WebKit Bugzilla
Attachment 340898 Details for
Bug 185842
: REGRESSION(r231998): causes crashes on 32 JSC bot (Requested by realdawei on #webkit).
[patch]
ROLLOUT of r231998
bug-185842-20180521174934.patch (text/plain), 85.26 KB, created by
WebKit Commit Bot
on 2018-05-21 14:49:34 PDT
Description:
ROLLOUT of r231998
Filename:
MIME Type:
Creator:
WebKit Commit Bot
Created:
2018-05-21 14:49:34 PDT
Size:
85.26 KB
>Subversion Revision: 232028
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 978a38dcecb10541b5d97b286de5ed21f55353af..337266a1044365250f833134c33215f0fa5b3b51 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,21 @@
>+2018-05-21 Commit Queue <commit-queue@webkit.org>
>+
>+ Unreviewed, rolling out r231998 and r232017.
>+ https://bugs.webkit.org/show_bug.cgi?id=185842
>+
>+ causes crashes on 32 JSC bot (Requested by realdawei on
>+ #webkit).
>+
>+ Reverted changesets:
>+
>+ "[JSC] JSC should have consistent InById IC"
>+ https://bugs.webkit.org/show_bug.cgi?id=185682
>+ https://trac.webkit.org/changeset/231998
>+
>+ "Unreviewed, fix 32bit and scope release"
>+ https://bugs.webkit.org/show_bug.cgi?id=185682
>+ https://trac.webkit.org/changeset/232017
>+
> 2018-05-21 Jer Noble <jer.noble@apple.com>
>
> Complete fix for enabling modern EME by default
>diff --git a/Source/JavaScriptCore/bytecode/AccessCase.cpp b/Source/JavaScriptCore/bytecode/AccessCase.cpp
>index 3e772bc9069ca8838504680c8c03f926cd581c35..e3239a15e4533c87c22291c2626a168a17b373d1 100644
>--- a/Source/JavaScriptCore/bytecode/AccessCase.cpp
>+++ b/Source/JavaScriptCore/bytecode/AccessCase.cpp
>@@ -118,9 +118,6 @@ std::unique_ptr<AccessCase> AccessCase::fromStructureStubInfo(
> case CacheType::PutByIdReplace:
> return AccessCase::create(vm, owner, Replace, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get());
>
>- case CacheType::InByIdSelf:
>- return AccessCase::create(vm, owner, InHit, stubInfo.u.byIdSelf.offset, stubInfo.u.byIdSelf.baseObjectStructure.get());
>-
> default:
> return nullptr;
> }
>@@ -558,7 +555,10 @@ void AccessCase::generateWithGuard(
> jit.move(baseGPR, valueGPR);
>
> CCallHelpers::Label loop(&jit);
>- failAndIgnore = jit.branchIfType(valueGPR, ProxyObjectType);
>+ failAndIgnore = jit.branch8(
>+ CCallHelpers::Equal,
>+ CCallHelpers::Address(valueGPR, JSCell::typeInfoTypeOffset()),
>+ CCallHelpers::TrustedImm32(ProxyObjectType));
>
> jit.emitLoadStructure(vm, valueGPR, scratch2GPR, scratchGPR);
> #if USE(JSVALUE64)
>diff --git a/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp b/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp
>index 3f9c59e6b6dc8159c48d5157a14515aa897fb667..abe9a8a282edf4e78a463830f350b76f98d0f50f 100644
>--- a/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp
>+++ b/Source/JavaScriptCore/bytecode/BytecodeDumper.cpp
>@@ -551,59 +551,6 @@ void BytecodeDumper<Block>::printPutByIdCacheStatus(PrintStream& out, int locati
> #endif
> }
>
>-template<class Block>
>-void BytecodeDumper<Block>::printInByIdCacheStatus(PrintStream& out, int location, const StubInfoMap& map)
>-{
>- const auto* instruction = instructionsBegin() + location;
>-
>- const Identifier& ident = identifier(instruction[3].u.operand);
>-
>- UNUSED_PARAM(ident); // tell the compiler to shut up in certain platform configurations.
>-
>-#if ENABLE(JIT)
>- if (StructureStubInfo* stubPtr = map.get(CodeOrigin(location))) {
>- StructureStubInfo& stubInfo = *stubPtr;
>- if (stubInfo.resetByGC)
>- out.print(" (Reset By GC)");
>-
>- out.printf(" jit(");
>-
>- Structure* baseStructure = nullptr;
>- PolymorphicAccess* stub = nullptr;
>-
>- switch (stubInfo.cacheType) {
>- case CacheType::InByIdSelf:
>- out.printf("self");
>- baseStructure = stubInfo.u.byIdSelf.baseObjectStructure.get();
>- break;
>- case CacheType::Stub:
>- out.printf("stub");
>- stub = stubInfo.u.stub;
>- break;
>- case CacheType::Unset:
>- out.printf("unset");
>- break;
>- default:
>- RELEASE_ASSERT_NOT_REACHED();
>- break;
>- }
>-
>- if (baseStructure) {
>- out.printf(", ");
>- dumpStructure(out, "struct", baseStructure, ident);
>- }
>-
>- if (stub)
>- out.print(", ", *stub);
>-
>- out.printf(")");
>- }
>-#else
>- UNUSED_PARAM(out);
>- UNUSED_PARAM(map);
>-#endif
>-}
>-
> #if ENABLE(JIT)
> template<typename Block>
> void BytecodeDumper<Block>::dumpCallLinkStatus(PrintStream&, unsigned, const CallLinkInfoMap&)
>@@ -1065,17 +1012,8 @@ void BytecodeDumper<Block>::dumpBytecode(PrintStream& out, const typename Block:
> printUnaryOp(out, location, it, "is_function");
> break;
> }
>- case op_in_by_id: {
>- int r0 = (++it)->u.operand;
>- int r1 = (++it)->u.operand;
>- int id0 = (++it)->u.operand;
>- printLocationAndOp(out, location, it, "in_by_id");
>- out.printf("%s, %s, %s", registerName(r0).data(), registerName(r1).data(), idName(id0, identifier(id0)).data());
>- printInByIdCacheStatus(out, location, stubInfos);
>- break;
>- }
>- case op_in_by_val: {
>- printBinaryOp(out, location, it, "in_by_val");
>+ case op_in: {
>+ printBinaryOp(out, location, it, "in");
> dumpArrayProfiling(out, it, hasPrintedProfiling);
> break;
> }
>diff --git a/Source/JavaScriptCore/bytecode/BytecodeDumper.h b/Source/JavaScriptCore/bytecode/BytecodeDumper.h
>index 5e8943ef13e26a2fdebecfe9aae4acdd5841364d..7cd08c95217d4fc5abb7c3478661f96f78663880 100644
>--- a/Source/JavaScriptCore/bytecode/BytecodeDumper.h
>+++ b/Source/JavaScriptCore/bytecode/BytecodeDumper.h
>@@ -71,7 +71,6 @@ private:
> void printGetByIdOp(PrintStream& out, int location, const Instruction*& it);
> void printGetByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
> void printPutByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
>- void printInByIdCacheStatus(PrintStream& out, int location, const StubInfoMap&);
> enum CacheDumpMode { DumpCaches, DontDumpCaches };
> void printCallOp(PrintStream& out, int location, const Instruction*& it, const char* op, CacheDumpMode, bool& hasPrintedProfiling, const CallLinkInfoMap&);
> void printPutByIdOp(PrintStream& out, int location, const Instruction*& it, const char* op);
>diff --git a/Source/JavaScriptCore/bytecode/BytecodeList.json b/Source/JavaScriptCore/bytecode/BytecodeList.json
>index 16f1fb60c3d640bdac9bfa27b6c753f67ffbdc14..5628df5b462163eb296321fe858d03b6d9f76e55 100644
>--- a/Source/JavaScriptCore/bytecode/BytecodeList.json
>+++ b/Source/JavaScriptCore/bytecode/BytecodeList.json
>@@ -80,8 +80,7 @@
> { "name" : "op_is_object_or_null", "length" : 3 },
> { "name" : "op_is_function", "length" : 3 },
> { "name" : "op_is_cell_with_type", "length" : 4 },
>- { "name" : "op_in_by_val", "length" : 5 },
>- { "name" : "op_in_by_id", "length" : 4 },
>+ { "name" : "op_in", "length" : 5 },
> { "name" : "op_get_array_length", "length" : 9 },
> { "name" : "op_get_by_id", "length" : 9 },
> { "name" : "op_get_by_id_proto_load", "length" : 9 },
>diff --git a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
>index db522ac2e711a49b3f2d92de8ca28bceb531e32e..701d36cfac451b3c88235661a105717203580ddf 100644
>--- a/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
>+++ b/Source/JavaScriptCore/bytecode/BytecodeUseDef.h
>@@ -186,7 +186,6 @@ void computeUsesForBytecodeOffset(Block* codeBlock, OpcodeID opcodeID, Instructi
> case op_get_by_id_unset:
> case op_get_by_id_direct:
> case op_get_array_length:
>- case op_in_by_id:
> case op_typeof:
> case op_is_empty:
> case op_is_undefined:
>@@ -227,7 +226,7 @@ void computeUsesForBytecodeOffset(Block* codeBlock, OpcodeID opcodeID, Instructi
> case op_enumerator_structure_pname:
> case op_enumerator_generic_pname:
> case op_get_by_val:
>- case op_in_by_val:
>+ case op_in:
> case op_overrides_has_instance:
> case op_instanceof:
> case op_add:
>@@ -455,8 +454,7 @@ void computeDefsForBytecodeOffset(Block* codeBlock, OpcodeID opcodeID, Instructi
> case op_is_object_or_null:
> case op_is_cell_with_type:
> case op_is_function:
>- case op_in_by_id:
>- case op_in_by_val:
>+ case op_in:
> case op_to_number:
> case op_to_string:
> case op_to_object:
>diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
>index cce0b6a0069f42b58e19d8e9952fb1c3b4870555..8f1a4bd90e3cab0b5b02cfbf8611ade257933441 100644
>--- a/Source/JavaScriptCore/bytecode/CodeBlock.cpp
>+++ b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
>@@ -589,7 +589,7 @@ bool CodeBlock::finishCreation(VM& vm, ScriptExecutable* ownerExecutable, Unlink
> break;
> }
>
>- case op_in_by_val:
>+ case op_in:
> case op_put_by_val:
> case op_put_by_val_direct: {
> int arrayProfileIndex = pc[opLength - 1].u.operand;
>diff --git a/Source/JavaScriptCore/bytecode/InlineAccess.cpp b/Source/JavaScriptCore/bytecode/InlineAccess.cpp
>index f351f82bee0a4d794da90c5b86bc6dba59c3713c..9130b1e25d44e6635817ea78a483ef8cad679790 100644
>--- a/Source/JavaScriptCore/bytecode/InlineAccess.cpp
>+++ b/Source/JavaScriptCore/bytecode/InlineAccess.cpp
>@@ -276,25 +276,6 @@ bool InlineAccess::generateArrayLength(StructureStubInfo& stubInfo, JSArray* arr
> return linkedCodeInline;
> }
>
>-bool InlineAccess::generateSelfInAccess(StructureStubInfo& stubInfo, Structure* structure)
>-{
>- CCallHelpers jit;
>-
>- GPRReg base = static_cast<GPRReg>(stubInfo.patch.baseGPR);
>- JSValueRegs value = stubInfo.valueRegs();
>-
>- auto branchToSlowPath = jit.patchableBranch32(
>- MacroAssembler::NotEqual,
>- MacroAssembler::Address(base, JSCell::structureIDOffset()),
>- MacroAssembler::TrustedImm32(bitwise_cast<uint32_t>(structure->id())));
>- jit.boxBooleanPayload(true, value.payloadGPR());
>-
>- bool linkedCodeInline = linkCodeInline("in access", jit, stubInfo, [&] (LinkBuffer& linkBuffer) {
>- linkBuffer.link(branchToSlowPath, stubInfo.slowPathStartLocation());
>- });
>- return linkedCodeInline;
>-}
>-
> void InlineAccess::rewireStubAsJump(StructureStubInfo& stubInfo, CodeLocationLabel<JITStubRoutinePtrTag> target)
> {
> CCallHelpers jit;
>diff --git a/Source/JavaScriptCore/bytecode/InlineAccess.h b/Source/JavaScriptCore/bytecode/InlineAccess.h
>index a4d0335f8ab06607daa11bf1bf16b0e59b7f21ff..9948b3b6f85e936314cb1970c3ac4437ab8e68ba 100644
>--- a/Source/JavaScriptCore/bytecode/InlineAccess.h
>+++ b/Source/JavaScriptCore/bytecode/InlineAccess.h
>@@ -116,7 +116,6 @@ public:
> static bool isCacheableArrayLength(StructureStubInfo&, JSArray*);
> static bool generateArrayLength(StructureStubInfo&, JSArray*);
> static void rewireStubAsJump(StructureStubInfo&, CodeLocationLabel<JITStubRoutinePtrTag>);
>- static bool generateSelfInAccess(StructureStubInfo&, Structure*);
>
> // This is helpful when determining the size of an IC on
> // various platforms. When adding a new type of IC, implement
>diff --git a/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp b/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
>index 83515398d976fe126472eee979fe0b5fbf3bfaa4..45e587bb72494c121f75afea0659dfe82be131ee 100644
>--- a/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
>+++ b/Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
>@@ -82,15 +82,6 @@ void StructureStubInfo::initPutByIdReplace(CodeBlock* codeBlock, Structure* base
> u.byIdSelf.offset = offset;
> }
>
>-void StructureStubInfo::initInByIdSelf(CodeBlock* codeBlock, Structure* baseObjectStructure, PropertyOffset offset)
>-{
>- cacheType = CacheType::InByIdSelf;
>-
>- u.byIdSelf.baseObjectStructure.set(
>- *codeBlock->vm(), codeBlock, baseObjectStructure);
>- u.byIdSelf.offset = offset;
>-}
>-
> void StructureStubInfo::deref()
> {
> switch (cacheType) {
>@@ -100,7 +91,6 @@ void StructureStubInfo::deref()
> case CacheType::Unset:
> case CacheType::GetByIdSelf:
> case CacheType::PutByIdReplace:
>- case CacheType::InByIdSelf:
> case CacheType::ArrayLength:
> return;
> }
>@@ -117,7 +107,6 @@ void StructureStubInfo::aboutToDie()
> case CacheType::Unset:
> case CacheType::GetByIdSelf:
> case CacheType::PutByIdReplace:
>- case CacheType::InByIdSelf:
> case CacheType::ArrayLength:
> return;
> }
>@@ -248,7 +237,7 @@ void StructureStubInfo::reset(CodeBlock* codeBlock)
> resetPutByID(codeBlock, *this);
> break;
> case AccessType::In:
>- resetInByID(codeBlock, *this);
>+ resetIn(*this);
> break;
> case AccessType::InstanceOf:
> resetInstanceOf(*this);
>@@ -271,7 +260,6 @@ void StructureStubInfo::visitWeakReferences(CodeBlock* codeBlock)
> switch (cacheType) {
> case CacheType::GetByIdSelf:
> case CacheType::PutByIdReplace:
>- case CacheType::InByIdSelf:
> if (Heap::isMarked(u.byIdSelf.baseObjectStructure.get()))
> return;
> break;
>@@ -295,7 +283,6 @@ bool StructureStubInfo::propagateTransitions(SlotVisitor& visitor)
> return true;
> case CacheType::GetByIdSelf:
> case CacheType::PutByIdReplace:
>- case CacheType::InByIdSelf:
> return u.byIdSelf.baseObjectStructure->markIfCheap(visitor);
> case CacheType::Stub:
> return u.stub->propagateTransitions(visitor);
>diff --git a/Source/JavaScriptCore/bytecode/StructureStubInfo.h b/Source/JavaScriptCore/bytecode/StructureStubInfo.h
>index 133b6041d905c0f19fcc627bbf77e5b02416e365..3afe3bafe6e619000662f17bb318baecf22865a9 100644
>--- a/Source/JavaScriptCore/bytecode/StructureStubInfo.h
>+++ b/Source/JavaScriptCore/bytecode/StructureStubInfo.h
>@@ -58,7 +58,6 @@ enum class CacheType : int8_t {
> Unset,
> GetByIdSelf,
> PutByIdReplace,
>- InByIdSelf,
> Stub,
> ArrayLength
> };
>@@ -73,7 +72,6 @@ public:
> void initGetByIdSelf(CodeBlock*, Structure* baseObjectStructure, PropertyOffset);
> void initArrayLength();
> void initPutByIdReplace(CodeBlock*, Structure* baseObjectStructure, PropertyOffset);
>- void initInByIdSelf(CodeBlock*, Structure* baseObjectStructure, PropertyOffset);
>
> AccessGenerationResult addAccessCase(const GCSafeConcurrentJSLocker&, CodeBlock*, const Identifier&, std::unique_ptr<AccessCase>);
>
>@@ -178,7 +176,7 @@ public:
> StructureSet bufferedStructures;
>
> struct {
>- CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches. or the location of patchable jump for 'instanceof' caches.
>+ CodeLocationLabel<JITStubRoutinePtrTag> start; // This is either the start of the inline IC for *byId caches, or the location of patchable jump for 'in' and 'instanceof' caches.
> RegisterSet usedRegisters;
> uint32_t inlineSize;
> int32_t deltaFromStartToSlowPathCallLocation;
>@@ -199,7 +197,7 @@ public:
> CodeLocationLabel<JITStubRoutinePtrTag> slowPathStartLocation() { return patch.start.labelAtOffset(patch.deltaFromStartToSlowPathStart); }
> CodeLocationJump<JSInternalPtrTag> patchableJump()
> {
>- ASSERT(accessType == AccessType::InstanceOf);
>+ ASSERT(accessType == AccessType::In || accessType == AccessType::InstanceOf);
> return patch.start.jumpAtOffset<JSInternalPtrTag>(0);
> }
>
>diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
>index e199e8f1b41c1355366dc4884d53d6e333310549..6d6449b30e278c3efae7082ee9e7005efd0b59b6 100644
>--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
>+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
>@@ -2667,10 +2667,10 @@ RegisterID* BytecodeGenerator::emitInstanceOfCustom(RegisterID* dst, RegisterID*
> return dst;
> }
>
>-RegisterID* BytecodeGenerator::emitInByVal(RegisterID* dst, RegisterID* property, RegisterID* base)
>+RegisterID* BytecodeGenerator::emitIn(RegisterID* dst, RegisterID* property, RegisterID* base)
> {
> UnlinkedArrayProfile arrayProfile = newArrayProfile();
>- emitOpcode(op_in_by_val);
>+ emitOpcode(op_in);
> instructions().append(dst->index());
> instructions().append(base->index());
> instructions().append(property->index());
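Review bot: In StructureStubInfo.h, `patchableJump()` guards its access-type precondition only with `ASSERT`, which is compiled out of release builds, so a release binary returns `patch.start.jumpAtOffset<JSInternalPtrTag>(0)` for any stub. The comment on `patch.start` in the same file says that for *byId caches it is the start of the inline IC rather than a patchable jump, so a caller reaching this with the wrong access type would treat inline-IC code as a jump when repatching executable memory. If this accessor is not on a hot path, consider `RELEASE_ASSERT(accessType == AccessType::In || accessType == AccessType::InstanceOf);`; the callers are outside this hunk, so the cost should be confirmed first.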
>@@ -2678,15 +2678,6 @@ RegisterID* BytecodeGenerator::emitInByVal(RegisterID* dst, RegisterID* property
> return dst;
> }
>
>-RegisterID* BytecodeGenerator::emitInById(RegisterID* dst, RegisterID* base, const Identifier& property)
>-{
>- emitOpcode(op_in_by_id);
>- instructions().append(dst->index());
>- instructions().append(base->index());
>- instructions().append(addConstant(property));
>- return dst;
>-}
>-
> RegisterID* BytecodeGenerator::emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property)
> {
> ASSERT_WITH_MESSAGE(!parseIndex(property), "Indexed properties are not supported with tryGetById.");
>diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
>index 97828ca50efa8b652ddff6e482993081da5ebc80..b7255ac6216e09dce1ad4d7c669ec546a2cb4673 100644
>--- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
>+++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
>@@ -694,8 +694,7 @@ namespace JSC {
> RegisterID* emitInstanceOf(RegisterID* dst, RegisterID* value, RegisterID* basePrototype);
> RegisterID* emitInstanceOfCustom(RegisterID* dst, RegisterID* value, RegisterID* constructor, RegisterID* hasInstanceValue);
> RegisterID* emitTypeOf(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_typeof, dst, src); }
>- RegisterID* emitInByVal(RegisterID* dst, RegisterID* property, RegisterID* base);
>- RegisterID* emitInById(RegisterID* dst, RegisterID* base, const Identifier& property);
>+ RegisterID* emitIn(RegisterID* dst, RegisterID* property, RegisterID* base);
>
> RegisterID* emitTryGetById(RegisterID* dst, RegisterID* base, const Identifier& property);
> RegisterID* emitGetById(RegisterID* dst, RegisterID* base, const Identifier& property);
>diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
>index a5fa525d216021b00d955ad9de63c11f336a58d1..07a9c907a7e2130a4244dfa0011f7ca52b06e8a6 100644
>--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
>+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
>@@ -2280,16 +2280,10 @@ RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterI
>
> RegisterID* InNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
> {
>- if (isNonIndexStringElement(*m_expr1)) {
>- RefPtr<RegisterID> base = generator.emitNode(m_expr2);
>- generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
>- return generator.emitInById(generator.finalDestination(dst, base.get()), base.get(), static_cast<StringNode*>(m_expr1)->value());
>- }
>-
> RefPtr<RegisterID> key = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
> RefPtr<RegisterID> base = generator.emitNode(m_expr2);
> generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
>- return generator.emitInByVal(generator.finalDestination(dst, key.get()), key.get(), base.get());
>+ return generator.emitIn(generator.finalDestination(dst, key.get()), key.get(), base.get());
> }
>
>
>diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>index c4c92dd3b48d8478cca78a982794f86538fb003c..1cdbb0bdc2f7163618e203eacbdd644c696e68ad 100644
>--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
>@@ -3259,30 +3259,10 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
> clobberWorld();
> break;
>
>- case InById: {
>+ case In: {
> // FIXME: We can determine when the property definitely exists based on abstract
> // value information.
> clobberWorld();
>- filter(node->child1(), SpecObject);
>- setNonCellTypeForNode(node, SpecBoolean);
>- break;
>- }
>-
>- case InByVal: {
>- AbstractValue& property = forNode(node->child2());
>- if (JSValue constant = property.value()) {
>- if (constant.isString()) {
>- JSString* string = asString(constant);
>- const StringImpl* impl = string->tryGetValueImpl();
>- if (impl && impl->isAtomic())
>- m_state.setFoundConstants(true);
>- }
>- }
>-
>- // FIXME: We can determine when the property definitely exists based on abstract
>- // value information.
>- clobberWorld();
>- filter(node->child1(), SpecObject);
> setNonCellTypeForNode(node, SpecBoolean);
> break;
> }
>diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>index fa097f32c666ed3f33fdbc4bbe38c15442b4d6e1..77a3c61d3d0cc96eeb2cbc4c533a49e9999bf1dd 100644
>--- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
>@@ -6392,20 +6392,11 @@ void ByteCodeParser::parseBlock(unsigned limit)
> NEXT_OPCODE(op_to_object);
> }
>
>- case op_in_by_val: {
>- ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in_by_val) - 1].u.arrayProfile);
>+ case op_in: {
>+ ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in) - 1].u.arrayProfile);
> set(VirtualRegister(currentInstruction[1].u.operand),
>- addToGraph(InByVal, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
>- NEXT_OPCODE(op_in_by_val);
>- }
>-
>- case op_in_by_id: {
>- Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
>- unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
>- set(VirtualRegister(currentInstruction[1].u.operand),
>- addToGraph(InById, OpInfo(identifierNumber), base));
>- NEXT_OPCODE(op_in_by_id);
>- break;
>+ addToGraph(In, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
>+ NEXT_OPCODE(op_in);
> }
>
> case op_get_enumerable_length: {
>diff --git a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
>index dadc92d867e4c44a3462d8d6dab6458075acdd75..5cee65b6843eca5088ed1a9a91094f34057aaa44 100644
>--- a/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGCapabilities.cpp
>@@ -236,8 +236,7 @@ CapabilityLevel capabilityLevel(OpcodeID opcodeID, CodeBlock* codeBlock, Instruc
> case op_to_object:
> case op_switch_imm:
> case op_switch_char:
>- case op_in_by_val:
>- case op_in_by_id:
>+ case op_in:
> case op_get_scope:
> case op_get_from_scope:
> case op_get_enumerable_length:
>diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
>index 3ea02a8548eb6ab951cacf08341d99aff3e9e675..628f8a939122e53782623c173b022adf9eef4bee 100644
>--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
>+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
>@@ -623,8 +623,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
> case ConstructVarargs:
> case ConstructForwardVarargs:
> case ToPrimitive:
>- case InByVal:
>- case InById:
>+ case In:
> case HasOwnProperty:
> case ValueAdd:
> case SetFunctionName:
>diff --git a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
>index 757c9b475086c0463476f6b6ec195ff2eae3adc4..6d211ae29c9b808b6b31a15741e582a937bbe2f8 100644
>--- a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
>@@ -651,23 +651,6 @@ private:
> break;
> }
>
>- case InByVal: {
>- AbstractValue& property = m_state.forNode(node->child2());
>- if (JSValue constant = property.value()) {
>- if (constant.isString()) {
>- JSString* string = asString(constant);
>- const StringImpl* impl = string->tryGetValueImpl();
>- if (impl && impl->isAtomic()) {
>- unsigned identifierNumber = m_graph.identifiers().ensure(const_cast<UniquedStringImpl*>(static_cast<const UniquedStringImpl*>(impl)));
>- node->convertToInById(identifierNumber);
>- changed = true;
>- break;
>- }
>- }
>- }
>- break;
>- }
>-
> case ToPrimitive: {
> if (m_state.forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol | SpecBigInt))
> break;
>diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>index fdf2e77fe1fe5168c5e7e2a880812683df630144..fcd1b72856e54bb2c3fec5aa87d1f9c03b007b95 100644
>--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
>@@ -193,8 +193,7 @@ bool doesGC(Graph& graph, Node* node)
> case CallStringConstructor:
> case NumberToStringWithRadix:
> case NumberToStringWithValidRadixConstant:
>- case InByVal:
>- case InById:
>+ case In:
> case HasOwnProperty:
> case Jump:
> case Branch:
>diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>index ecbb3d3b0f20d3d81183165f7f1376ef92abb59e..f4e91617d17821443c44aba5fb32d6f0d9b35277 100644
>--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
>@@ -1476,12 +1476,7 @@ private:
> fixEdge<CellUse>(node->child2());
> break;
>
>- case InById: {
>- fixEdge<CellUse>(node->child1());
>- break;
>- }
>-
>- case InByVal: {
>+ case In: {
> if (node->child2()->shouldSpeculateInt32()) {
> convertToHasIndexedProperty(node);
> break;
>diff --git a/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp b/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
>index 5fd50b8c7f01ee36e1b273aac23a0c8622783ac4..5e5a7a875244241b526a9f24b4ff40ce9885bf61 100644
>--- a/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
>@@ -265,9 +265,26 @@ void JITCompiler::link(LinkBuffer& linkBuffer)
> finalizeInlineCaches(m_getByIds, linkBuffer);
> finalizeInlineCaches(m_getByIdsWithThis, linkBuffer);
> finalizeInlineCaches(m_putByIds, linkBuffer);
>- finalizeInlineCaches(m_inByIds, linkBuffer);
> finalizeInlineCaches(m_instanceOfs, linkBuffer);
>
>+ for (unsigned i = 0; i < m_ins.size(); ++i) {
>+ StructureStubInfo& info = *m_ins[i].m_stubInfo;
>+
>+ CodeLocationLabel<JITStubRoutinePtrTag> start = linkBuffer.locationOf<JITStubRoutinePtrTag>(m_ins[i].m_jump);
>+ info.patch.start = start;
>+
>+ ptrdiff_t inlineSize = MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_done));
>+ RELEASE_ASSERT(inlineSize >= 0);
>+ info.patch.inlineSize = inlineSize;
>+
>+ info.patch.deltaFromStartToSlowPathCallLocation = MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_slowPathGenerator->call()));
>+
>+ info.patch.deltaFromStartToSlowPathStart = MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<JSInternalPtrTag>(m_ins[i].m_slowPathGenerator->label()));
>+ }
>+
> auto linkCallThunk = FunctionPtr<NoPtrTag>(vm()->getCTIStub(linkCallThunkGenerator).retaggedCode<NoPtrTag>());
> for (auto& record : m_jsCalls) {
> CallLinkInfo& info = *record.info;
>diff --git a/Source/JavaScriptCore/dfg/DFGJITCompiler.h b/Source/JavaScriptCore/dfg/DFGJITCompiler.h
>index c17b03211488bf859be55504e2eab0adfa434988..050eb7c16f6db904489bd2b786cd3fd1f029459e 100644
>--- a/Source/JavaScriptCore/dfg/DFGJITCompiler.h
>+++ b/Source/JavaScriptCore/dfg/DFGJITCompiler.h
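Review bot: In the loop added to `JITCompiler::link` (DFGJITCompiler.cpp), `inlineSize` is computed as a `ptrdiff_t` and checked only for `>= 0` before it is stored in `info.patch.inlineSize`, which StructureStubInfo.h in this same patch shows as `uint32_t`. The two `deltaFromStartTo…` results are stored with no range check at all, and `deltaFromStartToSlowPathCallLocation` is declared `int32_t` (the type of `deltaFromStartToSlowPathStart` is not visible here). A value outside the field's range would be silently truncated and later used to locate the code that gets repatched, so bound it before narrowing, e.g. `RELEASE_ASSERT(inlineSize >= 0 && inlineSize <= std::numeric_limits<uint32_t>::max());`, with the equivalent `int32_t` bounds on both deltas. The rest of `link()` lies outside the hunk.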
>@@ -76,6 +76,23 @@ struct CallLinkRecord {
> FunctionPtr<OperationPtrTag> m_function;
> };
>
>+struct InRecord {
>+ InRecord(
>+ MacroAssembler::PatchableJump jump, MacroAssembler::Label done,
>+ SlowPathGenerator* slowPathGenerator, StructureStubInfo* stubInfo)
>+ : m_jump(jump)
>+ , m_done(done)
>+ , m_slowPathGenerator(slowPathGenerator)
>+ , m_stubInfo(stubInfo)
>+ {
>+ }
>+
>+ MacroAssembler::PatchableJump m_jump;
>+ MacroAssembler::Label m_done;
>+ SlowPathGenerator* m_slowPathGenerator;
>+ StructureStubInfo* m_stubInfo;
>+};
>+
> // === JITCompiler ===
> //
> // DFG::JITCompiler is responsible for generating JIT code from the dataflow graph.
>@@ -192,11 +209,11 @@ public:
> m_instanceOfs.append(InlineCacheWrapper<JITInstanceOfGenerator>(gen, slowPath));
> }
>
>- void addInById(const JITInByIdGenerator& gen, SlowPathGenerator* slowPath)
>+ void addIn(const InRecord& record)
> {
>- m_inByIds.append(InlineCacheWrapper<JITInByIdGenerator>(gen, slowPath));
>+ m_ins.append(record);
> }
>-
>+
> void addJSCall(Call fastCall, Call slowCall, DataLabelPtr targetToCheck, CallLinkInfo* info)
> {
> m_jsCalls.append(JSCallRecord(fastCall, slowCall, targetToCheck, info));
>@@ -342,8 +359,8 @@ private:
> Vector<InlineCacheWrapper<JITGetByIdGenerator>, 4> m_getByIds;
> Vector<InlineCacheWrapper<JITGetByIdWithThisGenerator>, 4> m_getByIdsWithThis;
> Vector<InlineCacheWrapper<JITPutByIdGenerator>, 4> m_putByIds;
>- Vector<InlineCacheWrapper<JITInByIdGenerator>, 4> m_inByIds;
> Vector<InlineCacheWrapper<JITInstanceOfGenerator>, 4> m_instanceOfs;
>+ Vector<InRecord, 4> m_ins;
> Vector<JSCallRecord, 4> m_jsCalls;
> Vector<JSDirectCallRecord, 4> m_jsDirectCalls;
> Vector<JSDirectTailCallRecord, 4> m_jsDirectTailCalls;
>diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h
>index 6236309e62ee5ff53860b5dabbfe2b0b11d0af09..5cad0aa4d0d4e5d16f666730e71cbda9c8859f17 100644
>--- a/Source/JavaScriptCore/dfg/DFGNode.h
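Review bot: `InRecord` (first hunk of DFGJITCompiler.h) keeps `m_slowPathGenerator` and `m_stubInfo` as raw pointers with nothing stating who owns them or how long they must stay valid. In `SpeculativeJIT::compileIn` later in this patch the record is built from `slowPath.get()` immediately before `addSlowPathGenerator(WTFMove(slowPath))`, so the record appears to borrow an object owned by the slow-path list, and `JITCompiler::link` dereferences both pointers. Add a comment above the two members such as `// Non-owning; both objects must outlive JITCompiler::link().`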
>+++ b/Source/JavaScriptCore/dfg/DFGNode.h
>@@ -752,15 +752,6 @@ public:
> setOp(SetRegExpObjectLastIndex);
> m_opInfo = false;
> }
>-
>- void convertToInById(unsigned identifierNumber)
>- {
>- ASSERT(m_op == InByVal);
>- setOpAndDefaultFlags(InById);
>- children.setChild2(Edge());
>- m_opInfo = identifierNumber;
>- m_opInfo2 = OpInfoWrapper();
>- }
>
> JSValue asJSValue()
> {
>@@ -1028,7 +1019,6 @@ public:
> case PutSetterById:
> case PutGetterSetterById:
> case DeleteById:
>- case InById:
> case GetDynamicVar:
> case PutDynamicVar:
> case ResolveScopeForHoistingFuncDeclInEval:
>@@ -1997,7 +1987,7 @@ public:
> case GetIndexedPropertyStorage:
> case GetArrayLength:
> case GetVectorLength:
>- case InByVal:
>+ case In:
> case PutByValDirect:
> case PutByVal:
> case PutByValAlias:
>diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h
>index 531711bdab6ddc3855e419059bd77bb1abde254e..90e4ef3b86e892d8c99e18d3ad41e99db1b579ee 100644
>--- a/Source/JavaScriptCore/dfg/DFGNodeType.h
>+++ b/Source/JavaScriptCore/dfg/DFGNodeType.h
>@@ -370,8 +370,7 @@ namespace JSC { namespace DFG {
> macro(NumberToStringWithValidRadixConstant, NodeResultJS) \
> macro(NewStringObject, NodeResultJS) \
> macro(MakeRope, NodeResultJS) \
>- macro(InByVal, NodeResultBoolean | NodeMustGenerate) \
>- macro(InById, NodeResultBoolean | NodeMustGenerate) \
>+ macro(In, NodeResultBoolean | NodeMustGenerate) \
> macro(ProfileType, NodeMustGenerate) \
> macro(ProfileControlFlow, NodeMustGenerate) \
> macro(SetFunctionName, NodeMustGenerate) \
>diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>index 9c661f905aa47c20c58c1302740a3b22de4aa4a4..0d0e717beae4ff528680a002f08864d47f93a00c 100644
>--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
>@@ -981,8 +981,7 @@ private:
> setPrediction(SpecObjectOther);
> break;
>
>- case InByVal:
>- case InById:
>+ case In:
> setPrediction(SpecBoolean);
> break;
>
>diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>index d6d026c4269b3642551a268ad1563b82467e6d71..26f6c4cfbd318b5510a62e9af8ac505c925a5ee6 100644
>--- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>+++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h
>@@ -332,8 +332,7 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno
> case CallStringConstructor:
> case NewStringObject:
> case MakeRope:
>- case InByVal:
>- case InById:
>+ case In:
> case HasOwnProperty:
> case PushWithScope:
> case CreateActivation:
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>index 1d56d4657a783ddeebc62158fb297efa48ff0812..975e5ac060dc29093c241613e2a2d405a3691259 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
>@@ -1056,52 +1056,67 @@ void SpeculativeJIT::compileGetByIdFlush(Node* node, AccessType accessType)
> }
> }
>
>-void SpeculativeJIT::compileInById(Node* node)
>+void SpeculativeJIT::compileIn(Node* node)
> {
> SpeculateCellOperand base(this, node->child1());
>- JSValueRegsTemporary result(this, Reuse, base, PayloadWord);
>-
> GPRReg baseGPR = base.gpr();
>- JSValueRegs resultRegs = result.regs();
>-
>- base.use();
>+
>+ if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(*m_jit.vm())) {
>+ if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
>+ StructureStubInfo* stubInfo = m_jit.codeBlock()->addStubInfo(AccessType::In);
>+
>+ GPRTemporary result(this);
>+ GPRReg resultGPR = result.gpr();
>
>- CodeOrigin codeOrigin = node->origin.semantic;
>- CallSiteIndex callSite = m_jit.recordCallSiteAndGenerateExceptionHandlingOSRExitIfNeeded(codeOrigin, m_stream->size());
>- RegisterSet usedRegisters = this->usedRegisters();
>- JITInByIdGenerator gen(
>- m_jit.codeBlock(), codeOrigin, callSite, usedRegisters, identifierUID(node->identifierNumber()),
>- JSValueRegs::payloadOnly(baseGPR), resultRegs);
>- gen.generateFastPath(m_jit);
>+ use(node->child2());
>+
>+ MacroAssembler::PatchableJump jump = m_jit.patchableJump();
>+ MacroAssembler::Label done = m_jit.label();
>+
>+ // Since this block is executed only when the result of string->tryGetValueImpl() is atomic,
>+ // we can cast it to const AtomicStringImpl* safely.
>+ auto slowPath = slowPathCall(
>+ jump.m_jump, this, operationInOptimize,
>+ JSValueRegs::payloadOnly(resultGPR), stubInfo, baseGPR,
>+ static_cast<const AtomicStringImpl*>(string->tryGetValueImpl()));
>+
>+ stubInfo->callSiteIndex = m_jit.addCallSite(node->origin.semantic);
>+ stubInfo->codeOrigin = node->origin.semantic;
>+ stubInfo->patch.baseGPR = static_cast<int8_t>(baseGPR);
>+ stubInfo->patch.valueGPR = static_cast<int8_t>(resultGPR);
>+ stubInfo->patch.thisGPR = static_cast<int8_t>(InvalidGPRReg);
>+#if USE(JSVALUE32_64)
>+ stubInfo->patch.valueTagGPR = static_cast<int8_t>(InvalidGPRReg);
>+ stubInfo->patch.baseTagGPR = static_cast<int8_t>(InvalidGPRReg);
>+ stubInfo->patch.thisTagGPR = static_cast<int8_t>(InvalidGPRReg);
>+#endif
>+ stubInfo->patch.usedRegisters = usedRegisters();
>
>- auto slowPath = slowPathCall(
>- gen.slowPathJump(), this, operationInByIdOptimize,
>- NeedToSpill, ExceptionCheckRequirement::CheckNeeded,
>- resultRegs, gen.stubInfo(), CCallHelpers::CellValue(baseGPR), identifierUID(node->identifierNumber()));
>+ m_jit.addIn(InRecord(jump, done, slowPath.get(), stubInfo));
>+ addSlowPathGenerator(WTFMove(slowPath));
>
>- m_jit.addInById(gen, slowPath.get());
>- addSlowPathGenerator(WTFMove(slowPath));
>+ base.use();
>
>- blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
>-}
>+ blessedBooleanResult(resultGPR, node, UseChildrenCalledExplicitly);
>+ return;
>+ }
>+ }
>
>-void SpeculativeJIT::compileInByVal(Node* node)
>-{
>- SpeculateCellOperand base(this, node->child1());
> JSValueOperand key(this, node->child2());
>-
>- GPRReg baseGPR = base.gpr();
> JSValueRegs regs = key.jsValueRegs();
>-
>+
>+ GPRFlushedCallResult result(this);
>+ GPRReg resultGPR = result.gpr();
>+
> base.use();
> key.use();
>-
>+
> flushRegisters();
>- JSValueRegsFlushedCallResult result(this);
>- JSValueRegs resultRegs = result.regs();
>- callOperation(operationInByVal, resultRegs, baseGPR, regs);
>+ callOperation(
>+
operationGenericIn, extractResult(JSValueRegs::payloadOnly(resultGPR)),
>+ baseGPR, regs);
> m_jit.exceptionCheck();
>- blessedBooleanResult(resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
>+ blessedBooleanResult(resultGPR, node, UseChildrenCalledExplicitly);
> }
>
> void SpeculativeJIT::compileDeleteById(Node* node)
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>index 05a08ea14e718164a4effc9506e36b39e1cfff4b..77a63b159493e1bc92717b7d55e18876c8c6e384 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
>@@ -735,8 +735,7 @@ public:
> void compilePushWithScope(Node*);
> void compileGetById(Node*, AccessType);
> void compileGetByIdFlush(Node*, AccessType);
>- void compileInById(Node*);
>- void compileInByVal(Node*);
>+ void compileIn(Node*);
>
> void nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operand);
> void nonSpeculativePeepholeBranchNullOrUndefined(Edge operand, Node* branchNode);
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>index 272c57a6a88ac8a7cc1cc01b40b6552db4dde591..a303c3ff4c076f31e7d0a026867aeb80bf7f5d55 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
>@@ -3756,12 +3756,8 @@ void SpeculativeJIT::compile(Node* node)
> compileSetFunctionName(node);
> break;
>
>- case InById:
>- compileInById(node);
>- break;
>-
>- case InByVal:
>- compileInByVal(node);
>+ case In:
>+ compileIn(node);
> break;
>
> case HasOwnProperty: {
>diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
>index 50f26453538a8c28025609f6c3615ee66946d8cc..06a46baf08f6cd296b1cc77e37786c52604039d4 100644
>--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
>+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
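Review bot: In `SpeculativeJIT::compileIn` (DFGSpeculativeJIT.cpp) `string->tryGetValueImpl()` is called three times, and the `static_cast<const AtomicStringImpl*>` is applied to the result of the third call rather than to the pointer that `isAtomic()` was tested on. Binding it once with `auto* impl = string->tryGetValueImpl();`, testing `impl && impl->isAtomic()`, and passing `static_cast<const AtomicStringImpl*>(impl)` ties the downcast to the checked value, so the comment above the cast holds by construction. The same triple call appears in the FTL `compileIn()` in FTLLowerDFGToB3.cpp.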
>@@ -4306,12 +4306,8 @@ void SpeculativeJIT::compile(Node* node)
> compileSetFunctionName(node);
> break;
>
>- case InById:
>- compileInById(node);
>- break;
>-
>- case InByVal:
>- compileInByVal(node);
>+ case In:
>+ compileIn(node);
> break;
>
> case HasOwnProperty: {
>diff --git a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>index f1513bb999a9c3ee22ec019536159eec89b9be94..9cdd119a0d9981abeb63f0ec0714e5e625e7fa18 100644
>--- a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>+++ b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp
>@@ -205,8 +205,7 @@ inline CapabilityLevel canCompile(Node* node)
> case Throw:
> case ThrowStaticError:
> case Unreachable:
>- case InByVal:
>- case InById:
>+ case In:
> case HasOwnProperty:
> case IsCellWithType:
> case MapHash:
>diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>index 911d62ad5427ab15a3fc5c3a2d754fbb9861a144..3247d2a62b3c3d37ddad8f17ca48be5fa3d62f7d 100644
>--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
>@@ -708,11 +708,8 @@ private:
> case GetByIdDirectFlush:
> compileGetById(AccessType::GetDirect);
> break;
>- case InById:
>- compileInById();
>- break;
>- case InByVal:
>- compileInByVal();
>+ case In:
>+ compileIn();
> break;
> case HasOwnProperty:
> compileHasOwnProperty();
>@@ -9716,70 +9713,87 @@ private:
> setJSValue(m_out.phi(Int64, results));
> }
>
>- void compileInByVal()
>+ void compileIn()
> {
>- setJSValue(vmCall(Int64, m_out.operation(operationInByVal), m_callFrame, lowCell(m_node->child1()), lowJSValue(m_node->child2())));
>- }
>+ DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == CellUse, m_node->child1().useKind());
>
>- void compileInById()
>- {
> Node* node = m_node;
>- UniquedStringImpl* uid = m_graph.identifiers()[node->identifierNumber()];
>- LValue base = lowCell(m_node->child1());
>-
>- PatchpointValue* patchpoint = m_out.patchpoint(Int64);
>- patchpoint->appendSomeRegister(base);
>- patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
>- patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
>-
>- patchpoint->clobber(RegisterSet::macroScratchRegisters());
>-
>- RefPtr<PatchpointExceptionHandle> exceptionHandle =
>- preparePatchpointForExceptions(patchpoint);
>-
>- State* state = &m_ftlState;
>- patchpoint->setGenerator(
>- [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
>- AllowMacroScratchRegisterUsage allowScratch(jit);
>-
>- CallSiteIndex callSiteIndex =
>- state->jitCode->common.addUniqueCallSiteIndex(node->origin.semantic);
>-
>- // This is the direct exit target for operation calls.
>- Box<CCallHelpers::JumpList> exceptions =
>- exceptionHandle->scheduleExitCreation(params)->jumps(jit);
>-
>- auto generator = Box<JITInByIdGenerator>::create(
>- jit.codeBlock(), node->origin.semantic, callSiteIndex,
>- params.unavailableRegisters(), uid, JSValueRegs(params[1].gpr()),
>- JSValueRegs(params[0].gpr()));
>-
>- generator->generateFastPath(jit);
>- CCallHelpers::Label done = jit.label();
>-
>- params.addLatePath(
>- [=] (CCallHelpers& jit) {
>+ Edge base = node->child1();
>+ LValue cell = lowCell(base);
>+ if (JSString* string = node->child2()->dynamicCastConstant<JSString*>(vm())) {
>+ if (string->tryGetValueImpl() && string->tryGetValueImpl()->isAtomic()) {
>+ UniquedStringImpl* str = bitwise_cast<UniquedStringImpl*>(string->tryGetValueImpl());
>+ PatchpointValue* patchpoint = m_out.patchpoint(Int64);
>+ patchpoint->appendSomeRegister(cell);
>+ patchpoint->append(m_tagMask, ValueRep::lateReg(GPRInfo::tagMaskRegister));
>+ patchpoint->append(m_tagTypeNumber, ValueRep::lateReg(GPRInfo::tagTypeNumberRegister));
>+ patchpoint->clobber(RegisterSet::macroScratchRegisters());
>+
>+ RefPtr<PatchpointExceptionHandle> exceptionHandle = preparePatchpointForExceptions(patchpoint);
>+
>+ State* state = &m_ftlState;
>+ patchpoint->setGenerator(
>+ [=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
> AllowMacroScratchRegisterUsage allowScratch(jit);
>
>- generator->slowPathJump().link(&jit);
>- CCallHelpers::Label slowPathBegin = jit.label();
>- CCallHelpers::Call slowPathCall = callOperation(
>- *state, params.unavailableRegisters(), jit, node->origin.semantic,
>- exceptions.get(), operationInByIdOptimize, params[0].gpr(),
>- CCallHelpers::TrustedImmPtr(generator->stubInfo()), params[1].gpr(),
>- CCallHelpers::TrustedImmPtr(uid)).call();
>- jit.jump().linkTo(done, &jit);
>-
>- generator->reportSlowPathCall(slowPathBegin, slowPathCall);
>-
>- jit.addLinkTask(
>- [=] (LinkBuffer& linkBuffer) {
>- generator->finalize(linkBuffer, linkBuffer);
>+ //
This is the direct exit target for operation calls. We don't need a JS exceptionHandle because we don't
>+ // cache Proxy objects.
>+ Box<CCallHelpers::JumpList> exceptions = exceptionHandle->scheduleExitCreation(params)->jumps(jit);
>+
>+ GPRReg baseGPR = params[1].gpr();
>+ GPRReg resultGPR = params[0].gpr();
>+
>+ StructureStubInfo* stubInfo =
>+ jit.codeBlock()->addStubInfo(AccessType::In);
>+ stubInfo->callSiteIndex =
>+ state->jitCode->common.addCodeOrigin(node->origin.semantic);
>+ stubInfo->codeOrigin = node->origin.semantic;
>+ stubInfo->patch.baseGPR = static_cast<int8_t>(baseGPR);
>+ stubInfo->patch.valueGPR = static_cast<int8_t>(resultGPR);
>+ stubInfo->patch.thisGPR = static_cast<int8_t>(InvalidGPRReg);
>+ stubInfo->patch.usedRegisters = params.unavailableRegisters();
>+
>+ CCallHelpers::PatchableJump jump = jit.patchableJump();
>+ CCallHelpers::Label done = jit.label();
>+
>+ params.addLatePath(
>+ [=] (CCallHelpers& jit) {
>+ AllowMacroScratchRegisterUsage allowScratch(jit);
>+
>+ jump.m_jump.link(&jit);
>+ CCallHelpers::Label slowPathBegin = jit.label();
>+ CCallHelpers::Call slowPathCall = callOperation(
>+ *state, params.unavailableRegisters(), jit,
>+ node->origin.semantic, exceptions.get(), operationInOptimize,
>+ resultGPR, CCallHelpers::TrustedImmPtr(stubInfo), baseGPR,
>+ CCallHelpers::TrustedImmPtr(str)).call();
>+ jit.jump().linkTo(done, &jit);
>+
>+ jit.addLinkTask(
>+ [=] (LinkBuffer& linkBuffer) {
>+ CodeLocationLabel<JITStubRoutinePtrTag> start = linkBuffer.locationOf<JITStubRoutinePtrTag>(jump);
>+ stubInfo->patch.start = start;
>+ ptrdiff_t inlineSize = MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<NoPtrTag>(done));
>+ RELEASE_ASSERT(inlineSize >= 0);
>+ stubInfo->patch.inlineSize = inlineSize;
>+
>+ stubInfo->patch.deltaFromStartToSlowPathCallLocation = MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<NoPtrTag>(slowPathCall));
>+
>+ stubInfo->patch.deltaFromStartToSlowPathStart =
MacroAssembler::differenceBetweenCodePtr(
>+ start, linkBuffer.locationOf<NoPtrTag>(slowPathBegin));
>+
>+ });
> });
> });
>- });
>
>- setJSValue(patchpoint);
>+ setJSValue(patchpoint);
>+ return;
>+ }
>+ }
>+
>+ setJSValue(vmCall(Int64, m_out.operation(operationGenericIn), m_callFrame, cell, lowJSValue(m_node->child2())));
> }
>
> void compileHasOwnProperty()
>diff --git a/Source/JavaScriptCore/jit/ICStats.h b/Source/JavaScriptCore/jit/ICStats.h
>index 684e813dc4a4a83c6751030e0bc7b66b9bf2a199..c1c2d4e957dfeae712039c45cbe7b95c62a825c0 100644
>--- a/Source/JavaScriptCore/jit/ICStats.h
>+++ b/Source/JavaScriptCore/jit/ICStats.h
>@@ -50,10 +50,9 @@ namespace JSC {
> macro(OperationGetByIdBuildList) \
> macro(OperationGetByIdOptimize) \
> macro(OperationGetByIdWithThisOptimize) \
>+ macro(OperationInOptimize) \
>+ macro(OperationIn) \
> macro(OperationGenericIn) \
>- macro(OperationInById) \
>- macro(OperationInByIdGeneric) \
>- macro(OperationInByIdOptimize) \
> macro(OperationPutByIdStrict) \
> macro(OperationPutByIdNonStrict) \
> macro(OperationPutByIdDirectStrict) \
>@@ -68,8 +67,7 @@ namespace JSC {
> macro(OperationPutByIdDirectNonStrictBuildList) \
> macro(PutByIdAddAccessCase) \
> macro(PutByIdReplaceWithJump) \
>- macro(PutByIdSelfPatch) \
>- macro(InByIdSelfPatch)
>+ macro(PutByIdSelfPatch)
>
> class ICEvent {
> public:
>diff --git a/Source/JavaScriptCore/jit/JIT.cpp b/Source/JavaScriptCore/jit/JIT.cpp
>index d9db0629a438c129d57bfa3831669eb8af156998..199d81a8a35a34b312ef3156f2fd8d3464737dbe 100644
>--- a/Source/JavaScriptCore/jit/JIT.cpp
>+++ b/Source/JavaScriptCore/jit/JIT.cpp
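Review bot: The FTL `compileIn()` in FTLLowerDFGToB3.cpp obtains the key with `bitwise_cast<UniquedStringImpl*>(string->tryGetValueImpl())`, a reinterpreting cast that compiles whether or not the two pointer types are related, while the DFG version of the same path uses `static_cast<const AtomicStringImpl*>` and a comment tying the cast to the `isAtomic()` test. I would use a named hierarchy cast here as well and carry the justification over, e.g. `// isAtomic() was checked above, so this impl is an AtomicStringImpl.` Separately, the link task asserts `inlineSize >= 0` but stores `deltaFromStartToSlowPathCallLocation` and `deltaFromStartToSlowPathStart` without any check; whether those fields can hold every `ptrdiff_t` value is not visible in this hunk.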
>@@ -78,6 +78,11 @@ JIT::JIT(VM* vm, CodeBlock* codeBlock, unsigned loopOSREntryBytecodeOffset)
> , m_interpreter(vm->interpreter)
> , m_labels(codeBlock ? codeBlock->numberOfInstructions() : 0)
> , m_bytecodeOffset(std::numeric_limits<unsigned>::max())
>+ , m_getByIdIndex(UINT_MAX)
>+ , m_getByIdWithThisIndex(UINT_MAX)
>+ , m_putByIdIndex(UINT_MAX)
>+ , m_byValInstructionIndex(UINT_MAX)
>+ , m_callLinkInfoIndex(UINT_MAX)
> , m_pcToCodeOriginMapBuilder(*vm)
> , m_canBeOptimized(false)
> , m_shouldEmitProfiling(false)
>@@ -272,7 +277,7 @@ void JIT::privateCompileMainPass()
> unsigned bytecodeOffset = m_bytecodeOffset;
>
> switch (opcodeID) {
>- DEFINE_SLOW_OP(in_by_val)
>+ DEFINE_SLOW_OP(in)
> DEFINE_SLOW_OP(less)
> DEFINE_SLOW_OP(lesseq)
> DEFINE_SLOW_OP(greater)
>@@ -336,7 +341,6 @@ void JIT::privateCompileMainPass()
> DEFINE_OP(op_below)
> DEFINE_OP(op_beloweq)
> DEFINE_OP(op_try_get_by_id)
>- DEFINE_OP(op_in_by_id)
> case op_get_array_length:
> case op_get_by_id_proto_load:
> case op_get_by_id_unset:
>@@ -474,7 +478,6 @@ void JIT::privateCompileSlowCases()
> m_getByIdIndex = 0;
> m_getByIdWithThisIndex = 0;
> m_putByIdIndex = 0;
>- m_inByIdIndex = 0;
> m_instanceOfIndex = 0;
> m_byValInstructionIndex = 0;
> m_callLinkInfoIndex = 0;
>@@ -518,7 +521,6 @@ void JIT::privateCompileSlowCases()
> DEFINE_SLOWCASE_OP(op_construct)
> DEFINE_SLOWCASE_OP(op_eq)
> DEFINE_SLOWCASE_OP(op_try_get_by_id)
>- DEFINE_SLOWCASE_OP(op_in_by_id)
> case op_get_array_length:
> case op_get_by_id_proto_load:
> case op_get_by_id_unset:
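Review bot: `m_instanceOfIndex` is the one slow-case index left without an initial value: the constructor hunk at `@@ -78,6 +78,11 @@` restores `UINT_MAX` for `m_getByIdIndex`, `m_getByIdWithThisIndex`, `m_putByIdIndex`, `m_byValInstructionIndex` and `m_callLinkInfoIndex`, while the JIT.h hunk at `@@ -881,13 +878,12 @@` drops the `{ UINT_MAX }` default from every index, `m_instanceOfIndex` included. Unless the initializer list sets it outside this hunk, the member holds an indeterminate value until `privateCompileSlowCases()` assigns `m_instanceOfIndex = 0`, so it loses the sentinel the other indices keep. I would add `, m_instanceOfIndex(UINT_MAX)` after `, m_putByIdIndex(UINT_MAX)` in the constructor, or keep `unsigned m_instanceOfIndex { UINT_MAX };` in JIT.h.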
>@@ -598,7 +600,6 @@ void JIT::privateCompileSlowCases()
> RELEASE_ASSERT(m_getByIdIndex == m_getByIds.size());
> RELEASE_ASSERT(m_getByIdWithThisIndex == m_getByIdsWithThis.size());
> RELEASE_ASSERT(m_putByIdIndex == m_putByIds.size());
>- RELEASE_ASSERT(m_inByIdIndex == m_inByIds.size());
> RELEASE_ASSERT(m_instanceOfIndex == m_instanceOfs.size());
> RELEASE_ASSERT(m_callLinkInfoIndex == m_callCompilationInfo.size());
> RELEASE_ASSERT(numberOfValueProfiles == m_codeBlock->numberOfValueProfiles());
>@@ -841,7 +842,6 @@ CompilationResult JIT::link()
> finalizeInlineCaches(m_getByIds, patchBuffer);
> finalizeInlineCaches(m_getByIdsWithThis, patchBuffer);
> finalizeInlineCaches(m_putByIds, patchBuffer);
>- finalizeInlineCaches(m_inByIds, patchBuffer);
> finalizeInlineCaches(m_instanceOfs, patchBuffer);
>
> if (m_byValCompilationInfo.size()) {
>diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h
>index b96aa22433aabda50ea8da9f3a995d904b797957..156f1b58129f7f6cf76f1395a53a9a9d208dbfd4 100644
>--- a/Source/JavaScriptCore/jit/JIT.h
>+++ b/Source/JavaScriptCore/jit/JIT.h
>@@ -500,7 +500,6 @@ namespace JSC {
> void emit_op_get_arguments_length(Instruction*);
> void emit_op_get_by_val(Instruction*);
> void emit_op_get_argument_by_val(Instruction*);
>- void emit_op_in_by_id(Instruction*);
> void emit_op_init_lazy_reg(Instruction*);
> void emit_op_overrides_has_instance(Instruction*);
> void emit_op_instanceof(Instruction*);
>@@ -612,7 +611,6 @@ namespace JSC {
> void emitSlow_op_get_arguments_length(Instruction*, Vector<SlowCaseEntry>::iterator&);
> void emitSlow_op_get_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
> void emitSlow_op_get_argument_by_val(Instruction*, Vector<SlowCaseEntry>::iterator&);
>- void emitSlow_op_in_by_id(Instruction*, Vector<SlowCaseEntry>::iterator&);
> void emitSlow_op_instanceof(Instruction*, Vector<SlowCaseEntry>::iterator&);
> void emitSlow_op_instanceof_custom(Instruction*, Vector<SlowCaseEntry>::iterator&);
> void emitSlow_op_jless(Instruction*, Vector<SlowCaseEntry>::iterator&);
>@@ -867,7 +865,6 @@ namespace JSC {
> Vector<JITGetByIdGenerator> m_getByIds;
> Vector<JITGetByIdWithThisGenerator> m_getByIdsWithThis;
> Vector<JITPutByIdGenerator> m_putByIds;
>- Vector<JITInByIdGenerator> m_inByIds;
> Vector<JITInstanceOfGenerator> m_instanceOfs;
> Vector<ByValCompilationInfo> m_byValCompilationInfo;
> Vector<CallCompilationInfo> m_callCompilationInfo;
>@@ -881,13 +878,12 @@ namespace JSC {
> JumpList m_exceptionChecksWithCallFrameRollback;
> Label m_exceptionHandler;
>
>- unsigned m_getByIdIndex { UINT_MAX };
>- unsigned m_getByIdWithThisIndex { UINT_MAX };
>- unsigned m_putByIdIndex { UINT_MAX };
>- unsigned m_inByIdIndex { UINT_MAX };
>- unsigned m_instanceOfIndex { UINT_MAX };
>- unsigned m_byValInstructionIndex { UINT_MAX };
>- unsigned m_callLinkInfoIndex { UINT_MAX };
>+ unsigned m_getByIdIndex;
>+ unsigned m_getByIdWithThisIndex;
>+ unsigned m_putByIdIndex;
>+ unsigned m_instanceOfIndex;
>+ unsigned m_byValInstructionIndex;
>+ unsigned m_callLinkInfoIndex;
>
> Label m_arityCheck;
> std::unique_ptr<LinkBuffer> m_linkBuffer;
>diff --git a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
>index 2f9697739c0f8e9c11ae197f34454f868d1ba95a..8f17e9e7a39dd6ad086c01a34e2c18084b923f14 100644
>--- a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
>+++ b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.cpp
>@@ -166,21 +166,6 @@ V_JITOperation_ESsiJJI JITPutByIdGenerator::slowPathFunction()
> return operationPutByIdNonStrictOptimize;
> }
>
>-JITInByIdGenerator::JITInByIdGenerator(
>- CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSite, const RegisterSet& usedRegisters,
>- UniquedStringImpl* propertyName, JSValueRegs base, JSValueRegs value)
>- : JITByIdGenerator(codeBlock, codeOrigin, callSite, AccessType::In, usedRegisters, base, value)
>-{
>- // FIXME: We are not supporting fast path for "length" property.
>- UNUSED_PARAM(propertyName);
>- RELEASE_ASSERT(base.payloadGPR() != value.tagGPR());
>-}
>-
>-void JITInByIdGenerator::generateFastPath(MacroAssembler& jit)
>-{
>- generateFastCommon(jit, InlineAccess::sizeForPropertyAccess());
>-}
>-
> JITInstanceOfGenerator::JITInstanceOfGenerator(
> CodeBlock* codeBlock, CodeOrigin codeOrigin, CallSiteIndex callSiteIndex,
> const RegisterSet& usedRegisters, GPRReg result, GPRReg value, GPRReg prototype,
>diff --git a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h
>index b747b8689ad93844ab785145c08435f3d68e8d9e..07a08c85c23c22305c3aa45cf4537bd9c765b404 100644
>--- a/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h
>+++ b/Source/JavaScriptCore/jit/JITInlineCacheGenerator.h
>@@ -143,17 +143,6 @@ private:
> PutKind m_putKind;
> };
>
>-class JITInByIdGenerator : public JITByIdGenerator {
>-public:
>- JITInByIdGenerator() { }
>-
>- JITInByIdGenerator(
>- CodeBlock*, CodeOrigin, CallSiteIndex, const RegisterSet& usedRegisters, UniquedStringImpl* propertyName,
>- JSValueRegs base, JSValueRegs value);
>-
>- void generateFastPath(MacroAssembler&);
>-};
>-
> class JITInstanceOfGenerator : public JITInlineCacheGenerator {
> public:
> JITInstanceOfGenerator() { }
>diff --git a/Source/JavaScriptCore/jit/JITOperations.cpp b/Source/JavaScriptCore/jit/JITOperations.cpp
>index fa456fac352a8402570fb6ec7731f5120a037bb3..bf1677e22c73e24641cbe8e0e39e55064097be11 100644
>--- a/Source/JavaScriptCore/jit/JITOperations.cpp
>+++ b/Source/JavaScriptCore/jit/JITOperations.cpp
>@@ -377,91 +377,64 @@ EncodedJSValue JIT_OPERATION operationGetByIdWithThisOptimize(ExecState* exec, S
> }));
> }
>
>-EncodedJSValue JIT_OPERATION operationInById(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue base, UniquedStringImpl* uid)
>+EncodedJSValue JIT_OPERATION operationInOptimize(ExecState* exec, StructureStubInfo* stubInfo, JSCell* base, UniquedStringImpl* key)
> {
> SuperSamplerScope superSamplerScope(false);
>+
>+ VM* vm = &exec->vm();
>+ NativeCallFrameTracer tracer(vm, exec);
>+ auto scope = DECLARE_THROW_SCOPE(*vm);
>
>- VM& vm = exec->vm();
>- NativeCallFrameTracer tracer(&vm, exec);
>- auto scope = DECLARE_THROW_SCOPE(vm);
>-
>- stubInfo->tookSlowPath = true;
>-
>- Identifier ident = Identifier::fromUid(&vm, uid);
>-
>- JSValue baseValue = JSValue::decode(base);
>- if (!baseValue.isObject()) {
>- throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
>- return JSValue::encode(jsUndefined());
>- }
>- JSObject* baseObject = asObject(baseValue);
>-
>- LOG_IC((ICEvent::OperationInById, baseObject->classInfo(vm), ident));
>-
>- scope.release();
>- PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
>- return JSValue::encode(jsBoolean(baseObject->getPropertySlot(exec, ident, slot)));
>-}
>-
>-EncodedJSValue JIT_OPERATION operationInByIdGeneric(ExecState* exec, EncodedJSValue base, UniquedStringImpl* uid)
>-{
>- SuperSamplerScope superSamplerScope(false);
>-
>- VM& vm = exec->vm();
>- NativeCallFrameTracer tracer(&vm, exec);
>- auto scope = DECLARE_THROW_SCOPE(vm);
>-
>- Identifier ident = Identifier::fromUid(&vm, uid);
>-
>- JSValue baseValue = JSValue::decode(base);
>- if (!baseValue.isObject()) {
>- throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
>+ if (!base->isObject()) {
>+ throwException(exec, scope, createInvalidInParameterError(exec, base));
> return JSValue::encode(jsUndefined());
> }
>- JSObject* baseObject = asObject(baseValue);
>-
>-
LOG_IC((ICEvent::OperationInByIdGeneric, baseObject->classInfo(vm), ident));
>+
>+ AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
>
>- scope.release();
>- PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
>- return JSValue::encode(jsBoolean(baseObject->getPropertySlot(exec, ident, slot)));
>+ Identifier ident = Identifier::fromUid(vm, key);
>+ LOG_IC((ICEvent::OperationInOptimize, base->classInfo(*vm), ident));
>+ PropertySlot slot(base, PropertySlot::InternalMethodType::HasProperty);
>+ bool result = asObject(base)->getPropertySlot(exec, ident, slot);
>+ RETURN_IF_EXCEPTION(scope, encodedJSValue());
>+
>+ RELEASE_ASSERT(accessType == stubInfo->accessType);
>+
>+ if (stubInfo->considerCaching(exec->codeBlock(), asObject(base)->structure()))
>+ repatchIn(exec, base, ident, result, slot, *stubInfo);
>+
>+ return JSValue::encode(jsBoolean(result));
> }
>
>-EncodedJSValue JIT_OPERATION operationInByIdOptimize(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue base, UniquedStringImpl* uid)
>+EncodedJSValue JIT_OPERATION operationIn(ExecState* exec, StructureStubInfo* stubInfo, JSCell* base, UniquedStringImpl* key)
> {
> SuperSamplerScope superSamplerScope(false);
>+
>+ VM* vm = &exec->vm();
>+ NativeCallFrameTracer tracer(vm, exec);
>+ auto scope = DECLARE_THROW_SCOPE(*vm);
>
>- VM& vm = exec->vm();
>- NativeCallFrameTracer tracer(&vm, exec);
>- auto scope = DECLARE_THROW_SCOPE(vm);
>-
>- Identifier ident = Identifier::fromUid(&vm, uid);
>+ stubInfo->tookSlowPath = true;
>
>- JSValue baseValue = JSValue::decode(base);
>- if (!baseValue.isObject()) {
>- throwException(exec, scope, createInvalidInParameterError(exec, baseValue));
>+ if (!base->isObject()) {
>+ throwException(exec, scope, createInvalidInParameterError(exec, base));
> return JSValue::encode(jsUndefined());
> }
>- JSObject* baseObject = asObject(baseValue);
>-
>- LOG_IC((ICEvent::OperationInByIdOptimize, baseObject->classInfo(vm), ident));
>
>+
Identifier ident = Identifier::fromUid(vm, key);
>+ LOG_IC((ICEvent::OperationIn, base->classInfo(*vm), ident));
> scope.release();
>- PropertySlot slot(baseObject, PropertySlot::InternalMethodType::HasProperty);
>- bool found = baseObject->getPropertySlot(exec, ident, slot);
>- if (stubInfo->considerCaching(exec->codeBlock(), baseObject->structure(vm)))
>- repatchInByID(exec, baseObject, ident, found, slot, *stubInfo);
>- return JSValue::encode(jsBoolean(found));
>+ return JSValue::encode(jsBoolean(asObject(base)->hasProperty(exec, ident)));
> }
>
>-EncodedJSValue JIT_OPERATION operationInByVal(ExecState* exec, JSCell* base, EncodedJSValue key)
>+EncodedJSValue JIT_OPERATION operationGenericIn(ExecState* exec, JSCell* base, EncodedJSValue key)
> {
> SuperSamplerScope superSamplerScope(false);
>
> VM* vm = &exec->vm();
> NativeCallFrameTracer tracer(vm, exec);
>
>- return JSValue::encode(jsBoolean(CommonSlowPaths::opInByVal(exec, base, JSValue::decode(key))));
>+ return JSValue::encode(jsBoolean(CommonSlowPaths::opIn(exec, base, JSValue::decode(key))));
> }
>
> void JIT_OPERATION operationPutByIdStrict(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl* uid)
>diff --git a/Source/JavaScriptCore/jit/JITOperations.h b/Source/JavaScriptCore/jit/JITOperations.h
>index 6071e5dab4d3a256785b54d14b581de1acced266..7a32669e4e3ded242bf7ce504c8703016569f45c 100644
>--- a/Source/JavaScriptCore/jit/JITOperations.h
>+++ b/Source/JavaScriptCore/jit/JITOperations.h
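Review bot: `operationInOptimize` in JITOperations.cpp snapshots `stubInfo->accessType` before `getPropertySlot()` and re-checks it with `RELEASE_ASSERT(accessType == stubInfo->accessType)` afterwards, but nothing says what the assert guards. A `HasProperty` lookup can throw (hence the `RETURN_IF_EXCEPTION`) and presumably can re-enter the VM, so a comment such as `// The lookup may run arbitrary code; the stub must still be the In stub we were called for before we repatch it.` would tell the next reader why the check has to stay ahead of `repatchIn()`. If that is not the intent, the snapshot and assert need a different explanation.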
>@@ -371,12 +371,9 @@ EncodedJSValue JIT_OPERATION operationGetByIdWithThisOptimize(ExecState*, Struct
> EncodedJSValue JIT_OPERATION operationGetByIdDirect(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
> EncodedJSValue JIT_OPERATION operationGetByIdDirectGeneric(ExecState*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
> EncodedJSValue JIT_OPERATION operationGetByIdDirectOptimize(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
>-EncodedJSValue JIT_OPERATION operationInById(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
>-EncodedJSValue JIT_OPERATION operationInByIdGeneric(ExecState*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
>-EncodedJSValue JIT_OPERATION operationInByIdOptimize(ExecState*, StructureStubInfo*, EncodedJSValue, UniquedStringImpl*) WTF_INTERNAL;
> EncodedJSValue JIT_OPERATION operationInOptimize(ExecState*, StructureStubInfo*, JSCell*, UniquedStringImpl*) WTF_INTERNAL;
> EncodedJSValue JIT_OPERATION operationIn(ExecState*, StructureStubInfo*, JSCell*, UniquedStringImpl*) WTF_INTERNAL;
>-EncodedJSValue JIT_OPERATION operationInByVal(ExecState*, JSCell*, EncodedJSValue) WTF_INTERNAL;
>+EncodedJSValue JIT_OPERATION operationGenericIn(ExecState*, JSCell*, EncodedJSValue) WTF_INTERNAL;
> void JIT_OPERATION operationPutByIdStrict(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
> void JIT_OPERATION operationPutByIdNonStrict(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
> void JIT_OPERATION operationPutByIdDirectStrict(ExecState*, StructureStubInfo*, EncodedJSValue encodedValue, EncodedJSValue encodedBase, UniquedStringImpl*) WTF_INTERNAL;
>diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
>index e636f712090ff5098ed6143ea9b8c9a2f8097739..7e5d107ad22259ea24f3ff5a5a8f1a5b6717eb70 100644
>--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
>+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
>@@ -751,42 +751,6 @@ void JIT::emitSlow_op_put_by_id(Instruction* currentInstruction, Vector<SlowCase
> gen.reportSlowPathCall(coldPathBegin, call);
> }
>
>-void JIT::emit_op_in_by_id(Instruction* currentInstruction)
>-{
>- int resultVReg = currentInstruction[1].u.operand;
>- int baseVReg = currentInstruction[2].u.operand;
>- const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
>-
>- emitGetVirtualRegister(baseVReg, regT0);
>-
>- emitJumpSlowCaseIfNotJSCell(regT0, baseVReg);
>-
>- JITInByIdGenerator gen(
>- m_codeBlock, CodeOrigin(m_bytecodeOffset), CallSiteIndex(m_bytecodeOffset), RegisterSet::stubUnavailableRegisters(),
>- ident->impl(), JSValueRegs(regT0), JSValueRegs(regT0));
>- gen.generateFastPath(*this);
>- addSlowCase(gen.slowPathJump());
>- m_inByIds.append(gen);
>-
>- emitPutVirtualRegister(resultVReg);
>-}
>-
>-void JIT::emitSlow_op_in_by_id(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
>-{
>- linkAllSlowCases(iter);
>-
>- int resultVReg = currentInstruction[1].u.operand;
>- const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
>-
>- JITInByIdGenerator& gen = m_inByIds[m_inByIdIndex++];
>-
>- Label coldPathBegin = label();
>-
>- Call call = callOperation(operationInByIdOptimize, resultVReg, gen.stubInfo(), regT0, ident->impl());
>-
>- gen.reportSlowPathCall(coldPathBegin, call);
>-}
>-
> void JIT::emitVarInjectionCheck(bool needsVarInjectionChecks)
> {
> if (!needsVarInjectionChecks)
>diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
>index 4ab90314a8bb7385658429652f045e31c847217b..db2a472e850a566e07a023cf4330422218115d67 100644
>--- a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
>+++ b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
>@@ -771,41 +771,6 @@ void JIT::emitSlow_op_put_by_id(Instruction* currentInstruction, Vector<SlowCase
> gen.reportSlowPathCall(coldPathBegin, call);
> }
>
>-void JIT::emit_op_in_by_id(Instruction* currentInstruction)
>-{
>- int dst = currentInstruction[1].u.operand;
>- int base = currentInstruction[2].u.operand;
>- const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
>-
>- emitLoad(base, regT1, regT0);
>- emitJumpSlowCaseIfNotJSCell(base, regT1);
>-
>- JITInByIdGenerator gen(
>- m_codeBlock, CodeOrigin(m_bytecodeOffset), CallSiteIndex(currentInstruction), RegisterSet::stubUnavailableRegisters(),
>- ident->impl(), JSValueRegs::payloadOnly(regT0), JSValueRegs(regT1, regT0));
>- gen.generateFastPath(*this);
>- addSlowCase(gen.slowPathJump());
>- m_inByIds.append(gen);
>-
>- emitStore(dst, regT1, regT0);
>-}
>-
>-void JIT::emitSlow_op_in_by_id(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
>-{
>- linkAllSlowCases(iter);
>-
>- int resultVReg = currentInstruction[1].u.operand;
>- const Identifier* ident = &(m_codeBlock->identifier(currentInstruction[3].u.operand));
>-
>- JITInByIdGenerator& gen = m_inByIds[m_getByIdIndex++];
>-
>- Label coldPathBegin = label();
>-
>- Call call = callOperation(operationInByIdOptimize, resultVReg, gen.stubInfo(), JSValueRegs(regT1, regT0), ident->impl());
>-
>- gen.reportSlowPathCall(coldPathBegin, call);
>-}
>-
> void JIT::emitVarInjectionCheck(bool needsVarInjectionChecks)
> {
> if (!needsVarInjectionChecks)
>diff --git a/Source/JavaScriptCore/jit/Repatch.cpp b/Source/JavaScriptCore/jit/Repatch.cpp
>index 85ec0b204d276f29131c9a88df9f3dc0e1072630..14373bbb246718e947def6e92e00250ac4cfdae1 100644
>--- a/Source/JavaScriptCore/jit/Repatch.cpp
>+++ b/Source/JavaScriptCore/jit/Repatch.cpp
>@@ -605,8 +605,8 @@ void repatchPutByID(ExecState* exec, JSValue baseValue, Structure* structure, co
> }
> }
>
>-static InlineCacheAction tryCacheInByID(
>- ExecState* exec, JSObject* base, const Identifier& ident,
>+static InlineCacheAction tryCacheIn(
>+ ExecState* exec, JSCell* base, const Identifier& ident,
> bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
> {
> VM& vm = exec->vm();
>@@ -631,26 +631,6 @@ static InlineCacheAction tryCacheInByID(
> std::unique_ptr<PolyProtoAccessChain> prototypeAccessChain;
> ObjectPropertyConditionSet conditionSet;
> if (wasFound) {
>- InlineCacheAction action = actionForCell(vm, base);
>- if (action != AttemptToCache)
>- return action;
>-
>- // Optimize self access.
>- if (stubInfo.cacheType == CacheType::Unset
>- && slot.isCacheableValue()
>- && slot.slotBase() == base
>- && !slot.watchpointSet()
>- && !structure->needImpurePropertyWatchpoint()) {
>- bool generatedCodeInline = InlineAccess::generateSelfInAccess(stubInfo, structure);
>- if (generatedCodeInline) {
>- LOG_IC((ICEvent::InByIdSelfPatch, structure->classInfo(), ident));
>- structure->startWatchingPropertyForReplacements(vm, slot.cachedOffset());
>- ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInByIdOptimize);
>- stubInfo.initInByIdSelf(codeBlock, structure, slot.cachedOffset());
>- return RetryCacheLater;
>- }
>- }
>-
> if (slot.slotBase() != base) {
> bool usesPolyProto;
> prototypeAccessChain = PolyProtoAccessChain::create(exec->lexicalGlobalObject(), base, slot, usesPolyProto);
>@@ -684,7 +664,7 @@ static InlineCacheAction tryCacheInByID(
> LOG_IC((ICEvent::InAddAccessCase, structure->classInfo(), ident));
>
> std::unique_ptr<AccessCase> newCase = AccessCase::create(
>- vm, codeBlock, wasFound ? AccessCase::InHit : AccessCase::InMiss, wasFound ? slot.cachedOffset() : invalidOffset, structure, conditionSet, WTFMove(prototypeAccessChain));
>+ vm, codeBlock, wasFound ? AccessCase::InHit : AccessCase::InMiss, invalidOffset, structure, conditionSet, WTFMove(prototypeAccessChain));
>
> result = stubInfo.addAccessCase(locker, codeBlock, ident, WTFMove(newCase));
>
>@@ -692,7 +672,10 @@ static InlineCacheAction tryCacheInByID(
> LOG_IC((ICEvent::InReplaceWithJump, structure->classInfo(), ident));
>
> RELEASE_ASSERT(result.code());
>- InlineAccess::rewireStubAsJump(stubInfo, CodeLocationLabel<JITStubRoutinePtrTag>(result.code()));
>+
>+ MacroAssembler::repatchJump(
>+ stubInfo.patchableJump(),
>+ CodeLocationLabel<JITStubRoutinePtrTag>(result.code()));
> }
> }
>
>@@ -701,14 +684,13 @@ static InlineCacheAction tryCacheInByID(
> return result.shouldGiveUpNow() ? GiveUpOnCache : RetryCacheLater;
> }
>
>-void repatchInByID(ExecState* exec, JSObject* baseObject, const Identifier& propertyName, bool wasFound, const PropertySlot& slot, StructureStubInfo& stubInfo)
>+void repatchIn(
>+ ExecState* exec, JSCell* base, const Identifier& ident, bool wasFound,
>+ const PropertySlot& slot, StructureStubInfo& stubInfo)
> {
> SuperSamplerScope superSamplerScope(false);
>-
>- if (tryCacheInByID(exec, baseObject, propertyName, wasFound, slot, stubInfo) == GiveUpOnCache) {
>- CodeBlock* codeBlock = exec->codeBlock();
>- ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInById);
>- }
>+ if (tryCacheIn(exec, base, ident, wasFound, slot, stubInfo) == GiveUpOnCache)
>+ ftlThunkAwareRepatchCall(exec->codeBlock(), stubInfo.slowPathCallLocation(), operationIn);
> }
>
> static InlineCacheAction tryCacheInstanceOf(
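Review bot: In `repatchIn`, a `GiveUpOnCache` result repatches the slow-path call to `operationIn`, but `resetIn` in the `@@ -1254` hunk only calls `resetPatchableJump(stubInfo)` and leaves that call target untouched, whereas the removed `resetInByID` also restored the optimizing operation. As far as these hunks show, a stub that gave up once keeps the non-caching slow path after a reset; that reads as a lost optimization rather than a safety problem, but nothing here says it is intended. If it is, a comment on `resetIn` would record it, e.g. `// Only the jump is reset; a slow-path call already repatched to operationIn stays in place.`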
>@@ -1254,10 +1236,9 @@ static void resetPatchableJump(StructureStubInfo& stubInfo)
> MacroAssembler::repatchJump(stubInfo.patchableJump(), stubInfo.slowPathStartLocation());
> }
>
>-void resetInByID(CodeBlock* codeBlock, StructureStubInfo& stubInfo)
>+void resetIn(StructureStubInfo& stubInfo)
> {
>- ftlThunkAwareRepatchCall(codeBlock, stubInfo.slowPathCallLocation(), operationInByIdOptimize);
>- InlineAccess::rewireStubAsJump(stubInfo, stubInfo.slowPathStartLocation());
>+ resetPatchableJump(stubInfo);
> }
>
> void resetInstanceOf(StructureStubInfo& stubInfo)
>diff --git a/Source/JavaScriptCore/jit/Repatch.h b/Source/JavaScriptCore/jit/Repatch.h
>index 0f366ddd8ceb3602cefb1011d600c7ef48d2a15e..aa32c26e1b2284ce35bd7eab70fc7332c7b96fd0 100644
>--- a/Source/JavaScriptCore/jit/Repatch.h
>+++ b/Source/JavaScriptCore/jit/Repatch.h
>@@ -44,7 +44,7 @@ void buildGetByIDList(ExecState*, JSValue, const Identifier&, const PropertySlot
> void buildGetByIDProtoList(ExecState*, JSValue, const Identifier&, const PropertySlot&, StructureStubInfo&);
> void repatchPutByID(ExecState*, JSValue, Structure*, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
> void buildPutByIdList(ExecState*, JSValue, Structure*, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
>-void repatchInByID(ExecState*, JSObject*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
>+void repatchIn(ExecState*, JSCell*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
> void repatchInstanceOf(ExecState*, JSValue value, JSValue prototype, StructureStubInfo&, bool wasFound);
> void linkFor(ExecState*, CallLinkInfo&, CodeBlock*, JSObject* callee, MacroAssemblerCodePtr<JSEntryPtrTag>);
> void linkDirectFor(ExecState*, CallLinkInfo&, CodeBlock*, MacroAssemblerCodePtr<JSEntryPtrTag>);
>@@ -54,7 +54,7 @@ void linkVirtualFor(ExecState*, CallLinkInfo&);
> void linkPolymorphicCall(ExecState*, CallLinkInfo&, CallVariant);
> void resetGetByID(CodeBlock*, StructureStubInfo&, GetByIDKind);
> void resetPutByID(CodeBlock*, StructureStubInfo&);
>-void resetInByID(CodeBlock*, StructureStubInfo&);
>+void resetIn(StructureStubInfo&);
> void resetInstanceOf(StructureStubInfo&);
> void ftlThunkAwareRepatchCall(CodeBlock*, CodeLocationCall<JSInternalPtrTag>, FunctionPtr<CFunctionPtrTag> newCalleeFunction);
>
>diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
>index 76487059cd764c0a7fce4aa7e106d7ffcef7b259..2bc9febfec38578267c060c9f638cb1185581cda 100644
>--- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
>+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
>@@ -1507,16 +1507,10 @@ _llint_op_is_function:
> dispatch(constexpr op_is_function_length)
>
>
>-_llint_op_in_by_id:
>+_llint_op_in:
> traceExecution()
>- callSlowPath(_slow_path_in_by_id)
>- dispatch(constexpr op_in_by_id_length)
>-
>-
>-_llint_op_in_by_val:
>- traceExecution()
>- callSlowPath(_slow_path_in_by_val)
>- dispatch(constexpr op_in_by_val_length)
>+ callSlowPath(_slow_path_in)
>+ dispatch(constexpr op_in_length)
>
>
> _llint_op_try_get_by_id:
>diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>index 3eea54d6486679d0b4e034d2347e0602ff74bdab..626989d526faeb02a85b20e95d6dcb968abb0ad0 100644
>--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
>@@ -1552,7 +1552,6 @@ _llint_op_put_by_id:
> callSlowPath(_llint_slow_path_put_by_id)
> dispatch(constexpr op_put_by_id_length)
>
>-
> macro finishGetByVal(result, scratch)
> loadisFromInstruction(1, scratch)
> storeq result, [cfr, scratch, 8]
>diff --git a/Source/JavaScriptCore/parser/NodeConstructors.h b/Source/JavaScriptCore/parser/NodeConstructors.h
>index 5d77db19b762ef78414688edc71c89f9f7f6dff9..e6f03b65b75d00252f043ec9931fbba504b93cde 100644
>--- a/Source/JavaScriptCore/parser/NodeConstructors.h
>+++ b/Source/JavaScriptCore/parser/NodeConstructors.h
>@@ -623,7 +623,7 @@ namespace JSC {
> }
>
> inline InNode::InNode(const JSTokenLocation& location, ExpressionNode* expr1, ExpressionNode* expr2, bool rightHasAssignments)
>- : ThrowableBinaryOpNode(location, expr1, expr2, op_in_by_val, rightHasAssignments)
>+ : ThrowableBinaryOpNode(location, expr1, expr2, op_in, rightHasAssignments)
> {
> }
>
>diff --git a/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp b/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
>index 253db5e4aac6114e306f9d4f2094a4b7c3f1a574..84dd3d2a4516a188f0f98a01d501004cdc725663 100644
>--- a/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
>+++ b/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
>@@ -648,21 +648,10 @@ SLOW_PATH_DECL(slow_path_is_function)
> RETURN(jsBoolean(jsIsFunctionType(OP_C(2).jsValue())));
> }
>
>-SLOW_PATH_DECL(slow_path_in_by_val)
>+SLOW_PATH_DECL(slow_path_in)
> {
> BEGIN();
>- RETURN(jsBoolean(CommonSlowPaths::opInByVal(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
>-}
>-
>-SLOW_PATH_DECL(slow_path_in_by_id)
>-{
>- BEGIN();
>-
>- JSValue baseValue = OP_C(2).jsValue();
>- if (!baseValue.isObject())
>- THROW(createInvalidInParameterError(exec, baseValue));
>-
>- RETURN(jsBoolean(asObject(baseValue)->hasProperty(exec, exec->codeBlock()->identifier(pc[3].u.operand))));
>+ RETURN(jsBoolean(CommonSlowPaths::opIn(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
> }
>
> SLOW_PATH_DECL(slow_path_del_by_val)
>diff --git a/Source/JavaScriptCore/runtime/CommonSlowPaths.h b/Source/JavaScriptCore/runtime/CommonSlowPaths.h
>index 406cda37f19f1e93674e2343541915c420ea5d4e..c28513567cd3a687bd03459f761dc9aff8d0007b 100644
>--- a/Source/JavaScriptCore/runtime/CommonSlowPaths.h
>+++ b/Source/JavaScriptCore/runtime/CommonSlowPaths.h
>@@ -85,7 +85,7 @@ ALWAYS_INLINE int arityCheckFor(ExecState* exec, VM& vm, CodeSpecializationKind
> return padding;
> }
>
>-inline bool opInByVal(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfile* arrayProfile = nullptr)
>+inline bool opIn(ExecState* exec, JSValue baseVal, JSValue propName, ArrayProfile* arrayProfile = nullptr)
> {
> VM& vm = exec->vm();
> auto scope = DECLARE_THROW_SCOPE(vm);
>@@ -308,8 +308,7 @@ SLOW_PATH_HIDDEN_DECL(slow_path_typeof);
> SLOW_PATH_HIDDEN_DECL(slow_path_is_object);
> SLOW_PATH_HIDDEN_DECL(slow_path_is_object_or_null);
> SLOW_PATH_HIDDEN_DECL(slow_path_is_function);
>-SLOW_PATH_HIDDEN_DECL(slow_path_in_by_id);
>-SLOW_PATH_HIDDEN_DECL(slow_path_in_by_val);
>+SLOW_PATH_HIDDEN_DECL(slow_path_in);
> SLOW_PATH_HIDDEN_DECL(slow_path_del_by_val);
> SLOW_PATH_HIDDEN_DECL(slow_path_strcat);
> SLOW_PATH_HIDDEN_DECL(slow_path_to_primitive);
>diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
>index 72f9954fad476b4d3cd7c2a0def5544fcfe4b577..33bcc89eb8a267f8aa4754de185f193de9176822 100644
>--- a/JSTests/ChangeLog
>+++ b/JSTests/ChangeLog
>@@ -1,3 +1,21 @@
>+2018-05-21 Commit Queue <commit-queue@webkit.org>
>+
>+ Unreviewed, rolling out r231998 and r232017.
>+ https://bugs.webkit.org/show_bug.cgi?id=185842
>+
>+ causes crashes on 32 JSC bot (Requested by realdawei on
>+ #webkit).
>+
>+ Reverted changesets:
>+
>+ "[JSC] JSC should have consistent InById IC"
>+ https://bugs.webkit.org/show_bug.cgi?id=185682
>+ https://trac.webkit.org/changeset/231998
>+
>+ "Unreviewed, fix 32bit and scope release"
>+ https://bugs.webkit.org/show_bug.cgi?id=185682
>+ https://trac.webkit.org/changeset/232017
>+
> 2018-05-19 Yusuke Suzuki <utatane.tea@gmail.com>
>
> [JSC] JSC should have consistent InById IC
>diff --git a/JSTests/stress/in-by-id-accessors.js b/JSTests/stress/in-by-id-accessors.js
>deleted file mode 100644
>index e38dd6d7a3bf1b86d4ae943709b645bd6647e770..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-accessors.js
>+++ /dev/null
>@@ -1,41 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test(object)
>-{
>- var name = "hello";
>- return name in object;
>-}
>-noInline(test);
>-
>-var protoGetter = {
>- __proto__: {
>- get hello() {
>- throw new Error("out");
>- }
>- }
>-};
>-var protoSetter = {
>- __proto__: {
>- set hello(value) {
>- throw new Error("out");
>- }
>- }
>-};
>-for (var i = 0; i < 1e5; ++i) {
>- shouldBe(test({
>- get hello() {
>- throw new Error("out");
>- }
>- }), true);
>- shouldBe(test({}), false);
>- shouldBe(test(protoGetter), true);
>- shouldBe(test({
>- set hello(value) {
>- throw new Error("out");
>- }
>- }), true);
>- shouldBe(test(protoSetter), true);
>-}
>diff --git a/JSTests/stress/in-by-id-ai.js b/JSTests/stress/in-by-id-ai.js
>deleted file mode 100644
>index 56a11ac72a5d2915961d66f8ed3a513a1c0f5fd4..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-ai.js
>+++ /dev/null
>@@ -1,26 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test(object)
>-{
>- var name = "hello";
>- return name in object;
>-}
>-noInline(test);
>-
>-var proto = {
>- __proto__: { hello: 2 }
>-};
>-for (var i = 0; i < 1e5; ++i) {
>- shouldBe(test({
>- hello: 42
>- }), true);
>- shouldBe(test({}), false);
>- shouldBe(test({
>- helloworld: 43,
>- ok: 44
>- }), false);
>- shouldBe(test(proto), true);
>-}
>diff --git a/JSTests/stress/in-by-id-custom-accessors.js b/JSTests/stress/in-by-id-custom-accessors.js
>deleted file mode 100644
>index 9571ec8eb5d7e23af3243b8f11eba30dff0dffbc..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-custom-accessors.js
>+++ /dev/null
>@@ -1,25 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test1(object)
>-{
>- return "customValue" in object;
>-}
>-noInline(test1);
>-
>-function test2(object)
>-{
>- return "customAccessor" in object;
>-}
>-noInline(test2);
>-
>-var target1 = $vm.createCustomTestGetterSetter();
>-var target2 = { __proto__: target1 };
>-for (var i = 0; i < 1e5; ++i) {
>- shouldBe(test1(target1), true);
>- shouldBe(test1(target2), true);
>- shouldBe(test2(target1), true);
>- shouldBe(test2(target2), true);
>-}
>diff --git a/JSTests/stress/in-by-id-custom-values.js b/JSTests/stress/in-by-id-custom-values.js
>deleted file mode 100644
>index 684781fc358f3ca6de50ccc48f314ff2184c43ea..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-custom-values.js
>+++ /dev/null
>@@ -1,17 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test(object)
>-{
>- return "$1" in object;
>-}
>-noInline(test);
>-
>-var target1 = RegExp;
>-var target2 = { __proto__: RegExp };
>-for (var i = 0; i < 1e5; ++i) {
>- shouldBe(test(target1), true);
>- shouldBe(test(target2), true);
>-}
>diff --git a/JSTests/stress/in-by-id-operation.js b/JSTests/stress/in-by-id-operation.js
>deleted file mode 100644
>index 95dd2c40e3199b206f0f66cb5b2b25fedee945b2..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-operation.js
>+++ /dev/null
>@@ -1,42 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test(object)
>-{
>- return "hello" in object;
>-}
>-noInline(test);
>-
>-for (var i = 0; i < 1e6; ++i) {
>- shouldBe(test({
>- hello: 42
>- }), true);
>- shouldBe(test({
>- hello: undefined,
>- world: 44
>- }), true);
>- shouldBe(test({
>- helloworld: 43,
>- ok: 44
>- }), false);
>-}
>-
>-function selfCache(object)
>-{
>- return "hello" in object;
>-}
>-noInline(selfCache);
>-
>-var object = {};
>-object.hello = 42;
>-for (var i = 0; i < 1e6; ++i)
>- shouldBe(selfCache(object), true);
>-object.world = 43;
>-shouldBe(selfCache(object), true);
>-object.world = 43;
>-shouldBe(selfCache({ __proto__: object }), true);
>-delete object.hello;
>-shouldBe(selfCache(object), false);
>-shouldBe(selfCache({ __proto__: object }), false);
>diff --git a/JSTests/stress/in-by-id-proxy.js b/JSTests/stress/in-by-id-proxy.js
>deleted file mode 100644
>index 1e56bf2f8bb88bf36538d2339d2820be422ecd2c..0000000000000000000000000000000000000000
>--- a/JSTests/stress/in-by-id-proxy.js
>+++ /dev/null
>@@ -1,44 +0,0 @@
>-function shouldBe(actual, expected) {
>- if (actual !== expected)
>- throw new Error('bad value: ' + actual);
>-}
>-
>-function test(object)
>-{
>- return "hello" in object;
>-}
>-noInline(test);
>-
>-var count = 0;
>-var target = null;
>-var key = null;
>-var handler = {
>- has(targetArg, keyArg) {
>- ++count;
>- target = targetArg;
>- key = keyArg;
>- return keyArg in targetArg;
>- }
>-};
>-var targetObject = {};
>-var proxy = new Proxy(targetObject, handler);
>-for (var i = 0; i < 1e4; ++i) {
>- shouldBe(count, i);
>- shouldBe(test(proxy), false);
>- shouldBe(target, targetObject);
>- shouldBe(key, "hello");
>-}
>-targetObject.hello = 42;
>-for (var i = 0; i < 1e4; ++i) {
>- shouldBe(count, i + 1e4);
>- shouldBe(test(proxy), true);
>- shouldBe(target, targetObject);
>- shouldBe(key, "hello");
>-}
>-delete targetObject.hello;
>-for (var i = 0; i < 1e4; ++i) {
>- shouldBe(count, i + 2e4);
>- shouldBe(test(proxy), false);
>- shouldBe(target, targetObject);
>- shouldBe(key, "hello");
>-}