<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[225342] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/225342">225342</a></dd>
<dt>Author</dt> <dd>utatane.tea@gmail.com</dd>
<dt>Date</dt> <dd>2017-11-30 12:48:53 -0800 (Thu, 30 Nov 2017)</dd>
</dl>

<h3>Log Message</h3>
<pre>[DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
https://bugs.webkit.org/show_bug.cgi?id=180190

Reviewed by Mark Lam.

JSTests:

* stress/operation-in-may-have-negative-int32-array-storage.js: Added.
(shouldBe):
(test1):
* stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
(shouldBe):
(test1):
* stress/operation-in-may-have-negative-int32-double-array.js: Added.
(shouldBe):
(test1):
* stress/operation-in-may-have-negative-int32-generic-array.js: Added.
(shouldBe):
(test1):
* stress/operation-in-may-have-negative-int32-int32-array.js: Added.
(shouldBe):
(test1):
* stress/operation-in-may-have-negative-int32.js: Added.
(shouldBe):
(test2):
* stress/operation-in-negative-int32-cast.js: Added.
(shouldBe):
(test1):

Source/JavaScriptCore:

If DFG HasIndexedProperty node observes a negative index, it goes to a slow
path by calling operationHasIndexedProperty. The problem is that
operationHasIndexedProperty does not account for a negative index. The negative
index was used as a uint32 array index.

In this patch we add a path for negative indices in operationHasIndexedProperty,
and rename it to operationHasIndexedPropertyByInt to make the intention clear.
We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
since it is only used in DFG and FTL.

While fixing this bug, we found that our op_in does not record OutOfBound feedback.
This causes repeated OSR exit and significantly regresses the performance. We opened
a bug to track this issue[1].

[1]: https://bugs.webkit.org/show_bug.cgi?id=180192

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
* jit/JITOperations.cpp:
* jit/JITOperations.h:</pre>
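<p>The key confusion described in the log message, modelled in plain JavaScript as an added example (not JavaScriptCore code and not part of this changeset). The function names are hypothetical and the inputs are constructed to mirror the stress tests below; it shows that the old lookup produces both a false negative (-1) and a false positive (INT32_MIN).</p>

```javascript
// Added illustration: a model of the slow-path lookup, not engine code.
// All function names here are hypothetical.

// Reinterpret a signed 32-bit value as unsigned, which is what an implicit
// int32_t -> uint32_t conversion does in C++.
function asUint32(int32) {
    return int32 >>> 0;
}

// Behaviour before the fix, per the log message: the subscript is always
// treated as a uint32 array index, so a negative key names the wrong property.
function hasIndexedPropertyBuggy(object, int32) {
    return String(asUint32(int32)) in object;
}

// Behaviour after the fix: a negative subscript is looked up by its decimal
// string name; a non-negative one is still used as an array index.
function hasIndexedPropertyByInt(object, int32) {
    if (int32 < 0)
        return String(int32) in object;
    return String(asUint32(int32)) in object;
}

// Constructed inputs mirroring the stress tests in this changeset.
function runCases() {
    const INT32_MIN = -2147483648;

    const withMinusOne = [20];
    withMinusOne[-1] = 42;            // named property "-1", not an index

    const withHighIndex = [];
    withHighIndex[0x80000000] = true; // index 2147483648 == (uint32)INT32_MIN

    const cases = [
        { name: "-1 present", object: withMinusOne, key: -1 },
        { name: "INT32_MIN absent", object: withHighIndex, key: INT32_MIN },
        { name: "0 present", object: withMinusOne, key: 0 },
    ];

    return cases.map(({ name, object, key }) => ({
        name,
        expected: key in object, // what the language requires
        buggy: hasIndexedPropertyBuggy(object, key),
        fixed: hasIndexedPropertyByInt(object, key),
    }));
}

for (const row of runCases())
    console.log(row.name, "expected", row.expected, "buggy", row.buggy, "fixed", row.fixed);
```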

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationsh">trunk/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationscpp">trunk/Source/JavaScriptCore/jit/JITOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITOperationsh">trunk/Source/JavaScriptCore/jit/JITOperations.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32arraystoragejs">trunk/JSTests/stress/operation-in-may-have-negative-int32-array-storage.js</a></li>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32contiguousarrayjs">trunk/JSTests/stress/operation-in-may-have-negative-int32-contiguous-array.js</a></li>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32doublearrayjs">trunk/JSTests/stress/operation-in-may-have-negative-int32-double-array.js</a></li>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32genericarrayjs">trunk/JSTests/stress/operation-in-may-have-negative-int32-generic-array.js</a></li>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32int32arrayjs">trunk/JSTests/stress/operation-in-may-have-negative-int32-int32-array.js</a></li>
<li><a href="#trunkJSTestsstressoperationinmayhavenegativeint32js">trunk/JSTests/stress/operation-in-may-have-negative-int32.js</a></li>
<li><a href="#trunkJSTestsstressoperationinnegativeint32castjs">trunk/JSTests/stress/operation-in-negative-int32-cast.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/JSTests/ChangeLog     2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -1,3 +1,32 @@
</span><ins>+2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
+        https://bugs.webkit.org/show_bug.cgi?id=180190
+
+        Reviewed by Mark Lam.
+
+        * stress/operation-in-may-have-negative-int32-array-storage.js: Added.
+        (shouldBe):
+        (test1):
+        * stress/operation-in-may-have-negative-int32-contiguous-array.js: Added.
+        (shouldBe):
+        (test1):
+        * stress/operation-in-may-have-negative-int32-double-array.js: Added.
+        (shouldBe):
+        (test1):
+        * stress/operation-in-may-have-negative-int32-generic-array.js: Added.
+        (shouldBe):
+        (test1):
+        * stress/operation-in-may-have-negative-int32-int32-array.js: Added.
+        (shouldBe):
+        (test1):
+        * stress/operation-in-may-have-negative-int32.js: Added.
+        (shouldBe):
+        (test2):
+        * stress/operation-in-negative-int32-cast.js: Added.
+        (shouldBe):
+        (test1):
+
</ins><span class="cx"> 2017-11-28  JF Bastien  <jfbastien@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Strict and sloppy functions shouldn't share structure
</span></span></pre></div>
<a id="trunkJSTestsstressoperationinmayhavenegativeint32arraystoragejs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32-array-storage.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32-array-storage.js                               (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32-array-storage.js  2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,19 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = [20];
+o1[k] = 42;
+ensureArrayStorage(o1);
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
</ins></span></pre></div>
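Review bot: The loop at the end only asserts the case where the key -1 is present, so this test never exercises the absent-key result for an array with this storage type. Adding a second array that goes through ensureArrayStorage without the o1[k] assignment and asserting shouldBe(test1(o2), false), as operation-in-may-have-negative-int32.js does with its o2, would cover both outcomes; the same applies to the contiguous, double, generic and int32 array variants.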
<a id="trunkJSTestsstressoperationinmayhavenegativeint32contiguousarrayjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32-contiguous-array.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32-contiguous-array.js                            (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32-contiguous-array.js       2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = ["Cocoa"];
+o1[k] = 42;
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
</ins></span></pre></div>
<a id="trunkJSTestsstressoperationinmayhavenegativeint32doublearrayjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32-double-array.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32-double-array.js                                (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32-double-array.js   2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = [42.5];
+o1[k] = 300.2;
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
</ins></span></pre></div>
<a id="trunkJSTestsstressoperationinmayhavenegativeint32genericarrayjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32-generic-array.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32-generic-array.js                               (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32-generic-array.js  2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = [];
+o1[k] = 42;
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
</ins></span></pre></div>
<a id="trunkJSTestsstressoperationinmayhavenegativeint32int32arrayjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32-int32-array.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32-int32-array.js                         (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32-int32-array.js    2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,18 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = [20];
+o1[k] = 42;
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
</ins></span></pre></div>
<a id="trunkJSTestsstressoperationinmayhavenegativeint32js"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-may-have-negative-int32.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-may-have-negative-int32.js                             (rev 0)
+++ trunk/JSTests/stress/operation-in-may-have-negative-int32.js        2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,32 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var k = -1;
+var o1 = {};
+o1[k] = true;
+var o2 = {};
+
+function test1(o)
+{
+    return k in o;
+}
+noInline(test1);
+
+function test2(o)
+{
+    return k in o;
+}
+noInline(test2);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1), true);
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o2), false);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test2(o2), false);
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test2(o1), true);
</ins></span></pre></div>
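Review bot: test1 and test2 have identical bodies and differ only in the order the loops feed them o1 and o2, but nothing in the file says that the order is the point. A one-line comment above test2 stating that it sees the absent case first and the present case second would keep a later cleanup from merging the two functions.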
<a id="trunkJSTestsstressoperationinnegativeint32castjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/operation-in-negative-int32-cast.js (0 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/operation-in-negative-int32-cast.js                         (rev 0)
+++ trunk/JSTests/stress/operation-in-negative-int32-cast.js    2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -0,0 +1,20 @@
</span><ins>+function shouldBe(actual, expected)
+{
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var INT32_MIN = -2147483648;
+var INT32_MIN_IN_UINT32 = 0x80000000;
+var o1 = [];
+o1[INT32_MIN_IN_UINT32] = true;
+ensureArrayStorage(o1);
+
+function test1(o, key)
+{
+    return key in o;
+}
+noInline(test1);
+
+for (var i = 0; i < 1e6; ++i)
+    shouldBe(test1(o1, INT32_MIN), false);
</ins></span></pre></div>
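Review bot: The only assertion is shouldBe(test1(o1, INT32_MIN), false), which would also pass if the o1[INT32_MIN_IN_UINT32] store had no effect or if the lookup always returned false. Asserting that INT32_MIN_IN_UINT32 in o1 is true before the loop would show that the property exists and that the false result comes from the key not being reinterpreted as 0x80000000.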
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/ChangeLog       2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -1,3 +1,37 @@
</span><ins>+2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
+        https://bugs.webkit.org/show_bug.cgi?id=180190
+
+        Reviewed by Mark Lam.
+
+        If DFG HasIndexedProperty node observes negative index, it goes to a slow
+        path by calling operationHasIndexedProperty. The problem is that
+        operationHasIndexedProperty does not account negative index. Negative index
+        was used as uint32 array index.
+
+        In this patch we add a path for negative index in operationHasIndexedProperty.
+        And rename it to operationHasIndexedPropertyByInt to make intension clear.
+        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
+        since it is only used in DFG and FTL.
+
+        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
+        This causes repeated OSR exit and significantly regresses the performance. We opened
+        a bug to track this issue[1].
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
+
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+
</ins><span class="cx"> 2017-11-30  Michael Saboff  <msaboff@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Allow JSC command line tool to accept UTF8
</span></span></pre></div>
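Review bot: Two wording slips in the added entry: "does not account negative index" is missing "for", and "to make intension clear" should read "intention". The sentence starting "And rename it" would also read better joined to the previous one.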
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp   2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -634,7 +634,7 @@
</span><span class="cx">     NativeCallFrameTracer tracer(vm, exec);
</span><span class="cx">     
</span><span class="cx">     if (index < 0) {
</span><del>-        // Go the slowest way possible becase negative indices don't use indexed storage.
</del><ins>+        // Go the slowest way possible because negative indices don't use indexed storage.
</ins><span class="cx">         return JSValue::encode(JSValue(base).get(exec, Identifier::from(exec, index)));
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="lines">@@ -1808,6 +1808,18 @@
</span><span class="cx">     return reinterpret_cast<char*>(asObject(cell)->ensureArrayStorage(vm));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyByInt(ExecState* exec, JSCell* baseCell, int32_t subscript, int32_t internalMethodType)
+{
+    VM& vm = exec->vm();
+    NativeCallFrameTracer tracer(&vm, exec);
+    JSObject* object = baseCell->toObject(exec, exec->lexicalGlobalObject());
+    if (UNLIKELY(subscript < 0)) {
+        // Go the slowest way possible because negative indices don't use indexed storage.
+        return JSValue::encode(jsBoolean(object->hasPropertyGeneric(exec, Identifier::from(exec, subscript), static_cast<PropertySlot::InternalMethodType>(internalMethodType))));
+    }
+    return JSValue::encode(jsBoolean(object->hasPropertyGeneric(exec, subscript, static_cast<PropertySlot::InternalMethodType>(internalMethodType))));
+}
+
</ins><span class="cx"> StringImpl* JIT_OPERATION operationResolveRope(ExecState* exec, JSString* string)
</span><span class="cx"> {
</span><span class="cx">     VM& vm = exec->vm();
</span></span></pre></div>
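Review bot: In the final return of operationHasIndexedPropertyByInt, subscript is still passed as an int32_t, so the non-negative path keeps relying on the implicit signed-to-unsigned conversion that the log message names as the cause of the bug. Casting subscript to uint32_t explicitly after the subscript &lt; 0 check would make the guarded assumption visible at the call site. The cast of internalMethodType is also written out in both returns and could be hoisted into a local before the branch.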
<a id="trunkSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.h (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.h  2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.h     2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -80,6 +80,7 @@
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetByValWithThis(ExecState*, EncodedJSValue, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetPrototypeOf(ExecState*, EncodedJSValue) WTF_INTERNAL;
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationGetPrototypeOfObject(ExecState*, JSObject*) WTF_INTERNAL;
</span><ins>+EncodedJSValue JIT_OPERATION operationHasIndexedPropertyByInt(ExecState*, JSCell*, int32_t, int32_t);
</ins><span class="cx"> char* JIT_OPERATION operationNewArray(ExecState*, Structure*, void*, size_t) WTF_INTERNAL;
</span><span class="cx"> char* JIT_OPERATION operationNewArrayBuffer(ExecState*, Structure*, size_t, size_t) WTF_INTERNAL;
</span><span class="cx"> char* JIT_OPERATION operationNewEmptyArray(ExecState*, Structure*) WTF_INTERNAL;
</span></span></pre></div>
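Review bot: The added operationHasIndexedPropertyByInt declaration has no WTF_INTERNAL, while all six context declarations around it in this hunk carry it. The declaration removed from JITOperations.h lacked it as well, so this looks carried over from the old location; add WTF_INTERNAL to match this header or note why it is left off.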
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp       2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp  2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -5271,7 +5271,7 @@
</span><span class="cx">         moveTrueTo(resultPayloadGPR);
</span><span class="cx">         MacroAssembler::Jump done = m_jit.jump();
</span><span class="cx"> 
</span><del>-        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, JSValueRegs(resultTagGPR, resultPayloadGPR), baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</del><ins>+        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedPropertyByInt, JSValueRegs(resultTagGPR, resultPayloadGPR), baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</ins><span class="cx">         
</span><span class="cx">         done.link(&m_jit);
</span><span class="cx">         booleanResult(resultPayloadGPR, node);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp  2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp     2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -5733,7 +5733,7 @@
</span><span class="cx">         }
</span><span class="cx">         }
</span><span class="cx"> 
</span><del>-        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedProperty, resultGPR, baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</del><ins>+        addSlowPathGenerator(slowPathCall(slowCases, this, operationHasIndexedPropertyByInt, resultGPR, baseGPR, indexGPR, static_cast<int32_t>(node->internalMethodType())));
</ins><span class="cx">         
</span><span class="cx">         jsValueResult(resultGPR, node, DataFormatJSBoolean);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -9428,7 +9428,7 @@
</span><span class="cx">             m_out.appendTo(slowCase, continuation);
</span><span class="cx">             ValueFromBlock slowResult = m_out.anchor(m_out.equal(
</span><span class="cx">                 m_out.constInt64(JSValue::encode(jsBoolean(true))), 
</span><del>-                vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index, internalMethodType)));
</del><ins>+                vmCall(Int64, m_out.operation(operationHasIndexedPropertyByInt), m_callFrame, base, index, internalMethodType)));
</ins><span class="cx">             m_out.jump(continuation);
</span><span class="cx"> 
</span><span class="cx">             m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -9464,7 +9464,7 @@
</span><span class="cx">             m_out.appendTo(slowCase, continuation);
</span><span class="cx">             ValueFromBlock slowResult = m_out.anchor(m_out.equal(
</span><span class="cx">                 m_out.constInt64(JSValue::encode(jsBoolean(true))), 
</span><del>-                vmCall(Int64, m_out.operation(operationHasIndexedProperty), m_callFrame, base, index, internalMethodType)));
</del><ins>+                vmCall(Int64, m_out.operation(operationHasIndexedPropertyByInt), m_callFrame, base, index, internalMethodType)));
</ins><span class="cx">             m_out.jump(continuation);
</span><span class="cx">             
</span><span class="cx">             m_out.appendTo(continuation, lastNext);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.cpp (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.cpp        2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.cpp   2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -2398,14 +2398,6 @@
</span><span class="cx">     return JSValue::encode(jsBoolean(base->hasPropertyGeneric(exec, asString(propertyName)->toIdentifier(exec), PropertySlot::InternalMethodType::GetOwnProperty)));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState* exec, JSCell* baseCell, int32_t subscript, int32_t internalMethodType)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    JSObject* object = baseCell->toObject(exec, exec->lexicalGlobalObject());
-    return JSValue::encode(jsBoolean(object->hasPropertyGeneric(exec, subscript, static_cast<PropertySlot::InternalMethodType>(internalMethodType))));
-}
-    
</del><span class="cx"> JSCell* JIT_OPERATION operationGetPropertyEnumerator(ExecState* exec, JSCell* cell)
</span><span class="cx"> {
</span><span class="cx">     VM& vm = exec->vm();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITOperations.h (225341 => 225342)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITOperations.h  2017-11-30 20:40:04 UTC (rev 225341)
+++ trunk/Source/JavaScriptCore/jit/JITOperations.h     2017-11-30 20:48:53 UTC (rev 225342)
</span><span class="lines">@@ -461,7 +461,6 @@
</span><span class="cx"> int32_t JIT_OPERATION operationInstanceOfCustom(ExecState*, EncodedJSValue encodedValue, JSObject* constructor, EncodedJSValue encodedHasInstance) WTF_INTERNAL;
</span><span class="cx"> 
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationHasGenericProperty(ExecState*, EncodedJSValue, JSCell*);
</span><del>-EncodedJSValue JIT_OPERATION operationHasIndexedProperty(ExecState*, JSCell*, int32_t, int32_t);
</del><span class="cx"> JSCell* JIT_OPERATION operationGetPropertyEnumerator(ExecState*, JSCell*);
</span><span class="cx"> EncodedJSValue JIT_OPERATION operationNextEnumeratorPname(ExecState*, JSCell*, int32_t);
</span><span class="cx"> JSCell* JIT_OPERATION operationToIndexString(ExecState*, int32_t);
</span></span></pre>
</div>
</div>

</body>
</html>