<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[193974] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/193974">193974</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2015-12-11 13:43:45 -0800 (Fri, 11 Dec 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>[ES6] Add support for Symbol.hasInstance
https://bugs.webkit.org/show_bug.cgi?id=151839
Reviewed by Saam Barati.
Source/JavaScriptCore:
This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
needs non-default behavior for resolving the expression. i.e. The constructor has a Symbol.hasInstance that differs from the one on
Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. insntanceof_custom, just
emits a call to slow path code that computes the result.
In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
it into a CheckTypeInfoFlags followed by a JSConstant.
* API/JSCallbackObject.h:
* builtins/FunctionPrototype.js:
(symbolHasInstance):
* bytecode/BytecodeBasicBlock.cpp:
(JSC::isBranch): Deleted.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/PreciseJumpTargets.cpp:
(JSC::getJumpTargetsForBytecodeOffset): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitOverridesHasInstance):
(JSC::BytecodeGenerator::emitInstanceOfCustom):
(JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::hasTypeInfoOperand):
(JSC::DFG::Node::typeInfoOperand):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
(JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonIdentifiers.h:
* runtime/ExceptionHelpers.cpp:
(JSC::invalidParameterInstanceofSourceAppender):
(JSC::invalidParameterInstanceofNotFunctionSourceAppender):
(JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
(JSC::createInvalidInstanceofParameterErrorNotFunction):
(JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
(JSC::createInvalidInstanceofParameterError): Deleted.
* runtime/ExceptionHelpers.h:
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
* runtime/FunctionPrototype.h:
* runtime/JSBoundFunction.cpp:
(JSC::isBoundFunction):
(JSC::hasInstanceBoundFunction):
* runtime/JSBoundFunction.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):
(JSC::objectPrivateFuncInstanceOf):
* runtime/JSObject.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesHasInstance):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase<Unknown>::slot):
* tests/es6.yaml:
* tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
(Constructor):
(value):
(instanceOf):
(body):
* tests/stress/symbol-hasInstance.js: Added.
(Constructor):
(value):
(ObjectClass.Symbol.hasInstance):
(NumberClass.Symbol.hasInstance):
LayoutTests:
Fix tests to reflect the changes to instanceof in ES6.
Added a new regression test for bound functions in instanceof
as the perfomance on bound functions should, to some degree,
reflect the performance on C-API users.
* js/Object-getOwnPropertyNames-expected.txt:
* js/exception-for-nonobject-expected.txt:
* js/exception-instanceof-expected.txt:
* js/instance-of-immediates-expected.txt:
* js/regress/instanceof-bound-expected.txt: Added.
* js/regress/instanceof-bound.html: Added.
* js/regress/script-tests/instanceof-bound.js: Added.
(Constructor):
(test):
* js/script-tests/Object-getOwnPropertyNames.js:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkLayoutTestsjsObjectgetOwnPropertyNamesexpectedtxt">trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsexceptionfornonobjectexpectedtxt">trunk/LayoutTests/js/exception-for-nonobject-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsexceptioninstanceofexpectedtxt">trunk/LayoutTests/js/exception-instanceof-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsinstanceofimmediatesexpectedtxt">trunk/LayoutTests/js/instance-of-immediates-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsObjectgetOwnPropertyNamesjs">trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js</a></li>
<li><a href="#trunkSourceJavaScriptCoreAPIJSCallbackObjecth">trunk/Source/JavaScriptCore/API/JSCallbackObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebuiltinsFunctionPrototypejs">trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp">trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeListjson">trunk/Source/JavaScriptCore/bytecode/BytecodeList.json</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeUseDefh">trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeExitKindcpp">trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeExitKindh">trunk/Source/JavaScriptCore/bytecode/ExitKind.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp">trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh">trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecompilerNodesCodegencpp">trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCapabilitiescpp">trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationcpp">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGHeapLocationh">trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh">trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITh">trunk/Source/JavaScriptCore/jit/JIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITInlinesh">trunk/Source/JavaScriptCore/jit/JITInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodescpp">trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOpcodes32_64cpp">trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntDatacpp">trunk/Source/JavaScriptCore/llint/LLIntData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathscpp">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLLIntSlowPathsh">trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCorellintLowLevelInterpreter64asm">trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeCommonIdentifiersh">trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptionHelperscpp">trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeExceptionHelpersh">trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionPrototypecpp">trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeFunctionPrototypeh">trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSBoundFunctioncpp">trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSBoundFunctionh">trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSGlobalObjecth">trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjectcpp">trunk/Source/JavaScriptCore/runtime/JSObject.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSObjecth">trunk/Source/JavaScriptCore/runtime/JSObject.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSTypeInfoh">trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeWriteBarrierh">trunk/Source/JavaScriptCore/runtime/WriteBarrier.h</a></li>
<li><a href="#trunkSourceJavaScriptCoretestses6yaml">trunk/Source/JavaScriptCore/tests/es6.yaml</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregressinstanceofboundexpectedtxt">trunk/LayoutTests/js/regress/instanceof-bound-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregressinstanceofboundhtml">trunk/LayoutTests/js/regress/instanceof-bound.html</a></li>
<li><a href="#trunkLayoutTestsjsregressscripttestsinstanceofboundjs">trunk/LayoutTests/js/regress/script-tests/instanceof-bound.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressinstanceofcustomhasinstancesymboljs">trunk/Source/JavaScriptCore/tests/stress/instanceof-custom-hasinstancesymbol.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstresssymbolhasInstancejs">trunk/Source/JavaScriptCore/tests/stress/symbol-hasInstance.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/ChangeLog 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2015-12-11 Keith Miller <keith_miller@apple.com>
+
+ [ES6] Add support for Symbol.hasInstance
+ https://bugs.webkit.org/show_bug.cgi?id=151839
+
+ Reviewed by Saam Barati.
+
+ Fix tests to reflect the changes to instanceof in ES6.
+
+ Added a new regression test for bound functions in instanceof
+ as the perfomance on bound functions should, to some degree,
+ reflect the performance on C-API users.
+
+ * js/Object-getOwnPropertyNames-expected.txt:
+ * js/exception-for-nonobject-expected.txt:
+ * js/exception-instanceof-expected.txt:
+ * js/instance-of-immediates-expected.txt:
+ * js/regress/instanceof-bound-expected.txt: Added.
+ * js/regress/instanceof-bound.html: Added.
+ * js/regress/script-tests/instanceof-bound.js: Added.
+ (Constructor):
+ (test):
+ * js/script-tests/Object-getOwnPropertyNames.js:
+
</ins><span class="cx"> 2015-12-11 Ryan Haddad <ryanhaddad@apple.com>
</span><span class="cx">
</span><span class="cx"> Updating mac-wk1 TestExpectations for fast/replaced/replaced-breaking.html to Yosemite+ to fix EWS bot results.
</span></span></pre></div>
<a id="trunkLayoutTestsjsObjectgetOwnPropertyNamesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/js/Object-getOwnPropertyNames-expected.txt 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -61,7 +61,7 @@
</span><span class="cx"> PASS getSortedOwnPropertyNames(Error.prototype) is ['constructor', 'message', 'name', 'toString']
</span><span class="cx"> PASS getSortedOwnPropertyNames(Math) is ['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']
</span><span class="cx"> PASS getSortedOwnPropertyNames(JSON) is ['parse', 'stringify']
</span><del>-PASS getSortedOwnPropertyNames(Symbol) is ['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
</del><ins>+PASS getSortedOwnPropertyNames(Symbol) is ['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']
</ins><span class="cx"> PASS getSortedOwnPropertyNames(Symbol.prototype) is ['constructor', 'toString', 'valueOf']
</span><span class="cx"> PASS globalPropertyNames.indexOf('NaN') != -1 is true
</span><span class="cx"> PASS globalPropertyNames.indexOf('Infinity') != -1 is true
</span></span></pre></div>
<a id="trunkLayoutTestsjsexceptionfornonobjectexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/exception-for-nonobject-expected.txt (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/exception-for-nonobject-expected.txt 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/js/exception-for-nonobject-expected.txt 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -4,7 +4,7 @@
</span><span class="cx">
</span><span class="cx">
</span><span class="cx"> PASS new {}.undefined threw exception TypeError: undefined is not a constructor (evaluating 'new {}.undefined').
</span><del>-PASS 1 instanceof {}.undefined threw exception TypeError: {}.undefined is not a function. (evaluating '1 instanceof {}.undefined').
</del><ins>+PASS 1 instanceof {}.undefined threw exception TypeError: Right hand side of instanceof is not an object.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestsjsexceptioninstanceofexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/exception-instanceof-expected.txt (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/exception-instanceof-expected.txt 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/js/exception-instanceof-expected.txt 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -3,11 +3,11 @@
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span><span class="cx">
</span><span class="cx">
</span><del>-PASS 'instanceof' instanceof 'instanceof' threw exception TypeError: "instanceof" is not a function. (evaluating ''instanceof' instanceof 'instanceof'').
-PASS 20 instanceof 'hello' threw exception TypeError: 'hello' is not a function. (evaluating '20 instanceof 'hello'').
</del><ins>+PASS 'instanceof' instanceof 'instanceof' threw exception TypeError: Right hand side of instanceof is not an object.
+PASS 20 instanceof 'hello' threw exception TypeError: Right hand side of instanceof is not an object.
</ins><span class="cx"> PASS 20 instanceof {} threw exception TypeError: {} is not a function. (evaluating '20 instanceof {}').
</span><del>-PASS 20 instanceof {}.foo threw exception TypeError: {}.foo is not a function. (evaluating '20 instanceof {}.foo').
-PASS 20 instanceof true threw exception TypeError: true is not a function. (evaluating '20 instanceof true').
</del><ins>+PASS 20 instanceof {}.foo threw exception TypeError: Right hand side of instanceof is not an object.
+PASS 20 instanceof true threw exception TypeError: Right hand side of instanceof is not an object.
</ins><span class="cx"> PASS successfullyParsed is true
</span><span class="cx">
</span><span class="cx"> TEST COMPLETE
</span></span></pre></div>
<a id="trunkLayoutTestsjsinstanceofimmediatesexpectedtxt"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/instance-of-immediates-expected.txt (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/instance-of-immediates-expected.txt 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/js/instance-of-immediates-expected.txt 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -3,9 +3,9 @@
</span><span class="cx"> On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
</span><span class="cx">
</span><span class="cx">
</span><del>-PASS (1 instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '1 instanceof 1').
-PASS ({} instanceof 1) threw exception TypeError: 1 is not a function. (evaluating '{} instanceof 1').
-PASS (obj instanceof 1) threw exception TypeError: 1 is not a function. (evaluating 'obj instanceof 1').
</del><ins>+PASS (1 instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
+PASS ({} instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
+PASS (obj instanceof 1) threw exception TypeError: Right hand side of instanceof is not an object.
</ins><span class="cx"> PASS (1 instanceof {}) threw exception TypeError: {} is not a function. (evaluating '1 instanceof {}').
</span><span class="cx"> PASS ({} instanceof {}) threw exception TypeError: {} is not a function. (evaluating '{} instanceof {}').
</span><span class="cx"> PASS (obj instanceof {}) threw exception TypeError: {} is not a function. (evaluating 'obj instanceof {}').
</span></span></pre></div>
<a id="trunkLayoutTestsjsregressinstanceofboundexpectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/instanceof-bound-expected.txt (0 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/instanceof-bound-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress/instanceof-bound-expected.txt 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+JSRegress/instanceof-bound
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressinstanceofboundhtml"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/instanceof-bound.html (0 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/instanceof-bound.html (rev 0)
+++ trunk/LayoutTests/js/regress/instanceof-bound.html 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -0,0 +1,12 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="../../resources/regress-pre.js"></script>
+<script src="script-tests/instanceof-bound.js"></script>
+<script src="../../resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregressscripttestsinstanceofboundjs"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress/script-tests/instanceof-bound.js (0 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress/script-tests/instanceof-bound.js (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/instanceof-bound.js 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -0,0 +1,30 @@
</span><ins>+// This tests that we do not constantly OSR on instanceof where the RHS is a bound function.
+// While this bound functions are unlikely to be passed to instanceof often C-API users use
+// the same method of overriding instanceof expressions.
+
+
+function Constructor(x) {
+ this.x = x;
+}
+
+Constructor.prototype = {}
+
+BoundConstructor = Constructor.bind();
+foo = new Constructor(1);
+bar = new BoundConstructor(1);
+
+i = 0;
+
+function test()
+{
+ if (!(foo instanceof BoundConstructor)) {
+ throw new Error("foo should be an instanceof BoundConstructor");
+ }
+ let j = 0;
+ for (;j < 1000; j++) {}
+ return j;
+}
+noInline(test);
+
+for (i = 0; i < 50000; i++)
+ test();
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsObjectgetOwnPropertyNamesjs"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/LayoutTests/js/script-tests/Object-getOwnPropertyNames.js 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -70,7 +70,7 @@
</span><span class="cx"> "Error.prototype": "['constructor', 'message', 'name', 'toString']",
</span><span class="cx"> "Math": "['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']",
</span><span class="cx"> "JSON": "['parse', 'stringify']",
</span><del>- "Symbol": "['for', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
</del><ins>+ "Symbol": "['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'name', 'prototype', 'toStringTag', 'unscopables']",
</ins><span class="cx"> "Symbol.prototype": "['constructor', 'toString', 'valueOf']"
</span><span class="cx"> };
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreAPIJSCallbackObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/API/JSCallbackObject.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/API/JSCallbackObject.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/API/JSCallbackObject.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -127,7 +127,7 @@
</span><span class="cx">
</span><span class="cx"> public:
</span><span class="cx"> typedef Parent Base;
</span><del>- static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstance | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
</del><ins>+ static const unsigned StructureFlags = Base::StructureFlags | ProhibitsPropertyCaching | OverridesGetOwnPropertySlot | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ImplementsHasInstance | OverridesHasInstanceFlag | OverridesGetPropertyNames | TypeOfShouldCallGetCallData;
</ins><span class="cx">
</span><span class="cx"> ~JSCallbackObject();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1,3 +1,162 @@
</span><ins>+2015-12-11 Keith Miller <keith_miller@apple.com>
+
+ [ES6] Add support for Symbol.hasInstance
+ https://bugs.webkit.org/show_bug.cgi?id=151839
+
+ Reviewed by Saam Barati.
+
+ This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
+ regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
+ when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
+ then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
+ new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
+ a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
+ needs non-default behavior for resolving the expression. i.e. The constructor has a Symbol.hasInstance that differs from the one on
+ Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
+ we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. insntanceof_custom, just
+ emits a call to slow path code that computes the result.
+
+ In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
+ OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
+ it into a CheckTypeInfoFlags followed by a JSConstant.
+
+ * API/JSCallbackObject.h:
+ * builtins/FunctionPrototype.js:
+ (symbolHasInstance):
+ * bytecode/BytecodeBasicBlock.cpp:
+ (JSC::isBranch): Deleted.
+ * bytecode/BytecodeList.json:
+ * bytecode/BytecodeUseDef.h:
+ (JSC::computeUsesForBytecodeOffset):
+ (JSC::computeDefsForBytecodeOffset):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+ * bytecode/ExitKind.cpp:
+ (JSC::exitKindToString):
+ * bytecode/ExitKind.h:
+ * bytecode/PreciseJumpTargets.cpp:
+ (JSC::getJumpTargetsForBytecodeOffset): Deleted.
+ * bytecompiler/BytecodeGenerator.cpp:
+ (JSC::BytecodeGenerator::emitOverridesHasInstance):
+ (JSC::BytecodeGenerator::emitInstanceOfCustom):
+ (JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
+ * bytecompiler/BytecodeGenerator.h:
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::InstanceOfNode::emitBytecode):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGCapabilities.cpp:
+ (JSC::DFG::capabilityLevel):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGHeapLocation.cpp:
+ (WTF::printInternal):
+ * dfg/DFGHeapLocation.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasCellOperand):
+ (JSC::DFG::Node::hasTypeInfoOperand):
+ (JSC::DFG::Node::typeInfoOperand):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
+ (JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::callOperation):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLIntrinsicRepository.h:
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
+ (JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ (JSC::JIT::privateCompileSlowCases):
+ * jit/JIT.h:
+ * jit/JITInlines.h:
+ (JSC::JIT::callOperation):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_overrides_has_instance):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_instanceof_custom):
+ (JSC::JIT::emitSlow_op_instanceof):
+ (JSC::JIT::emitSlow_op_instanceof_custom):
+ (JSC::JIT::emit_op_check_has_instance): Deleted.
+ (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_overrides_has_instance):
+ (JSC::JIT::emit_op_instanceof):
+ (JSC::JIT::emit_op_instanceof_custom):
+ (JSC::JIT::emitSlow_op_instanceof_custom):
+ (JSC::JIT::emit_op_check_has_instance): Deleted.
+ (JSC::JIT::emitSlow_op_check_has_instance): Deleted.
+ * jit/JITOperations.cpp:
+ * jit/JITOperations.h:
+ * llint/LLIntData.cpp:
+ (JSC::LLInt::Data::performAssertions):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ * llint/LLIntSlowPaths.h:
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+ * runtime/CommonIdentifiers.h:
+ * runtime/ExceptionHelpers.cpp:
+ (JSC::invalidParameterInstanceofSourceAppender):
+ (JSC::invalidParameterInstanceofNotFunctionSourceAppender):
+ (JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
+ (JSC::createInvalidInstanceofParameterErrorNotFunction):
+ (JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
+ (JSC::createInvalidInstanceofParameterError): Deleted.
+ * runtime/ExceptionHelpers.h:
+ * runtime/FunctionPrototype.cpp:
+ (JSC::FunctionPrototype::addFunctionProperties):
+ * runtime/FunctionPrototype.h:
+ * runtime/JSBoundFunction.cpp:
+ (JSC::isBoundFunction):
+ (JSC::hasInstanceBoundFunction):
+ * runtime/JSBoundFunction.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::hasInstance):
+ (JSC::objectPrivateFuncInstanceOf):
+ * runtime/JSObject.h:
+ * runtime/JSTypeInfo.h:
+ (JSC::TypeInfo::TypeInfo):
+ (JSC::TypeInfo::overridesHasInstance):
+ * runtime/WriteBarrier.h:
+ (JSC::WriteBarrierBase<Unknown>::slot):
+ * tests/es6.yaml:
+ * tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
+ (Constructor):
+ (value):
+ (instanceOf):
+ (body):
+ * tests/stress/symbol-hasInstance.js: Added.
+ (Constructor):
+ (value):
+ (ObjectClass.Symbol.hasInstance):
+ (NumberClass.Symbol.hasInstance):
+
</ins><span class="cx"> 2015-12-11 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> check-for-inappropriate-objc-class-names should check all class names, not just externally visible ones
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebuiltinsFunctionPrototypejs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/builtins/FunctionPrototype.js 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -36,3 +36,18 @@
</span><span class="cx">
</span><span class="cx"> return this.@apply(thisValue, argumentValues);
</span><span class="cx"> }
</span><ins>+
+// FIXME: this should have a different name: https://bugs.webkit.org/show_bug.cgi?id=151363
+function symbolHasInstance(value)
+{
+ "use strict";
+
+ if (typeof this !== "function")
+ return false;
+
+ if (@isBoundFunction(this))
+ return @hasInstanceBoundFunction(this, value);
+
+ let target = this.prototype;
+ return @instanceOf(value, target);
+}
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeBasicBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeBasicBlock.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -58,7 +58,6 @@
</span><span class="cx"> case op_switch_imm:
</span><span class="cx"> case op_switch_char:
</span><span class="cx"> case op_switch_string:
</span><del>- case op_check_has_instance:
</del><span class="cx"> case op_save:
</span><span class="cx"> return true;
</span><span class="cx"> default:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeListjson"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeList.json (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeList.json 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -45,8 +45,9 @@
</span><span class="cx"> { "name" : "op_bitand", "length" : 5 },
</span><span class="cx"> { "name" : "op_bitxor", "length" : 5 },
</span><span class="cx"> { "name" : "op_bitor", "length" : 5 },
</span><del>- { "name" : "op_check_has_instance", "length" : 5 },
</del><ins>+ { "name" : "op_overrides_has_instance", "length" : 4 },
</ins><span class="cx"> { "name" : "op_instanceof", "length" : 4 },
</span><ins>+ { "name" : "op_instanceof_custom", "length" : 5 },
</ins><span class="cx"> { "name" : "op_typeof", "length" : 3 },
</span><span class="cx"> { "name" : "op_is_undefined", "length" : 3 },
</span><span class="cx"> { "name" : "op_is_boolean", "length" : 3 },
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeUseDefh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -169,7 +169,6 @@
</span><span class="cx"> case op_get_by_val:
</span><span class="cx"> case op_in:
</span><span class="cx"> case op_instanceof:
</span><del>- case op_check_has_instance:
</del><span class="cx"> case op_add:
</span><span class="cx"> case op_mul:
</span><span class="cx"> case op_div:
</span><span class="lines">@@ -195,6 +194,8 @@
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, instruction[3].u.operand);
</span><span class="cx"> return;
</span><span class="cx"> }
</span><ins>+ case op_overrides_has_instance:
+ case op_instanceof_custom:
</ins><span class="cx"> case op_has_structure_property:
</span><span class="cx"> case op_construct_varargs:
</span><span class="cx"> case op_call_varargs:
</span><span class="lines">@@ -350,8 +351,9 @@
</span><span class="cx"> case op_construct:
</span><span class="cx"> case op_get_by_id:
</span><span class="cx"> case op_get_array_length:
</span><del>- case op_check_has_instance:
</del><ins>+ case op_overrides_has_instance:
</ins><span class="cx"> case op_instanceof:
</span><ins>+ case op_instanceof_custom:
</ins><span class="cx"> case op_get_by_val:
</span><span class="cx"> case op_typeof:
</span><span class="cx"> case op_is_undefined:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1013,13 +1013,12 @@
</span><span class="cx"> ++it;
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_check_has_instance: {
</del><ins>+ case op_overrides_has_instance: {
</ins><span class="cx"> int r0 = (++it)->u.operand;
</span><span class="cx"> int r1 = (++it)->u.operand;
</span><span class="cx"> int r2 = (++it)->u.operand;
</span><del>- int offset = (++it)->u.operand;
- printLocationAndOp(out, exec, location, it, "check_has_instance");
- out.printf("%s, %s, %s, %d(->%d)", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), offset, location + offset);
</del><ins>+ printLocationAndOp(out, exec, location, it, "overrides_has_instance");
+ out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx"> case op_instanceof: {
</span><span class="lines">@@ -1030,6 +1029,15 @@
</span><span class="cx"> out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+ case op_instanceof_custom: {
+ int r0 = (++it)->u.operand;
+ int r1 = (++it)->u.operand;
+ int r2 = (++it)->u.operand;
+ int r3 = (++it)->u.operand;
+ printLocationAndOp(out, exec, location, it, "instanceof_custom");
+ out.printf("%s, %s, %s, %s", registerName(r0).data(), registerName(r1).data(), registerName(r2).data(), registerName(r3).data());
+ break;
+ }
</ins><span class="cx"> case op_unsigned: {
</span><span class="cx"> printUnaryOp(out, exec, location, it, "unsigned");
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeExitKindcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/ExitKind.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -50,6 +50,8 @@
</span><span class="cx"> return "BadConstantCache";
</span><span class="cx"> case BadIndexingType:
</span><span class="cx"> return "BadIndexingType";
</span><ins>+ case BadTypeInfoFlags:
+ return "BadTypeInfoFlags";
</ins><span class="cx"> case Overflow:
</span><span class="cx"> return "Overflow";
</span><span class="cx"> case NegativeZero:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeExitKindh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/ExitKind.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/ExitKind.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/ExitKind.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -37,6 +37,7 @@
</span><span class="cx"> BadCache, // We exited because an inline cache was wrong.
</span><span class="cx"> BadConstantCache, // We exited because a cache on a weak constant (usually a prototype) was wrong.
</span><span class="cx"> BadIndexingType, // We exited because an indexing type was wrong.
</span><ins>+ BadTypeInfoFlags, // We exited because we made an incorrect assumption about what TypeInfo flags we would see.
</ins><span class="cx"> Overflow, // We exited because of overflow.
</span><span class="cx"> NegativeZero, // We exited because we encountered negative zero.
</span><span class="cx"> Int52Overflow, // We exited because of an Int52 overflow.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePreciseJumpTargetscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -74,9 +74,6 @@
</span><span class="cx"> out.append(bytecodeOffset + current[2].u.operand);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case op_check_has_instance:
- out.append(bytecodeOffset + current[4].u.operand);
- break;
</del><span class="cx"> case op_loop_hint:
</span><span class="cx"> out.append(bytecodeOffset);
</span><span class="cx"> break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -2099,14 +2099,13 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void BytecodeGenerator::emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target)
</del><ins>+RegisterID* BytecodeGenerator::emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue)
</ins><span class="cx"> {
</span><del>- size_t begin = instructions().size();
- emitOpcode(op_check_has_instance);
</del><ins>+ emitOpcode(op_overrides_has_instance);
</ins><span class="cx"> instructions().append(dst->index());
</span><del>- instructions().append(value->index());
- instructions().append(base->index());
- instructions().append(target->bind(begin, instructions().size()));
</del><ins>+ instructions().append(constructor->index());
+ instructions().append(hasInstanceValue->index());
+ return dst;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // Indicates the least upper bound of resolve type based on local scope. The bytecode linker
</span><span class="lines">@@ -2273,6 +2272,16 @@
</span><span class="cx"> return dst;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+RegisterID* BytecodeGenerator::emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue)
+{
+ emitOpcode(op_instanceof_custom);
+ instructions().append(dst->index());
+ instructions().append(value->index());
+ instructions().append(constructor->index());
+ instructions().append(hasInstanceValue->index());
+ return dst;
+}
+
</ins><span class="cx"> RegisterID* BytecodeGenerator::emitGetById(RegisterID* dst, RegisterID* base, const Identifier& property)
</span><span class="cx"> {
</span><span class="cx"> m_codeBlock->addPropertyAccessInstruction(instructions().size());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerBytecodeGeneratorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -534,8 +534,9 @@
</span><span class="cx"> RegisterID* emitInc(RegisterID* srcDst);
</span><span class="cx"> RegisterID* emitDec(RegisterID* srcDst);
</span><span class="cx">
</span><del>- void emitCheckHasInstance(RegisterID* dst, RegisterID* value, RegisterID* base, Label* target);
</del><ins>+ RegisterID* emitOverridesHasInstance(RegisterID* dst, RegisterID* constructor, RegisterID* hasInstanceValue);
</ins><span class="cx"> RegisterID* emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype);
</span><ins>+ RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
</ins><span class="cx"> RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
</span><span class="cx"> RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base) { return emitBinaryOp(op_in, dst, property, base, OperandTypes()); }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecompilerNodesCodegencpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1659,22 +1659,49 @@
</span><span class="cx">
</span><span class="cx"> RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
</span><span class="cx"> {
</span><del>- RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
- RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
</del><ins>+ RefPtr<RegisterID> hasInstanceValue = generator.newTemporary();
+ RefPtr<RegisterID> isObject = generator.newTemporary();
+ RefPtr<RegisterID> isCustom = generator.newTemporary();
</ins><span class="cx"> RefPtr<RegisterID> prototype = generator.newTemporary();
</span><del>- RefPtr<RegisterID> dstReg = generator.finalDestination(dst, src1.get());
- RefPtr<Label> target = generator.newLabel();
</del><ins>+ RefPtr<RegisterID> value = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
+ RefPtr<RegisterID> constructor = generator.emitNode(m_expr2);
+ RefPtr<RegisterID> dstReg = generator.finalDestination(dst, value.get());
+ RefPtr<Label> custom = generator.newLabel();
+ RefPtr<Label> done = generator.newLabel();
+ RefPtr<Label> typeError = generator.newLabel();
</ins><span class="cx">
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><del>- generator.emitCheckHasInstance(dstReg.get(), src1.get(), src2.get(), target.get());
</del><ins>+ generator.emitIsObject(isObject.get(), constructor.get());
+ generator.emitJumpIfFalse(isObject.get(), typeError.get());
</ins><span class="cx">
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><del>- generator.emitGetById(prototype.get(), src2.get(), generator.vm()->propertyNames->prototype);
</del><ins>+ generator.emitGetById(hasInstanceValue.get(), constructor.get(), generator.vm()->propertyNames->hasInstanceSymbol);
</ins><span class="cx">
</span><span class="cx"> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
</span><del>- RegisterID* result = generator.emitInstanceOf(dstReg.get(), src1.get(), prototype.get());
- generator.emitLabel(target.get());
- return result;
</del><ins>+ generator.emitOverridesHasInstance(isCustom.get(), constructor.get(), hasInstanceValue.get());
+
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+ generator.emitJumpIfTrue(isCustom.get(), custom.get());
+
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+ generator.emitGetById(prototype.get(), constructor.get(), generator.vm()->propertyNames->prototype);
+
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+ generator.emitInstanceOf(dstReg.get(), value.get(), prototype.get());
+
+ generator.emitJump(done.get());
+
+ generator.emitLabel(typeError.get());
+ generator.emitThrowTypeError("Right hand side of instanceof is not an object");
+
+ generator.emitLabel(custom.get());
+
+ generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
+ generator.emitInstanceOfCustom(dstReg.get(), value.get(), constructor.get(), hasInstanceValue.get());
+
+ generator.emitLabel(done.get());
+
+ return dstReg.get();
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> // ------------------------------ LogicalOpNode ----------------------------
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -2448,14 +2448,19 @@
</span><span class="cx"> case NotifyWrite:
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case CheckHasInstance:
- // Sadly, we don't propagate the fact that we've done CheckHasInstance
</del><ins>+ case OverridesHasInstance:
+ forNode(node).setType(SpecBoolean);
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case InstanceOf:
</span><del>- // Again, sadly, we don't propagate the fact that we've done InstanceOf
</del><ins>+ // Sadly, we don't propagate the fact that we've done InstanceOf
</ins><span class="cx"> forNode(node).setType(SpecBoolean);
</span><span class="cx"> break;
</span><ins>+
+ case InstanceOfCustom:
+ clobberWorld(node->origin.semantic, clobberLimit);
+ forNode(node).setType(SpecBoolean);
+ break;
</ins><span class="cx">
</span><span class="cx"> case Phi:
</span><span class="cx"> RELEASE_ASSERT(m_graph.m_form == SSA);
</span><span class="lines">@@ -2510,6 +2515,7 @@
</span><span class="cx"> case CountExecution:
</span><span class="cx"> case CheckTierUpInLoop:
</span><span class="cx"> case CheckTierUpAtReturn:
</span><ins>+ case CheckTypeInfoFlags:
</ins><span class="cx"> break;
</span><span class="cx">
</span><span class="cx"> case CopyRest:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -3497,17 +3497,31 @@
</span><span class="cx"> NEXT_OPCODE(op_check_tdz);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case op_check_has_instance:
- addToGraph(CheckHasInstance, get(VirtualRegister(currentInstruction[3].u.operand)));
- NEXT_OPCODE(op_check_has_instance);
</del><ins>+ case op_overrides_has_instance: {
+ JSFunction* defaultHasInstanceSymbolFunction = m_inlineStackTop->m_codeBlock->globalObjectFor(currentCodeOrigin())->functionProtoHasInstanceSymbolFunction();
</ins><span class="cx">
</span><ins>+ Node* constructor = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* hasInstanceValue = get(VirtualRegister(currentInstruction[3].u.operand));
+
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
+ NEXT_OPCODE(op_overrides_has_instance);
+ }
+
</ins><span class="cx"> case op_instanceof: {
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
</span><span class="cx"> Node* prototype = get(VirtualRegister(currentInstruction[3].u.operand));
</span><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOf, value, prototype));
</span><span class="cx"> NEXT_OPCODE(op_instanceof);
</span><span class="cx"> }
</span><del>-
</del><ins>+
+ case op_instanceof_custom: {
+ Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* constructor = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* hasInstanceValue = get(VirtualRegister(currentInstruction[4].u.operand));
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOfCustom, value, constructor, hasInstanceValue));
+ NEXT_OPCODE(op_instanceof_custom);
+ }
+
</ins><span class="cx"> case op_is_undefined: {
</span><span class="cx"> Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
</span><span class="cx"> set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsUndefined, value));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGCapabilities.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -128,8 +128,9 @@
</span><span class="cx"> case op_profile_type:
</span><span class="cx"> case op_profile_control_flow:
</span><span class="cx"> case op_mov:
</span><del>- case op_check_has_instance:
</del><ins>+ case op_overrides_has_instance:
</ins><span class="cx"> case op_instanceof:
</span><ins>+ case op_instanceof_custom:
</ins><span class="cx"> case op_is_undefined:
</span><span class="cx"> case op_is_boolean:
</span><span class="cx"> case op_is_number:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -727,16 +727,26 @@
</span><span class="cx"> read(JSCell_structureID);
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- case CheckHasInstance:
</del><ins>+ case CheckTypeInfoFlags:
</ins><span class="cx"> read(JSCell_typeInfoFlags);
</span><del>- def(HeapLocation(CheckHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
</del><ins>+ def(HeapLocation(CheckTypeInfoFlagsLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
</ins><span class="cx"> return;
</span><span class="cx">
</span><ins>+ case OverridesHasInstance:
+ read(JSCell_typeInfoFlags);
+ def(HeapLocation(OverridesHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
+ return;
+
</ins><span class="cx"> case InstanceOf:
</span><span class="cx"> read(JSCell_structureID);
</span><span class="cx"> def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
</span><span class="cx"> return;
</span><span class="cx">
</span><ins>+ case InstanceOfCustom:
+ read(World);
+ write(Heap);
+ return;
+
</ins><span class="cx"> case PutStructure:
</span><span class="cx"> write(JSCell_structureID);
</span><span class="cx"> write(JSCell_typeInfoType);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -141,8 +141,9 @@
</span><span class="cx"> case ProfileDidCall:
</span><span class="cx"> case ProfileType:
</span><span class="cx"> case ProfileControlFlow:
</span><del>- case CheckHasInstance:
</del><ins>+ case OverridesHasInstance:
</ins><span class="cx"> case InstanceOf:
</span><ins>+ case InstanceOfCustom:
</ins><span class="cx"> case IsUndefined:
</span><span class="cx"> case IsBoolean:
</span><span class="cx"> case IsNumber:
</span><span class="lines">@@ -180,6 +181,7 @@
</span><span class="cx"> case CheckInBounds:
</span><span class="cx"> case ConstantStoragePointer:
</span><span class="cx"> case Check:
</span><ins>+ case CheckTypeInfoFlags:
</ins><span class="cx"> case MultiGetByOffset:
</span><span class="cx"> case ValueRep:
</span><span class="cx"> case DoubleRep:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1100,10 +1100,29 @@
</span><span class="cx"> fixEdge<FunctionUse>(node->child1());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ case OverridesHasInstance: {
+ if (node->child2().node()->isCellConstant()) {
+ if (node->child2().node()->asCell() != m_graph.globalObjectFor(node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
+
+ m_graph.convertToConstant(node, jsBoolean(true));
+ break;
+ }
+
+ if (!m_graph.hasExitSite(node->origin.semantic, BadTypeInfoFlags)) {
+ // Here we optimistically assume that we will not see an bound/C-API function here.
+ m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckTypeInfoFlags, node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(node->child1().node(), CellUse));
+ m_graph.convertToConstant(node, jsBoolean(false));
+ break;
+ }
+ }
+
+ fixEdge<CellUse>(node->child1());
+ break;
+ }
</ins><span class="cx">
</span><span class="cx"> case CheckStructure:
</span><span class="cx"> case CheckCell:
</span><del>- case CheckHasInstance:
</del><span class="cx"> case CreateThis:
</span><span class="cx"> case GetButterfly:
</span><span class="cx"> case GetButterflyReadOnly: {
</span><span class="lines">@@ -1164,7 +1183,11 @@
</span><span class="cx"> fixEdge<CellUse>(node->child2());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>-
</del><ins>+
+ case InstanceOfCustom:
+ fixEdge<CellUse>(node->child2());
+ break;
+
</ins><span class="cx"> case In: {
</span><span class="cx"> // FIXME: We should at some point have array profiling on op_in, in which
</span><span class="cx"> // case we would be able to turn this into a kind of GetByVal.
</span><span class="lines">@@ -1410,6 +1433,7 @@
</span><span class="cx"> case NotifyWrite:
</span><span class="cx"> case VarInjectionWatchpoint:
</span><span class="cx"> case Call:
</span><ins>+ case CheckTypeInfoFlags:
</ins><span class="cx"> case TailCallInlinedCaller:
</span><span class="cx"> case Construct:
</span><span class="cx"> case CallVarargs:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -95,10 +95,14 @@
</span><span class="cx"> case ButterflyReadOnlyLoc:
</span><span class="cx"> out.print("ButterflyReadOnlyLoc");
</span><span class="cx"> return;
</span><del>-
- case CheckHasInstanceLoc:
- out.print("CheckHasInstanceLoc");
</del><ins>+
+ case CheckTypeInfoFlagsLoc:
+ out.print("CheckTypeInfoFlagsLoc");
</ins><span class="cx"> return;
</span><ins>+
+ case OverridesHasInstanceLoc:
+ out.print("OverridesHasInstanceLoc");
+ return;
</ins><span class="cx">
</span><span class="cx"> case ClosureVariableLoc:
</span><span class="cx"> out.print("ClosureVariableLoc");
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGHeapLocationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGHeapLocation.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -40,7 +40,8 @@
</span><span class="cx"> ArrayLengthLoc,
</span><span class="cx"> ButterflyLoc,
</span><span class="cx"> ButterflyReadOnlyLoc,
</span><del>- CheckHasInstanceLoc,
</del><ins>+ CheckTypeInfoFlagsLoc,
+ OverridesHasInstanceLoc,
</ins><span class="cx"> ClosureVariableLoc,
</span><span class="cx"> DirectArgumentsLoc,
</span><span class="cx"> GetterLoc,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1354,6 +1354,7 @@
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span><span class="cx"> case CheckCell:
</span><ins>+ case OverridesHasInstance:
</ins><span class="cx"> case NewFunction:
</span><span class="cx"> case NewArrowFunction:
</span><span class="cx"> case CreateActivation:
</span><span class="lines">@@ -1415,6 +1416,17 @@
</span><span class="cx"> return reinterpret_cast<UniquedStringImpl*>(m_opInfo);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool hasTypeInfoOperand()
+ {
+ return op() == CheckTypeInfoFlags;
+ }
+
+ unsigned typeInfoOperand()
+ {
+ ASSERT(hasTypeInfoOperand() && m_opInfo <= UCHAR_MAX);
+ return static_cast<unsigned>(m_opInfo);
+ }
+
</ins><span class="cx"> bool hasTransition()
</span><span class="cx"> {
</span><span class="cx"> switch (op()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -221,6 +221,7 @@
</span><span class="cx"> macro(CheckBadCell, NodeMustGenerate) \
</span><span class="cx"> macro(CheckInBounds, NodeMustGenerate) \
</span><span class="cx"> macro(CheckIdent, NodeMustGenerate) \
</span><ins>+ macro(CheckTypeInfoFlags, NodeMustGenerate) /* Takes an OpInfo with the flags you want to test are set */\
</ins><span class="cx"> \
</span><span class="cx"> /* Optimizations for array mutation. */\
</span><span class="cx"> macro(ArrayPush, NodeResultJS | NodeMustGenerate) \
</span><span class="lines">@@ -278,8 +279,9 @@
</span><span class="cx"> macro(Breakpoint, NodeMustGenerate) \
</span><span class="cx"> macro(ProfileWillCall, NodeMustGenerate) \
</span><span class="cx"> macro(ProfileDidCall, NodeMustGenerate) \
</span><del>- macro(CheckHasInstance, NodeMustGenerate) \
</del><ins>+ macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
</ins><span class="cx"> macro(InstanceOf, NodeResultBoolean) \
</span><ins>+ macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
</ins><span class="cx"> macro(IsUndefined, NodeResultBoolean) \
</span><span class="cx"> macro(IsBoolean, NodeResultBoolean) \
</span><span class="cx"> macro(IsNumber, NodeResultBoolean) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -402,7 +402,9 @@
</span><span class="cx"> case CompareGreaterEq:
</span><span class="cx"> case CompareEq:
</span><span class="cx"> case CompareStrictEq:
</span><ins>+ case OverridesHasInstance:
</ins><span class="cx"> case InstanceOf:
</span><ins>+ case InstanceOfCustom:
</ins><span class="cx"> case IsUndefined:
</span><span class="cx"> case IsBoolean:
</span><span class="cx"> case IsNumber:
</span><span class="lines">@@ -569,6 +571,7 @@
</span><span class="cx"> case DoubleAsInt32:
</span><span class="cx"> case GetLocalUnlinked:
</span><span class="cx"> case CheckArray:
</span><ins>+ case CheckTypeInfoFlags:
</ins><span class="cx"> case Arrayify:
</span><span class="cx"> case ArrayifyToStructure:
</span><span class="cx"> case CheckTierUpInLoop:
</span><span class="lines">@@ -680,7 +683,6 @@
</span><span class="cx"> case ProfileDidCall:
</span><span class="cx"> case ProfileType:
</span><span class="cx"> case ProfileControlFlow:
</span><del>- case CheckHasInstance:
</del><span class="cx"> case ThrowReferenceError:
</span><span class="cx"> case ForceOSRExit:
</span><span class="cx"> case SetArgument:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -241,8 +241,10 @@
</span><span class="cx"> case ProfileDidCall:
</span><span class="cx"> case ProfileType:
</span><span class="cx"> case ProfileControlFlow:
</span><del>- case CheckHasInstance:
</del><ins>+ case CheckTypeInfoFlags:
+ case OverridesHasInstance:
</ins><span class="cx"> case InstanceOf:
</span><ins>+ case InstanceOfCustom:
</ins><span class="cx"> case IsUndefined:
</span><span class="cx"> case IsBoolean:
</span><span class="cx"> case IsNumber:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -2738,6 +2738,17 @@
</span><span class="cx"> putResult.link(&m_jit);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::compileCheckTypeInfoFlags(Node* node)
+{
+ SpeculateCellOperand base(this, node->child1());
+
+ GPRReg baseGPR = base.gpr();
+
+ speculationCheck(BadTypeInfoFlags, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(node->typeInfoOperand())));
+
+ noResult(node);
+}
+
</ins><span class="cx"> void SpeculativeJIT::compileInstanceOf(Node* node)
</span><span class="cx"> {
</span><span class="cx"> if (node->child1().useKind() == UntypedUse) {
</span><span class="lines">@@ -2950,6 +2961,28 @@
</span><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void SpeculativeJIT::compileInstanceOfCustom(Node* node)
+{
+ // We could do something smarter here but this case is currently super rare and unless
+ // Symbol.hasInstance becomes popular will likely remain that way.
+
+ JSValueOperand value(this, node->child1());
+ SpeculateCellOperand constructor(this, node->child2());
+ JSValueOperand hasInstanceValue(this, node->child3());
+ GPRTemporary result(this);
+
+ JSValueRegs valueRegs = value.jsValueRegs();
+ GPRReg constructorGPR = constructor.gpr();
+ JSValueRegs hasInstanceRegs = hasInstanceValue.jsValueRegs();
+ GPRReg resultGPR = result.gpr();
+
+ MacroAssembler::Jump slowCase = m_jit.jump();
+
+ addSlowPathGenerator(slowPathCall(slowCase, this, operationInstanceOfCustom, resultGPR, valueRegs, constructorGPR, hasInstanceRegs));
+
+ unblessedBooleanResult(resultGPR, node);
+}
+
</ins><span class="cx"> void SpeculativeJIT::compileArithAdd(Node* node)
</span><span class="cx"> {
</span><span class="cx"> switch (node->binaryUseKind()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -727,6 +727,7 @@
</span><span class="cx">
</span><span class="cx"> void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg, GPRReg scratch2Reg);
</span><span class="cx"> void compileInstanceOf(Node*);
</span><ins>+ void compileInstanceOfCustom(Node*);
</ins><span class="cx">
</span><span class="cx"> void emitCall(Node*);
</span><span class="cx">
</span><span class="lines">@@ -1511,6 +1512,17 @@
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImm32(arg3), arg4);
</span><span class="cx"> return appendCallSetResult(operation, result);
</span><span class="cx"> }
</span><ins>+
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+ {
+ return callOperation(operation, result, arg1.payloadGPR(), arg2, arg3.payloadGPR());
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(Z_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, unsigned arg2)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(arg1, TrustedImm32(arg2));
</span><span class="lines">@@ -1832,6 +1844,16 @@
</span><span class="cx"> return appendCall(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+ return appendCallSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+ {
+ return callOperation(operation, result, arg1.tagGPR(), arg1.payloadGPR(), arg2, arg3.tagGPR(), arg3.payloadGPR());
+ }
+
</ins><span class="cx"> JITCompiler::Call callOperation(Z_JITOperation_EJZZ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, unsigned arg2, unsigned arg3)
</span><span class="cx"> {
</span><span class="cx"> m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, TrustedImm32(arg2), TrustedImm32(arg3));
</span><span class="lines">@@ -2204,6 +2226,7 @@
</span><span class="cx">
</span><span class="cx"> void compileGetArrayLength(Node*);
</span><span class="cx">
</span><ins>+ void compileCheckTypeInfoFlags(Node*);
</ins><span class="cx"> void compileCheckIdent(Node*);
</span><span class="cx">
</span><span class="cx"> void compileValueRep(Node*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -4159,17 +4159,48 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case CheckHasInstance: {
</del><ins>+ case CheckTypeInfoFlags: {
+ compileCheckTypeInfoFlags(node);
+ break;
+ }
+
+ case OverridesHasInstance: {
+
+ Node* hasInstanceValueNode = node->child2().node();
+ JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+ MacroAssembler::Jump notDefaulthasInstanceValue;
+ MacroAssembler::Jump hasInstanceValueNotCell;
</ins><span class="cx"> SpeculateCellOperand base(this, node->child1());
</span><del>- GPRTemporary structure(this);
</del><ins>+ JSValueOperand hasInstanceValue(this, node->child2());
+ GPRTemporary result(this);
</ins><span class="cx">
</span><del>- // Speculate that base 'ImplementsDefaultHasInstance'.
- speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
- MacroAssembler::Zero,
- MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
- MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+ GPRReg resultGPR = result.gpr();
</ins><span class="cx">
</span><del>- noResult(node);
</del><ins>+ // If we have proven that the constructor's Symbol.hasInstance will always be the one on
+ // Function.prototype[Symbol.hasInstance] then we don't need a runtime check here. We don't worry
+ // about the case where the constructor's Symbol.hasInstance is a constant but is not the default
+ // one as fixup should have converted this check to true.
+ ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+ if (!hasInstanceValueNode->isCellConstant()) {
+
+ JSValueRegs hasInstanceValueRegs = hasInstanceValue.jsValueRegs();
+ hasInstanceValueNotCell = m_jit.branchIfNotCell(hasInstanceValueRegs);
+ notDefaulthasInstanceValue = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueRegs.payloadGPR(), TrustedImmPtr(defaultHasInstanceFunction));
+ }
+
+ // Check that constructor 'ImplementsDefaultHasInstance'.
+ m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ if (!hasInstanceValueNode->isCellConstant()) {
+ hasInstanceValueNotCell.link(&m_jit);
+ notDefaulthasInstanceValue.link(&m_jit);
+ moveTrueTo(resultGPR);
+ }
+
+ done.link(&m_jit);
+ booleanResult(resultGPR, node);
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -4178,6 +4209,11 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case InstanceOfCustom: {
+ compileInstanceOfCustom(node);
+ break;
+ }
+
</ins><span class="cx"> case IsUndefined: {
</span><span class="cx"> JSValueOperand value(this, node->child1());
</span><span class="cx"> GPRTemporary result(this);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -4149,17 +4149,42 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case CheckHasInstance: {
</del><ins>+ case CheckTypeInfoFlags: {
+ compileCheckTypeInfoFlags(node);
+ break;
+ }
+
+ case OverridesHasInstance: {
+
+ Node* hasInstanceValueNode = node->child2().node();
+ JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+ MacroAssembler::Jump notDefault;
</ins><span class="cx"> SpeculateCellOperand base(this, node->child1());
</span><del>- GPRTemporary structure(this);
</del><ins>+ JSValueOperand hasInstanceValue(this, node->child2());
+ GPRTemporary result(this);
</ins><span class="cx">
</span><del>- // Speculate that base 'ImplementsDefaultHasInstance'.
- speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
- MacroAssembler::Zero,
- MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
- MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+ GPRReg resultGPR = result.gpr();
</ins><span class="cx">
</span><del>- noResult(node);
</del><ins>+ // If we have proven that the constructor's Symbol.hasInstance will always be the one on Function.prototype[Symbol.hasInstance]
+ // then we don't need a runtime check here. We don't worry about the case where the constructor's Symbol.hasInstance is a constant
+ // but is not the default one as fixup should have converted this check to true.
+ ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+ if (!hasInstanceValueNode->isCellConstant())
+ notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
+
+ // Check that base 'ImplementsDefaultHasInstance'.
+ m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+ m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ if (notDefault.isSet()) {
+ notDefault.link(&m_jit);
+ moveTrueTo(resultGPR);
+ }
+
+ done.link(&m_jit);
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
</ins><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -4167,6 +4192,11 @@
</span><span class="cx"> compileInstanceOf(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span><ins>+
+ case InstanceOfCustom: {
+ compileInstanceOfCustom(node);
+ break;
+ }
</ins><span class="cx">
</span><span class="cx"> case IsUndefined: {
</span><span class="cx"> JSValueOperand value(this, node->child1());
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -174,8 +174,10 @@
</span><span class="cx"> case IsObject:
</span><span class="cx"> case IsObjectOrNull:
</span><span class="cx"> case IsFunction:
</span><del>- case CheckHasInstance:
</del><ins>+ case CheckTypeInfoFlags:
+ case OverridesHasInstance:
</ins><span class="cx"> case InstanceOf:
</span><ins>+ case InstanceOfCustom:
</ins><span class="cx"> case DoubleRep:
</span><span class="cx"> case ValueRep:
</span><span class="cx"> case Int52Rep:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLIntrinsicRepositoryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -128,6 +128,7 @@
</span><span class="cx"> macro(Z_JITOperation_D, functionType(int32, doubleType)) \
</span><span class="cx"> macro(Z_JITOperation_EC, functionType(int32, intPtr, intPtr)) \
</span><span class="cx"> macro(Z_JITOperation_EGC, functionType(int32, intPtr, intPtr, intPtr)) \
</span><ins>+ macro(Z_JITOperation_EJOJ, functionType(int32, intPtr, int64, intPtr, int64)) \
</ins><span class="cx"> macro(Z_JITOperation_EJZ, functionType(int32, intPtr, int64, int32)) \
</span><span class="cx"> macro(Z_JITOperation_ESJss, functionType(int32, intPtr, intPtr, int64)) \
</span><span class="cx"> macro(V_JITOperation_ECRUiUi, functionType(voidType, intPtr, intPtr, intPtr, int32, int32))
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -941,12 +941,18 @@
</span><span class="cx"> case TypeOf:
</span><span class="cx"> compileTypeOf();
</span><span class="cx"> break;
</span><del>- case CheckHasInstance:
- compileCheckHasInstance();
</del><ins>+ case CheckTypeInfoFlags:
+ compileCheckTypeInfoFlags();
</ins><span class="cx"> break;
</span><ins>+ case OverridesHasInstance:
+ compileOverridesHasInstance();
+ break;
</ins><span class="cx"> case InstanceOf:
</span><span class="cx"> compileInstanceOf();
</span><span class="cx"> break;
</span><ins>+ case InstanceOfCustom:
+ compileInstanceOfCustom();
+ break;
</ins><span class="cx"> case CountExecution:
</span><span class="cx"> compileCountExecution();
</span><span class="cx"> break;
</span><span class="lines">@@ -5715,13 +5721,40 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void compileCheckHasInstance()
</del><ins>+ void compileOverridesHasInstance()
</ins><span class="cx"> {
</span><ins>+ JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(m_node->cellOperand()->value());
+
+ LValue constructor = lowCell(m_node->child1());
+ LValue hasInstance = lowJSValue(m_node->child2());
+
+ LBasicBlock defaultHasInstance = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance Symbol.hasInstance is default"));
+ LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("OverridesHasInstance continuation"));
+
+ // Unlike in the DFG, we don't worry about cleaning this code up for the case where we have proven the hasInstanceValue is a constant as LLVM should fix it for us.
+
+ ASSERT(!m_node->child2().node()->isCellConstant() || defaultHasInstanceFunction == m_node->child2().node()->asCell());
+
+ ValueFromBlock notDefaultHasInstanceResult = m_out.anchor(m_out.booleanTrue);
+ m_out.branch(m_out.notEqual(hasInstance, m_out.constIntPtr(defaultHasInstanceFunction)), unsure(continuation), unsure(defaultHasInstance));
+
+ LBasicBlock lastNext = m_out.appendTo(defaultHasInstance, continuation);
+ ValueFromBlock implementsDefaultHasInstanceResult = m_out.anchor(m_out.testIsZero32(
+ m_out.load8ZeroExt32(constructor, m_heaps.JSCell_typeInfoFlags),
+ m_out.constInt32(ImplementsDefaultHasInstance)));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ setBoolean(m_out.phi(m_out.boolean, implementsDefaultHasInstanceResult, notDefaultHasInstanceResult));
+ }
+
+ void compileCheckTypeInfoFlags()
+ {
</ins><span class="cx"> speculate(
</span><del>- Uncountable, noValue(), 0,
</del><ins>+ BadTypeInfoFlags, noValue(), 0,
</ins><span class="cx"> m_out.testIsZero32(
</span><span class="cx"> m_out.load8ZeroExt32(lowCell(m_node->child1()), m_heaps.JSCell_typeInfoFlags),
</span><del>- m_out.constInt32(ImplementsDefaultHasInstance)));
</del><ins>+ m_out.constInt32(m_node->typeInfoOperand())));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void compileInstanceOf()
</span><span class="lines">@@ -5774,6 +5807,15 @@
</span><span class="cx"> setBoolean(
</span><span class="cx"> m_out.phi(m_out.boolean, notCellResult, isInstanceResult, notInstanceResult));
</span><span class="cx"> }
</span><ins>+
+ void compileInstanceOfCustom()
+ {
+ LValue value = lowJSValue(m_node->child1());
+ LValue constructor = lowCell(m_node->child2());
+ LValue hasInstance = lowJSValue(m_node->child3());
+
+ setBoolean(m_out.bitNot(m_out.equal(m_out.constInt32(0), vmCall(m_out.int32, m_out.operation(operationInstanceOfCustom), m_callFrame, value, constructor, hasInstance))));
+ }
</ins><span class="cx">
</span><span class="cx"> void compileCountExecution()
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -228,8 +228,9 @@
</span><span class="cx"> case op_get_array_length:
</span><span class="cx"> DEFINE_OP(op_get_by_id)
</span><span class="cx"> DEFINE_OP(op_get_by_val)
</span><del>- DEFINE_OP(op_check_has_instance)
</del><ins>+ DEFINE_OP(op_overrides_has_instance)
</ins><span class="cx"> DEFINE_OP(op_instanceof)
</span><ins>+ DEFINE_OP(op_instanceof_custom)
</ins><span class="cx"> DEFINE_OP(op_is_undefined)
</span><span class="cx"> DEFINE_OP(op_is_boolean)
</span><span class="cx"> DEFINE_OP(op_is_number)
</span><span class="lines">@@ -399,8 +400,8 @@
</span><span class="cx"> case op_get_array_length:
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_by_id)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_get_by_val)
</span><del>- DEFINE_SLOWCASE_OP(op_check_has_instance)
</del><span class="cx"> DEFINE_SLOWCASE_OP(op_instanceof)
</span><ins>+ DEFINE_SLOWCASE_OP(op_instanceof_custom)
</ins><span class="cx"> DEFINE_SLOWCASE_OP(op_jfalse)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_jless)
</span><span class="cx"> DEFINE_SLOWCASE_OP(op_jlesseq)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JIT.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -509,8 +509,9 @@
</span><span class="cx"> void emit_op_get_by_val(Instruction*);
</span><span class="cx"> void emit_op_get_argument_by_val(Instruction*);
</span><span class="cx"> void emit_op_init_lazy_reg(Instruction*);
</span><del>- void emit_op_check_has_instance(Instruction*);
</del><ins>+ void emit_op_overrides_has_instance(Instruction*);
</ins><span class="cx"> void emit_op_instanceof(Instruction*);
</span><ins>+ void emit_op_instanceof_custom(Instruction*);
</ins><span class="cx"> void emit_op_is_undefined(Instruction*);
</span><span class="cx"> void emit_op_is_boolean(Instruction*);
</span><span class="cx"> void emit_op_is_number(Instruction*);
</span><span class="lines">@@ -616,8 +617,8 @@
</span><span class="cx"> void emitSlow_op_get_arguments_length(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><del>- void emitSlow_op_check_has_instance(Instruction*, Vector<SlowCaseEntry>::iterator&);
</del><span class="cx"> void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><ins>+ void emitSlow_op_instanceof_custom(Instruction*, Vector<SlowCaseEntry>::iterator&);
</ins><span class="cx"> void emitSlow_op_jfalse(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_jless(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="cx"> void emitSlow_op_jlesseq(Instruction*, Vector<SlowCaseEntry>::iterator&);
</span><span class="lines">@@ -744,6 +745,7 @@
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, ArrayProfile*);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, ByValInfo*);
</span><ins>+ MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg);
</ins><span class="cx"> MacroAssembler::Call callOperation(C_JITOperation_EJsc, GPRReg);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJscC, int, GPRReg, JSCell*);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJscCJ, int, GPRReg, JSCell*, GPRReg);
</span><span class="lines">@@ -811,6 +813,7 @@
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJ, int, GPRReg, GPRReg);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJIdc, int, GPRReg, GPRReg, const Identifier*);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJ, int, GPRReg, GPRReg, GPRReg, GPRReg);
</span><ins>+ MacroAssembler::Call callOperation(Z_JITOperation_EJOJ, GPRReg, GPRReg, GPRReg, GPRReg, GPRReg);
</ins><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJAp, int, GPRReg, GPRReg, GPRReg, GPRReg, ArrayProfile*);
</span><span class="cx"> MacroAssembler::Call callOperation(J_JITOperation_EJJBy, int, GPRReg, GPRReg, GPRReg, GPRReg, ByValInfo*);
</span><span class="cx"> MacroAssembler::Call callOperation(P_JITOperation_EJS, GPRReg, GPRReg, size_t);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITInlines.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITInlines.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JITInlines.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -503,6 +503,12 @@
</span><span class="cx"> return appendCallWithExceptionCheckSetJSValueResult(operation, dst);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+{
+ setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallWithExceptionCheck(operation);
+}
+
</ins><span class="cx"> ALWAYS_INLINE MacroAssembler::Call JIT::callOperationNoExceptionCheck(V_JITOperation_EJ operation, GPRReg arg1)
</span><span class="cx"> {
</span><span class="cx"> setupArgumentsWithExecState(arg1);
</span><span class="lines">@@ -596,6 +602,12 @@
</span><span class="cx"> return appendCall(operation);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJOJ operation, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
+{
+ setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+ return appendCallWithExceptionCheck(operation);
+}
+
</ins><span class="cx"> ALWAYS_INLINE MacroAssembler::Call JIT::callOperation(Z_JITOperation_EJZZ operation, GPRReg arg1Tag, GPRReg arg1Payload, int32_t arg2, int32_t arg3)
</span><span class="cx"> {
</span><span class="cx"> setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, TrustedImm32(arg2), TrustedImm32(arg3));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -105,17 +105,29 @@
</span><span class="cx"> emitStoreCell(dst, returnValueGPR);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
</del><ins>+void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
</ins><span class="cx"> {
</span><del>- int baseVal = currentInstruction[3].u.operand;
</del><ins>+ int dst = currentInstruction[1].u.operand;
+ int constructor = currentInstruction[2].u.operand;
+ int hasInstanceValue = currentInstruction[3].u.operand;
</ins><span class="cx">
</span><del>- emitGetVirtualRegister(baseVal, regT0);
</del><ins>+ emitGetVirtualRegister(hasInstanceValue, regT0);
</ins><span class="cx">
</span><del>- // Check that baseVal is a cell.
- emitJumpSlowCaseIfNotJSCell(regT0, baseVal);
</del><ins>+ // We don't jump if we know what Symbol.hasInstance would do.
+ Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
</ins><span class="cx">
</span><del>- // Check that baseVal 'ImplementsHasInstance'.
- addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+ emitGetVirtualRegister(constructor, regT0);
+
+ // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
+ test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
+ emitTagBool(regT0);
+ Jump done = jump();
+
+ customhasInstanceValue.link(this);
+ move(TrustedImm32(ValueTrue), regT0);
+
+ done.link(this);
+ emitPutVirtualRegister(dst);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emit_op_instanceof(Instruction* currentInstruction)
</span><span class="lines">@@ -129,7 +141,7 @@
</span><span class="cx"> emitGetVirtualRegister(value, regT2);
</span><span class="cx"> emitGetVirtualRegister(proto, regT1);
</span><span class="cx">
</span><del>- // Check that proto are cells. baseVal must be a cell - this is checked by op_check_has_instance.
</del><ins>+ // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
</ins><span class="cx"> emitJumpSlowCaseIfNotJSCell(regT2, value);
</span><span class="cx"> emitJumpSlowCaseIfNotJSCell(regT1, proto);
</span><span class="cx">
</span><span class="lines">@@ -157,6 +169,12 @@
</span><span class="cx"> emitPutVirtualRegister(dst);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void JIT::emit_op_instanceof_custom(Instruction*)
+{
+ // This always goes to slow path since we expect it to be rare.
+ addSlowCase(jump());
+}
+
</ins><span class="cx"> void JIT::emit_op_is_undefined(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> int dst = currentInstruction[1].u.operand;
</span><span class="lines">@@ -829,33 +847,34 @@
</span><span class="cx"> slowPathCall.call();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</del><ins>+void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</ins><span class="cx"> {
</span><span class="cx"> int dst = currentInstruction[1].u.operand;
</span><span class="cx"> int value = currentInstruction[2].u.operand;
</span><del>- int baseVal = currentInstruction[3].u.operand;
</del><ins>+ int proto = currentInstruction[3].u.operand;
</ins><span class="cx">
</span><del>- linkSlowCaseIfNotJSCell(iter, baseVal);
</del><ins>+ linkSlowCaseIfNotJSCell(iter, value);
+ linkSlowCaseIfNotJSCell(iter, proto);
</ins><span class="cx"> linkSlowCase(iter);
</span><span class="cx"> emitGetVirtualRegister(value, regT0);
</span><del>- emitGetVirtualRegister(baseVal, regT1);
- callOperation(operationCheckHasInstance, dst, regT0, regT1);
-
- emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
</del><ins>+ emitGetVirtualRegister(proto, regT1);
+ callOperation(operationInstanceOf, dst, regT0, regT1);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</del><ins>+void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</ins><span class="cx"> {
</span><span class="cx"> int dst = currentInstruction[1].u.operand;
</span><span class="cx"> int value = currentInstruction[2].u.operand;
</span><del>- int proto = currentInstruction[3].u.operand;
</del><ins>+ int constructor = currentInstruction[3].u.operand;
+ int hasInstanceValue = currentInstruction[4].u.operand;
</ins><span class="cx">
</span><del>- linkSlowCaseIfNotJSCell(iter, value);
- linkSlowCaseIfNotJSCell(iter, proto);
</del><span class="cx"> linkSlowCase(iter);
</span><span class="cx"> emitGetVirtualRegister(value, regT0);
</span><del>- emitGetVirtualRegister(proto, regT1);
- callOperation(operationInstanceOf, dst, regT0, regT1);
</del><ins>+ emitGetVirtualRegister(constructor, regT1);
+ emitGetVirtualRegister(hasInstanceValue, regT2);
+ callOperation(operationInstanceOfCustom, regT0, regT1, regT2);
+ emitTagBool(returnValueGPR);
+ emitPutVirtualRegister(dst, returnValueGPR);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitSlow_op_to_number(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOpcodes32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -183,17 +183,31 @@
</span><span class="cx"> emitStoreCell(dst, returnValueGPR);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emit_op_check_has_instance(Instruction* currentInstruction)
</del><ins>+void JIT::emit_op_overrides_has_instance(Instruction* currentInstruction)
</ins><span class="cx"> {
</span><del>- int baseVal = currentInstruction[3].u.operand;
</del><ins>+ int dst = currentInstruction[1].u.operand;
+ int constructor = currentInstruction[2].u.operand;
+ int hasInstanceValue = currentInstruction[3].u.operand;
</ins><span class="cx">
</span><del>- emitLoadPayload(baseVal, regT0);
</del><ins>+ emitLoadPayload(hasInstanceValue, regT0);
+ // We don't jump if we know what Symbol.hasInstance would do.
+ Jump hasInstanceValueNotCell = emitJumpIfNotJSCell(hasInstanceValue);
+ Jump customhasInstanceValue = branchPtr(NotEqual, regT0, TrustedImmPtr(m_codeBlock->globalObject()->functionProtoHasInstanceSymbolFunction()));
</ins><span class="cx">
</span><del>- // Check that baseVal is a cell.
- emitJumpSlowCaseIfNotJSCell(baseVal);
-
- // Check that baseVal 'ImplementsHasInstance'.
- addSlowCase(branchTest8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance)));
</del><ins>+ // We know that constructor is an object from the way bytecode is emitted for instanceof expressions.
+ emitLoadPayload(constructor, regT0);
+
+ // Check that constructor 'ImplementsHasInstance' i.e. the object is a C-API user or a bound function.
+ test8(Zero, Address(regT0, JSCell::typeInfoFlagsOffset()), TrustedImm32(ImplementsDefaultHasInstance), regT0);
+ Jump done = jump();
+
+ hasInstanceValueNotCell.link(this);
+ customhasInstanceValue.link(this);
+ move(TrustedImm32(1), regT0);
+
+ done.link(this);
+ emitStoreBool(dst, regT0);
+
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emit_op_instanceof(Instruction* currentInstruction)
</span><span class="lines">@@ -207,7 +221,7 @@
</span><span class="cx"> emitLoadPayload(value, regT2);
</span><span class="cx"> emitLoadPayload(proto, regT1);
</span><span class="cx">
</span><del>- // Check that proto are cells. baseVal must be a cell - this is checked by op_check_has_instance.
</del><ins>+ // Check that proto are cells. baseVal must be a cell - this is checked by the get_by_id for Symbol.hasInstance.
</ins><span class="cx"> emitJumpSlowCaseIfNotJSCell(value);
</span><span class="cx"> emitJumpSlowCaseIfNotJSCell(proto);
</span><span class="cx">
</span><span class="lines">@@ -235,20 +249,10 @@
</span><span class="cx"> emitStoreBool(dst, regT0);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void JIT::emitSlow_op_check_has_instance(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</del><ins>+void JIT::emit_op_instanceof_custom(Instruction*)
</ins><span class="cx"> {
</span><del>- int dst = currentInstruction[1].u.operand;
- int value = currentInstruction[2].u.operand;
- int baseVal = currentInstruction[3].u.operand;
-
- linkSlowCaseIfNotJSCell(iter, baseVal);
- linkSlowCase(iter);
-
- emitLoad(value, regT1, regT0);
- emitLoad(baseVal, regT3, regT2);
- callOperation(operationCheckHasInstance, dst, regT1, regT0, regT3, regT2);
-
- emitJumpSlowToHot(jump(), currentInstruction[4].u.operand);
</del><ins>+ // This always goes to slow path since we expect it to be rare.
+ addSlowCase(jump());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span><span class="lines">@@ -266,6 +270,22 @@
</span><span class="cx"> callOperation(operationInstanceOf, dst, regT1, regT0, regT3, regT2);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void JIT::emitSlow_op_instanceof_custom(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
+{
+ int dst = currentInstruction[1].u.operand;
+ int value = currentInstruction[2].u.operand;
+ int constructor = currentInstruction[3].u.operand;
+ int hasInstanceValue = currentInstruction[4].u.operand;
+
+ linkSlowCase(iter);
+
+ emitLoad(value, regT1, regT0);
+ emitLoadPayload(constructor, regT2);
+ emitLoad(hasInstanceValue, regT4, regT3);
+ callOperation(operationInstanceOfCustom, regT1, regT0, regT2, regT4, regT3);
+ emitStoreBool(dst, returnValueGPR);
+}
+
</ins><span class="cx"> void JIT::emit_op_is_undefined(Instruction* currentInstruction)
</span><span class="cx"> {
</span><span class="cx"> int dst = currentInstruction[1].u.operand;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1487,25 +1487,19 @@
</span><span class="cx"> profiler->willExecute(exec, JSValue::decode(encodedValue));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState* exec, EncodedJSValue encodedValue, EncodedJSValue encodedBaseVal)
</del><ins>+int32_t JIT_OPERATION operationInstanceOfCustom(ExecState* exec, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx"> NativeCallFrameTracer tracer(&vm, exec);
</span><span class="cx">
</span><span class="cx"> JSValue value = JSValue::decode(encodedValue);
</span><del>- JSValue baseVal = JSValue::decode(encodedBaseVal);
</del><ins>+ JSValue hasInstanceValue = JSValue::decode(encodedHasInstance);
</ins><span class="cx">
</span><del>- if (baseVal.isObject()) {
- JSObject* baseObject = asObject(baseVal);
- ASSERT(!baseObject->structure(vm)->typeInfo().implementsDefaultHasInstance());
- if (baseObject->structure(vm)->typeInfo().implementsHasInstance()) {
- bool result = baseObject->methodTable(vm)->customHasInstance(baseObject, exec, value);
- return JSValue::encode(jsBoolean(result));
- }
- }
</del><ins>+ ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor->structure()->typeInfo().implementsDefaultHasInstance());
</ins><span class="cx">
</span><del>- vm.throwException(exec, createInvalidInstanceofParameterError(exec, baseVal));
- return JSValue::encode(JSValue());
</del><ins>+ if (constructor->hasInstance(exec, value, hasInstanceValue))
+ return 1;
+ return 0;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -175,6 +175,7 @@
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_EGC)(ExecState*, JSGlobalObject*, JSCell*);
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_ESJss)(ExecState*, size_t, JSString*);
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_EJ)(ExecState*, EncodedJSValue);
</span><ins>+typedef int32_t JIT_OPERATION (*Z_JITOperation_EJOJ)(ExecState*, EncodedJSValue, JSObject*, EncodedJSValue);
</ins><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZ)(ExecState*, EncodedJSValue, int32_t);
</span><span class="cx"> typedef int32_t JIT_OPERATION (*Z_JITOperation_EJZZ)(ExecState*, EncodedJSValue, int32_t, int32_t);
</span><span class="cx"> typedef size_t JIT_OPERATION (*S_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
</span><span class="lines">@@ -328,7 +329,6 @@
</span><span class="cx"> void JIT_OPERATION operationPopScope(ExecState*, int32_t) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationProfileDidCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
</span><span class="cx"> void JIT_OPERATION operationProfileWillCall(ExecState*, EncodedJSValue) WTF_INTERNAL;
</span><del>-EncodedJSValue JIT_OPERATION operationCheckHasInstance(ExecState*, EncodedJSValue, EncodedJSValue baseVal) WTF_INTERNAL;
</del><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValOptimize(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValGeneric(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValString(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedSubscript, ByValInfo*) WTF_INTERNAL;
</span><span class="lines">@@ -357,6 +357,7 @@
</span><span class="cx"> void JIT_OPERATION operationExceptionFuzz(ExecState*);
</span><span class="cx">
</span><span class="cx"> int32_t JIT_OPERATION operationCheckIfExceptionIsUncatchableAndNotifyProfiler(ExecState*);
</span><ins>+int32_t JIT_OPERATION operationInstanceOfCustom(ExecState*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance) WTF_INTERNAL;
</ins><span class="cx">
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState*, JSCell*, int32_t);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntData.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntData.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/llint/LLIntData.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -34,6 +34,7 @@
</span><span class="cx"> #include "MaxFrameExtentForSlowPathCall.h"
</span><span class="cx"> #include "Opcode.h"
</span><span class="cx"> #include "PropertyOffset.h"
</span><ins>+#include "WriteBarrier.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace LLInt {
</span><span class="cx">
</span><span class="lines">@@ -154,6 +155,7 @@
</span><span class="cx"> ASSERT(FunctionCode == 2);
</span><span class="cx"> ASSERT(ModuleCode == 3);
</span><span class="cx">
</span><ins>+ ASSERT(!(reinterpret_cast<ptrdiff_t>((reinterpret_cast<WriteBarrier<JSCell>*>(0x4000)->slot())) - 0x4000));
</ins><span class="cx"> static_assert(PutByIdPrimaryTypeMask == 0x6, "LLInt assumes PutByIdPrimaryTypeMask is == 0x6");
</span><span class="cx"> static_assert(PutByIdPrimaryTypeSecondary == 0x0, "LLInt assumes PutByIdPrimaryTypeSecondary is == 0x0");
</span><span class="cx"> static_assert(PutByIdPrimaryTypeObjectWithStructure == 0x2, "LLInt assumes PutByIdPrimaryTypeObjectWithStructure is == 0x2");
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -522,30 +522,28 @@
</span><span class="cx"> LLINT_RETURN(RegExpObject::create(vm, exec->lexicalGlobalObject()->regExpStructure(), regExp));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-LLINT_SLOW_PATH_DECL(slow_path_check_has_instance)
</del><ins>+LLINT_SLOW_PATH_DECL(slow_path_instanceof)
</ins><span class="cx"> {
</span><span class="cx"> LLINT_BEGIN();
</span><del>-
</del><span class="cx"> JSValue value = LLINT_OP_C(2).jsValue();
</span><del>- JSValue baseVal = LLINT_OP_C(3).jsValue();
- if (baseVal.isObject()) {
- JSObject* baseObject = asObject(baseVal);
- ASSERT(!baseObject->structure()->typeInfo().implementsDefaultHasInstance());
- if (baseObject->structure()->typeInfo().implementsHasInstance()) {
- JSValue result = jsBoolean(baseObject->methodTable()->customHasInstance(baseObject, exec, value));
- LLINT_RETURN_WITH_PC_ADJUSTMENT(result, pc[4].u.operand);
- }
- }
- LLINT_THROW(createInvalidInstanceofParameterError(exec, baseVal));
</del><ins>+ JSValue proto = LLINT_OP_C(3).jsValue();
+ ASSERT(!value.isObject() || !proto.isObject());
+ LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-LLINT_SLOW_PATH_DECL(slow_path_instanceof)
</del><ins>+LLINT_SLOW_PATH_DECL(slow_path_instanceof_custom)
</ins><span class="cx"> {
</span><span class="cx"> LLINT_BEGIN();
</span><ins>+
</ins><span class="cx"> JSValue value = LLINT_OP_C(2).jsValue();
</span><del>- JSValue proto = LLINT_OP_C(3).jsValue();
- ASSERT(!value.isObject() || !proto.isObject());
- LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
</del><ins>+ JSValue constructor = LLINT_OP_C(3).jsValue();
+ JSValue hasInstanceValue = LLINT_OP_C(4).jsValue();
+
+ ASSERT(constructor.isObject());
+ ASSERT(hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction() || !constructor.getObject()->structure()->typeInfo().implementsDefaultHasInstance());
+
+ JSValue result = jsBoolean(constructor.getObject()->hasInstance(exec, value, hasInstanceValue));
+ LLINT_RETURN(result);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> LLINT_SLOW_PATH_DECL(slow_path_get_by_id)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLLIntSlowPathsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -67,8 +67,8 @@
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array_with_size);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_array_buffer);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_new_regexp);
</span><del>-LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_check_has_instance);
</del><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof);
</span><ins>+LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_instanceof_custom);
</ins><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_id);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_arguments_length);
</span><span class="cx"> LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_put_by_id);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter32_64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1175,18 +1175,36 @@
</span><span class="cx"> 5)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_check_has_instance:
</del><ins>+_llint_op_overrides_has_instance:
</ins><span class="cx"> traceExecution()
</span><del>- loadi 12[PC], t1
- loadConstantOrVariablePayload(t1, CellTag, t0, .opCheckHasInstanceSlow)
- btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
- dispatch(5)
</del><span class="cx">
</span><del>-.opCheckHasInstanceSlow:
- callSlowPath(_llint_slow_path_check_has_instance)
- dispatch(0)
</del><ins>+ loadisFromInstruction(1, t3)
+ storei BooleanTag, TagOffset[cfr, t3, 8]
</ins><span class="cx">
</span><ins>+ # First check if hasInstanceValue is the one on Function.prototype[Symbol.hasInstance]
+ loadisFromInstruction(3, t0)
+ loadConstantOrVariablePayload(t0, CellTag, t2, .opOverrideshasInstanceValueNotCell)
+ loadConstantOrVariable(t0, t1, t2)
+ bineq t1, CellTag, .opOverrideshasInstanceValueNotCell
</ins><span class="cx">
</span><ins>+ # We don't need hasInstanceValue's tag register anymore.
+ loadp CodeBlock[cfr], t1
+ loadp CodeBlock::m_globalObject[t1], t1
+ loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t1], t1
+ bineq t1, t2, .opOverrideshasInstanceValueNotDefault
+
+ # We know the constructor is a cell.
+ loadisFromInstruction(2, t0)
+ loadConstantOrVariablePayloadUnchecked(t0, t1)
+ tbz JSCell::m_flags[t1], ImplementsDefaultHasInstance, t0
+ storei t0, PayloadOffset[cfr, t3, 8]
+ dispatch(4)
+
+.opOverrideshasInstanceValueNotCell:
+.opOverrideshasInstanceValueNotDefault:
+ storei 1, PayloadOffset[cfr, t3, 8]
+ dispatch(4)
+
</ins><span class="cx"> _llint_op_instanceof:
</span><span class="cx"> traceExecution()
</span><span class="cx"> # Actually do the work.
</span><span class="lines">@@ -1215,7 +1233,12 @@
</span><span class="cx"> callSlowPath(_llint_slow_path_instanceof)
</span><span class="cx"> dispatch(4)
</span><span class="cx">
</span><ins>+_llint_op_instanceof_custom:
+ traceExecution()
+ callSlowPath(_llint_slow_path_instanceof_custom)
+ dispatch(5)
</ins><span class="cx">
</span><ins>+
</ins><span class="cx"> _llint_op_is_undefined:
</span><span class="cx"> traceExecution()
</span><span class="cx"> loadi 8[PC], t1
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorellintLowLevelInterpreter64asm"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1069,18 +1069,30 @@
</span><span class="cx"> 5)
</span><span class="cx">
</span><span class="cx">
</span><del>-_llint_op_check_has_instance:
</del><ins>+_llint_op_overrides_has_instance:
</ins><span class="cx"> traceExecution()
</span><ins>+ loadisFromInstruction(1, t3)
+
</ins><span class="cx"> loadisFromInstruction(3, t1)
</span><del>- loadConstantOrVariableCell(t1, t0, .opCheckHasInstanceSlow)
- btbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, .opCheckHasInstanceSlow
- dispatch(5)
</del><ins>+ loadConstantOrVariable(t1, t0)
+ loadp CodeBlock[cfr], t2
+ loadp CodeBlock::m_globalObject[t2], t2
+ loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t2], t2
+ bqneq t0, t2, .opOverridesHasInstanceNotDefaultSymbol
</ins><span class="cx">
</span><del>-.opCheckHasInstanceSlow:
- callSlowPath(_llint_slow_path_check_has_instance)
- dispatch(0)
</del><ins>+ loadisFromInstruction(2, t1)
+ loadConstantOrVariable(t1, t0)
+ tbz JSCell::m_flags[t0], ImplementsDefaultHasInstance, t1
+ orq ValueFalse, t1
+ storeq t1, [cfr, t3, 8]
+ dispatch(4)
</ins><span class="cx">
</span><ins>+.opOverridesHasInstanceNotDefaultSymbol:
+ storeq ValueTrue, t1
+ storeq t1, [cfr, t3, 8]
+ dispatch(4)
</ins><span class="cx">
</span><ins>+
</ins><span class="cx"> _llint_op_instanceof:
</span><span class="cx"> traceExecution()
</span><span class="cx"> # Actually do the work.
</span><span class="lines">@@ -1109,6 +1121,10 @@
</span><span class="cx"> callSlowPath(_llint_slow_path_instanceof)
</span><span class="cx"> dispatch(4)
</span><span class="cx">
</span><ins>+_llint_op_instanceof_custom:
+ traceExecution()
+ callSlowPath(_llint_slow_path_instanceof_custom)
+ dispatch(5)
</ins><span class="cx">
</span><span class="cx"> _llint_op_is_undefined:
</span><span class="cx"> traceExecution()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeCommonIdentifiersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/CommonIdentifiers.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -250,7 +250,6 @@
</span><span class="cx"> macro(yield)
</span><span class="cx">
</span><span class="cx"> #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET(macro)\
</span><del>- macro(hasInstance) \
</del><span class="cx"> macro(isConcatSpreadable) \
</span><span class="cx"> macro(match) \
</span><span class="cx"> macro(replace) \
</span><span class="lines">@@ -260,6 +259,7 @@
</span><span class="cx"> macro(toPrimitive)
</span><span class="cx">
</span><span class="cx"> #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL(macro) \
</span><ins>+ macro(hasInstance) \
</ins><span class="cx"> macro(iterator) \
</span><span class="cx"> macro(unscopables) \
</span><span class="cx"> macro(toStringTag)
</span><span class="lines">@@ -345,6 +345,9 @@
</span><span class="cx"> macro(NumberFormat) \
</span><span class="cx"> macro(newTargetLocal) \
</span><span class="cx"> macro(derivedConstructor) \
</span><ins>+ macro(isBoundFunction) \
+ macro(hasInstanceBoundFunction) \
+ macro(instanceOf) \
</ins><span class="cx">
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExceptionHelperscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -209,7 +209,7 @@
</span><span class="cx"> return makeString(rightHandSide, " is not an Object. (evaluating '", sourceText, "')");
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static String invalidParameterInstanceofSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
</del><ins>+inline String invalidParameterInstanceofSourceAppender(const String& content, const String& originalMessage, const String& sourceText, RuntimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
</ins><span class="cx"> {
</span><span class="cx"> if (occurrence == ErrorInstance::FoundApproximateSource)
</span><span class="cx"> return defaultApproximateSourceError(originalMessage, sourceText);
</span><span class="lines">@@ -222,9 +222,19 @@
</span><span class="cx">
</span><span class="cx"> static const unsigned instanceofLength = 10;
</span><span class="cx"> String rightHandSide = sourceText.substring(instanceofIndex + instanceofLength).simplifyWhiteSpace();
</span><del>- return makeString(rightHandSide, " is not a function. (evaluating '", sourceText, "')");
</del><ins>+ return makeString(rightHandSide, content, ". (evaluating '", sourceText, "')");
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+static String invalidParameterInstanceofNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
+{
+ return invalidParameterInstanceofSourceAppender(WTF::makeString(" is not a function"), originalMessage, sourceText, runtimeType, occurrence);
+}
+
+static String invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender(const String& originalMessage, const String& sourceText, RuntimeType runtimeType, ErrorInstance::SourceTextWhereErrorOccurred occurrence)
+{
+ return invalidParameterInstanceofSourceAppender(WTF::makeString("[Symbol.hasInstance] is not a function, undefined, or null"), originalMessage, sourceText, runtimeType, occurrence);
+}
+
</ins><span class="cx"> JSObject* createError(ExecState* exec, JSValue value, const String& message, ErrorInstance::SourceAppender appender)
</span><span class="cx"> {
</span><span class="cx"> String errorMessage = makeString(errorDescriptionForValue(exec, value)->value(exec), ' ', message);
</span><span class="lines">@@ -245,11 +255,16 @@
</span><span class="cx"> return createError(exec, value, makeString("is not an Object."), invalidParameterInSourceAppender);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSObject* createInvalidInstanceofParameterError(ExecState* exec, JSValue value)
</del><ins>+JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState* exec, JSValue value)
</ins><span class="cx"> {
</span><del>- return createError(exec, value, makeString("is not a function."), invalidParameterInstanceofSourceAppender);
</del><ins>+ return createError(exec, value, makeString(" is not a function"), invalidParameterInstanceofNotFunctionSourceAppender);
</ins><span class="cx"> }
</span><span class="cx">
</span><ins>+JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState* exec, JSValue value)
+{
+ return createError(exec, value, makeString("[Symbol.hasInstance] is not a function, undefined, or null"), invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender);
+}
+
</ins><span class="cx"> JSObject* createNotAConstructorError(ExecState* exec, JSValue value)
</span><span class="cx"> {
</span><span class="cx"> return createError(exec, value, ASCIILiteral("is not a constructor"), defaultSourceAppender);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeExceptionHelpersh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/ExceptionHelpers.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -45,7 +45,8 @@
</span><span class="cx"> JSObject* createNotAnObjectError(ExecState*, JSValue);
</span><span class="cx"> JSObject* createInvalidFunctionApplyParameterError(ExecState*, JSValue);
</span><span class="cx"> JSObject* createInvalidInParameterError(ExecState*, JSValue);
</span><del>-JSObject* createInvalidInstanceofParameterError(ExecState*, JSValue);
</del><ins>+JSObject* createInvalidInstanceofParameterErrorNotFunction(ExecState*, JSValue);
+JSObject* createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(ExecState*, JSValue);
</ins><span class="cx"> JSObject* createNotAConstructorError(ExecState*, JSValue);
</span><span class="cx"> JSObject* createNotAFunctionError(ExecState*, JSValue);
</span><span class="cx"> JSObject* createErrorForInvalidGlobalAssignment(ExecState*, const String&);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionPrototypecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/FunctionPrototype.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -53,7 +53,7 @@
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(0), DontDelete | ReadOnly | DontEnum);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction)
</del><ins>+void FunctionPrototype::addFunctionProperties(ExecState* exec, JSGlobalObject* globalObject, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><span class="cx">
</span><span class="lines">@@ -62,6 +62,7 @@
</span><span class="cx">
</span><span class="cx"> *applyFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().applyPublicName(), functionPrototypeApplyCodeGenerator(vm), DontEnum);
</span><span class="cx"> *callFunction = putDirectBuiltinFunctionWithoutTransition(vm, globalObject, vm.propertyNames->builtinNames().callPublicName(), functionPrototypeCallCodeGenerator(vm), DontEnum);
</span><ins>+ *hasInstanceSymbolFunction = putDirectBuiltinFunction(vm, globalObject, vm.propertyNames->hasInstanceSymbol, functionPrototypeSymbolHasInstanceCodeGenerator(vm), DontDelete | ReadOnly | DontEnum);
</ins><span class="cx">
</span><span class="cx"> JSFunction* bindFunction = JSFunction::create(vm, globalObject, 1, vm.propertyNames->bind.string(), functionProtoFuncBind);
</span><span class="cx"> putDirectWithoutTransition(vm, vm.propertyNames->bind, bindFunction, DontEnum);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeFunctionPrototypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/FunctionPrototype.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -36,7 +36,7 @@
</span><span class="cx"> return prototype;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction);
</del><ins>+ void addFunctionProperties(ExecState*, JSGlobalObject*, JSFunction** callFunction, JSFunction** applyFunction, JSFunction** hasInstanceSymbolFunction);
</ins><span class="cx">
</span><span class="cx"> static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue proto)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSBoundFunctioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSBoundFunction.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -74,6 +74,20 @@
</span><span class="cx"> return JSValue::encode(construct(exec, targetFunction, constructType, constructData, args));
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState* exec)
+{
+ return JSValue::encode(JSValue(static_cast<bool>(jsDynamicCast<JSBoundFunction*>(exec->uncheckedArgument(0)))));
+}
+
+EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState* exec)
+{
+ JSBoundFunction* boundObject = jsCast<JSBoundFunction*>(exec->uncheckedArgument(0));
+ JSValue value = exec->uncheckedArgument(1);
+
+ return JSValue::encode(jsBoolean(boundObject->targetFunction()->hasInstance(exec, value)));
+}
+
+
</ins><span class="cx"> JSBoundFunction* JSBoundFunction::create(VM& vm, JSGlobalObject* globalObject, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int length, const String& name)
</span><span class="cx"> {
</span><span class="cx"> ConstructData constructData;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSBoundFunctionh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSBoundFunction.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -32,11 +32,13 @@
</span><span class="cx">
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL boundFunctionCall(ExecState*);
</span><span class="cx"> EncodedJSValue JSC_HOST_CALL boundFunctionConstruct(ExecState*);
</span><ins>+EncodedJSValue JSC_HOST_CALL isBoundFunction(ExecState*);
+EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState*);
</ins><span class="cx">
</span><span class="cx"> class JSBoundFunction : public JSFunction {
</span><span class="cx"> public:
</span><span class="cx"> typedef JSFunction Base;
</span><del>- const static unsigned StructureFlags = OverridesHasInstance | Base::StructureFlags;
</del><ins>+ const static unsigned StructureFlags = OverridesHasInstanceFlag | Base::StructureFlags;
</ins><span class="cx">
</span><span class="cx"> static JSBoundFunction* create(VM&, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -286,12 +286,14 @@
</span><span class="cx"> m_internalFunctionStructure.set(vm, this, InternalFunction::createStructure(vm, this, m_functionPrototype.get()));
</span><span class="cx"> JSFunction* callFunction = 0;
</span><span class="cx"> JSFunction* applyFunction = 0;
</span><del>- m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction);
</del><ins>+ JSFunction* hasInstanceSymbolFunction = 0;
+ m_functionPrototype->addFunctionProperties(exec, this, &callFunction, &applyFunction, &hasInstanceSymbolFunction);
</ins><span class="cx"> m_callFunction.set(vm, this, callFunction);
</span><span class="cx"> m_applyFunction.set(vm, this, applyFunction);
</span><span class="cx"> m_arrayProtoValuesFunction.set(vm, this, JSFunction::create(vm, this, 0, vm.propertyNames->values.string(), arrayProtoFuncValues));
</span><span class="cx"> m_initializePromiseFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsInitializePromiseCodeGenerator(vm), this));
</span><span class="cx"> m_newPromiseCapabilityFunction.set(vm, this, JSFunction::createBuiltinFunction(vm, promiseOperationsNewPromiseCapabilityCodeGenerator(vm), this));
</span><ins>+ m_functionProtoHasInstanceSymbolFunction.set(vm, this, hasInstanceSymbolFunction);
</ins><span class="cx"> m_nullGetterFunction.set(vm, this, NullGetterFunction::create(vm, NullGetterFunction::createStructure(vm, this, m_functionPrototype.get())));
</span><span class="cx"> m_nullSetterFunction.set(vm, this, NullSetterFunction::create(vm, NullSetterFunction::createStructure(vm, this, m_functionPrototype.get())));
</span><span class="cx"> m_objectPrototype.set(vm, this, ObjectPrototype::create(vm, this, ObjectPrototype::createStructure(vm, this, jsNull())));
</span><span class="lines">@@ -521,6 +523,9 @@
</span><span class="cx"> JSFunction* privateFuncToInteger = JSFunction::createBuiltinFunction(vm, globalObjectToIntegerCodeGenerator(vm), this);
</span><span class="cx"> JSFunction* privateFuncTypedArrayLength = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncLength);
</span><span class="cx"> JSFunction* privateFuncTypedArraySort = JSFunction::create(vm, this, 0, String(), typedArrayViewPrivateFuncSort);
</span><ins>+ JSFunction* privateFuncIsBoundFunction = JSFunction::create(vm, this, 0, String(), isBoundFunction);
+ JSFunction* privateFuncHasInstanceBoundFunction = JSFunction::create(vm, this, 0, String(), hasInstanceBoundFunction);
+ JSFunction* privateFuncInstanceOf = JSFunction::create(vm, this, 0, String(), objectPrivateFuncInstanceOf);
</ins><span class="cx">
</span><span class="cx"> GlobalPropertyInfo staticGlobals[] = {
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), DontEnum | DontDelete | ReadOnly),
</span><span class="lines">@@ -535,6 +540,9 @@
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->TypeErrorPrivateName, m_typeErrorConstructor.get(), DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->typedArrayLengthPrivateName, privateFuncTypedArrayLength, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->typedArraySortPrivateName, privateFuncTypedArraySort, DontEnum | DontDelete | ReadOnly),
</span><ins>+ GlobalPropertyInfo(vm.propertyNames->isBoundFunctionPrivateName, privateFuncIsBoundFunction, DontEnum | DontDelete | ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->hasInstanceBoundFunctionPrivateName, privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->instanceOfPrivateName, privateFuncInstanceOf, DontEnum | DontDelete | ReadOnly),
</ins><span class="cx"> GlobalPropertyInfo(vm.propertyNames->BuiltinLogPrivateName, builtinLog, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->ArrayPrivateName, arrayConstructor, DontEnum | DontDelete | ReadOnly),
</span><span class="cx"> GlobalPropertyInfo(vm.propertyNames->NumberPrivateName, numberConstructor, DontEnum | DontDelete | ReadOnly),
</span><span class="lines">@@ -832,6 +840,7 @@
</span><span class="cx"> visitor.append(&thisObject->m_arrayProtoValuesFunction);
</span><span class="cx"> visitor.append(&thisObject->m_initializePromiseFunction);
</span><span class="cx"> visitor.append(&thisObject->m_newPromiseCapabilityFunction);
</span><ins>+ visitor.append(&thisObject->m_functionProtoHasInstanceSymbolFunction);
</ins><span class="cx"> visitor.append(&thisObject->m_throwTypeErrorGetterSetter);
</span><span class="cx"> visitor.append(&thisObject->m_moduleLoader);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSGlobalObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -222,6 +222,7 @@
</span><span class="cx"> WriteBarrier<JSFunction> m_arrayProtoValuesFunction;
</span><span class="cx"> WriteBarrier<JSFunction> m_initializePromiseFunction;
</span><span class="cx"> WriteBarrier<JSFunction> m_newPromiseCapabilityFunction;
</span><ins>+ WriteBarrier<JSFunction> m_functionProtoHasInstanceSymbolFunction;
</ins><span class="cx"> WriteBarrier<GetterSetter> m_throwTypeErrorGetterSetter;
</span><span class="cx">
</span><span class="cx"> WriteBarrier<ModuleLoaderObject> m_moduleLoader;
</span><span class="lines">@@ -438,6 +439,7 @@
</span><span class="cx"> JSFunction* arrayProtoValuesFunction() const { return m_arrayProtoValuesFunction.get(); }
</span><span class="cx"> JSFunction* initializePromiseFunction() const { return m_initializePromiseFunction.get(); }
</span><span class="cx"> JSFunction* newPromiseCapabilityFunction() const { return m_newPromiseCapabilityFunction.get(); }
</span><ins>+ JSFunction* functionProtoHasInstanceSymbolFunction() const { return m_functionProtoHasInstanceSymbolFunction.get(); }
</ins><span class="cx"> GetterSetter* throwTypeErrorGetterSetter(VM& vm)
</span><span class="cx"> {
</span><span class="cx"> if (!m_throwTypeErrorGetterSetter)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjectcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.cpp (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.cpp 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1457,18 +1457,40 @@
</span><span class="cx"> return 0;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-bool JSObject::hasInstance(ExecState* exec, JSValue value)
</del><ins>+bool JSObject::hasInstance(ExecState* exec, JSValue value, JSValue hasInstanceValue)
</ins><span class="cx"> {
</span><span class="cx"> VM& vm = exec->vm();
</span><ins>+
+ if (!hasInstanceValue.isUndefinedOrNull() && hasInstanceValue != exec->lexicalGlobalObject()->functionProtoHasInstanceSymbolFunction()) {
+ CallData callData;
+ CallType callType = JSC::getCallData(hasInstanceValue, callData);
+ if (callType == CallTypeNone) {
+ vm.throwException(exec, createInvalidInstanceofParameterErrorhasInstanceValueNotFunction(exec, this));
+ return false;
+ }
+
+ MarkedArgumentBuffer args;
+ args.append(value);
+ JSValue result = call(exec, hasInstanceValue, callType, callData, this, args);
+ return result.toBoolean(exec);
+ }
+
</ins><span class="cx"> TypeInfo info = structure(vm)->typeInfo();
</span><span class="cx"> if (info.implementsDefaultHasInstance())
</span><span class="cx"> return defaultHasInstance(exec, value, get(exec, exec->propertyNames().prototype));
</span><span class="cx"> if (info.implementsHasInstance())
</span><span class="cx"> return methodTable(vm)->customHasInstance(this, exec, value);
</span><del>- vm.throwException(exec, createInvalidInstanceofParameterError(exec, this));
</del><ins>+ vm.throwException(exec, createInvalidInstanceofParameterErrorNotFunction(exec, this));
</ins><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool JSObject::hasInstance(ExecState* exec, JSValue value)
+{
+ JSValue hasInstanceValue = get(exec, exec->propertyNames().hasInstanceSymbol);
+
+ return hasInstance(exec, value, hasInstanceValue);
+}
+
</ins><span class="cx"> bool JSObject::defaultHasInstance(ExecState* exec, JSValue value, JSValue proto)
</span><span class="cx"> {
</span><span class="cx"> if (!value.isObject())
</span><span class="lines">@@ -1487,6 +1509,14 @@
</span><span class="cx"> return false;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState* exec)
+{
+ JSValue value = exec->uncheckedArgument(0);
+ JSValue proto = exec->uncheckedArgument(1);
+
+ return JSValue::encode(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
+}
+
</ins><span class="cx"> void JSObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
</span><span class="cx"> {
</span><span class="cx"> object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, propertyNames, mode);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSObjecth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSObject.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSObject.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSObject.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -485,6 +485,7 @@
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE static JSValue defaultValue(const JSObject*, ExecState*, PreferredPrimitiveType);
</span><span class="cx">
</span><ins>+ JS_EXPORT_PRIVATE bool hasInstance(ExecState*, JSValue value, JSValue hasInstanceValue);
</ins><span class="cx"> bool hasInstance(ExecState*, JSValue);
</span><span class="cx"> static bool defaultHasInstance(ExecState*, JSValue, JSValue prototypeProperty);
</span><span class="cx">
</span><span class="lines">@@ -974,6 +975,8 @@
</span><span class="cx"> }
</span><span class="cx"> };
</span><span class="cx">
</span><ins>+JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState*);
+
</ins><span class="cx"> inline JSFinalObject* JSFinalObject::create(
</span><span class="cx"> ExecState* exec, Structure* structure, Butterfly* butterfly)
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeJSTypeInfoh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -38,7 +38,7 @@
</span><span class="cx">
</span><span class="cx"> static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable.
</span><span class="cx"> static const unsigned ImplementsHasInstance = 1 << 1;
</span><del>-static const unsigned OverridesHasInstance = 1 << 2;
</del><ins>+static const unsigned OverridesHasInstanceFlag = 1 << 2; // FIXME: This is only trivially used by the runtime and should be removed: https://bugs.webkit.org/show_bug.cgi?id=152005
</ins><span class="cx"> static const unsigned ImplementsDefaultHasInstance = 1 << 3;
</span><span class="cx"> static const unsigned TypeOfShouldCallGetCallData = 1 << 4; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData().
</span><span class="cx"> static const unsigned OverridesGetOwnPropertySlot = 1 << 5;
</span><span class="lines">@@ -68,9 +68,9 @@
</span><span class="cx"> , m_flags2(outOfLineTypeFlags)
</span><span class="cx"> {
</span><span class="cx"> // No object that doesn't ImplementsHasInstance should override it!
</span><del>- ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstance)) != OverridesHasInstance);
</del><ins>+ ASSERT((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) != OverridesHasInstanceFlag);
</ins><span class="cx"> // ImplementsDefaultHasInstance means (ImplementsHasInstance & !OverridesHasInstance)
</span><del>- if ((m_flags & (ImplementsHasInstance | OverridesHasInstance)) == ImplementsHasInstance)
</del><ins>+ if ((m_flags & (ImplementsHasInstance | OverridesHasInstanceFlag)) == ImplementsHasInstance)
</ins><span class="cx"> m_flags |= ImplementsDefaultHasInstance;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -83,7 +83,7 @@
</span><span class="cx"> unsigned flags() const { return (static_cast<unsigned>(m_flags2) << 8) | static_cast<unsigned>(m_flags); }
</span><span class="cx"> bool masqueradesAsUndefined() const { return isSetOnFlags1(MasqueradesAsUndefined); }
</span><span class="cx"> bool implementsHasInstance() const { return isSetOnFlags1(ImplementsHasInstance); }
</span><del>- bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstance); }
</del><ins>+ bool overridesHasInstance() const { return isSetOnFlags1(OverridesHasInstanceFlag); }
</ins><span class="cx"> bool implementsDefaultHasInstance() const { return isSetOnFlags1(ImplementsDefaultHasInstance); }
</span><span class="cx"> bool typeOfShouldCallGetCallData() const { return isSetOnFlags1(TypeOfShouldCallGetCallData); }
</span><span class="cx"> bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeWriteBarrierh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/WriteBarrier.h (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/WriteBarrier.h 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/runtime/WriteBarrier.h 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -152,14 +152,9 @@
</span><span class="cx"> bool isGetterSetter() const { return get().isGetterSetter(); }
</span><span class="cx"> bool isCustomGetterSetter() const { return get().isCustomGetterSetter(); }
</span><span class="cx">
</span><del>- JSValue* slot()
</del><ins>+ JSValue* slot() const
</ins><span class="cx"> {
</span><del>- union {
- EncodedJSValue* v;
- JSValue* slot;
- } u;
- u.v = &m_value;
- return u.slot;
</del><ins>+ return bitwise_cast<JSValue*>(&m_value);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> int32_t* tagPointer() { return &bitwise_cast<EncodedValueDescriptor*>(&m_value)->asBits.tag; }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestses6yaml"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/es6.yaml (193973 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/es6.yaml 2015-12-11 21:01:53 UTC (rev 193973)
+++ trunk/Source/JavaScriptCore/tests/es6.yaml 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -1183,7 +1183,7 @@
</span><span class="cx"> - path: es6/WeakSet_iterator_closing.js
</span><span class="cx"> cmd: runES6 :fail
</span><span class="cx"> - path: es6/well-known_symbols_Symbol.hasInstance.js
</span><del>- cmd: runES6 :fail
</del><ins>+ cmd: runES6 :normal
</ins><span class="cx"> - path: es6/well-known_symbols_Symbol.isConcatSpreadable.js
</span><span class="cx"> cmd: runES6 :fail
</span><span class="cx"> - path: es6/well-known_symbols_Symbol.match.js
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressinstanceofcustomhasinstancesymboljs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/instanceof-custom-hasinstancesymbol.js (0 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/instanceof-custom-hasinstancesymbol.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/instanceof-custom-hasinstancesymbol.js 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -0,0 +1,24 @@
</span><ins>+function Constructor(x) {}
+
+Object.defineProperty(Constructor, Symbol.hasInstance, {value: function() { return false; }});
+
+x = new Constructor();
+
+function instanceOf(a, b) {
+ return a instanceof b;
+}
+noInline(instanceOf);
+
+function body() {
+ var result = 0;
+ for (var i = 0; i < 100000; i++) {
+ if (instanceOf(x, Constructor))
+ result++;
+ }
+
+ return result;
+}
+noInline(body);
+
+if (body())
+ throw "result incorrect";
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresssymbolhasInstancejs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/symbol-hasInstance.js (0 => 193974)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/symbol-hasInstance.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/symbol-hasInstance.js 2015-12-11 21:43:45 UTC (rev 193974)
</span><span class="lines">@@ -0,0 +1,54 @@
</span><ins>+// This file tests the functionality of Symbol.hasInstance.
+
+
+// Test a custom Symbol.hasInstance on a function object.
+function Constructor(x) {}
+foo = new Constructor();
+
+if (!(foo instanceof Constructor))
+ throw "should be instanceof";
+
+Object.defineProperty(Constructor, Symbol.hasInstance, {value: function(value) {
+ if (this !== Constructor)
+ throw "|this| should be Constructor";
+ if (value !== foo)
+ throw "first argument should be foo";
+ return false;
+} });
+
+
+if (foo instanceof Constructor)
+ throw "should not be instanceof";
+
+
+// Test Symbol.hasInstance on an ordinary object.
+ObjectClass = {}
+ObjectClass[Symbol.hasInstance] = function (value) {
+ return value !== null && (typeof value === "object" || typeof value === "function");
+}
+
+if (!(foo instanceof ObjectClass))
+ throw "foo should be an instanceof ObjectClass";
+
+if (!(Constructor instanceof ObjectClass))
+ throw "Constructor should be an instanceof ObjectClass";
+
+NumberClass = {}
+NumberClass[Symbol.hasInstance] = function (value) {
+ return typeof value === "number";
+}
+
+if (!(1 instanceof NumberClass))
+ throw "1 should be an instanceof NumberClass";
+
+if (foo instanceof NumberClass)
+ throw "foo should be an instanceof NumberClass";
+
+
+// Test the Function.prototype[Symbol.hasInstance] works when actually called.
+descriptor = Object.getOwnPropertyDescriptor(Function.prototype, Symbol.hasInstance);
+if (descriptor.writable !== false || descriptor.configurable !== false || descriptor.enumerable !== false)
+ throw "Function.prototype[Symbol.hasInstance] has a bad descriptor";
+
+if (!Function.prototype[Symbol.hasInstance].call(Constructor, foo))
+ throw "Function.prototype[Symbol.hasInstance] should claim that foo is an instanceof Constructor";
</ins></span></pre>
</div>
</div>
</body>
</html>