == BigIntUse) {
+        SpeculateCellOperand left(this, leftChild);
+        SpeculateCellOperand right(this, rightChild);
+        GPRReg leftGPR = left.gpr();
+        GPRReg rightGPR = right.gpr();
+
+        speculateBigInt(leftChild, leftGPR);
+        speculateBigInt(rightChild, rightGPR);
+
+        flushRegisters();
+        GPRFlushedCallResult result(this);
+        GPRReg resultGPR = result.gpr();
+
+        callOperation(operationPowBigInt, resultGPR, leftGPR, rightGPR);
+
+        m_jit.exceptionCheck();
+        cellResult(resultGPR, node);
+        return;
+    }
+
+    DFG_ASSERT(m_jit.graph(), node, node->binaryUseKind() == UntypedUse, node->binaryUseKind());
+
+    JSValueOperand left(this, leftChild);
+    JSValueOperand right(this, rightChild);
+    JSValueRegs leftRegs = left.jsValueRegs();
+    JSValueRegs rightRegs = right.jsValueRegs();
+
+    flushRegisters();
+    JSValueRegsFlushedCallResult result(this);
+    JSValueRegs resultRegs = result.regs();
+    callOperation(operationValuePow, resultRegs, leftRegs, rightRegs);
+    m_jit.exceptionCheck();
+
+    jsValueResult(resultRegs, node);
+}
+
 void SpeculativeJIT::compileArithPow(Node* node)
 {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1360 +1360 @@
     void compileArithMod(Node*);
     void compileArithPow(Node*);
+    void compileValuePow(Node*);
     void compileArithRounding(Node*);
     void compileArithRandom(Node*);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -2095 +2095 @@
     case ArithMod: {
         compileArithMod(node);
+        break;
+    }
+
+    case ValuePow: {
+        compileValuePow(node);
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2253 +2253 @@
         break;
     }
+
+    case ValuePow:
+        compileValuePow(node);
+        break;
 
     case ArithPow:

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -259 +259 @@
                 case ValueDiv:
                 case ValueMod:
+                case ValuePow:
                 case ArithAdd:
                 case ArithSub:

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -100 +100 @@
     case ValueDiv:
     case ValueMod:
+    case ValuePow:
     case StrCat:
     case ArithAdd:

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -794 +794 @@
             compileArithAbs();
             break;
+        case ValuePow:
+            compileValuePow();
+            break;
         case ArithPow:
             compileArithPow();
@@ -2717 +2720 @@
         LValue result = vmCall(Double, m_out.operation(DFG::arithUnaryOperation(m_node->arithUnaryType())), m_callFrame, argument);
         setDouble(result);
+    }
+
+    void compileValuePow()
+    {
+        if (m_node->isBinaryUseKind(BigIntUse)) {
+            LValue base = lowBigInt(m_node->child1());
+            LValue exponent = lowBigInt(m_node->child2());
+            
+            LValue result = vmCall(pointerType(), m_out.operation(operationPowBigInt), m_callFrame, base, exponent);
+            setJSValue(result);
+            return;
+        }
+
+        LValue base = lowJSValue(m_node->child1());
+        LValue exponent = lowJSValue(m_node->child2());
+        LValue result = vmCall(Int64, m_out.operation(operationValuePow), m_callFrame, base, exponent);
+        setJSValue(result);
     }
 

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -637 +637 @@
     BEGIN();
     auto bytecode = pc->as<OpPow>();
-    double a = GET_C(bytecode.m_lhs).jsValue().toNumber(exec);
-    if (UNLIKELY(throwScope.exception()))
-        RETURN(JSValue());
-    double b = GET_C(bytecode.m_rhs).jsValue().toNumber(exec);
-    if (UNLIKELY(throwScope.exception()))
-        RETURN(JSValue());
+    JSValue left = GET_C(bytecode.m_lhs).jsValue();
+    JSValue right = GET_C(bytecode.m_rhs).jsValue();
+    auto leftNumeric = left.toNumeric(exec);
+    CHECK_EXCEPTION();
+    auto rightNumeric = right.toNumeric(exec);
+    CHECK_EXCEPTION();
+
+    if (WTF::holds_alternative<JSBigInt*>(leftNumeric) || WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+        if (WTF::holds_alternative<JSBigInt*>(leftNumeric) && WTF::holds_alternative<JSBigInt*>(rightNumeric)) {
+            JSBigInt* result = JSBigInt::exponentiate(exec, WTF::get<JSBigInt*>(leftNumeric), WTF::get<JSBigInt*>(rightNumeric));
+            CHECK_EXCEPTION();
+            RETURN(result);
+        }
+
+        THROW(createTypeError(exec, "Invalid mix of BigInt and other type in exponentiation operation."));
+    }
+    
+    double a = WTF::get<double>(leftNumeric);
+    double b = WTF::get<double>(rightNumeric);
+
     RETURN(jsNumber(operationMathPow(a, b)));
 }

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

@@ -238 +238 @@
 }
 
+JSBigInt* JSBigInt::exponentiate(ExecState* exec, JSBigInt* base, JSBigInt* exponent)
+{
+    VM& vm = exec->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    if (exponent->sign()) {
+        throwRangeError(exec, scope, "Negative exponent is not allowed"_s);
+        return nullptr;
+    }
+
+    // 2. If base is 0n and exponent is 0n, return 1n.
+    if (exponent->isZero())
+        return JSBigInt::createFrom(vm, 1);
+    
+    // 3. Return a BigInt representing the mathematical value of base raised
+    //    to the power exponent.
+    if (base->isZero())
+        return base;
+
+    if (base->length() == 1 && base->digit(0) == 1) {
+        // (-1) ** even_number == 1.
+        if (base->sign() && !(exponent->digit(0) & 1))
+            return JSBigInt::unaryMinus(vm, base);
+
+        // (-1) ** odd_number == -1; 1 ** anything == 1.
+        return base;
+    }
+
+    // For all bases >= 2, very large exponents would lead to unrepresentable
+    // results.
+    static_assert(maxLengthBits < std::numeric_limits<Digit>::max(), "maxLengthBits needs to be less than digit::max()");
+    if (exponent->length() > 1) {
+        throwRangeError(exec, scope, "BigInt generated from this operation is too big"_s);
+        return nullptr;
+    }
+
+    Digit expValue = exponent->digit(0);
+    if (expValue == 1)
+        return base;
+    if (expValue >= maxLengthBits) {
+        throwRangeError(exec, scope, "BigInt generated from this operation is too big"_s);
+        return nullptr;
+    }
+
+    static_assert(maxLengthBits <= maxInt, "maxLengthBits needs to be <= maxInt");
+    int n = static_cast<int>(expValue);
+    if (base->length() == 1 && base->digit(0) == 2) {
+        // Fast path for 2^n.
+        int neededDigits = 1 + (n / digitBits);
+        JSBigInt* result = JSBigInt::tryCreateWithLength(exec, neededDigits);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+
+        result->initialize(InitializationType::WithZero);
+        // All bits are zero. Now set the n-th bit.
+        Digit msd = static_cast<Digit>(1) << (n % digitBits);
+        result->setDigit(neededDigits - 1, msd);
+        // Result is negative for odd powers of -2n.
+        if (base->sign()) 
+            result->setSign(static_cast<bool>(n & 1));
+
+        return result;
+    }
+
+    JSBigInt* result = nullptr;
+    JSBigInt* runningSquare = base;
+
+    // This implicitly sets the result's sign correctly.
+    if (n & 1)
+        result = base;
+
+    n >>= 1;
+    for (; n; n >>= 1) {
+        JSBigInt* maybeResult = JSBigInt::multiply(exec, runningSquare, runningSquare);
+        RETURN_IF_EXCEPTION(scope, nullptr);
+        runningSquare = maybeResult;
+        if (n & 1) {
+            if (!result)
+                result = runningSquare;
+            else {
+                maybeResult = JSBigInt::multiply(exec, result, runningSquare);
+                RETURN_IF_EXCEPTION(scope, nullptr);
+                result = maybeResult;
+            }
+        }
+    }
+
+    return result;
+}
+
 JSBigInt* JSBigInt::multiply(ExecState* exec, JSBigInt* x, JSBigInt* y)
 {
@@ -1056 +1145 @@
 }
 
-// Returns whether (factor1 * factor2) > (high << kDigitBits) + low.
+// Returns whether (factor1 * factor2) > (high << digitBits) + low.
 inline bool JSBigInt::productGreaterThan(Digit factor1, Digit factor2, Digit high, Digit low)
 {

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -112 +112 @@
     inline bool toBoolean() const { return !isZero(); }
 
+    static JSBigInt* exponentiate(ExecState*, JSBigInt* base, JSBigInt* exponent);
+
     static JSBigInt* multiply(ExecState*, JSBigInt* x, JSBigInt* y);