<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[279747] branches/safari-612.1.23-branch</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/279747">279747</a></dd>
<dt>Author</dt> <dd>repstein@apple.com</dd>
<dt>Date</dt> <dd>2021-07-08 13:27:22 -0700 (Thu, 08 Jul 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/279690">r279690</a>. rdar://problem/80339399

    [JSC] Fix Object.assign fast path to accept undefined/null
    https://bugs.webkit.org/show_bug.cgi?id=227769
    rdar://80264271

    Reviewed by Saam Barati.

    JSTests:

    * stress/object-assign-undefined.js: Added.
    (test):

    Source/JavaScriptCore:

    Object.assign can accept undefined or null as the second (or a later) parameter.
    If it is passed, the parameter is just ignored. The previous DFG / FTL optimization patch
    does not handle this case.

    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode):
    * dfg/DFGOperations.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
    * dfg/DFGOperations.h:
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileObjectAssign):
    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
    * runtime/ObjectConstructor.cpp:
    (JSC::JSC_DEFINE_HOST_FUNCTION):
    * runtime/ObjectConstructorInlines.h:
    (JSC::objectAssignFast):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279690 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari612123branchJSTestsChangeLog">branches/safari-612.1.23-branch/JSTests/ChangeLog</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoreChangeLog">branches/safari-612.1.23-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoredfgDFGByteCodeParsercpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoredfgDFGFixupPhasecpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoredfgDFGOperationscpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoredfgDFGOperationsh">branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoreruntimeObjectConstructorcpp">branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructor.cpp</a></li>
<li><a href="#branchessafari612123branchSourceJavaScriptCoreruntimeObjectConstructorInlinesh">branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#branchessafari612123branchJSTestsstressobjectassignundefinedjs">branches/safari-612.1.23-branch/JSTests/stress/object-assign-undefined.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari612123branchJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/JSTests/ChangeLog (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/JSTests/ChangeLog        2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/JSTests/ChangeLog   2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -1,5 +1,56 @@
</span><span class="cx"> 2021-07-08  Ruben Turcios  <rubent_22@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r279690. rdar://problem/80339399
+
+    [JSC] Fix Object.assign fast path to accept undefined/null
+    https://bugs.webkit.org/show_bug.cgi?id=227769
+    rdar://80264271
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/object-assign-undefined.js: Added.
+    (test):
+    
+    Source/JavaScriptCore:
+    
+    Object.assign can accept undefined or null as a second (or latter) parameters.
+    If it is passed, the parameter is just ignored. Previous DFG / FTL optimization patch
+    does not handle this case.
+    
+    * dfg/DFGByteCodeParser.cpp:
+    (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+    * dfg/DFGFixupPhase.cpp:
+    (JSC::DFG::FixupPhase::fixupNode):
+    * dfg/DFGOperations.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGOperations.h:
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileObjectAssign):
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
+    * runtime/ObjectConstructor.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/ObjectConstructorInlines.h:
+    (JSC::objectAssignFast):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279690 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-07-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
+            [JSC] Fix Object.assign fast path to accept undefined/null
+            https://bugs.webkit.org/show_bug.cgi?id=227769
+            rdar://80264271
+
+            Reviewed by Saam Barati.
+
+            * stress/object-assign-undefined.js: Added.
+            (test):
+
+2021-07-08  Ruben Turcios  <rubent_22@apple.com>
+
</ins><span class="cx">         Cherry-pick r279604. rdar://problem/80340434
</span><span class="cx"> 
</span><span class="cx">     [JSC] Optimize Object.assign and putDirectInternal
</span></span></pre></div>
<a id="branchessafari612123branchJSTestsstressobjectassignundefinedjs"></a>
<div class="addfile"><h4>Added: branches/safari-612.1.23-branch/JSTests/stress/object-assign-undefined.js (0 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/JSTests/stress/object-assign-undefined.js                                (rev 0)
+++ branches/safari-612.1.23-branch/JSTests/stress/object-assign-undefined.js   2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+function test(target, source)
+{
+    Object.assign(target, source);
+}
+noInline(test);
+
+test({}, undefined);
+test({}, null);
+for (var i = 0; i < 1e4; ++i)
+    test({}, {});
+test({}, undefined);
+test({}, null);
+for (var i = 0; i < 1e4; ++i)
+    test({}, undefined);
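Review bot: the test never asserts on a result, so it only catches crashes and uncaught exceptions; have `test` return `Object.assign(target, source)` and, for the undefined/null calls, throw unless the return value is `target` and `Object.keys(target).length === 0`, so a fast path that copies something from a nullish source is caught as well. The ordering is right: the 1e4 warm-up with object sources compiles the ObjectUse speculation, the following undefined/null calls force the exit, and the second loop re-tiers with UntypedUse; a one-line comment saying so would help the next reader.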
</ins></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/ChangeLog (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/ChangeLog  2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/ChangeLog     2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -1,5 +1,73 @@
</span><span class="cx"> 2021-07-08  Ruben Turcios  <rubent_22@apple.com>
</span><span class="cx"> 
</span><ins>+        Cherry-pick r279690. rdar://problem/80339399
+
+    [JSC] Fix Object.assign fast path to accept undefined/null
+    https://bugs.webkit.org/show_bug.cgi?id=227769
+    rdar://80264271
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/object-assign-undefined.js: Added.
+    (test):
+    
+    Source/JavaScriptCore:
+    
+    Object.assign can accept undefined or null as a second (or latter) parameters.
+    If it is passed, the parameter is just ignored. Previous DFG / FTL optimization patch
+    does not handle this case.
+    
+    * dfg/DFGByteCodeParser.cpp:
+    (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+    * dfg/DFGFixupPhase.cpp:
+    (JSC::DFG::FixupPhase::fixupNode):
+    * dfg/DFGOperations.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGOperations.h:
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileObjectAssign):
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
+    * runtime/ObjectConstructor.cpp:
+    (JSC::JSC_DEFINE_HOST_FUNCTION):
+    * runtime/ObjectConstructorInlines.h:
+    (JSC::objectAssignFast):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279690 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-07-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
+            [JSC] Fix Object.assign fast path to accept undefined/null
+            https://bugs.webkit.org/show_bug.cgi?id=227769
+            rdar://80264271
+
+            Reviewed by Saam Barati.
+
+            Object.assign can accept undefined or null as a second (or latter) parameters.
+            If it is passed, the parameter is just ignored. Previous DFG / FTL optimization patch
+            does not handle this case.
+
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+            * dfg/DFGFixupPhase.cpp:
+            (JSC::DFG::FixupPhase::fixupNode):
+            * dfg/DFGOperations.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * dfg/DFGOperations.h:
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileObjectAssign):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileObjectAssign):
+            * runtime/ObjectConstructor.cpp:
+            (JSC::JSC_DEFINE_HOST_FUNCTION):
+            * runtime/ObjectConstructorInlines.h:
+            (JSC::objectAssignFast):
+
+2021-07-08  Ruben Turcios  <rubent_22@apple.com>
+
</ins><span class="cx">         Cherry-pick r279604. rdar://problem/80340434
</span><span class="cx"> 
</span><span class="cx">     [JSC] Optimize Object.assign and putDirectInternal
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp  2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp     2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -2943,10 +2943,7 @@
</span><span class="cx">             Node* target = addToGraph(ToObject, OpInfo(errorStringIndex), OpInfo(SpecNone), get(virtualRegisterForArgumentIncludingThis(1, registerOffset)));
</span><span class="cx">             m_exitOK = true;
</span><span class="cx">             addToGraph(ExitOK);
</span><del>-            Node* source = addToGraph(ToObject, OpInfo(errorStringIndex), OpInfo(SpecNone), get(virtualRegisterForArgumentIncludingThis(2, registerOffset)));
-            m_exitOK = true;
-            addToGraph(ExitOK);
-            addToGraph(ObjectAssign, Edge(target, KnownCellUse), Edge(source, KnownCellUse));
</del><ins>+            addToGraph(ObjectAssign, Edge(target, KnownCellUse), Edge(get(virtualRegisterForArgumentIncludingThis(2, registerOffset))));
</ins><span class="cx">             setResult(target);
</span><span class="cx">             return true;
</span><span class="cx">         }
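Review bot: the new source edge `Edge(get(virtualRegisterForArgumentIncludingThis(2, registerOffset)))` relies on Edge's default use kind (UntypedUse); spelling it as `Edge(..., UntypedUse)` makes it explicit that FixupPhase is expected to narrow it. Also, with the ToObject on the source removed, the ToObject conversion (and any exception it raises) now happens inside the ObjectAssign operation itself; this hunk does not show the abstract interpreter, clobberize or safe-to-execute rules for ObjectAssign, so confirm none of them assume child2 is a cell now that a non-cell JSValue can reach the node.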
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp      2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -2800,6 +2800,15 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx"> 
</span><ins>+        case ObjectAssign: {
+            Edge& source = node->child2();
+            if (source->shouldSpeculateObject())
+                fixEdge<ObjectUse>(source);
+            else
+                fixEdge<UntypedUse>(source);
+            break;
+        }
+
</ins><span class="cx"> #if ASSERT_ENABLED
</span><span class="cx">         // Have these no-op cases here to ensure that nobody forgets to add handlers for new opcodes.
</span><span class="cx">         case SetArgumentDefinitely:
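Review bot: the new `case ObjectAssign` only fixes child2; a short comment that child1 already carries KnownCellUse from the bytecode parser (after its ToObject) would stop a reader from thinking the target edge was forgotten. Separately, when the profile says the source is only ever undefined/null, `shouldSpeculateObject()` is false and the node falls to UntypedUse with a full call; that is correct, just not the cheapest option, so it is worth a note or a follow-up bug rather than a change here.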
</span><span class="lines">@@ -2892,7 +2901,6 @@
</span><span class="cx">         case FilterSetPrivateBrandStatus:
</span><span class="cx">         case InvalidationPoint:
</span><span class="cx">         case CreateArgumentsButterfly:
</span><del>-        case ObjectAssign:
</del><span class="cx">             break;
</span><span class="cx"> #else // not ASSERT_ENABLED
</span><span class="cx">         default:
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp      2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp 2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -310,7 +310,6 @@
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><del>-
</del><span class="cx">     bool targetCanPerformFastPut = jsDynamicCast<JSFinalObject*>(vm, target) && target->canPerformFastPutInlineExcludingProto(vm) && target->isStructureExtensible(vm);
</span><span class="cx"> 
</span><span class="cx">     if (targetCanPerformFastPut) {
</span><span class="lines">@@ -366,6 +365,38 @@
</span><span class="cx">     objectAssignGeneric(globalObject, vm, target, source);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+JSC_DEFINE_JIT_OPERATION(operationObjectAssignUntyped, void, (JSGlobalObject* globalObject, JSObject* target, EncodedJSValue encodedSource))
+{
+    VM& vm = globalObject->vm();
+    CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
+    JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
+    auto scope = DECLARE_THROW_SCOPE(vm);
+
+    bool targetCanPerformFastPut = jsDynamicCast<JSFinalObject*>(vm, target) && target->canPerformFastPutInlineExcludingProto(vm) && target->isStructureExtensible(vm);
+
+    JSValue sourceValue = JSValue::decode(encodedSource);
+    if (sourceValue.isUndefinedOrNull())
+        return;
+    JSObject* source = sourceValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
+
+    if (targetCanPerformFastPut) {
+        if (!source->staticPropertiesReified(vm)) {
+            source->reifyAllStaticProperties(globalObject);
+            RETURN_IF_EXCEPTION(scope, void());
+        }
+
+        if (canPerformFastPropertyEnumerationForObjectAssign(source->structure(vm))) {
+            Vector<RefPtr<UniquedStringImpl>, 8> properties;
+            MarkedArgumentBuffer values;
+            objectAssignFast(vm, target, source, properties, values);
+            return;
+        }
+    }
+
+    objectAssignGeneric(globalObject, vm, target, source);
+}
+
</ins><span class="cx"> JSC_DEFINE_JIT_OPERATION(operationCreateThis, JSCell*, (JSGlobalObject* globalObject, JSObject* constructor, uint32_t inlineCapacity))
</span><span class="cx"> {
</span><span class="cx">     VM& vm = globalObject->vm();
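Review bot: `targetCanPerformFastPut` is computed before the `sourceValue.isUndefinedOrNull()` early return, so the three target checks run even when there is nothing to copy; move the nullish check to the top of the function. From `targetCanPerformFastPut` onward the body is identical to `operationObjectAssignObject` just above, so the two copies will drift; the cheap fix is to have `operationObjectAssignUntyped` do the nullish/`toObject` handling and then share the rest with the object variant through a `static` helper, measuring object-assign-replace since the ChangeLog comment records an earlier extraction regressing it.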
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.h (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.h        2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGOperations.h   2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -54,6 +54,7 @@
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationObjectCreate, JSCell*, (JSGlobalObject*, EncodedJSValue));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationObjectCreateObject, JSCell*, (JSGlobalObject*, JSObject*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationObjectAssignObject, void, (JSGlobalObject*, JSObject*, JSObject*));
</span><ins>+JSC_DECLARE_JIT_OPERATION(operationObjectAssignUntyped, void, (JSGlobalObject*, JSObject*, EncodedJSValue));
</ins><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationCreateThis, JSCell*, (JSGlobalObject*, JSObject* constructor, uint32_t inlineCapacity));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationCreatePromise, JSCell*, (JSGlobalObject*, JSObject* constructor));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationCreateInternalPromise, JSCell*, (JSGlobalObject*, JSObject* constructor));
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp  2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp     2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -14052,16 +14052,40 @@
</span><span class="cx"> void SpeculativeJIT::compileObjectAssign(Node* node)
</span><span class="cx"> {
</span><span class="cx">     SpeculateCellOperand target(this, node->child1());
</span><del>-    SpeculateCellOperand source(this, node->child2());
</del><span class="cx"> 
</span><del>-    GPRReg targetGPR = target.gpr();
-    GPRReg sourceGPR = source.gpr();
</del><ins>+    switch (node->child2().useKind()) {
+    case ObjectUse: {
+        SpeculateCellOperand source(this, node->child2());
</ins><span class="cx"> 
</span><del>-    flushRegisters();
-    callOperation(operationObjectAssignObject, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), targetGPR, sourceGPR);
-    m_jit.exceptionCheck();
</del><ins>+        GPRReg targetGPR = target.gpr();
+        GPRReg sourceGPR = source.gpr();
</ins><span class="cx"> 
</span><del>-    noResult(node);
</del><ins>+        speculateObject(node->child2(), sourceGPR);
+
+        flushRegisters();
+        callOperation(operationObjectAssignObject, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), targetGPR, sourceGPR);
+        m_jit.exceptionCheck();
+
+        noResult(node);
+        return;
+    }
+    case UntypedUse: {
+        JSValueOperand source(this, node->child2());
+
+        GPRReg targetGPR = target.gpr();
+        JSValueRegs sourceRegs = source.jsValueRegs();
+
+        flushRegisters();
+        callOperation(operationObjectAssignUntyped, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), targetGPR, sourceRegs);
+        m_jit.exceptionCheck();
+
+        noResult(node);
+        return;
+    }
+    default:
+        DFG_CRASH(m_jit.graph(), node, "Bad use kind");
+        return;
+    }
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compileObjectCreate(Node* node)
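Review bot: the `ObjectUse` and `UntypedUse` arms repeat the `flushRegisters()` / `callOperation` / `m_jit.exceptionCheck()` / `noResult(node)` tail; only the operand type and the callee differ, so a shared tail after the switch would halve the body. In the ObjectUse arm, `speculateObject(node->child2(), sourceGPR)` is what turns the cell into a proven object before the call, so a wrong profile exits instead of feeding a non-object to `operationObjectAssignObject`; that is correct and deserves a one-line comment.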
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp    2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp       2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -7082,7 +7082,17 @@
</span><span class="cx">     void compileObjectAssign()
</span><span class="cx">     {
</span><span class="cx">         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_origin.semantic);
</span><del>-        vmCall(Void, operationObjectAssignObject, weakPointer(globalObject), lowCell(m_node->child1()), lowCell(m_node->child2()));
</del><ins>+        switch (m_node->child2().useKind()) {
+        case ObjectUse:
+            vmCall(Void, operationObjectAssignObject, weakPointer(globalObject), lowCell(m_node->child1()), lowObject(m_node->child2()));
+            return;
+        case UntypedUse:
+            vmCall(Void, operationObjectAssignUntyped, weakPointer(globalObject), lowCell(m_node->child1()), lowJSValue(m_node->child2()));
+            return;
+        default:
+            DFG_CRASH(m_graph, m_node, "Bad use kind");
+            return;
+        }
</ins><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     void compileObjectCreate()
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoreruntimeObjectConstructorcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructor.cpp (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructor.cpp      2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructor.cpp 2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -333,42 +333,7 @@
</span><span class="cx">             }
</span><span class="cx"> 
</span><span class="cx">             if (canPerformFastPropertyEnumerationForObjectAssign(source->structure(vm))) {
</span><del>-                // |source| Structure does not have any getters. And target can perform fast put.
-                // So enumerating properties and putting properties are non observable.
-
-                // FIXME: It doesn't seem like we should have to do this in two phases, but
-                // we're running into crashes where it appears that source is transitioning
-                // under us, and even ends up in a state where it has a null butterfly. My
-                // leading hypothesis here is that we fire some value replacement watchpoint
-                // that ends up transitioning the structure underneath us.
-                // https://bugs.webkit.org/show_bug.cgi?id=187837
-
-                // FIXME: This fast path is very similar to DFGOperations' one. But extracting it to a function caused performance
-                // regression in object-assign-replace. Since the code is small and fast path, we keep both.
-
-                // Do not clear since Vector::clear shrinks the backing store.
-                properties.resize(0);
-                values.clear();
-                source->structure(vm)->forEachProperty(vm, [&] (const PropertyMapEntry& entry) -> bool {
-                    if (entry.attributes & PropertyAttribute::DontEnum)
-                        return true;
-
-                    PropertyName propertyName(entry.key);
-                    if (propertyName.isPrivateName())
-                        return true;
-
-                    properties.append(entry.key);
-                    values.appendWithCrashOnOverflow(source->getDirect(entry.offset));
-
-                    return true;
-                });
-
-                for (size_t i = 0; i < properties.size(); ++i) {
-                    // FIXME: We could put properties in a batching manner to accelerate Object.assign more.
-                    // https://bugs.webkit.org/show_bug.cgi?id=185358
-                    PutPropertySlot putPropertySlot(target, true);
-                    target->putOwnDataProperty(vm, properties[i].get(), values.at(i), putPropertySlot);
-                }
</del><ins>+                objectAssignFast(vm, target, source, properties, values);
</ins><span class="cx">                 continue;
</span><span class="cx">             }
</span><span class="cx">         }
</span></span></pre></div>
<a id="branchessafari612123branchSourceJavaScriptCoreruntimeObjectConstructorInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h (279746 => 279747)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h 2021-07-08 20:27:16 UTC (rev 279746)
+++ branches/safari-612.1.23-branch/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h    2021-07-08 20:27:22 UTC (rev 279747)
</span><span class="lines">@@ -53,4 +53,45 @@
</span><span class="cx">     return true;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+ALWAYS_INLINE void objectAssignFast(VM& vm, JSObject* target, JSObject* source, Vector<RefPtr<UniquedStringImpl>, 8>& properties, MarkedArgumentBuffer& values)
+{
+    // |source| Structure does not have any getters. And target can perform fast put.
+    // So enumerating properties and putting properties are non observable.
+
+    // FIXME: It doesn't seem like we should have to do this in two phases, but
+    // we're running into crashes where it appears that source is transitioning
+    // under us, and even ends up in a state where it has a null butterfly. My
+    // leading hypothesis here is that we fire some value replacement watchpoint
+    // that ends up transitioning the structure underneath us.
+    // https://bugs.webkit.org/show_bug.cgi?id=187837
+
+    // FIXME: This fast path is very similar to ObjectConstructor' one. But extracting it to a function caused performance
+    // regression in object-assign-replace. Since the code is small and fast path, we keep both.
+
+    // Do not clear since Vector::clear shrinks the backing store.
+    properties.resize(0);
+    values.clear();
+    source->structure(vm)->forEachProperty(vm, [&] (const PropertyMapEntry& entry) -> bool {
+        if (entry.attributes & PropertyAttribute::DontEnum)
+            return true;
+
+        PropertyName propertyName(entry.key);
+        if (propertyName.isPrivateName())
+            return true;
+
+        properties.append(entry.key);
+        values.appendWithCrashOnOverflow(source->getDirect(entry.offset));
+
+        return true;
+    });
+
+    for (size_t i = 0; i < properties.size(); ++i) {
+        // FIXME: We could put properties in a batching manner to accelerate Object.assign more.
+        // https://bugs.webkit.org/show_bug.cgi?id=185358
+        PutPropertySlot putPropertySlot(target, true);
+        target->putOwnDataProperty(vm, properties[i].get(), values.at(i), putPropertySlot);
+    }
+}
+
+
</ins><span class="cx"> } // namespace JSC
</span></span></pre>
</div>
</div>

</body>
</html>