Changeset 267373 in webkit

Timestamp:

Sep 21, 2020 3:10:24 PM (4 years ago)

Author:

ysuzuki@apple.com

Message:

[JSC] BigInt should work with Map / Set
​https://bugs.webkit.org/show_bug.cgi?id=216667
JSTests:

<rdar://problem/69107221>

Reviewed by Robin Morisset.

• stress/bigint-and-map-set.js: Added.

(shouldBe):
(opaque1n):
(testMap):
(let.set new):

• stress/bigint-string-map-set.js: Added.

(shouldBe):
(testMap):

• stress/bigint32-map-set.js: Added.

(shouldBe):
(testMap):

Source/JavaScriptCore:

Reviewed by Robin Morisset.

This patch makes BigInt supported in Map / Set.

1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). So we ensure that,

normalized BigInt has one unique form for BigInt32 range. This allows us to use hashing for BigInt32 bit pattern directly.

2. In MapHash, for BigInt32, we directly has the JSValue bits. For HeapBigInt, we calculate hash via Hasher.
3. In GetMapBucket, we consider HeapBigInt case correctly.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupNormalizeMapKey):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
(JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
(JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):

• runtime/HashMapImpl.h:

(JSC::normalizeMapKey):
(JSC::jsMapHash):
(JSC::concurrentJSMapHash):

• runtime/JSBigInt.cpp:

(JSC::JSBigInt::concurrentHash):

• runtime/JSBigInt.h:

(JSC::tryConvertToBigInt32):

Source/WebCore:

<rdar://problem/69107221>

Reviewed by Robin Morisset.

Strongly ensure that BigInt32 is always selected since Map / Set could use it as a key.

• bindings/js/SerializedScriptValue.cpp:

(WebCore::CloneDeserializer::readBigInt):

Source/WTF:

Reviewed by Robin Morisset.

• wtf/Hasher.h:

(WTF::Hasher::hash const):
(WTF::add):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/bigint-and-map-set.js (added)
• JSTests/stress/bigint-string-map-set.js (added)
• JSTests/stress/bigint32-map-set.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDoesGC.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (9 diffs)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (13 diffs)
• Source/JavaScriptCore/runtime/HashMapImpl.h (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSBigInt.h (modified) (3 diffs)
• Source/WTF/ChangeLog (modified) (1 diff)
• Source/WTF/wtf/Hasher.h (modified) (3 diffs)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/SerializedScriptValue.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] BigInt should work with Map / Set
+        https://bugs.webkit.org/show_bug.cgi?id=216667
+        <rdar://problem/69107221>
+
+        Reviewed by Robin Morisset.
+
+        * stress/bigint-and-map-set.js: Added.
+        (shouldBe):
+        (opaque1n):
+        (testMap):
+        (let.set new):
+        * stress/bigint-string-map-set.js: Added.
+        (shouldBe):
+        (testMap):
+        * stress/bigint32-map-set.js: Added.
+        (shouldBe):
+        (testMap):
+
 2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] BigInt should work with Map / Set
+        https://bugs.webkit.org/show_bug.cgi?id=216667
+
+        Reviewed by Robin Morisset.
+
+        This patch makes BigInt supported in Map / Set.
+
+        1. In NormalizeMapKey, we always attempt to convert HeapBigInt to BigInt32 (if supported). So we ensure that,
+            normalized BigInt has one unique form for BigInt32 range. This allows us to use hashing for BigInt32 bit pattern directly.
+        2. In MapHash, for BigInt32, we directly has the JSValue bits. For HeapBigInt, we calculate hash via Hasher.
+        3. In GetMapBucket, we consider HeapBigInt case correctly.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
+        * runtime/HashMapImpl.h:
+        (JSC::normalizeMapKey):
+        (JSC::jsMapHash):
+        (JSC::concurrentJSMapHash):
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::concurrentHash):
+        * runtime/JSBigInt.h:
+        (JSC::tryConvertToBigInt32):
+
 2020-09-21  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1382 +1382 @@
         }
 
-        SpeculatedType typeMaybeNormalized = (SpecFullNumber & ~SpecInt32Only);
+        SpeculatedType typeMaybeNormalized = (SpecFullNumber & ~SpecInt32Only) | SpecHeapBigInt;
         if (!(forNode(node->child1()).m_type & typeMaybeNormalized)) {
             m_state.setShouldTryConstantFolding(true);

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -995 +995 @@
 
             case NormalizeMapKey: {
-                SpeculatedType typeMaybeNormalized = (SpecFullNumber & ~SpecInt32Only);
+                SpeculatedType typeMaybeNormalized = (SpecFullNumber & ~SpecInt32Only) | SpecHeapBigInt;
                 if (m_state.forNode(node->child1()).m_type & typeMaybeNormalized)
                     break;

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -165 +165 @@
     case SuperSamplerEnd:
     case CPUIntrinsic:
-    case NormalizeMapKey:
+    case NormalizeMapKey: // HeapBigInt => BigInt32 conversion does not involve GC.
     case GetMapBucketHead:
     case GetMapBucketNext:
@@ -518 +518 @@
         case SymbolUse:
         case ObjectUse:
+#if USE(BIGINT32)
+        case BigInt32Use:
+#endif
+        case HeapBigIntUse:
             return false;
         default:

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -2378 +2378 @@
             else if (node->child2()->shouldSpeculateInt32())
                 fixEdge<Int32Use>(node->child2());
+#if USE(BIGINT32)
+            else if (node->child2()->shouldSpeculateBigInt32())
+                fixEdge<BigInt32Use>(node->child2());
+#endif
             else if (node->child2()->shouldSpeculateSymbol())
                 fixEdge<SymbolUse>(node->child2());
@@ -2384 +2388 @@
             else if (node->child2()->shouldSpeculateString())
                 fixEdge<StringUse>(node->child2());
+            else if (node->child2()->shouldSpeculateHeapBigInt())
+                fixEdge<HeapBigIntUse>(node->child2());
             else if (node->child2()->shouldSpeculateCell())
                 fixEdge<CellUse>(node->child2());
@@ -2434 +2440 @@
             if (node->child1()->shouldSpeculateString()) {
                 fixEdge<StringUse>(node->child1());
+                break;
+            }
+
+#if USE(BIGINT32)
+            if (node->child1()->shouldSpeculateBigInt32()) {
+                fixEdge<BigInt32Use>(node->child1());
+                break;
+            }
+#endif
+
+            if (node->child1()->shouldSpeculateHeapBigInt()) {
+                fixEdge<HeapBigIntUse>(node->child1());
                 break;
             }
@@ -3997 +4015 @@
         }
 
-        if (node->child1()->shouldSpeculateCell()) {
-            fixEdge<CellUse>(node->child1());
+#if USE(BIGINT32)
+        if (node->child1()->shouldSpeculateBigInt32()) {
+            fixEdge<BigInt32Use>(node->child1());
             node->convertToIdentity();
             return;
         }
+#endif
 
         fixEdge<UntypedUse>(node->child1());

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -3213 +3213 @@
 }
 
+EncodedJSValue JIT_OPERATION operationNormalizeMapKey(VM* vmPointer, EncodedJSValue input)
+{
+    VM& vm = *vmPointer;
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+    return JSValue::encode(normalizeMapKey(JSValue::decode(input)));
+}
+
 UCPUStrictInt32 JIT_OPERATION operationMapHash(JSGlobalObject* globalObject, EncodedJSValue input)
 {

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

@@ -244 +244 @@
 char* JIT_OPERATION operationDoubleToStringWithValidRadix(JSGlobalObject*, double, int32_t);
 
+EncodedJSValue JIT_OPERATION operationNormalizeMapKey(VM*, EncodedJSValue input) WTF_INTERNAL;
 UCPUStrictInt32 JIT_OPERATION operationMapHash(JSGlobalObject*, EncodedJSValue input);
 JSCell* JIT_OPERATION operationJSMapFindBucket(JSGlobalObject*, JSCell*, EncodedJSValue, int32_t);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -12518 +12518 @@
     CCallHelpers::JumpList doneCases;
 
+    auto isNotCell = m_jit.branchIfNotCell(keyRegs);
+    passThroughCases.append(m_jit.branchIfNotHeapBigInt(keyRegs.payloadGPR()));
+    auto slowPath = m_jit.jump();
+    isNotCell.link(&m_jit);
+
     passThroughCases.append(m_jit.branchIfNotNumber(keyRegs, scratchGPR));
     passThroughCases.append(m_jit.branchIfInt32(keyRegs));
@@ -12540 +12545 @@
     passThroughCases.link(&m_jit);
     m_jit.moveValueRegs(keyRegs, resultRegs);
+    addSlowPathGenerator(slowPathCall(slowPath, this, operationNormalizeMapKey, resultRegs, &vm(), keyRegs));
 
     doneCases.link(&m_jit);

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -4432 +4432 @@
     case MapHash: {
         switch (node->child1().useKind()) {
+#if USE(BIGINT32)
+        case BigInt32Use:
+#endif
         case BooleanUse:
         case Int32Use:
@@ -4451 +4454 @@
             break;
         }
+        case HeapBigIntUse: {
+            SpeculateCellOperand input(this, node->child1());
+            GPRReg inputGPR = input.gpr();
+
+            speculateHeapBigInt(node->child1(), inputGPR);
+
+            flushRegisters();
+            GPRFlushedCallResult result(this);
+            GPRReg resultGPR = result.gpr();
+            callOperation(operationMapHash, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), inputGPR);
+            m_jit.exceptionCheck();
+            strictInt32Result(resultGPR, node);
+            break;
+        }
         case CellUse:
         case StringUse: {
@@ -4473 +4490 @@
             else {
                 auto isString = m_jit.branchIfString(inputGPR);
+                auto isHeapBigInt = m_jit.branchIfHeapBigInt(inputGPR);
                 m_jit.move(inputGPR, resultGPR);
                 m_jit.wangsInt64Hash(resultGPR, tempGPR);
+                addSlowPathGenerator(slowPathCall(isHeapBigInt, this, operationMapHash, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), inputGPR));
                 done.append(m_jit.jump());
                 isString.link(&m_jit);
@@ -4516 +4535 @@
         straightHash.append(m_jit.branchIfNotCell(inputGPR));
         MacroAssembler::JumpList slowPath;
+        auto isHeapBigInt = m_jit.branchIfHeapBigInt(inputGPR);
         straightHash.append(m_jit.branchIfNotString(inputGPR));
         m_jit.loadPtr(MacroAssembler::Address(inputGPR, JSString::offsetOfValue()), resultGPR);
@@ -4527 +4547 @@
         m_jit.move(inputGPR, resultGPR);
         m_jit.wangsInt64Hash(resultGPR, tempGPR);
+        addSlowPathGenerator(slowPathCall(isHeapBigInt, this, operationMapHash, resultGPR, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), inputGPR));
         done.append(m_jit.jump());
 
@@ -4597 +4618 @@
         switch (node->child2().useKind()) {
         case BooleanUse:
+#if USE(BIGINT32)
+        case BigInt32Use:
+#endif
         case Int32Use:
         case SymbolUse:
@@ -4605 +4629 @@
         }
         case CellUse: {
+            // if (bucket.isString()) {
+            //     if (key.isString())
+            //         => slow path
+            // } else if (bucket.isHeapBigInt()) {
+            //     if (key.isHeapBigInt())
+            //         => slow path
+            // }
             done.append(m_jit.branch64(MacroAssembler::Equal, bucketGPR, keyGPR));
             loopAround.append(m_jit.branchIfNotCell(JSValueRegs(bucketGPR)));
-            loopAround.append(m_jit.branchIfNotString(bucketGPR));
+
+            auto isBucketString = m_jit.branchIfString(bucketGPR);
+            loopAround.append(m_jit.branchIfNotHeapBigInt(bucketGPR));
+
+            // bucket is HeapBigInt.
+            slowPathCases.append(m_jit.branchIfHeapBigInt(keyGPR));
+            loopAround.append(m_jit.jump());
+
+            // bucket is String.
+            isBucketString.link(&m_jit);
             loopAround.append(m_jit.branchIfNotString(keyGPR));
-            // They're both strings.
             slowPathCases.append(m_jit.jump());
             break;
@@ -4617 +4656 @@
             loopAround.append(m_jit.branchIfNotCell(JSValueRegs(bucketGPR)));
             loopAround.append(m_jit.branchIfNotString(bucketGPR));
+            slowPathCases.append(m_jit.jump());
+            break;
+        }
+        case HeapBigIntUse: {
+            done.append(m_jit.branch64(MacroAssembler::Equal, bucketGPR, keyGPR)); // They're definitely the same value, we found the bucket we were looking for!
+            loopAround.append(m_jit.branchIfNotCell(JSValueRegs(bucketGPR)));
+            loopAround.append(m_jit.branchIfNotHeapBigInt(bucketGPR));
             slowPathCases.append(m_jit.jump());
             break;
@@ -4627 +4673 @@
             loopAround.append(m_jit.branchIfNotCell(JSValueRegs(keyGPR)));
             // Both are cells here.
-            loopAround.append(m_jit.branchIfNotString(bucketGPR));
-            // The first is a string here.
-            slowPathCases.append(m_jit.branchIfString(keyGPR));
-            // The first is a string, but the second is not, we continue to loop around.
+            auto isBucketString = m_jit.branchIfString(bucketGPR);
+            // bucket is not String.
+            loopAround.append(m_jit.branchIfNotHeapBigInt(bucketGPR));
+            // bucket is HeapBigInt.
+            slowPathCases.append(m_jit.branchIfHeapBigInt(keyGPR));
             loopAround.append(m_jit.jump());
+            // bucket is String.
+            isBucketString.link(&m_jit);
+            loopAround.append(m_jit.branchIfNotString(keyGPR));
+            slowPathCases.append(m_jit.jump());
             break;
         }

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11245 +11245 @@
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
         switch (m_node->child1().useKind()) {
+#if USE(BIGINT32)
+        case BigInt32Use:
+#endif
         case BooleanUse:
         case Int32Use:
@@ -11255 +11258 @@
         }
 
+        case HeapBigIntUse: {
+            LValue key = lowHeapBigInt(m_node->child1());
+            setInt32(m_out.castToInt32(vmCall(Int64, operationMapHash, weakPointer(globalObject), key)));
+            return;
+        }
+
         case CellUse: {
             LBasicBlock isString = m_out.newBlock();
             LBasicBlock notString = m_out.newBlock();
+            LBasicBlock isHeapBigIntCase = m_out.newBlock();
+            LBasicBlock notStringHeapBigIntCase = m_out.newBlock();
             LBasicBlock continuation = m_out.newBlock();
 
@@ -11269 +11280 @@
             m_out.jump(continuation);
 
-            m_out.appendTo(notString, continuation);
+            m_out.appendTo(notString, isHeapBigIntCase);
+            m_out.branch(isHeapBigInt(value, (provenType(m_node->child1()) & ~SpecString)), unsure(isHeapBigIntCase), unsure(notStringHeapBigIntCase));
+
+            m_out.appendTo(isHeapBigIntCase, notStringHeapBigIntCase);
+            ValueFromBlock heapBigIntResult = m_out.anchor(m_out.castToInt32(vmCall(Int64, operationMapHash, weakPointer(globalObject), value)));
+            m_out.jump(continuation);
+
+            m_out.appendTo(notStringHeapBigIntCase, continuation);
             ValueFromBlock notStringResult = m_out.anchor(wangsInt64Hash(value));
             m_out.jump(continuation);
 
             m_out.appendTo(continuation, lastNext);
-            setInt32(m_out.phi(Int32, stringResult, notStringResult));
+            setInt32(m_out.phi(Int32, stringResult, heapBigIntResult, notStringResult));
             return;
         }
@@ -11295 +11313 @@
         LBasicBlock straightHash = m_out.newBlock();
         LBasicBlock isStringCase = m_out.newBlock();
+        LBasicBlock notStringCase = m_out.newBlock();
         LBasicBlock nonEmptyStringCase = m_out.newBlock();
         LBasicBlock continuation = m_out.newBlock();
@@ -11301 +11320 @@
             isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(straightHash));
 
-        LBasicBlock lastNext = m_out.appendTo(isCellCase, isStringCase);
+        LBasicBlock lastNext = m_out.appendTo(isCellCase, notStringCase);
         LValue isString = m_out.equal(m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType), m_out.constInt32(StringType));
         m_out.branch(
-            isString, unsure(isStringCase), unsure(straightHash));
+            isString, unsure(isStringCase), unsure(notStringCase));
+
+        m_out.appendTo(notStringCase, isStringCase);
+        m_out.branch(isHeapBigInt(value, (provenType(m_node->child1()) & ~SpecString)), unsure(slowCase), unsure(straightHash));
 
         m_out.appendTo(isStringCase, nonEmptyStringCase);
@@ -11332 +11354 @@
         ASSERT(m_node->child1().useKind() == UntypedUse);
 
+        LBasicBlock isCellCase = m_out.newBlock();
+        LBasicBlock notCellCase = m_out.newBlock();
+        LBasicBlock isHeapBigIntCase = m_out.newBlock();
         LBasicBlock isNumberCase = m_out.newBlock();
         LBasicBlock notInt32NumberCase = m_out.newBlock();
@@ -11338 +11363 @@
         LBasicBlock continuation = m_out.newBlock();
 
-        LBasicBlock lastNext = m_out.insertNewBlocksBefore(isNumberCase);
+        LBasicBlock lastNext = m_out.insertNewBlocksBefore(isCellCase);
 
         LValue key = lowJSValue(m_node->child1());
         ValueFromBlock fastResult = m_out.anchor(key);
+        m_out.branch(isNotCell(key, provenType(m_node->child1())), unsure(notCellCase), unsure(isCellCase));
+
+        m_out.appendTo(isCellCase, isHeapBigIntCase);
+        m_out.branch(isNotHeapBigInt(key, (provenType(m_node->child1()) & SpecCellCheck)), unsure(continuation), unsure(isHeapBigIntCase));
+
+        m_out.appendTo(isHeapBigIntCase, notCellCase);
+        ValueFromBlock bigIntResult = m_out.anchor(vmCall(Int64, operationNormalizeMapKey, m_vmValue, key));
+        m_out.jump(continuation);
+
+        m_out.appendTo(notCellCase, isNumberCase);
         m_out.branch(isNotNumber(key), unsure(continuation), unsure(isNumberCase));
 
@@ -11363 +11398 @@
 
         m_out.appendTo(continuation, lastNext);
-        setJSValue(m_out.phi(Int64, fastResult, normalizedNaNResult, doubleResult, boxedIntResult));
+        setJSValue(m_out.phi(Int64, fastResult, bigIntResult, normalizedNaNResult, doubleResult, boxedIntResult));
     }
 
@@ -11419 +11454 @@
         switch (m_node->child2().useKind()) {
         case BooleanUse:
+#if USE(BIGINT32)
+        case BigInt32Use:
+#endif
         case Int32Use:
         case SymbolUse:
@@ -11442 +11480 @@
             break;
         }
+        case HeapBigIntUse: {
+            LBasicBlock notBitEqual = m_out.newBlock();
+            LBasicBlock bucketKeyIsCell = m_out.newBlock();
+
+            m_out.branch(m_out.equal(key, bucketKey),
+                unsure(continuation), unsure(notBitEqual));
+
+            m_out.appendTo(notBitEqual, bucketKeyIsCell);
+            m_out.branch(isCell(bucketKey),
+                unsure(bucketKeyIsCell), unsure(loopAround));
+
+            m_out.appendTo(bucketKeyIsCell, loopAround);
+            m_out.branch(isHeapBigInt(bucketKey),
+                unsure(slowPath), unsure(loopAround));
+            break;
+        }
         case CellUse: {
             LBasicBlock notBitEqual = m_out.newBlock();
             LBasicBlock bucketKeyIsCell = m_out.newBlock();
             LBasicBlock bucketKeyIsString = m_out.newBlock();
+            LBasicBlock bucketKeyIsNotString = m_out.newBlock();
+            LBasicBlock bucketKeyIsHeapBigInt = m_out.newBlock();
 
             m_out.branch(m_out.equal(key, bucketKey),
@@ -11456 +11512 @@
             m_out.appendTo(bucketKeyIsCell, bucketKeyIsString);
             m_out.branch(isString(bucketKey),
-                unsure(bucketKeyIsString), unsure(loopAround));
-
-            m_out.appendTo(bucketKeyIsString, loopAround);
-            m_out.branch(isString(key),
+                unsure(bucketKeyIsString), unsure(bucketKeyIsNotString));
+
+            m_out.appendTo(bucketKeyIsString, bucketKeyIsNotString);
+            m_out.branch(isString(key, provenType(m_node->child2())),
+                unsure(slowPath), unsure(loopAround));
+
+            m_out.appendTo(bucketKeyIsNotString, bucketKeyIsHeapBigInt);
+            m_out.branch(isHeapBigInt(bucketKey),
+                unsure(bucketKeyIsHeapBigInt), unsure(loopAround));
+
+            m_out.appendTo(bucketKeyIsHeapBigInt, loopAround);
+            m_out.branch(isHeapBigInt(key, provenType(m_node->child2())),
                 unsure(slowPath), unsure(loopAround));
             break;
@@ -11468 +11532 @@
             LBasicBlock bothAreCells = m_out.newBlock();
             LBasicBlock bucketKeyIsString = m_out.newBlock();
+            LBasicBlock bucketKeyIsNotString = m_out.newBlock();
+            LBasicBlock bucketKeyIsHeapBigInt = m_out.newBlock();
 
             m_out.branch(m_out.equal(key, bucketKey),
@@ -11482 +11548 @@
             m_out.appendTo(bothAreCells, bucketKeyIsString);
             m_out.branch(isString(bucketKey),
-                unsure(bucketKeyIsString), unsure(loopAround));
-
-            m_out.appendTo(bucketKeyIsString, loopAround);
-            m_out.branch(isString(key),
+                unsure(bucketKeyIsString), unsure(bucketKeyIsNotString));
+
+            m_out.appendTo(bucketKeyIsString, bucketKeyIsNotString);
+            m_out.branch(isString(key, provenType(m_node->child2())),
+                unsure(slowPath), unsure(loopAround));
+
+            m_out.appendTo(bucketKeyIsNotString, bucketKeyIsHeapBigInt);
+            m_out.branch(isHeapBigInt(bucketKey),
+                unsure(bucketKeyIsHeapBigInt), unsure(loopAround));
+
+            m_out.appendTo(bucketKeyIsHeapBigInt, loopAround);
+            m_out.branch(isHeapBigInt(key, provenType(m_node->child2())),
                 unsure(slowPath), unsure(loopAround));
             break;

trunk/Source/JavaScriptCore/runtime/HashMapImpl.h

@@ -244 +244 @@
 ALWAYS_INLINE JSValue normalizeMapKey(JSValue key)
 {
-    if (!key.isNumber())
+    if (!key.isNumber()) {
+        if (key.isHeapBigInt())
+            return tryConvertToBigInt32(key.asHeapBigInt());
         return key;
+    }
 
     if (key.isInt32())
@@ -288 +291 @@
     }
 
+    if (value.isHeapBigInt())
+        return value.asHeapBigInt()->hash();
+
     return wangsInt64Hash(JSValue::encode(value));
 }
@@ -303 +309 @@
         return impl->concurrentHash();
     }
+
+    if (key.isHeapBigInt())
+        return key.asHeapBigInt()->concurrentHash();
 
     uint64_t rawValue = JSValue::encode(key);

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

@@ -55 +55 @@
 #include "StructureInlines.h"
 #include <algorithm>
+#include <wtf/Hasher.h>
 #include <wtf/MathExtras.h>
 
@@ -430 +431 @@
     : payload(value)
 { }
-
-static ALWAYS_INLINE JSValue tryConvertToBigInt32(JSBigInt* bigInt)
-{
-#if USE(BIGINT32)
-    if (UNLIKELY(!bigInt))
-        return JSValue();
-
-    if (bigInt->length() <= 1) {
-        if (!bigInt->length())
-            return jsBigInt32(0);
-        JSBigInt::Digit digit = bigInt->digit(0);
-        if (bigInt->sign()) {
-            static constexpr uint64_t maxValue = -static_cast<int64_t>(std::numeric_limits<int32_t>::min());
-            if (digit <= maxValue)
-                return jsBigInt32(static_cast<int32_t>(-static_cast<int64_t>(digit)));
-        } else {
-            static constexpr uint64_t maxValue = static_cast<uint64_t>(std::numeric_limits<int32_t>::max());
-            if (digit <= maxValue)
-                return jsBigInt32(static_cast<int32_t>(digit));
-        }
-    }
-#endif
-
-    return bigInt;
-}
 
 static ALWAYS_INLINE JSValue tryConvertToBigInt32(JSBigInt::ImplResult implResult)
@@ -3074 +3050 @@
 #endif
 
+static ALWAYS_INLINE unsigned computeHash(JSBigInt::Digit* digits, unsigned length, bool sign)
+{
+    Hasher hasher;
+    WTF::add(hasher, sign);
+    for (unsigned index = 0; index < length; ++index)
+        WTF::add(hasher, digits[index]);
+    return hasher.hash();
+}
+
+Optional<unsigned> JSBigInt::concurrentHash()
+{
+    // FIXME: Implement JSBigInt::concurrentHash by inserting right store barriers.
+    // https://bugs.webkit.org/show_bug.cgi?id=216801
+    return WTF::nullopt;
+}
+
+unsigned JSBigInt::hashSlow()
+{
+    ASSERT(!m_hash);
+    m_hash = computeHash(dataStorage(), length(), m_sign);
+    return m_hash;
+}
+
 } // namespace JSC

trunk/Source/JavaScriptCore/runtime/JSBigInt.h

@@ -428 +428 @@
     JS_EXPORT_PRIVATE JSBigInt* tryRightTrim(VM&);
 
+    JS_EXPORT_PRIVATE Optional<unsigned> concurrentHash();
+    unsigned hash()
+    {
+        if (m_hash)
+            return m_hash;
+        return hashSlow();
+    }
+
 private:
     JSBigInt(VM&, Structure*, Digit*, unsigned length);
 
     JSBigInt* rightTrim(JSGlobalObject*, VM&);
+
+    JS_EXPORT_PRIVATE unsigned hashSlow();
 
     static JSBigInt* createFromImpl(JSGlobalObject*, uint64_t value, bool sign);
@@ -573 +583 @@
 
     inline Digit* dataStorage() { return m_data.get(m_length); }
+    inline Digit* dataStorageUnsafe() { return m_data.getUnsafe(); }
 
     const unsigned m_length;
+    unsigned m_hash { 0 };
     bool m_sign { false };
     CagedBarrierPtr<Gigacage::Primitive, Digit, tagCagedPtr> m_data;
@@ -609 +621 @@
 }
 
+ALWAYS_INLINE JSValue tryConvertToBigInt32(JSBigInt* bigInt)
+{
+#if USE(BIGINT32)
+    if (UNLIKELY(!bigInt))
+        return JSValue();
+
+    if (bigInt->length() <= 1) {
+        if (!bigInt->length())
+            return jsBigInt32(0);
+        JSBigInt::Digit digit = bigInt->digit(0);
+        if (bigInt->sign()) {
+            static constexpr uint64_t maxValue = -static_cast<int64_t>(std::numeric_limits<int32_t>::min());
+            if (digit <= maxValue)
+                return jsBigInt32(static_cast<int32_t>(-static_cast<int64_t>(digit)));
+        } else {
+            static constexpr uint64_t maxValue = static_cast<uint64_t>(std::numeric_limits<int32_t>::max());
+            if (digit <= maxValue)
+                return jsBigInt32(static_cast<int32_t>(digit));
+        }
+    }
+#endif
+
+    return bigInt;
+}
+
 } // namespace JSC

trunk/Source/WTF/ChangeLog

@@ +1 @@
+2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] BigInt should work with Map / Set
+        https://bugs.webkit.org/show_bug.cgi?id=216667
+
+        Reviewed by Robin Morisset.
+
+        * wtf/Hasher.h:
+        (WTF::Hasher::hash const):
+        (WTF::add):
+
 2020-09-21  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/WTF/wtf/Hasher.h

@@ -48 +48 @@
 template<typename... Types> uint32_t computeHash(const Types&...);
 template<typename T, typename... OtherTypes> uint32_t computeHash(std::initializer_list<T>, std::initializer_list<OtherTypes>...);
+template<typename UnsignedInteger> std::enable_if_t<std::is_unsigned<UnsignedInteger>::value && sizeof(UnsignedInteger) <= sizeof(uint32_t), void> add(Hasher&, UnsignedInteger);
 
 class Hasher {
@@ -76 +77 @@
     }
 
+    unsigned hash() const
+    {
+        return m_underlyingHasher.hash();
+    }
+
 private:
     StringHasher m_underlyingHasher;
@@ -90 +96 @@
     // We overloaded for double and float below, just deal with integers here.
     add(hasher, static_cast<std::make_unsigned_t<SignedArithmetic>>(number));
+}
+
+inline void add(Hasher& hasher, bool boolean)
+{
+    add(hasher, static_cast<uint8_t>(boolean));
 }
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-09-21  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] BigInt should work with Map / Set
+        https://bugs.webkit.org/show_bug.cgi?id=216667
+        <rdar://problem/69107221>
+
+        Reviewed by Robin Morisset.
+
+        Strongly ensure that BigInt32 is always selected since Map / Set could use it as a key.
+
+        * bindings/js/SerializedScriptValue.cpp:
+        (WebCore::CloneDeserializer::readBigInt):
+
 2020-09-21  Peng Liu  <peng.liu6@apple.com>
 

trunk/Source/WebCore/bindings/js/SerializedScriptValue.cpp

@@ -3055 +3055 @@
             }
             m_gcBuffer.appendWithCrashOnOverflow(bigInt);
-            return bigInt;
+            return tryConvertToBigInt32(bigInt);
         }
 #endif
@@ -3095 +3095 @@
         }
         m_gcBuffer.appendWithCrashOnOverflow(bigInt);
-        return bigInt;
+        return tryConvertToBigInt32(bigInt);
     }