[ES6] Add support for Symbol.hasInstance
https://bugs.webkit.org/show_bug.cgi?id=151839
Reviewed by Saam Barati.
Source/JavaScriptCore:
Fixed version of r193986, r193983, and r193974.
This patch adds support for Symbol.hasInstance, unfortunately in order to prevent
regressions several new bytecodes and DFG IR nodes were necessary. Before, Symbol.hasInstance
when executing an instanceof expression we would emit three bytecodes: overrides_has_instance, get_by_id,
then instanceof. As the spec has changed, we emit a more complicated set of bytecodes in addition to some
new ones. First the role of overrides_has_instance and its corresponding DFG node have changed. Now it returns
a js-boolean indicating whether the RHS of the instanceof expression (from here on called the constructor for simplicity)
needs non-default behavior for resolving the expression. i.e. The constructor has a Symbol.hasInstance that differs from the one on
Function.prototype[Symbol.hasInstance] or is a bound/C-API function. Once we get to the DFG this node is generally eliminated as
we can prove the value of Symbol.hasInstance is a constant. The second new bytecode is instanceof_custom. insntanceof_custom, just
emits a call to slow path code that computes the result.
In the DFG, there is also a new node, CheckTypeInfoFlags, which checks the type info flags are consistent with the ones provided and
OSR exits if the flags are not. Additionally, we attempt to prove that the result of CheckHasValue will be a constant and transform
it into a CheckTypeInfoFlags followed by a JSConstant.
* API/JSCallbackObject.h:
* builtins/FunctionPrototype.js:
(symbolHasInstance):
* bytecode/BytecodeBasicBlock.cpp:
(JSC::isBranch): Deleted.
* bytecode/BytecodeList.json:
* bytecode/BytecodeUseDef.h:
(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* bytecode/PreciseJumpTargets.cpp:
(JSC::getJumpTargetsForBytecodeOffset): Deleted.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitOverridesHasInstance):
(JSC::BytecodeGenerator::emitInstanceOfCustom):
(JSC::BytecodeGenerator::emitCheckHasInstance): Deleted.
* bytecompiler/BytecodeGenerator.h:
* bytecompiler/NodesCodegen.cpp:
(JSC::InstanceOfNode::emitBytecode):
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGCapabilities.cpp:
(JSC::DFG::capabilityLevel):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasCellOperand):
(JSC::DFG::Node::hasTypeInfoOperand):
(JSC::DFG::Node::typeInfoOperand):
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
(JSC::DFG::SpeculativeJIT::compileInstanceOfCustom):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileOverridesHasInstance):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckTypeInfoFlags):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOfCustom):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance): Deleted.
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):
* jit/JIT.h:
* jit/JITInlines.h:
(JSC::JIT::callOperation):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_overrides_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emit_op_instanceof_custom):
(JSC::JIT::emitSlow_op_instanceof_custom):
(JSC::JIT::emit_op_check_has_instance): Deleted.
(JSC::JIT::emitSlow_op_check_has_instance): Deleted.
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LLIntSlowPaths.h:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/CommonIdentifiers.h:
* runtime/ExceptionHelpers.cpp:
(JSC::invalidParameterInstanceofSourceAppender):
(JSC::invalidParameterInstanceofNotFunctionSourceAppender):
(JSC::invalidParameterInstanceofhasInstanceValueNotFunctionSourceAppender):
(JSC::createInvalidInstanceofParameterErrorNotFunction):
(JSC::createInvalidInstanceofParameterErrorhasInstanceValueNotFunction):
(JSC::createInvalidInstanceofParameterError): Deleted.
* runtime/ExceptionHelpers.h:
* runtime/FunctionPrototype.cpp:
(JSC::FunctionPrototype::addFunctionProperties):
* runtime/FunctionPrototype.h:
* runtime/JSBoundFunction.cpp:
(JSC::isBoundFunction):
(JSC::hasInstanceBoundFunction):
* runtime/JSBoundFunction.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::functionProtoHasInstanceSymbolFunction):
* runtime/JSObject.cpp:
(JSC::JSObject::hasInstance):
(JSC::objectPrivateFuncInstanceOf):
* runtime/JSObject.h:
* runtime/JSTypeInfo.h:
(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesHasInstance):
* runtime/WriteBarrier.h:
(JSC::WriteBarrierBase<Unknown>::slot):
* tests/es6.yaml:
* tests/stress/instanceof-custom-hasinstancesymbol.js: Added.
(Constructor):
(value):
(instanceOf):
(body):
* tests/stress/symbol-hasInstance.js: Added.
(Constructor):
(value):
(ObjectClass.Symbol.hasInstance):
(NumberClass.Symbol.hasInstance):
LayoutTests:
Fix tests to reflect the changes to instanceof in ES6.
Added a new regression test for bound functions in instanceof
as the perfomance on bound functions should, to some degree,
reflect the performance on C-API users.
* inspector/model/remote-object-get-properties-expected.txt:
* js/Object-getOwnPropertyNames-expected.txt:
* js/exception-for-nonobject-expected.txt:
* js/exception-instanceof-expected.txt:
* js/instance-of-immediates-expected.txt:
* js/regress/instanceof-bound-expected.txt: Added.
* js/regress/instanceof-bound.html: Added.
* js/regress/script-tests/instanceof-bound.js: Added.
(Constructor):
(test):
* js/script-tests/Object-getOwnPropertyNames.js:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@194248 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 1a2d72a..34ef630 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -2465,12 +2465,17 @@
case NotifyWrite:
break;
- case CheckHasInstance:
- // Sadly, we don't propagate the fact that we've done CheckHasInstance
+ case OverridesHasInstance:
+ forNode(node).setType(SpecBoolean);
break;
case InstanceOf:
- // Again, sadly, we don't propagate the fact that we've done InstanceOf
+ // Sadly, we don't propagate the fact that we've done InstanceOf
+ forNode(node).setType(SpecBoolean);
+ break;
+
+ case InstanceOfCustom:
+ clobberWorld(node->origin.semantic, clobberLimit);
forNode(node).setType(SpecBoolean);
break;
@@ -2527,6 +2532,7 @@
case CountExecution:
case CheckTierUpInLoop:
case CheckTierUpAtReturn:
+ case CheckTypeInfoFlags:
break;
case CopyRest:
diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
index 6ad2143..4c4dd19 100644
--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -3505,9 +3505,15 @@
NEXT_OPCODE(op_check_tdz);
}
- case op_check_has_instance:
- addToGraph(CheckHasInstance, get(VirtualRegister(currentInstruction[3].u.operand)));
- NEXT_OPCODE(op_check_has_instance);
+ case op_overrides_has_instance: {
+ JSFunction* defaultHasInstanceSymbolFunction = m_inlineStackTop->m_codeBlock->globalObjectFor(currentCodeOrigin())->functionProtoHasInstanceSymbolFunction();
+
+ Node* constructor = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* hasInstanceValue = get(VirtualRegister(currentInstruction[3].u.operand));
+
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(OverridesHasInstance, OpInfo(m_graph.freeze(defaultHasInstanceSymbolFunction)), constructor, hasInstanceValue));
+ NEXT_OPCODE(op_overrides_has_instance);
+ }
case op_instanceof: {
Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
@@ -3515,7 +3521,15 @@
set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOf, value, prototype));
NEXT_OPCODE(op_instanceof);
}
-
+
+ case op_instanceof_custom: {
+ Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
+ Node* constructor = get(VirtualRegister(currentInstruction[3].u.operand));
+ Node* hasInstanceValue = get(VirtualRegister(currentInstruction[4].u.operand));
+ set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(InstanceOfCustom, value, constructor, hasInstanceValue));
+ NEXT_OPCODE(op_instanceof_custom);
+ }
+
case op_is_undefined: {
Node* value = get(VirtualRegister(currentInstruction[2].u.operand));
set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(IsUndefined, value));
diff --git a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
index d1c9bce..d100d97 100644
--- a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
@@ -128,8 +128,9 @@
case op_profile_type:
case op_profile_control_flow:
case op_mov:
- case op_check_has_instance:
+ case op_overrides_has_instance:
case op_instanceof:
+ case op_instanceof_custom:
case op_is_undefined:
case op_is_boolean:
case op_is_number:
diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
index 7a06808..72b24c7 100644
--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -740,9 +740,14 @@
read(JSCell_structureID);
return;
- case CheckHasInstance:
+ case CheckTypeInfoFlags:
read(JSCell_typeInfoFlags);
- def(HeapLocation(CheckHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
+ def(HeapLocation(CheckTypeInfoFlagsLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
+ return;
+
+ case OverridesHasInstance:
+ read(JSCell_typeInfoFlags);
+ def(HeapLocation(OverridesHasInstanceLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node));
return;
case InstanceOf:
@@ -750,6 +755,11 @@
def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
return;
+ case InstanceOfCustom:
+ read(World);
+ write(Heap);
+ return;
+
case PutStructure:
write(JSCell_structureID);
write(JSCell_typeInfoType);
diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
index f0f16ad..702da5b 100644
--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -142,8 +142,9 @@
case ProfileDidCall:
case ProfileType:
case ProfileControlFlow:
- case CheckHasInstance:
+ case OverridesHasInstance:
case InstanceOf:
+ case InstanceOfCustom:
case IsUndefined:
case IsBoolean:
case IsNumber:
@@ -181,6 +182,7 @@
case CheckInBounds:
case ConstantStoragePointer:
case Check:
+ case CheckTypeInfoFlags:
case MultiGetByOffset:
case ValueRep:
case DoubleRep:
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 13c372d..a9e0b21 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1111,10 +1111,29 @@
fixEdge<FunctionUse>(node->child1());
break;
}
+
+ case OverridesHasInstance: {
+ if (node->child2().node()->isCellConstant()) {
+ if (node->child2().node()->asCell() != m_graph.globalObjectFor(node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
+
+ m_graph.convertToConstant(node, jsBoolean(true));
+ break;
+ }
+
+ if (!m_graph.hasExitSite(node->origin.semantic, BadTypeInfoFlags)) {
+ // Here we optimistically assume that we will not see an bound/C-API function here.
+ m_insertionSet.insertNode(m_indexInBlock, SpecNone, CheckTypeInfoFlags, node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(node->child1().node(), CellUse));
+ m_graph.convertToConstant(node, jsBoolean(false));
+ break;
+ }
+ }
+
+ fixEdge<CellUse>(node->child1());
+ break;
+ }
case CheckStructure:
case CheckCell:
- case CheckHasInstance:
case CreateThis:
case GetButterfly:
case GetButterflyReadOnly: {
@@ -1175,7 +1194,11 @@
fixEdge<CellUse>(node->child2());
break;
}
-
+
+ case InstanceOfCustom:
+ fixEdge<CellUse>(node->child2());
+ break;
+
case In: {
// FIXME: We should at some point have array profiling on op_in, in which
// case we would be able to turn this into a kind of GetByVal.
@@ -1423,6 +1446,7 @@
case NotifyWrite:
case VarInjectionWatchpoint:
case Call:
+ case CheckTypeInfoFlags:
case TailCallInlinedCaller:
case Construct:
case CallVarargs:
diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
index 6923656..55d84cf 100644
--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
@@ -95,9 +95,13 @@
case ButterflyReadOnlyLoc:
out.print("ButterflyReadOnlyLoc");
return;
-
- case CheckHasInstanceLoc:
- out.print("CheckHasInstanceLoc");
+
+ case CheckTypeInfoFlagsLoc:
+ out.print("CheckTypeInfoFlagsLoc");
+ return;
+
+ case OverridesHasInstanceLoc:
+ out.print("OverridesHasInstanceLoc");
return;
case ClosureVariableLoc:
diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
index 495d300..b85fa26 100644
--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
@@ -40,7 +40,8 @@
ArrayLengthLoc,
ButterflyLoc,
ButterflyReadOnlyLoc,
- CheckHasInstanceLoc,
+ CheckTypeInfoFlagsLoc,
+ OverridesHasInstanceLoc,
ClosureVariableLoc,
DirectArgumentsLoc,
GetterLoc,
diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
index c6c2a3a..323a420 100644
--- a/Source/JavaScriptCore/dfg/DFGNode.h
+++ b/Source/JavaScriptCore/dfg/DFGNode.h
@@ -1364,6 +1364,7 @@
{
switch (op()) {
case CheckCell:
+ case OverridesHasInstance:
case NewFunction:
case NewArrowFunction:
case NewGeneratorFunction:
@@ -1426,6 +1427,17 @@
return reinterpret_cast<UniquedStringImpl*>(m_opInfo);
}
+ bool hasTypeInfoOperand()
+ {
+ return op() == CheckTypeInfoFlags;
+ }
+
+ unsigned typeInfoOperand()
+ {
+ ASSERT(hasTypeInfoOperand() && m_opInfo <= UCHAR_MAX);
+ return static_cast<unsigned>(m_opInfo);
+ }
+
bool hasTransition()
{
switch (op()) {
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
index 281cf9a..abcef65 100644
--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
@@ -222,6 +222,7 @@
macro(CheckBadCell, NodeMustGenerate) \
macro(CheckInBounds, NodeMustGenerate) \
macro(CheckIdent, NodeMustGenerate) \
+ macro(CheckTypeInfoFlags, NodeMustGenerate) /* Takes an OpInfo with the flags you want to test are set */\
\
/* Optimizations for array mutation. */\
macro(ArrayPush, NodeResultJS | NodeMustGenerate) \
@@ -280,8 +281,9 @@
macro(Breakpoint, NodeMustGenerate) \
macro(ProfileWillCall, NodeMustGenerate) \
macro(ProfileDidCall, NodeMustGenerate) \
- macro(CheckHasInstance, NodeMustGenerate) \
+ macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
macro(InstanceOf, NodeResultBoolean) \
+ macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
macro(IsUndefined, NodeResultBoolean) \
macro(IsBoolean, NodeResultBoolean) \
macro(IsNumber, NodeResultBoolean) \
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index 72218d3..04fd274 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -408,7 +408,9 @@
case CompareGreaterEq:
case CompareEq:
case CompareStrictEq:
+ case OverridesHasInstance:
case InstanceOf:
+ case InstanceOfCustom:
case IsUndefined:
case IsBoolean:
case IsNumber:
@@ -575,6 +577,7 @@
case DoubleAsInt32:
case GetLocalUnlinked:
case CheckArray:
+ case CheckTypeInfoFlags:
case Arrayify:
case ArrayifyToStructure:
case CheckTierUpInLoop:
@@ -687,7 +690,6 @@
case ProfileDidCall:
case ProfileType:
case ProfileControlFlow:
- case CheckHasInstance:
case ThrowReferenceError:
case ForceOSRExit:
case SetArgument:
diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
index a1bb6e6..230efed 100644
--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
@@ -242,8 +242,10 @@
case ProfileDidCall:
case ProfileType:
case ProfileControlFlow:
- case CheckHasInstance:
+ case CheckTypeInfoFlags:
+ case OverridesHasInstance:
case InstanceOf:
+ case InstanceOfCustom:
case IsUndefined:
case IsBoolean:
case IsNumber:
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 02ff82d..319521c 100755
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -2744,6 +2744,17 @@
putResult.link(&m_jit);
}
+void SpeculativeJIT::compileCheckTypeInfoFlags(Node* node)
+{
+ SpeculateCellOperand base(this, node->child1());
+
+ GPRReg baseGPR = base.gpr();
+
+ speculationCheck(BadTypeInfoFlags, JSValueRegs(), 0, m_jit.branchTest8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(node->typeInfoOperand())));
+
+ noResult(node);
+}
+
void SpeculativeJIT::compileInstanceOf(Node* node)
{
if (node->child1().useKind() == UntypedUse) {
@@ -3182,6 +3193,28 @@
return;
}
+void SpeculativeJIT::compileInstanceOfCustom(Node* node)
+{
+ // We could do something smarter here but this case is currently super rare and unless
+ // Symbol.hasInstance becomes popular will likely remain that way.
+
+ JSValueOperand value(this, node->child1());
+ SpeculateCellOperand constructor(this, node->child2());
+ JSValueOperand hasInstanceValue(this, node->child3());
+ GPRTemporary result(this);
+
+ JSValueRegs valueRegs = value.jsValueRegs();
+ GPRReg constructorGPR = constructor.gpr();
+ JSValueRegs hasInstanceRegs = hasInstanceValue.jsValueRegs();
+ GPRReg resultGPR = result.gpr();
+
+ MacroAssembler::Jump slowCase = m_jit.jump();
+
+ addSlowPathGenerator(slowPathCall(slowCase, this, operationInstanceOfCustom, resultGPR, valueRegs, constructorGPR, hasInstanceRegs));
+
+ unblessedBooleanResult(resultGPR, node);
+}
+
void SpeculativeJIT::compileArithAdd(Node* node)
{
switch (node->binaryUseKind()) {
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
index 3fcfd90..0322bb7 100755
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -727,6 +727,7 @@
void compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg prototypeReg, GPRReg scratchAndResultReg, GPRReg scratch2Reg);
void compileInstanceOf(Node*);
+ void compileInstanceOfCustom(Node*);
void emitCall(Node*);
@@ -1511,6 +1512,17 @@
m_jit.setupArgumentsWithExecState(arg1, arg2, TrustedImm32(arg3), arg4);
return appendCallSetResult(operation, result);
}
+
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1, GPRReg arg2, GPRReg arg3)
+ {
+ m_jit.setupArgumentsWithExecState(arg1, arg2, arg3);
+ return appendCallSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+ {
+ return callOperation(operation, result, arg1.payloadGPR(), arg2, arg3.payloadGPR());
+ }
+
JITCompiler::Call callOperation(Z_JITOperation_EJZ operation, GPRReg result, GPRReg arg1, unsigned arg2)
{
m_jit.setupArgumentsWithExecState(arg1, TrustedImm32(arg2));
@@ -1837,6 +1849,16 @@
return appendCall(operation);
}
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, GPRReg arg2, GPRReg arg3Tag, GPRReg arg3Payload)
+ {
+ m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, arg2, EABI_32BIT_DUMMY_ARG arg3Payload, arg3Tag);
+ return appendCallSetResult(operation, result);
+ }
+ JITCompiler::Call callOperation(Z_JITOperation_EJOJ operation, GPRReg result, JSValueRegs arg1, GPRReg arg2, JSValueRegs arg3)
+ {
+ return callOperation(operation, result, arg1.tagGPR(), arg1.payloadGPR(), arg2, arg3.tagGPR(), arg3.payloadGPR());
+ }
+
JITCompiler::Call callOperation(Z_JITOperation_EJZZ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, unsigned arg2, unsigned arg3)
{
m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, TrustedImm32(arg2), TrustedImm32(arg3));
@@ -2209,6 +2231,7 @@
void compileGetArrayLength(Node*);
+ void compileCheckTypeInfoFlags(Node*);
void compileCheckIdent(Node*);
void compileValueRep(Node*);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 626975f..89a0dc3 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4163,17 +4163,48 @@
break;
}
- case CheckHasInstance: {
+ case CheckTypeInfoFlags: {
+ compileCheckTypeInfoFlags(node);
+ break;
+ }
+
+ case OverridesHasInstance: {
+
+ Node* hasInstanceValueNode = node->child2().node();
+ JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+ MacroAssembler::Jump notDefaulthasInstanceValue;
+ MacroAssembler::Jump hasInstanceValueNotCell;
SpeculateCellOperand base(this, node->child1());
- GPRTemporary structure(this);
+ JSValueOperand hasInstanceValue(this, node->child2());
+ GPRTemporary result(this);
- // Speculate that base 'ImplementsDefaultHasInstance'.
- speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
- MacroAssembler::Zero,
- MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
- MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
+ GPRReg resultGPR = result.gpr();
- noResult(node);
+ // If we have proven that the constructor's Symbol.hasInstance will always be the one on
+ // Function.prototype[Symbol.hasInstance] then we don't need a runtime check here. We don't worry
+ // about the case where the constructor's Symbol.hasInstance is a constant but is not the default
+ // one as fixup should have converted this check to true.
+ ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+ if (!hasInstanceValueNode->isCellConstant()) {
+
+ JSValueRegs hasInstanceValueRegs = hasInstanceValue.jsValueRegs();
+ hasInstanceValueNotCell = m_jit.branchIfNotCell(hasInstanceValueRegs);
+ notDefaulthasInstanceValue = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueRegs.payloadGPR(), TrustedImmPtr(defaultHasInstanceFunction));
+ }
+
+ // Check that constructor 'ImplementsDefaultHasInstance'.
+ m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ if (!hasInstanceValueNode->isCellConstant()) {
+ hasInstanceValueNotCell.link(&m_jit);
+ notDefaulthasInstanceValue.link(&m_jit);
+ moveTrueTo(resultGPR);
+ }
+
+ done.link(&m_jit);
+ booleanResult(resultGPR, node);
break;
}
@@ -4182,6 +4213,11 @@
break;
}
+ case InstanceOfCustom: {
+ compileInstanceOfCustom(node);
+ break;
+ }
+
case IsUndefined: {
JSValueOperand value(this, node->child1());
GPRTemporary result(this);
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index 2facfaa..70e8ea8 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -4153,17 +4153,42 @@
break;
}
- case CheckHasInstance: {
+ case CheckTypeInfoFlags: {
+ compileCheckTypeInfoFlags(node);
+ break;
+ }
+
+ case OverridesHasInstance: {
+
+ Node* hasInstanceValueNode = node->child2().node();
+ JSFunction* defaultHasInstanceFunction = jsCast<JSFunction*>(node->cellOperand()->value());
+
+ MacroAssembler::Jump notDefault;
SpeculateCellOperand base(this, node->child1());
- GPRTemporary structure(this);
+ JSValueOperand hasInstanceValue(this, node->child2());
+ GPRTemporary result(this);
- // Speculate that base 'ImplementsDefaultHasInstance'.
- speculationCheck(Uncountable, JSValueRegs(), 0, m_jit.branchTest8(
- MacroAssembler::Zero,
- MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()),
- MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance)));
+ GPRReg resultGPR = result.gpr();
- noResult(node);
+ // If we have proven that the constructor's Symbol.hasInstance will always be the one on Function.prototype[Symbol.hasInstance]
+ // then we don't need a runtime check here. We don't worry about the case where the constructor's Symbol.hasInstance is a constant
+ // but is not the default one as fixup should have converted this check to true.
+ ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
+ if (!hasInstanceValueNode->isCellConstant())
+ notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
+
+ // Check that base 'ImplementsDefaultHasInstance'.
+ m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+ m_jit.or32(TrustedImm32(ValueFalse), resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ if (notDefault.isSet()) {
+ notDefault.link(&m_jit);
+ moveTrueTo(resultGPR);
+ }
+
+ done.link(&m_jit);
+ jsValueResult(resultGPR, node, DataFormatJSBoolean);
break;
}
@@ -4171,6 +4196,11 @@
compileInstanceOf(node);
break;
}
+
+ case InstanceOfCustom: {
+ compileInstanceOfCustom(node);
+ break;
+ }
case IsUndefined: {
JSValueOperand value(this, node->child1());
