Rollout r200426 since it causes PLT regressions.
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 May 2016 22:19:59 +0000 (22:19 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 17 May 2016 22:19:59 +0000 (22:19 +0000)
https://bugs.webkit.org/show_bug.cgi?id=157812

Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@201049 268f45cc-cd09-0410-ab3c-d52691b4dbfc

45 files changed:
LayoutTests/ChangeLog
LayoutTests/js/Object-getOwnPropertyNames-expected.txt
LayoutTests/js/dom/array-prototype-properties-expected.txt
LayoutTests/js/script-tests/Object-getOwnPropertyNames.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/builtins/ArrayPrototype.js
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.cpp
Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNodeType.h
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/JITOperations.h
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/ArrayConstructor.cpp
Source/JavaScriptCore/runtime/ArrayConstructor.h
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.h
Source/JavaScriptCore/runtime/CommonIdentifiers.h
Source/JavaScriptCore/runtime/Intrinsic.h
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSArray.h
Source/JavaScriptCore/runtime/JSArrayInlines.h [deleted file]
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSType.h
Source/JavaScriptCore/runtime/ObjectConstructor.h
Source/JavaScriptCore/tests/es6.yaml
Source/JavaScriptCore/tests/stress/array-concat-spread-object.js [deleted file]
Source/JavaScriptCore/tests/stress/array-concat-spread-proxy-exception-check.js [deleted file]
Source/JavaScriptCore/tests/stress/array-concat-spread-proxy.js [deleted file]
Source/JavaScriptCore/tests/stress/array-concat-with-slow-indexingtypes.js [deleted file]
Source/JavaScriptCore/tests/stress/array-species-config-array-constructor.js

index 1608c0b..0cf6120 100644 (file)
@@ -1,3 +1,10 @@
+2016-05-17  Keith Miller  <keith_miller@apple.com>
+
+        Rollout r200426 since it causes PLT regressions.
+        https://bugs.webkit.org/show_bug.cgi?id=157812
+
+        Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
+
 2016-05-17  Brian Burg  <bburg@apple.com>
 
         Web Inspector: Filtering huge data grids should yield occasionally so the UI remains responsive
index c8abdf1..13e65ab 100644 (file)
@@ -61,7 +61,7 @@ PASS getSortedOwnPropertyNames(Error) is ['length', 'name', 'prototype']
 PASS getSortedOwnPropertyNames(Error.prototype) is ['constructor', 'message', 'name', 'toString']
 PASS getSortedOwnPropertyNames(Math) is ['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']
 PASS getSortedOwnPropertyNames(JSON) is ['parse', 'stringify']
-PASS getSortedOwnPropertyNames(Symbol) is ['for', 'hasInstance', 'isConcatSpreadable', 'iterator', 'keyFor', 'length', 'match', 'name', 'prototype', 'replace', 'search', 'species', 'split', 'toPrimitive', 'toStringTag', 'unscopables']
+PASS getSortedOwnPropertyNames(Symbol) is ['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'match', 'name', 'prototype', 'replace', 'search', 'species', 'split', 'toPrimitive', 'toStringTag', 'unscopables']
 PASS getSortedOwnPropertyNames(Symbol.prototype) is ['constructor', 'toString', 'valueOf']
 PASS getSortedOwnPropertyNames(Map) is ['length', 'name', 'prototype']
 PASS getSortedOwnPropertyNames(Map.prototype) is ['clear', 'constructor', 'delete', 'entries', 'forEach', 'get', 'has', 'keys', 'set', 'size', 'values']
index 5228eb6..c4e9afc 100644 (file)
@@ -5,7 +5,7 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 
 PASS Array.prototype.toString.call(undefined) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.toString.call(undefined)').
 PASS Array.prototype.toLocaleString.call(undefined) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.toLocaleString.call(undefined)').
-PASS Array.prototype.concat.call(undefined, []) threw exception TypeError: Array.prototype.concat requires that |this| not be undefined.
+PASS Array.prototype.concat.call(undefined, []) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.concat.call(undefined, [])').
 PASS Array.prototype.join.call(undefined, []) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.join.call(undefined, [])').
 PASS Array.prototype.pop.call(undefined) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.pop.call(undefined)').
 PASS Array.prototype.push.call(undefined, {}) threw exception TypeError: undefined is not an object (evaluating 'Array.prototype.push.call(undefined, {})').
index ba1a8ec..1ffcbb4 100644 (file)
@@ -70,7 +70,7 @@ var expectedPropertyNamesSet = {
     "Error.prototype": "['constructor', 'message', 'name', 'toString']",
     "Math": "['E','LN10','LN2','LOG10E','LOG2E','PI','SQRT1_2','SQRT2','abs','acos','acosh','asin','asinh','atan','atan2','atanh','cbrt','ceil','clz32','cos','cosh','exp','expm1','floor','fround','hypot','imul','log','log10','log1p','log2','max','min','pow','random','round','sign','sin','sinh','sqrt','tan','tanh','trunc']",
     "JSON": "['parse', 'stringify']",
-    "Symbol": "['for', 'hasInstance', 'isConcatSpreadable', 'iterator', 'keyFor', 'length', 'match', 'name', 'prototype', 'replace', 'search', 'species', 'split', 'toPrimitive', 'toStringTag', 'unscopables']",
+    "Symbol": "['for', 'hasInstance', 'iterator', 'keyFor', 'length', 'match', 'name', 'prototype', 'replace', 'search', 'species', 'split', 'toPrimitive', 'toStringTag', 'unscopables']",
     "Symbol.prototype": "['constructor', 'toString', 'valueOf']",
     "Map": "['length', 'name', 'prototype']",
     "Map.prototype": "['clear', 'constructor', 'delete', 'entries', 'forEach', 'get', 'has', 'keys', 'set', 'size', 'values']",
index 4253001..5dd2210 100644 (file)
@@ -1,5 +1,12 @@
 2016-05-17  Keith Miller  <keith_miller@apple.com>
 
+        Rollout r200426 since it causes PLT regressions.
+        https://bugs.webkit.org/show_bug.cgi?id=157812
+
+        Unreviewed rollout of r200426 since the bots see a ~.6% PLT regression from the patch.
+
+2016-05-17  Keith Miller  <keith_miller@apple.com>
+
         Add test262 harness support code
         https://bugs.webkit.org/show_bug.cgi?id=157797
 
index 684cded..b1cbaba 100644 (file)
                5370B4F51BF26202005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 5370B4F31BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.cpp */; };
                5370B4F61BF26205005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 5370B4F41BF25EA2005C40FC /* AdaptiveInferredPropertyValueWatchpointBase.h */; };
                53917E7B1B7906FA000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h in Headers */ = {isa = PBXBuildFile; fileRef = 53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */; };
-               539FB8BA1C99DA7C00940FA1 /* JSArrayInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */; };
                53F6BF6D1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
                5D5D8AD10E0D0EBE00F9C692 /* libedit.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 5D5D8AD00E0D0EBE00F9C692 /* libedit.dylib */; };
                5DBB151B131D0B310056AD36 /* testapi.js in Copy Support Script */ = {isa = PBXBuildFile; fileRef = 14D857740A4696C80032146C /* testapi.js */; };
                53917E7A1B7906E4000EBD33 /* JSGenericTypedArrayViewPrototypeFunctions.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSGenericTypedArrayViewPrototypeFunctions.h; sourceTree = "<group>"; };
                53917E7C1B791106000EBD33 /* JSTypedArrayViewPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSTypedArrayViewPrototype.h; sourceTree = "<group>"; };
                53917E831B791CB8000EBD33 /* TypedArrayPrototype.js */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.javascript; name = TypedArrayPrototype.js; path = builtins/TypedArrayPrototype.js; sourceTree = SOURCE_ROOT; };
-               539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSArrayInlines.h; sourceTree = "<group>"; };
                53F256E11B87E28000B4B768 /* JSTypedArrayViewPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSTypedArrayViewPrototype.cpp; sourceTree = "<group>"; };
                53F6BF6C1C3F060A00F41E5D /* InternalFunctionAllocationProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = InternalFunctionAllocationProfile.h; sourceTree = "<group>"; };
                593D43CCA0BBE06D89C59707 /* MapDataInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = MapDataInlines.h; sourceTree = "<group>"; };
                                70DC3E081B2DF2C700054299 /* IteratorPrototype.h */,
                                93ADFCE60CCBD7AC00D30B08 /* JSArray.cpp */,
                                938772E5038BFE19008635CE /* JSArray.h */,
-                               539FB8B91C99DA7C00940FA1 /* JSArrayInlines.h */,
                                0F2B66B417B6B5AB00A7AE3F /* JSArrayBuffer.cpp */,
                                0F2B66B517B6B5AB00A7AE3F /* JSArrayBuffer.h */,
                                0F2B66B617B6B5AB00A7AE3F /* JSArrayBufferConstructor.cpp */,
                                0FB7F39B15ED8E4600F167B2 /* IndexingType.h in Headers */,
                                0F0A75231B94BFA900110660 /* InferredType.h in Headers */,
                                0FFC92121B94D4DF0071DD66 /* InferredTypeTable.h in Headers */,
-                               539FB8BA1C99DA7C00940FA1 /* JSArrayInlines.h in Headers */,
                                0FF8BDEB1AD4CF7100DFE884 /* InferredValue.h in Headers */,
                                BC18C4100E16F5CD00B34460 /* InitializeThreading.h in Headers */,
                                A513E5B8185B8BD3007E95AD /* InjectedScript.h in Headers */,
index 1cfce52..3cf4b35 100644 (file)
@@ -691,94 +691,6 @@ function sort(comparator)
     return array;
 }
 
-function concatSlowPath()
-{
-    "use strict";
-
-    var argCount = arguments.length;
-    var result = new this.species(0);
-    var resultIsArray = @isJSArray(result);
-
-    var currentElement = this.array;
-    var resultIndex = 0;
-    var argIndex = 0;
-
-    do {
-        var spreadable = @isObject(currentElement) && currentElement[@symbolIsConcatSpreadable];
-        if ((spreadable == @undefined && @isArray(currentElement)) || spreadable) {
-            var length = @toLength(currentElement.length);
-            if (resultIsArray && @isJSArray(currentElement)
-                && @appendMemcpy(result, currentElement)) {
-
-                resultIndex += length;
-            } else {
-                if (length + resultIndex > @MAX_SAFE_INTEGER)
-                    throw @TypeError("length exceeded the maximum safe integer");
-                for (var i = 0; i < length; i++) {
-                    if (i in currentElement)
-                        @putByValDirect(result, resultIndex, currentElement[i]);
-                    resultIndex++;
-                }
-            }
-        } else {
-            if (resultIndex >= @MAX_SAFE_INTEGER)
-                throw @TypeError("length exceeded the maximum safe integer");
-            @putByValDirect(result, resultIndex++, currentElement);
-        }
-        currentElement = arguments[argIndex];
-    } while (argIndex++ < argCount);
-
-    result.length = resultIndex;
-    return result;
-}
-
-function concat(first)
-{
-    "use strict";
-
-    if (this == null) {
-        if (this === null)
-            throw new @TypeError("Array.prototype.concat requires that |this| not be null");
-        throw new @TypeError("Array.prototype.concat requires that |this| not be undefined");
-    }
-
-    var array = @Object(this);
-
-    var constructor;
-    if (@isArray(array)) {
-        constructor = array.constructor;
-        // We have this check so that if some array from a different global object
-        // calls this map they don't get an array with the Array.prototype of the
-        // other global object.
-        if (@isArrayConstructor(constructor) && @Array !== constructor)
-            constructor = @undefined;
-        if (@isObject(constructor)) {
-            constructor = constructor[@symbolSpecies];
-            if (constructor === null)
-                constructor = @Array;
-        }
-    }
-    if (constructor === @undefined)
-        constructor = @Array;
-
-    var result;
-    if (arguments.length === 1
-        && constructor === @Array
-        && @isJSArray(array)
-        && @isJSArray(first)
-        // FIXME: these get_by_ids should be "in"s but using "in" here is a 10% regression.
-        // https://bugs.webkit.org/show_bug.cgi?id=155590
-        && array[@symbolIsConcatSpreadable] == @undefined
-        && first[@symbolIsConcatSpreadable] == @undefined) {
-
-        result = @concatMemcpy(array, first);
-        if (result !== null)
-            return result;
-    }
-
-    return @concatSlowPath.@apply({ array: array, species: constructor }, arguments);
-}
-
 function copyWithin(target, start /*, end */)
 {
     "use strict";
index 239ac98..26b0db7 100644 (file)
@@ -51,11 +51,9 @@ BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry(VM& vm)
     m_arrayIterationKindValue.set(m_vm, jsNumber(ArrayIterateValue));
     m_arrayIterationKindKeyValue.set(m_vm, jsNumber(ArrayIterateKeyValue));
     m_MAX_STRING_LENGTH.set(m_vm, jsNumber(JSString::MaxLength));
-    m_MAX_SAFE_INTEGER.set(m_vm, jsDoubleNumber(9007199254740991.0)); // 2 ^ 53 - 1
     m_promiseStatePending.set(m_vm, jsNumber(static_cast<unsigned>(JSPromise::Status::Pending)));
     m_promiseStateFulfilled.set(m_vm, jsNumber(static_cast<unsigned>(JSPromise::Status::Fulfilled)));
     m_promiseStateRejected.set(m_vm, jsNumber(static_cast<unsigned>(JSPromise::Status::Rejected)));
-    m_symbolIsConcatSpreadable.set(m_vm, Symbol::create(m_vm, static_cast<SymbolImpl&>(*m_vm.propertyNames->isConcatSpreadableSymbol.impl())));
     m_symbolIterator.set(m_vm, Symbol::create(m_vm, static_cast<SymbolImpl&>(*m_vm.propertyNames->iteratorSymbol.impl())));
     m_symbolMatch.set(m_vm, Symbol::create(m_vm, static_cast<SymbolImpl&>(*m_vm.propertyNames->matchSymbol.impl())));
     m_symbolReplace.set(m_vm, Symbol::create(m_vm, static_cast<SymbolImpl&>(*m_vm.propertyNames->replaceSymbol.impl())));
index bed9893..bbe9a91 100644 (file)
@@ -53,11 +53,9 @@ class Identifier;
     macro(arrayIterationKindValue) \
     macro(arrayIterationKindKeyValue) \
     macro(MAX_STRING_LENGTH) \
-    macro(MAX_SAFE_INTEGER) \
     macro(promiseStatePending) \
     macro(promiseStateFulfilled) \
     macro(promiseStateRejected) \
-    macro(symbolIsConcatSpreadable) \
     macro(symbolIterator) \
     macro(symbolMatch) \
     macro(symbolReplace) \
index 09091ec..09b4f2e 100644 (file)
@@ -28,7 +28,6 @@
 
 #if ENABLE(DFG_JIT)
 
-#include "ArrayConstructor.h"
 #include "DFGAbstractInterpreter.h"
 #include "GetByIdStatus.h"
 #include "GetterSetter.h"
@@ -1027,9 +1026,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
     }
 
     case IsEmpty:
-    case IsArrayObject:
-    case IsJSArray:
-    case IsArrayConstructor:
     case IsUndefined:
     case IsBoolean:
     case IsNumber:
@@ -1042,28 +1038,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         if (child.value()) {
             bool constantWasSet = true;
             switch (node->op()) {
-            case IsArrayObject:
-                if (child.value().isObject()) {
-                    if (child.value().getObject()->type() == ArrayType) {
-                        setConstant(node, jsBoolean(true));
-                        break;
-                    }
-
-                    if (child.value().getObject()->type() == ProxyObjectType) {
-                        // We have no way of knowing what type we are proxing yet.
-                        constantWasSet = false;
-                        break;
-                    }
-                }
-
-                setConstant(node, jsBoolean(false));
-                break;
-            case IsJSArray:
-                setConstant(node, jsBoolean(child.value().isObject() && child.value().getObject()->type() == ArrayType));
-                break;
-            case IsArrayConstructor:
-                setConstant(node, jsBoolean(child.value().isObject() && child.value().getObject()->classInfo() == ArrayConstructor::info()));
-                break;
             case IsUndefined:
                 setConstant(node, jsBoolean(
                     child.value().isCell()
@@ -1132,22 +1106,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         
         bool constantWasSet = false;
         switch (node->op()) {
-        case IsJSArray:
-        case IsArrayObject:
-            // We don't have a SpeculatedType for Proxies yet so we can't do better at proving false.
-            if (!(child.m_type & ~SpecArray)) {
-                setConstant(node, jsBoolean(true));
-                constantWasSet = true;
-                break;
-            }
-
-            if (!(child.m_type & SpecObject)) {
-                setConstant(node, jsBoolean(false));
-                constantWasSet = true;
-                break;
-            }
-
-            break;
         case IsEmpty: {
             if (child.m_type && !(child.m_type & SpecEmpty)) {
                 setConstant(node, jsBoolean(false));
@@ -1946,21 +1904,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         ASSERT(node->structure());
         forNode(node).set(m_graph, node->structure());
         break;
-
-    case CallObjectConstructor: {
-        AbstractValue& source = forNode(node->child1());
-        AbstractValue& destination = forNode(node);
-
-        if (!(source.m_type & ~SpecObject)) {
-            m_state.setFoundConstants(true);
-            destination = source;
-            break;
-        }
-
-        forNode(node).setType(m_graph, SpecObject);
-        break;
-    }
-
+        
     case PhantomNewObject:
     case PhantomNewFunction:
     case PhantomNewGeneratorFunction:
index d6913c1..2f49fa5 100644 (file)
@@ -45,7 +45,6 @@
 #include "JSLexicalEnvironment.h"
 #include "JSCInlines.h"
 #include "JSModuleEnvironment.h"
-#include "ObjectConstructor.h"
 #include "PreciseJumpTargets.h"
 #include "PutByIdFlags.h"
 #include "PutByIdStatus.h"
@@ -2174,34 +2173,6 @@ bool ByteCodeParser::handleIntrinsicCall(Node* callee, int resultOperand, Intrin
         }
     }
 
-    case IsArrayIntrinsic: {
-        if (argumentCountIncludingThis != 2)
-            return false;
-
-        insertChecks();
-        Node* isArray = addToGraph(IsArrayObject, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)));
-        set(VirtualRegister(resultOperand), isArray);
-        return true;
-    }
-
-    case IsJSArrayIntrinsic: {
-        ASSERT(argumentCountIncludingThis == 2);
-
-        insertChecks();
-        Node* isArray = addToGraph(IsJSArray, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)));
-        set(VirtualRegister(resultOperand), isArray);
-        return true;
-    }
-
-    case IsArrayConstructorIntrinsic: {
-        ASSERT(argumentCountIncludingThis == 2);
-
-        insertChecks();
-        Node* isArray = addToGraph(IsArrayConstructor, OpInfo(prediction), get(virtualRegisterForArgument(1, registerOffset)));
-        set(VirtualRegister(resultOperand), isArray);
-        return true;
-    }
-
     case CharCodeAtIntrinsic: {
         if (argumentCountIncludingThis != 2)
             return false;
@@ -2681,16 +2652,7 @@ bool ByteCodeParser::handleConstantInternalFunction(
         set(VirtualRegister(resultOperand), result);
         return true;
     }
-
-    // FIXME: This should handle construction as well. https://bugs.webkit.org/show_bug.cgi?id=155591
-    if (function->classInfo() == ObjectConstructor::info() && kind == CodeForCall) {
-        insertChecks();
-
-        Node* result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
-        set(VirtualRegister(resultOperand), result);
-        return true;
-    }
-
+    
     for (unsigned typeIndex = 0; typeIndex < NUMBER_OF_TYPED_ARRAY_TYPES; ++typeIndex) {
         bool result = handleTypedArrayConstructor(
             resultOperand, function, registerOffset, argumentCountIncludingThis,
index fa76940..726439d 100644 (file)
@@ -164,8 +164,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
     case GetGlobalObject:
     case StringCharCodeAt:
     case CompareStrictEq:
-    case IsJSArray:
-    case IsArrayConstructor:
     case IsEmpty:
     case IsUndefined:
     case IsBoolean:
@@ -207,8 +205,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
         read(MathDotRandomState);
         write(MathDotRandomState);
         return;
-
-    case IsArrayObject:
+        
     case HasGenericProperty:
     case HasStructureProperty:
     case GetEnumerableLength:
@@ -425,7 +422,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
         write(HeapObjectCount);
         return;
 
-    case CallObjectConstructor:
     case ToThis:
     case CreateThis:
         read(MiscFields);
index 6cf0d0b..af11e18 100644 (file)
@@ -157,9 +157,6 @@ bool doesGC(Graph& graph, Node* node)
     case OverridesHasInstance:
     case InstanceOf:
     case InstanceOfCustom:
-    case IsArrayObject:
-    case IsJSArray:
-    case IsArrayConstructor:
     case IsEmpty:
     case IsUndefined:
     case IsBoolean:
@@ -258,7 +255,6 @@ bool doesGC(Graph& graph, Node* node)
     case CreateDirectArguments:
     case CreateScopedArguments:
     case CreateClonedArguments:
-    case CallObjectConstructor:
     case ToThis:
     case CreateThis:
     case AllocatePropertyStorage:
index 0e336ee..ce52527 100644 (file)
@@ -1056,18 +1056,7 @@ private:
             fixEdge<Int32Use>(node->child1());
             break;
         }
-
-        case CallObjectConstructor: {
-            if (node->child1()->shouldSpeculateObject()) {
-                fixEdge<ObjectUse>(node->child1());
-                node->convertToIdentity();
-                break;
-            }
-
-            fixEdge<UntypedUse>(node->child1());
-            break;
-        }
-
+            
         case ToThis: {
             fixupToThis(node);
             break;
@@ -1548,9 +1537,6 @@ private:
         case ProfileDidCall:
         case DeleteById:
         case DeleteByVal:
-        case IsArrayObject:
-        case IsJSArray:
-        case IsArrayConstructor:
         case IsEmpty:
         case IsUndefined:
         case IsBoolean:
index 181c790..341134f 100644 (file)
@@ -308,11 +308,6 @@ namespace JSC { namespace DFG {
     macro(OverridesHasInstance, NodeMustGenerate | NodeResultBoolean) \
     macro(InstanceOf, NodeResultBoolean) \
     macro(InstanceOfCustom, NodeMustGenerate | NodeResultBoolean) \
-    \
-    /* I'd like to call this IsArray but then we get namespace problems with the indexing type name. Also, it is marked must generate because it can throw. */ \
-    macro(IsArrayObject, NodeMustGenerate | NodeResultBoolean) \
-    macro(IsJSArray, NodeResultBoolean) \
-    macro(IsArrayConstructor, NodeResultBoolean) \
     macro(IsEmpty, NodeResultBoolean) \
     macro(IsUndefined, NodeResultBoolean) \
     macro(IsBoolean, NodeResultBoolean) \
@@ -326,7 +321,6 @@ namespace JSC { namespace DFG {
     macro(LogicalNot, NodeResultBoolean) \
     macro(ToPrimitive, NodeResultJS | NodeMustGenerate) \
     macro(ToString, NodeResultJS | NodeMustGenerate) \
-    macro(CallObjectConstructor, NodeResultJS) \
     macro(CallStringConstructor, NodeResultJS | NodeMustGenerate) \
     macro(NewStringObject, NodeResultJS) \
     macro(MakeRope, NodeResultJS) \
index 0198066..a5d0d04 100644 (file)
@@ -26,7 +26,6 @@
 #include "config.h"
 #include "DFGOperations.h"
 
-#include "ArrayConstructor.h"
 #include "ButterflyInlines.h"
 #include "ClonedArguments.h"
 #include "CodeBlock.h"
@@ -187,19 +186,6 @@ JSCell* JIT_OPERATION operationCreateThis(ExecState* exec, JSObject* constructor
     return constructEmptyObject(exec);
 }
 
-JSCell* JIT_OPERATION operationObjectConstructor(ExecState* exec, JSGlobalObject* globalObject, EncodedJSValue encodedTarget)
-{
-    VM* vm = &exec->vm();
-    NativeCallFrameTracer tracer(vm, exec);
-
-    JSValue value = JSValue::decode(encodedTarget);
-    ASSERT(!value.isObject());
-
-    if (value.isUndefinedOrNull())
-        return constructEmptyObject(exec, globalObject->objectPrototype());
-    return value.toObject(exec, globalObject);
-}
-
 EncodedJSValue JIT_OPERATION operationValueBitAnd(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
     VM* vm = &exec->vm();
@@ -697,22 +683,6 @@ size_t JIT_OPERATION operationRegExpTestGeneric(ExecState* exec, JSGlobalObject*
     return asRegExpObject(base)->test(exec, globalObject, input);
 }
 
-size_t JIT_OPERATION operationIsArrayConstructor(ExecState* exec, EncodedJSValue encodedTarget)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-
-    return isArrayConstructor(JSValue::decode(encodedTarget));
-}
-
-size_t JIT_OPERATION operationIsArrayObject(ExecState* exec, EncodedJSValue encodedTarget)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-
-    return isArray(exec, JSValue::decode(encodedTarget));
-}
-
 size_t JIT_OPERATION operationCompareStrictEqCell(ExecState* exec, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2)
 {
     VM* vm = &exec->vm();
index fcae75e..5a9bc25 100644 (file)
@@ -41,7 +41,6 @@ JSCell* JIT_OPERATION operationStringFromCharCode(ExecState*, int32_t)  WTF_INTE
 EncodedJSValue JIT_OPERATION operationStringFromCharCodeUntyped(ExecState*, EncodedJSValue)  WTF_INTERNAL;
 
 // These routines are provide callbacks out to C++ implementations of operations too complex to JIT.
-JSCell* JIT_OPERATION operationObjectConstructor(ExecState*, JSGlobalObject*, EncodedJSValue encodedTarget) WTF_INTERNAL;
 JSCell* JIT_OPERATION operationCreateThis(ExecState*, JSObject* constructor, int32_t inlineCapacity) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
 EncodedJSValue JIT_OPERATION operationToThisStrict(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
@@ -114,8 +113,6 @@ size_t JIT_OPERATION operationRegExpTest(ExecState*, JSGlobalObject*, RegExpObje
 size_t JIT_OPERATION operationRegExpTestGeneric(ExecState*, JSGlobalObject*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
 size_t JIT_OPERATION operationCompareStrictEqCell(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
 size_t JIT_OPERATION operationCompareStrictEq(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
-size_t JIT_OPERATION operationIsArrayConstructor(ExecState*, EncodedJSValue);
-size_t JIT_OPERATION operationIsArrayObject(ExecState*, EncodedJSValue);
 JSCell* JIT_OPERATION operationCreateActivationDirect(ExecState*, Structure*, JSScope*, SymbolTable*, EncodedJSValue);
 JSCell* JIT_OPERATION operationCreateDirectArguments(ExecState*, Structure*, int32_t length, int32_t minCapacity);
 JSCell* JIT_OPERATION operationCreateDirectArgumentsDuringExit(ExecState*, InlineCallFrame*, JSFunction*, int32_t argumentCount);
index 1661e94..8700775 100644 (file)
@@ -783,9 +783,6 @@ private:
         case OverridesHasInstance:
         case InstanceOf:
         case InstanceOfCustom:
-        case IsArrayObject:
-        case IsJSArray:
-        case IsArrayConstructor:
         case IsEmpty:
         case IsUndefined:
         case IsBoolean:
@@ -811,10 +808,6 @@ private:
             break;
         }
 
-        case CallObjectConstructor: {
-            setPrediction(SpecObject);
-            break;
-        }
         case SkipScope:
         case GetGlobalObject: {
             setPrediction(SpecObjectOther);
index f9bdeb9..6135736 100644 (file)
@@ -258,9 +258,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node)
     case OverridesHasInstance:
     case InstanceOf:
     case InstanceOfCustom:
-    case IsArrayObject:
-    case IsJSArray:
-    case IsArrayConstructor:
     case IsEmpty:
     case IsUndefined:
     case IsBoolean:
@@ -272,7 +269,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node)
     case IsRegExpObject:
     case TypeOf:
     case LogicalNot:
-    case CallObjectConstructor:
     case ToPrimitive:
     case ToString:
     case SetFunctionName:
index 1b492e8..0581acd 100644 (file)
@@ -1646,7 +1646,7 @@ void SpeculativeJIT::compileCurrentBlock()
             dataLog("\n");
         }
 
-        if (Options::validateDFGExceptionHandling() && (mayExit(m_jit.graph(), m_currentNode) != DoesNotExit || m_currentNode->isTerminal()))
+        if (Options::validateDFGExceptionHandling() && mayExit(m_jit.graph(), m_currentNode) != DoesNotExit)
             m_jit.jitReleaseAssertNoException();
 
         m_jit.pcToCodeOriginMapBuilder().appendItem(m_jit.label(), m_origin.semantic);
@@ -3401,76 +3401,6 @@ void SpeculativeJIT::compileInstanceOfCustom(Node* node)
     unblessedBooleanResult(resultGPR, node);
 }
 
-void SpeculativeJIT::compileIsJSArray(Node* node)
-{
-    JSValueOperand value(this, node->child1());
-    GPRFlushedCallResult result(this);
-
-    JSValueRegs valueRegs = value.jsValueRegs();
-    GPRReg resultGPR = result.gpr();
-
-    JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(valueRegs);
-
-    m_jit.compare8(JITCompiler::Equal,
-        JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()),
-        TrustedImm32(ArrayType),
-        resultGPR);
-    blessBoolean(resultGPR);
-    JITCompiler::Jump done = m_jit.jump();
-
-    isNotCell.link(&m_jit);
-    moveFalseTo(resultGPR);
-
-    done.link(&m_jit);
-    blessedBooleanResult(resultGPR, node);
-}
-
-void SpeculativeJIT::compileIsArrayObject(Node* node)
-{
-    JSValueOperand value(this, node->child1());
-    GPRFlushedCallResult result(this);
-
-    JSValueRegs valueRegs = value.jsValueRegs();
-    GPRReg resultGPR = result.gpr();
-
-    JITCompiler::JumpList done;
-
-    JITCompiler::Jump isNotCell = m_jit.branchIfNotCell(valueRegs);
-
-    JITCompiler::Jump notJSArray = m_jit.branch8(JITCompiler::NotEqual,
-        JITCompiler::Address(valueRegs.payloadGPR(), JSCell::typeInfoTypeOffset()),
-        TrustedImm32(ArrayType));
-    m_jit.move(TrustedImm32(true), resultGPR);
-    done.append(m_jit.jump());
-
-    notJSArray.link(&m_jit);
-    silentSpillAllRegisters(resultGPR);
-    callOperation(operationIsArrayObject, resultGPR, valueRegs);
-    silentFillAllRegisters(resultGPR);
-    m_jit.exceptionCheck();
-    done.append(m_jit.jump());
-
-    isNotCell.link(&m_jit);
-    m_jit.move(TrustedImm32(false), resultGPR);
-
-    done.link(&m_jit);
-    unblessedBooleanResult(resultGPR, node);
-}
-
-// FIXME: This function should just get the ClassInfo and check if it's == ArrayConstructor::info(). https://bugs.webkit.org/show_bug.cgi?id=155667
-void SpeculativeJIT::compileIsArrayConstructor(Node* node)
-{
-    JSValueOperand value(this, node->child1());
-    GPRFlushedCallResult result(this);
-
-    JSValueRegs valueRegs = value.jsValueRegs();
-    GPRReg resultGPR = result.gpr();
-
-    flushRegisters();
-    callOperation(operationIsArrayConstructor, resultGPR, valueRegs);
-    unblessedBooleanResult(resultGPR, node);
-}
-
 void SpeculativeJIT::compileIsRegExpObject(Node* node)
 {
     JSValueOperand value(this, node->child1());
@@ -3495,28 +3425,6 @@ void SpeculativeJIT::compileIsRegExpObject(Node* node)
     blessedBooleanResult(resultGPR, node);
 }
 
-void SpeculativeJIT::compileCallObjectConstructor(Node* node)
-{
-    RELEASE_ASSERT(node->child1().useKind() == UntypedUse);
-    JSValueOperand value(this, node->child1());
-#if USE(JSVALUE64)
-    GPRTemporary result(this, Reuse, value);
-#else
-    GPRTemporary result(this, Reuse, value, PayloadWord);
-#endif
-
-    JSValueRegs valueRegs = value.jsValueRegs();
-    GPRReg resultGPR = result.gpr();
-
-    MacroAssembler::JumpList slowCases;
-    slowCases.append(m_jit.branchIfNotCell(valueRegs));
-    slowCases.append(m_jit.branchIfNotObject(valueRegs.payloadGPR()));
-    m_jit.move(valueRegs.payloadGPR(), resultGPR);
-
-    addSlowPathGenerator(slowPathCall(slowCases, this, operationObjectConstructor, resultGPR, m_jit.globalObjectFor(node->origin.semantic), valueRegs));
-    cellResult(resultGPR, node);
-}
-
 void SpeculativeJIT::compileArithAdd(Node* node)
 {
     switch (node->binaryUseKind()) {
index 00fc208..431db5a 100644 (file)
@@ -752,11 +752,8 @@ public:
     void compileInstanceOf(Node*);
     void compileInstanceOfCustom(Node*);
 
-    void compileIsJSArray(Node*);
-    void compileIsArrayConstructor(Node*);
-    void compileIsArrayObject(Node*);
     void compileIsRegExpObject(Node*);
-    
+
     void emitCall(Node*);
     
     // Called once a node has completed code generation but prior to setting
@@ -1461,17 +1458,6 @@ public:
         return appendCallSetResult(operation, result);
     }
 
-    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, GPRReg arg1)
-    {
-        m_jit.setupArgumentsWithExecState(TrustedImmPtr(globalObject), arg1);
-        return appendCallSetResult(operation, result);
-    }
-
-    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, JSValueRegs arg1)
-    {
-        return callOperation(operation, result, globalObject, arg1.gpr());
-    }
-
     JITCompiler::Call callOperation(C_JITOperation_EJ operation, GPRReg result, GPRReg arg1)
     {
         m_jit.setupArgumentsWithExecState(arg1);
@@ -1512,18 +1498,10 @@ public:
         m_jit.setupArgumentsWithExecState(arg1);
         return appendCallSetResult(operation, result);
     }
-    JITCompiler::Call callOperation(S_JITOperation_EJ operation, GPRReg result, JSValueRegs arg1)
-    {
-        return callOperation(operation, result, arg1.gpr());
-    }
     JITCompiler::Call callOperation(J_JITOperation_EJ operation, JSValueRegs result, JSValueRegs arg1)
     {
         return callOperation(operation, result.payloadGPR(), arg1.payloadGPR());
     }
-    JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg result, JSValueRegs arg1)
-    {
-        return callOperation(operation, result, arg1.payloadGPR());
-    }
     JITCompiler::Call callOperation(J_JITOperation_EJ operation, GPRReg result, GPRReg arg1)
     {
         m_jit.setupArgumentsWithExecState(arg1);
@@ -1925,17 +1903,6 @@ public:
         return appendCallSetResult(operation, result);
     }
 
-    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, GPRReg arg1Tag, GPRReg arg1Payload)
-    {
-        m_jit.setupArgumentsWithExecState(TrustedImmPtr(globalObject), arg1Payload, arg1Tag);
-        return appendCallSetResult(operation, result);
-    }
-
-    JITCompiler::Call callOperation(C_JITOperation_EGJ operation, GPRReg result, JSGlobalObject* globalObject, JSValueRegs arg1)
-    {
-        return callOperation(operation, result, globalObject, arg1.tagGPR(), arg1.payloadGPR());
-    }
-
     JITCompiler::Call callOperation(C_JITOperation_EJ operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload)
     {
         m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag);
@@ -1960,11 +1927,6 @@ public:
         return appendCallSetResult(operation, result);
     }
 
-    JITCompiler::Call callOperation(S_JITOperation_EJ operation, GPRReg result, JSValueRegs arg1)
-    {
-        return callOperation(operation, result, arg1.tagGPR(), arg1.payloadGPR());
-    }
-
     JITCompiler::Call callOperation(S_JITOperation_EJI operation, GPRReg result, GPRReg arg1Tag, GPRReg arg1Payload, UniquedStringImpl* uid)
     {
         m_jit.setupArgumentsWithExecState(EABI_32BIT_DUMMY_ARG arg1Payload, arg1Tag, TrustedImmPtr(uid));
@@ -2555,7 +2517,6 @@ public:
     void compileLazyJSConstant(Node*);
     void compileMaterializeNewObject(Node*);
     void compileRecordRegExpCachedResult(Node*);
-    void compileCallObjectConstructor(Node*);
     void compileResolveScope(Node*);
     void compileGetDynamicVar(Node*);
     void compilePutDynamicVar(Node*);
index 1f8ee0d..d723a70 100644 (file)
@@ -3924,11 +3924,6 @@ void SpeculativeJIT::compile(Node* node)
         cellResult(resultPayload.gpr(), node);
         break;
     }
-
-    case CallObjectConstructor: {
-        compileCallObjectConstructor(node);
-        break;
-    }
         
     case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
@@ -4646,21 +4641,6 @@ void SpeculativeJIT::compile(Node* node)
         break;
     }
 
-    case IsJSArray: {
-        compileIsJSArray(node);
-        break;
-    }
-
-    case IsArrayObject: {
-        compileIsArrayObject(node);
-        break;
-    }
-
-    case IsArrayConstructor: {
-        compileIsArrayConstructor(node);
-        break;
-    }
-
     case IsObject: {
         JSValueOperand value(this, node->child1());
         GPRTemporary result(this, Reuse, value, TagWord);
index 650f985..b9a400c 100644 (file)
@@ -3909,12 +3909,7 @@ void SpeculativeJIT::compile(Node* node)
         cellResult(result.gpr(), node);
         break;
     }
-
-    case CallObjectConstructor: {
-        compileCallObjectConstructor(node);
-        break;
-    }
-
+        
     case ToThis: {
         ASSERT(node->child1().useKind() == UntypedUse);
         JSValueOperand thisValue(this, node->child1());
@@ -4611,21 +4606,6 @@ void SpeculativeJIT::compile(Node* node)
         break;
     }
 
-    case IsJSArray: {
-        compileIsJSArray(node);
-        break;
-    }
-
-    case IsArrayObject: {
-        compileIsArrayObject(node);
-        break;
-    }
-
-    case IsArrayConstructor: {
-        compileIsArrayConstructor(node);
-        break;
-    }
-
     case IsObject: {
         JSValueOperand value(this, node->child1());
         GPRTemporary result(this, Reuse, value);
index b5102fa..21aee05 100644 (file)
@@ -161,7 +161,6 @@ inline CapabilityLevel canCompile(Node* node)
     case GetScope:
     case GetCallee:
     case GetArgumentCount:
-    case CallObjectConstructor:
     case ToString:
     case CallStringConstructor:
     case MakeRope:
@@ -177,9 +176,6 @@ inline CapabilityLevel canCompile(Node* node)
     case Throw:
     case ThrowReferenceError:
     case Unreachable:
-    case IsArrayObject:
-    case IsJSArray:
-    case IsArrayConstructor:
     case IsEmpty:
     case IsUndefined:
     case IsBoolean:
index 3307a17..97abb86 100644 (file)
@@ -479,9 +479,6 @@ private:
         case DFG::Check:
             compileNoOp();
             break;
-        case CallObjectConstructor:
-            compileCallObjectConstructor();
-            break;
         case ToThis:
             compileToThis();
             break;
@@ -866,15 +863,6 @@ private:
         case IsString:
             compileIsString();
             break;
-        case IsArrayObject:
-            compileIsArrayObject();
-            break;
-        case IsJSArray:
-            compileIsJSArray();
-            break;
-        case IsArrayConstructor:
-            compileIsArrayConstructor();
-            break;
         case IsObject:
             compileIsObject();
             break;
@@ -1453,29 +1441,6 @@ private:
         DFG_NODE_DO_TO_CHILDREN(m_graph, m_node, speculate);
     }
 
-    void compileCallObjectConstructor()
-    {
-        JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
-        LValue value = lowJSValue(m_node->child1());
-
-        LBasicBlock isCellCase = m_out.newBlock();
-        LBasicBlock slowCase = m_out.newBlock();
-        LBasicBlock continuation = m_out.newBlock();
-
-        m_out.branch(isCell(value, provenType(m_node->child1())), usually(isCellCase), rarely(slowCase));
-
-        LBasicBlock lastNext = m_out.appendTo(isCellCase, slowCase);
-        ValueFromBlock fastResult = m_out.anchor(value);
-        m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
-
-        m_out.appendTo(slowCase, continuation);
-        ValueFromBlock slowResult = m_out.anchor(vmCall(m_out.int64, m_out.operation(operationObjectConstructor), m_callFrame, m_out.constIntPtr(globalObject), value));
-        m_out.jump(continuation);
-
-        m_out.appendTo(continuation, lastNext);
-        setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
-    }
-    
     void compileToThis()
     {
         LValue value = lowJSValue(m_node->child1());
@@ -5925,55 +5890,6 @@ private:
         setBoolean(m_out.phi(m_out.boolean, notCellResult, cellResult));
     }
 
-    void compileIsArrayObject()
-    {
-        LValue value = lowJSValue(m_node->child1());
-
-        LBasicBlock cellCase = m_out.newBlock();
-        LBasicBlock notArrayCase = m_out.newBlock();
-        LBasicBlock continuation = m_out.newBlock();
-
-        ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse);
-        m_out.branch(isCell(value, provenType(m_node->child1())), unsure(cellCase), unsure(continuation));
-
-        LBasicBlock lastNext = m_out.appendTo(cellCase, notArrayCase);
-        ValueFromBlock arrayResult = m_out.anchor(m_out.booleanTrue);
-        m_out.branch(isArray(value, provenType(m_node->child1())), unsure(continuation), unsure(notArrayCase));
-
-        m_out.appendTo(notArrayCase, continuation);
-        ValueFromBlock notArrayResult = m_out.anchor(vmCall(m_out.boolean, m_out.operation(operationIsArrayObject), m_callFrame, value));
-        m_out.jump(continuation);
-
-        m_out.appendTo(continuation, lastNext);
-        setBoolean(m_out.phi(m_out.boolean, notCellResult, arrayResult, notArrayResult));
-    }
-
-    void compileIsJSArray()
-    {
-        LValue value = lowJSValue(m_node->child1());
-
-        LBasicBlock isCellCase = m_out.newBlock();
-        LBasicBlock continuation = m_out.newBlock();
-
-        ValueFromBlock notCellResult = m_out.anchor(m_out.booleanFalse);
-        m_out.branch(
-            isCell(value, provenType(m_node->child1())), unsure(isCellCase), unsure(continuation));
-
-        LBasicBlock lastNext = m_out.appendTo(isCellCase, continuation);
-        ValueFromBlock cellResult = m_out.anchor(isArray(value, provenType(m_node->child1())));
-        m_out.jump(continuation);
-
-        m_out.appendTo(continuation, lastNext);
-        setBoolean(m_out.phi(m_out.boolean, notCellResult, cellResult));
-    }
-
-    void compileIsArrayConstructor()
-    {
-        LValue value = lowJSValue(m_node->child1());
-
-        setBoolean(vmCall(m_out.boolean, m_out.operation(operationIsArrayConstructor), m_callFrame, value));
-    }
-
     void compileIsObject()
     {
         LValue value = lowJSValue(m_node->child1());
@@ -10098,15 +10014,6 @@ private:
         
         jsValueToStrictInt52(edge, lowJSValue(edge, ManualOperandSpeculation));
     }
-
-    LValue isArray(LValue cell, SpeculatedType type = SpecFullTop)
-    {
-        if (LValue proven = isProvenValue(type & SpecCell, SpecArray))
-            return proven;
-        return m_out.equal(
-            m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
-            m_out.constInt32(ArrayType));
-    }
     
     LValue isObject(LValue cell, SpeculatedType type = SpecFullTop)
     {
index 2129703..1ba4181 100644 (file)
@@ -167,7 +167,6 @@ typedef JSCell* JIT_OPERATION (*C_JITOperation_ECZ)(ExecState*, JSCell*, int32_t
 typedef JSCell* JIT_OPERATION (*C_JITOperation_ECZC)(ExecState*, JSCell*, int32_t, JSCell*);
 typedef JSCell* JIT_OPERATION (*C_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
 typedef JSCell* JIT_OPERATION (*C_JITOperation_EGC)(ExecState*, JSGlobalObject*, JSCell*);
-typedef JSCell* JIT_OPERATION (*C_JITOperation_EGJ)(ExecState*, JSGlobalObject*, EncodedJSValue);
 typedef JSCell* JIT_OPERATION (*C_JITOperation_EIcf)(ExecState*, InlineCallFrame*);
 typedef JSCell* JIT_OPERATION (*C_JITOperation_EJ)(ExecState*, EncodedJSValue);
 typedef JSCell* JIT_OPERATION (*C_JITOperation_EJsc)(ExecState*, JSScope*);
index 7eef6b3..43822be 100644 (file)
@@ -569,7 +569,6 @@ static EncodedJSValue JSC_HOST_CALL functionGetHiddenValue(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionSetHiddenValue(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionPrint(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionDebug(ExecState*);
-static EncodedJSValue JSC_HOST_CALL functionDataLogValue(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionDescribe(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionDescribeArray(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionJSCStack(ExecState*);
@@ -746,8 +745,7 @@ protected:
     void finishCreation(VM& vm, const Vector<String>& arguments)
     {
         Base::finishCreation(vm);
-
-        addFunction(vm, "dataLogValue", functionDataLogValue, 1);
+        
         addFunction(vm, "debug", functionDebug, 1);
         addFunction(vm, "describe", functionDescribe, 1);
         addFunction(vm, "describeArray", functionDescribeArray, 1);
@@ -851,7 +849,6 @@ protected:
         }
 
         putDirect(vm, Identifier::fromString(globalExec(), "console"), jsUndefined());
-        putDirect(vm, vm.propertyNames->printPrivateName, JSFunction::create(vm, this, 1, vm.propertyNames->printPrivateName.string(), functionPrint));
     }
 
     void addFunction(VM& vm, const char* name, NativeFunction function, unsigned arguments)
@@ -1160,12 +1157,6 @@ EncodedJSValue JSC_HOST_CALL functionDebug(ExecState* exec)
     return JSValue::encode(jsUndefined());
 }
 
-EncodedJSValue JSC_HOST_CALL functionDataLogValue(ExecState* exec)
-{
-    dataLog("value is: ", exec->argument(0), "\n");
-    return JSValue::encode(jsUndefined());
-}
-
 EncodedJSValue JSC_HOST_CALL functionDescribe(ExecState* exec)
 {
     if (exec->argumentCount() < 1)
index 6115c1a..ca28bcc 100644 (file)
@@ -68,7 +68,7 @@ void ArrayConstructor::finishCreation(VM& vm, JSGlobalObject* globalObject, Arra
     putDirectWithoutTransition(vm, vm.propertyNames->prototype, arrayPrototype, DontEnum | DontDelete | ReadOnly);
     putDirectWithoutTransition(vm, vm.propertyNames->length, jsNumber(1), ReadOnly | DontEnum | DontDelete);
     putDirectNonIndexAccessor(vm, vm.propertyNames->speciesSymbol, speciesSymbol, Accessor | ReadOnly | DontEnum);
-    JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->isArray, arrayConstructorIsArray, DontEnum, 1, IsArrayIntrinsic);
+    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->isArray, arrayConstructorIsArray, DontEnum, 1);
 }
 
 bool ArrayConstructor::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName propertyName, PropertySlot &slot)
@@ -135,7 +135,7 @@ EncodedJSValue JSC_HOST_CALL arrayConstructorIsArray(ExecState* exec)
 
 EncodedJSValue JSC_HOST_CALL arrayConstructorPrivateFuncIsArrayConstructor(ExecState* exec)
 {
-    return JSValue::encode(jsBoolean(isArrayConstructor(exec->uncheckedArgument(0))));
+    return JSValue::encode(jsBoolean(jsDynamicCast<ArrayConstructor*>(exec->uncheckedArgument(0))));
 }
 
 } // namespace JSC
index bc3accc..664703a 100644 (file)
@@ -91,14 +91,6 @@ inline bool isArray(ExecState* exec, JSValue argumentValue)
     ASSERT_NOT_REACHED();
 }
 
-inline bool isArrayConstructor(JSValue argumentValue)
-{
-    if (!argumentValue.isObject())
-        return false;
-
-    return jsCast<JSObject*>(argumentValue)->classInfo() == ArrayConstructor::info();
-}
-
 } // namespace JSC
 
 #endif // ArrayConstructor_h
index 57a77ae..c0850cf 100644 (file)
@@ -34,7 +34,6 @@
 #include "Error.h"
 #include "Interpreter.h"
 #include "JIT.h"
-#include "JSArrayInlines.h"
 #include "JSArrayIterator.h"
 #include "JSCBuiltins.h"
 #include "JSCInlines.h"
@@ -51,6 +50,7 @@
 namespace JSC {
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncToLocaleString(ExecState*);
+EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState*);
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState*);
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncPop(ExecState*);
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncPush(ExecState*);
@@ -91,7 +91,7 @@ void ArrayPrototype::finishCreation(VM& vm, JSGlobalObject* globalObject)
     
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toString, arrayProtoFuncToString, DontEnum, 0);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->toLocaleString, arrayProtoFuncToLocaleString, DontEnum, 0);
-    JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("concat", arrayPrototypeConcatCodeGenerator, DontEnum);
+    JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION("concat", arrayProtoFuncConcat, DontEnum, 1);
     JSC_BUILTIN_FUNCTION_WITHOUT_TRANSITION("fill", arrayPrototypeFillCodeGenerator, DontEnum);
     JSC_NATIVE_FUNCTION_WITHOUT_TRANSITION(vm.propertyNames->join, arrayProtoFuncJoin, DontEnum, 1);
     JSC_NATIVE_INTRINSIC_FUNCTION_WITHOUT_TRANSITION("pop", arrayProtoFuncPop, DontEnum, 0, ArrayPopIntrinsic);
@@ -588,6 +588,87 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncJoin(ExecState* exec)
     return JSValue::encode(join(*exec, thisObject, separator->view(exec).get()));
 }
 
+EncodedJSValue JSC_HOST_CALL arrayProtoFuncConcat(ExecState* exec)
+{
+    JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
+    unsigned argCount = exec->argumentCount();
+    JSValue curArg = thisValue.toObject(exec);
+    if (!curArg)
+        return JSValue::encode(JSValue());
+    Checked<unsigned, RecordOverflow> finalArraySize = 0;
+
+    // We need to do species construction before geting the rest of the elements.
+    std::pair<SpeciesConstructResult, JSObject*> speciesResult = speciesConstructArray(exec, curArg.getObject(), 0);
+    if (speciesResult.first == SpeciesConstructResult::Exception)
+        return JSValue::encode(jsUndefined());
+
+    JSArray* currentArray = nullptr;
+    JSArray* previousArray = nullptr;
+    for (unsigned i = 0; ; ++i) {
+        previousArray = currentArray;
+        currentArray = jsDynamicCast<JSArray*>(curArg);
+        if (currentArray) {
+            // Can't use JSArray::length here because this might be a RuntimeArray!
+            finalArraySize += getLength(exec, currentArray);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
+        } else
+            ++finalArraySize;
+        if (i == argCount)
+            break;
+        curArg = exec->uncheckedArgument(i);
+    }
+
+    if (finalArraySize.hasOverflowed())
+        return JSValue::encode(throwOutOfMemoryError(exec));
+
+    if (speciesResult.first == SpeciesConstructResult::FastPath && argCount == 1 && previousArray && currentArray && finalArraySize.unsafeGet() < MIN_SPARSE_ARRAY_INDEX) {
+        IndexingType type = JSArray::fastConcatType(exec->vm(), *previousArray, *currentArray);
+        if (type != NonArray)
+            return previousArray->fastConcatWith(*exec, *currentArray);
+    }
+
+    ASSERT(speciesResult.first != SpeciesConstructResult::Exception);
+
+    JSObject* result;
+    if (speciesResult.first == SpeciesConstructResult::CreatedObject)
+        result = speciesResult.second;
+    else {
+        // We add the newTarget because the compiler gets confused between 0 being a number and a pointer.
+        result = constructEmptyArray(exec, nullptr, 0, JSValue());
+        if (exec->hadException())
+            return JSValue::encode(jsUndefined());
+    }
+
+    curArg = thisValue.toObject(exec);
+    ASSERT(!exec->hadException());
+    unsigned n = 0;
+    for (unsigned i = 0; ; ++i) {
+        if (JSArray* currentArray = jsDynamicCast<JSArray*>(curArg)) {
+            // Can't use JSArray::length here because this might be a RuntimeArray!
+            unsigned length = getLength(exec, currentArray);
+            if (exec->hadException())
+                return JSValue::encode(jsUndefined());
+            for (unsigned k = 0; k < length; ++k) {
+                JSValue v = getProperty(exec, currentArray, k);
+                if (exec->hadException())
+                    return JSValue::encode(jsUndefined());
+                if (v)
+                    result->putDirectIndex(exec, n, v);
+                n++;
+            }
+        } else {
+            result->putDirectIndex(exec, n, curArg);
+            n++;
+        }
+        if (i == argCount)
+            break;
+        curArg = exec->uncheckedArgument(i);
+    }
+    setLength(exec, result, n);
+    return JSValue::encode(result);
+}
+
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncPop(ExecState* exec)
 {
     JSValue thisValue = exec->thisValue().toThis(exec, StrictMode);
@@ -988,92 +1069,6 @@ EncodedJSValue JSC_HOST_CALL arrayProtoFuncLastIndexOf(ExecState* exec)
     return JSValue::encode(jsNumber(-1));
 }
 
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncIsJSArray(ExecState* exec)
-{
-    JSValue value = exec->uncheckedArgument(0);
-    if (value.isObject())
-        return JSValue::encode(jsBoolean(value.getObject()->type() == ArrayType));
-    return JSValue::encode(jsBoolean(false));
-}
-
-inline bool moveElements(ExecState* exec, VM& vm, JSArray* target, unsigned targetOffset, JSArray* source, unsigned sourceLength)
-{
-    ASSERT(!hasAnyArrayStorage(source->indexingType()));
-    for (unsigned i = 0; i < sourceLength; ++i) {
-        JSValue value = getProperty(exec, source, i);
-        if (vm.exception())
-            return false;
-        if (value) {
-            target->putDirectIndex(exec, targetOffset + i, value);
-            if (vm.exception())
-                return false;
-        }
-    }
-    return true;
-}
-
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
-{
-    ASSERT(exec->argumentCount() == 2);
-    VM& vm = exec->vm();
-
-    JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
-    JSArray* secondArray = jsCast<JSArray*>(exec->uncheckedArgument(1));
-
-    if (!firstArray->canFastCopy(vm, secondArray))
-        return JSValue::encode(jsNull());
-
-    Butterfly* firstButterfly = firstArray->butterfly();
-    Butterfly* secondButterfly = secondArray->butterfly();
-
-    unsigned firstArraySize = firstButterfly->publicLength();
-    unsigned secondArraySize = secondButterfly->publicLength();
-
-    IndexingType type = firstArray->memCopyWithIndexingType(secondArray->indexingType());
-    if (type == NonArray || firstArraySize + secondArraySize >= MIN_SPARSE_ARRAY_INDEX) {
-        JSArray* result = constructEmptyArray(exec, nullptr, firstArraySize + secondArraySize);
-        if (vm.exception())
-            return JSValue::encode(JSValue());
-
-        if (!moveElements(exec, vm, result, 0, firstArray, firstArraySize)
-            || !moveElements(exec, vm, result, firstArraySize, secondArray, secondArraySize)) {
-            ASSERT(vm.exception());
-            return JSValue::encode(JSValue());
-        }
-
-        return JSValue::encode(result);
-    }
-
-    Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
-    JSArray* result = JSArray::tryCreateUninitialized(vm, resultStructure, firstArraySize + secondArraySize);
-    if (!result)
-        return JSValue::encode(throwOutOfMemoryError(exec));
-
-    if (type == ArrayWithDouble) {
-        double* buffer = result->butterfly()->contiguousDouble().data();
-        memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
-        memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
-    } else if (type != ArrayWithUndecided) {
-        WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
-        memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
-        memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
-    }
-
-    result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
-    return JSValue::encode(result);
-}
-
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncAppendMemcpy(ExecState* exec)
-{
-    ASSERT(exec->argumentCount() == 2);
-
-    JSArray* resultArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
-    JSArray* otherArray = jsCast<JSArray*>(exec->uncheckedArgument(1));
-
-    return JSValue::encode(jsBoolean(resultArray->appendMemcpy(exec, exec->vm(), otherArray)));
-}
-
-
 // -------------------- ArrayPrototype.constructor Watchpoint ------------------
 
 class ArrayPrototypeAdaptiveInferredPropertyWatchpoint : public AdaptiveInferredPropertyValueWatchpointBase {
index 176fc04..64d2163 100644 (file)
@@ -65,9 +65,6 @@ private:
 
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncToString(ExecState*);
 EncodedJSValue JSC_HOST_CALL arrayProtoFuncValues(ExecState*);
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncIsJSArray(ExecState*);
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState*);
-EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncAppendMemcpy(ExecState*);
 
 } // namespace JSC
 
index 9c89c5d..1d32539 100644 (file)
     macro(yield)
 
 #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL_NOT_IMPLEMENTED_YET(macro)\
+    macro(isConcatSpreadable) \
     macro(replace) \
 
 #define JSC_COMMON_PRIVATE_IDENTIFIERS_EACH_WELL_KNOWN_SYMBOL(macro) \
     macro(hasInstance) \
-    macro(isConcatSpreadable) \
     macro(iterator) \
     macro(match) \
     macro(replace) \
     macro(hasInstanceBoundFunction) \
     macro(instanceOf) \
     macro(isArray) \
-    macro(isJSArray) \
     macro(isArrayConstructor) \
     macro(isConstructor) \
     macro(isRegExpObject) \
-    macro(concatMemcpy) \
-    macro(appendMemcpy) \
     macro(predictFinalLengthFromArgumunts) \
     macro(print) \
     macro(isSet) \
index d6fdc11..dfd8301 100644 (file)
@@ -59,9 +59,6 @@ enum JS_EXPORT_PRIVATE Intrinsic {
     RandomIntrinsic,
     FRoundIntrinsic,
     TruncIntrinsic,
-    IsArrayIntrinsic,
-    IsArrayConstructorIntrinsic,
-    IsJSArrayIntrinsic,
     IsRegExpObjectIntrinsic,
     BoundThisNoArgsFunctionCallIntrinsic,
 
index 4d2450e..afa062f 100644 (file)
@@ -392,37 +392,6 @@ bool JSArray::setLengthWithArrayStorage(ExecState* exec, unsigned newLength, boo
     return true;
 }
 
-bool JSArray::appendMemcpy(ExecState* exec, VM& vm, JSC::JSArray* otherArray)
-{
-    if (!canFastCopy(vm, otherArray))
-        return false;
-
-    IndexingType type = indexingType();
-    if (type != memCopyWithIndexingType(otherArray->indexingType()))
-        return false;
-
-    unsigned oldLength = length();
-    unsigned otherLength = otherArray->length();
-    unsigned newLength = oldLength + otherLength;
-    if (newLength >= MIN_SPARSE_ARRAY_INDEX)
-        return false;
-
-    if (!ensureLength(vm, newLength))
-        return false;
-    ASSERT(type == indexingType());
-    if (length() != newLength) {
-        throwOutOfMemoryError(exec);
-        return false;
-    }
-
-    if (type == ArrayWithDouble)
-        memcpy(butterfly()->contiguousDouble().data() + oldLength, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
-    else
-        memcpy(butterfly()->contiguous().data() + oldLength, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
-
-    return true;
-}
-
 bool JSArray::setLength(ExecState* exec, unsigned newLength, bool throwException)
 {
     Butterfly* butterfly = m_butterfly.get();
@@ -750,6 +719,38 @@ JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count
     }
 }
 
+EncodedJSValue JSArray::fastConcatWith(ExecState& exec, JSArray& otherArray)
+{
+    auto newArrayType = indexingType();
+
+    VM& vm = exec.vm();
+    ASSERT(newArrayType == fastConcatType(vm, *this, otherArray));
+
+    unsigned thisArraySize = m_butterfly.get()->publicLength();
+    unsigned otherArraySize = otherArray.m_butterfly.get()->publicLength();
+    ASSERT(thisArraySize + otherArraySize < MIN_SPARSE_ARRAY_INDEX);
+
+    Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(newArrayType);
+    JSArray* resultArray = JSArray::tryCreateUninitialized(vm, resultStructure, thisArraySize + otherArraySize);
+    if (!resultArray)
+        return JSValue::encode(throwOutOfMemoryError(&exec));
+
+    auto& resultButterfly = *resultArray->butterfly();
+    auto& otherButterfly = *otherArray.butterfly();
+    if (newArrayType == ArrayWithDouble) {
+        auto buffer = resultButterfly.contiguousDouble().data();
+        memcpy(buffer, m_butterfly.get()->contiguousDouble().data(), sizeof(JSValue) * thisArraySize);
+        memcpy(buffer + thisArraySize, otherButterfly.contiguousDouble().data(), sizeof(JSValue) * otherArraySize);
+    } else {
+        auto buffer = resultButterfly.contiguous().data();
+        memcpy(buffer, m_butterfly.get()->contiguous().data(), sizeof(JSValue) * thisArraySize);
+        memcpy(buffer + thisArraySize, otherButterfly.contiguous().data(), sizeof(JSValue) * otherArraySize);
+    }
+
+    resultButterfly.setPublicLength(thisArraySize + otherArraySize);
+    return JSValue::encode(resultArray);
+}
+
 bool JSArray::shiftCountWithArrayStorage(VM& vm, unsigned startIndex, unsigned count, ArrayStorage* storage)
 {
     unsigned oldLength = storage->length();
index 494c7b5..bcc6e67 100644 (file)
@@ -23,7 +23,6 @@
 
 #include "ArrayConventions.h"
 #include "ButterflyInlines.h"
-#include "JSCellInlines.h"
 #include "JSObject.h"
 
 namespace JSC {
@@ -79,10 +78,19 @@ public:
 
     JSArray* fastSlice(ExecState&, unsigned startIndex, unsigned count);
 
-    bool canFastCopy(VM&, JSArray* otherArray);
-    // This function returns NonArray if the indexing types are not compatable for memcpying.
-    IndexingType memCopyWithIndexingType(IndexingType other);
-    bool appendMemcpy(ExecState*, VM&, JSArray* otherArray);
+    static IndexingType fastConcatType(VM& vm, JSArray& firstArray, JSArray& secondArray)
+    {
+        IndexingType type = firstArray.indexingType();
+        if (type != secondArray.indexingType())
+            return NonArray;
+        if (type != ArrayWithDouble && type != ArrayWithInt32 && type != ArrayWithContiguous)
+            return NonArray;
+        if (firstArray.structure(vm)->holesMustForwardToPrototype(vm)
+            || secondArray.structure(vm)->holesMustForwardToPrototype(vm))
+            return NonArray;
+        return type;
+    }
+    EncodedJSValue fastConcatWith(ExecState&, JSArray&);
 
     enum ShiftCountMode {
         // This form of shift hints that we're doing queueing. With this assumption in hand,
@@ -144,7 +152,7 @@ public:
 
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, IndexingType indexingType)
     {
-        return Structure::create(vm, globalObject, prototype, TypeInfo(ArrayType, StructureFlags), info(), indexingType);
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info(), indexingType);
     }
         
 protected:
@@ -289,8 +297,7 @@ inline JSArray* asArray(JSValue value)
 
 inline bool isJSArray(JSCell* cell)
 {
-    ASSERT((cell->classInfo() == JSArray::info()) == (cell->type() == ArrayType));
-    return cell->type() == ArrayType;
+    return cell->classInfo() == JSArray::info();
 }
 
 inline bool isJSArray(JSValue v) { return v.isCell() && isJSArray(v.asCell()); }
diff --git a/Source/JavaScriptCore/runtime/JSArrayInlines.h b/Source/JavaScriptCore/runtime/JSArrayInlines.h
deleted file mode 100644 (file)
index 5c85315..0000000
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- *  Copyright (C) 2016 Apple Inc. All rights reserved.
- *
- *  This library is free software; you can redistribute it and/or
- *  modify it under the terms of the GNU Lesser General Public
- *  License as published by the Free Software Foundation; either
- *  version 2 of the License, or (at your option) any later version.
- *
- *  This library is distributed in the hope that it will be useful,
- *  but WITHOUT ANY WARRANTY; without even the implied warranty of
- *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- *  Lesser General Public License for more details.
- *
- *  You should have received a copy of the GNU Lesser General Public
- *  License along with this library; if not, write to the Free Software
- *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
- *
- */
-
-#ifndef JSArrayInlines_h
-#define JSArrayInlines_h
-
-#include "JSArray.h"
-#include "JSCellInlines.h"
-#include "Structure.h"
-
-namespace JSC {
-
-IndexingType JSArray::memCopyWithIndexingType(IndexingType other)
-{
-    IndexingType type = indexingType();
-    if (!(type & IsArray && other & IsArray))
-        return NonArray;
-
-    if (hasAnyArrayStorage(type) || hasAnyArrayStorage(other))
-        return NonArray;
-
-    if (type == ArrayWithUndecided)
-        return other;
-
-    if (other == ArrayWithUndecided)
-        return type;
-
-    // We can memcpy an Int32 and a Contiguous into a Contiguous array since
-    // both share the same memory layout for Int32 numbers.
-    if ((type == ArrayWithInt32 || type == ArrayWithContiguous)
-        && (other == ArrayWithInt32 || other == ArrayWithContiguous)) {
-        if (other == ArrayWithContiguous)
-            return other;
-        return type;
-    }
-
-    if (type != other)
-        return NonArray;
-
-    return type;
-}
-
-bool JSArray::canFastCopy(VM& vm, JSArray* otherArray)
-{
-    if (hasAnyArrayStorage(this->indexingType()) || hasAnyArrayStorage(otherArray->indexingType()))
-        return false;
-    // FIXME: We should have a watchpoint for indexed properties on Array.prototype and Object.prototype
-    // instead of walking the prototype chain. https://bugs.webkit.org/show_bug.cgi?id=155592
-    if (otherArray->structure(vm)->holesMustForwardToPrototype(vm)
-        || otherArray->structure(vm)->holesMustForwardToPrototype(vm))
-        return false;
-    return true;
-}
-
-} // namespace JSC
-
-#endif /* JSArrayInlines_h */
index de61850..1c92a20 100644 (file)
@@ -681,11 +681,7 @@ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Construct
     JSFunction* privateFuncInstanceOf = JSFunction::create(vm, this, 0, String(), objectPrivateFuncInstanceOf);
     JSFunction* privateFuncThisTimeValue = JSFunction::create(vm, this, 0, String(), dateProtoFuncGetTime);
     JSFunction* privateFuncThisNumberValue = JSFunction::create(vm, this, 0, String(), numberProtoFuncValueOf);
-    JSFunction* privateFuncIsArrayConstructor = JSFunction::create(vm, this, 0, String(), arrayConstructorPrivateFuncIsArrayConstructor, IsArrayConstructorIntrinsic);
-    JSFunction* privateFuncIsJSArray = JSFunction::create(vm, this, 0, String(), arrayProtoPrivateFuncIsJSArray, IsJSArrayIntrinsic);
-    JSFunction* privateFuncConcatMemcpy = JSFunction::create(vm, this, 0, String(), arrayProtoPrivateFuncConcatMemcpy);
-    JSFunction* privateFuncAppendMemcpy = JSFunction::create(vm, this, 0, String(), arrayProtoPrivateFuncAppendMemcpy);
-    JSFunction* privateFuncConcatSlowPath = JSFunction::createBuiltinFunction(vm, arrayPrototypeConcatSlowPathCodeGenerator(vm), this);
+    JSFunction* privateFuncIsArrayConstructor = JSFunction::create(vm, this, 0, String(), arrayConstructorPrivateFuncIsArrayConstructor);
 
     JSObject* arrayIteratorPrototype = ArrayIteratorPrototype::create(vm, this, ArrayIteratorPrototype::createStructure(vm, this, m_iteratorPrototype.get()));
     JSFunction* privateFuncCreateArrayIterator = JSFunction::createBuiltinFunction(vm, arrayPrototypeCreateArrayIteratorConstructorCodeGenerator(vm), this);
@@ -712,6 +708,7 @@ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Construct
         GlobalPropertyInfo(vm.propertyNames->NaN, jsNaN(), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->Infinity, jsNumber(std::numeric_limits<double>::infinity()), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->undefinedKeyword, jsUndefined(), DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->ObjectPrivateName, objectConstructor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->ownEnumerablePropertyKeysPrivateName, JSFunction::create(vm, this, 0, String(), ownEnumerablePropertyKeys), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->getTemplateObjectPrivateName, privateFuncGetTemplateObject, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->enqueueJobPrivateName, JSFunction::create(vm, this, 0, String(), enqueueJob), DontEnum | DontDelete | ReadOnly),
@@ -725,6 +722,7 @@ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Construct
         GlobalPropertyInfo(vm.propertyNames->hasInstanceBoundFunctionPrivateName, privateFuncHasInstanceBoundFunction, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->instanceOfPrivateName, privateFuncInstanceOf, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->BuiltinLogPrivateName, builtinLog, DontEnum | DontDelete | ReadOnly),
+        GlobalPropertyInfo(vm.propertyNames->ArrayPrivateName, arrayConstructor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->NumberPrivateName, numberConstructor, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->RegExpPrivateName, m_regExpConstructor.get(), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->StringPrivateName, stringConstructor, DontEnum | DontDelete | ReadOnly),
@@ -747,10 +745,6 @@ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Construct
         GlobalPropertyInfo(vm.propertyNames->isMapPrivateName, JSFunction::create(vm, this, 1, String(), privateFuncIsMap), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->isArrayPrivateName, arrayConstructor->getDirect(vm, vm.propertyNames->isArray), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->isArrayConstructorPrivateName, privateFuncIsArrayConstructor, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->isJSArrayPrivateName, privateFuncIsJSArray, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->concatMemcpyPrivateName, privateFuncConcatMemcpy, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->appendMemcpyPrivateName, privateFuncAppendMemcpy, DontEnum | DontDelete | ReadOnly),
-        GlobalPropertyInfo(vm.propertyNames->builtinNames().concatSlowPathPrivateName(), privateFuncConcatSlowPath, DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->MapIteratorPrivateName, JSFunction::create(vm, this, 1, String(), privateFuncMapIterator), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->mapIteratorNextPrivateName, JSFunction::create(vm, this, 0, String(), privateFuncMapIteratorNext), DontEnum | DontDelete | ReadOnly),
         GlobalPropertyInfo(vm.propertyNames->builtinNames().arrayIteratorValueNextPrivateName(), privateFuncArrayIteratorValueNext, DontEnum | DontDelete | ReadOnly),
index 76a6b9a..21934bc 100644 (file)
@@ -60,7 +60,6 @@ enum JSType : uint8_t {
     PureForwardingProxyType,
     ImpureProxyType,
     WithScopeType,
-    ArrayType,
     DirectArgumentsType,
     ScopedArgumentsType,
 
index 4db986e..d148ab0 100644 (file)
@@ -91,13 +91,6 @@ inline JSObject* constructEmptyObject(ExecState* exec)
     return constructEmptyObject(exec, exec->lexicalGlobalObject()->objectStructureForObjectConstructor());
 }
 
-inline JSObject* constructObject(ExecState* exec, JSGlobalObject* globalObject, JSValue arg)
-{
-    if (arg.isUndefinedOrNull())
-        return constructEmptyObject(exec, globalObject->objectPrototype());
-    return arg.toObject(exec, globalObject);
-}
-
 // Section 6.2.4.4 of the ES6 specification.
 // https://tc39.github.io/ecma262/#sec-frompropertydescriptor
 inline JSObject* constructObjectFromPropertyDescriptor(ExecState* exec, const PropertyDescriptor& descriptor)
index a4c86a7..3f46fdf 100644 (file)
 - path: es6/Proxy_internal_get_calls_Array.from.js
   cmd: runES6 :normal
 - path: es6/Proxy_internal_get_calls_Array.prototype.concat.js
-  cmd: runES6 :normal
+  cmd: runES6 :fail
 - path: es6/Proxy_internal_get_calls_Array.prototype.pop.js
   cmd: runES6 :normal
 - path: es6/Proxy_internal_get_calls_Array.prototype.reverse.js
 - path: es6/well-known_symbols_Symbol.hasInstance.js
   cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.isConcatSpreadable.js
-  cmd: runES6 :normal
+  cmd: runES6 :fail
 - path: es6/well-known_symbols_Symbol.match.js
   cmd: runES6 :normal
 - path: es6/well-known_symbols_Symbol.replace.js
diff --git a/Source/JavaScriptCore/tests/stress/array-concat-spread-object.js b/Source/JavaScriptCore/tests/stress/array-concat-spread-object.js
deleted file mode 100644 (file)
index 13b551e..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-// This file tests is concat spreadable.
-
-function arrayEq(a, b) {
-    if (a.length !== b.length)
-        return false;
-    for (let i = 0; i < a.length; i++) {
-        if (a[i] !== b[i])
-            return false;
-    }
-    return true;
-}
-
-
-{
-    let o = {0:1, 1:2, 2:3, length:3};
-
-    // Test it works with proxies by default
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(Array.prototype.concat.call(o,o), [o,o]))
-            throw "failed normally with an object"
-    }
-
-    // Test it works with spreadable true
-    o[Symbol.isConcatSpreadable] = true;
-    for (let i = 0; i < 100000; i++) {
-        let result = Array.prototype.concat.call(o,o)
-        if (!arrayEq(result, [1,2,3,1,2,3]))
-            throw "failed with spread got: " + result;
-    }
-
-    // Test it works with many things
-    o[Symbol.isConcatSpreadable] = true;
-    let other = {}
-    for (let i = 0; i < 100000; i++) {
-        let result = Array.prototype.concat.call(o,o,true,[1,2],other)
-        if (!arrayEq(result, [1,2,3,1,2,3,true,1,2,other]))
-            throw "failed with spread got: " + result;
-    }
-
-    // Test it works with strings
-    String.prototype[Symbol.isConcatSpreadable] = true;
-    for (let i = 0; i < 100000; i++) {
-        let result = Array.prototype.concat.call("hi","hi")
-        // This is what the spec says is the correct answer... D:
-        if (!arrayEq(result, ["h", "i", "hi"]))
-            throw "failed with string got: " + result + " on iteration " + i;
-    }
-}
diff --git a/Source/JavaScriptCore/tests/stress/array-concat-spread-proxy-exception-check.js b/Source/JavaScriptCore/tests/stress/array-concat-spread-proxy-exception-check.js
deleted file mode 100644 (file)
index 81b06cc..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-function arrayEq(a, b) {
-    if (a.length !== b.length)
-        return false;
-    for (let i = 0; i < a.length; i++) {
-        if (a[i] !== b[i])
-            return false;
-    }
-    return true;
-}
-
-{
-    let concat = Array.prototype.concat;
-    noInline(concat);
-    let array = [1, 2, 3];
-    let {proxy:p, revoke} = Proxy.revocable(array, { get : function(o, k) { return o[k]; } });
-
-    concat.call(p,p);
-
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(concat.call(p,p), [1,2,3,1,2,3]))
-            throw "bad";
-    }
-    revoke();
-    failed = true;
-    try {
-        concat.call(p,p);
-    } catch (e) {
-        failed = false;
-    }
-
-    if (failed)
-        throw "bad"
-
-}
diff --git a/Source/JavaScriptCore/tests/stress/array-concat-spread-proxy.js b/Source/JavaScriptCore/tests/stress/array-concat-spread-proxy.js
deleted file mode 100644 (file)
index e2cbd48..0000000
+++ /dev/null
@@ -1,39 +0,0 @@
-// This file tests is concat spreadable.
-
-function arrayEq(a, b) {
-    if (a.length !== b.length)
-        return false;
-    for (let i = 0; i < a.length; i++) {
-        if (a[i] !== b[i])
-            return false;
-    }
-    return true;
-}
-
-
-{
-    let array = [1,2,3];
-    let {proxy:p, revoke} = Proxy.revocable(array, { get : function(o, k) { return o[k]; } });
-
-    // Test it works with proxies by default
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(Array.prototype.concat.call(p,p), [1,2,3,1,2,3]))
-            throw "failed normally with a proxy"
-    }
-
-    // Test it works with spreadable false.
-    p[Symbol.isConcatSpreadable] = false;
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(Array.prototype.concat.call(p,p), [p,p]))
-            throw "failed with no spread"
-    }
-
-    p[Symbol.isConcatSpreadable] = undefined;
-    revoke();
-    passed = true;
-    try {
-        Array.prototype.concat.call(p,[]);
-        passed = false;
-    } catch (e) { }
-
-}
diff --git a/Source/JavaScriptCore/tests/stress/array-concat-with-slow-indexingtypes.js b/Source/JavaScriptCore/tests/stress/array-concat-with-slow-indexingtypes.js
deleted file mode 100644 (file)
index 492efb1..0000000
+++ /dev/null
@@ -1,35 +0,0 @@
-function arrayEq(a, b) {
-    if (a.length !== b.length)
-        return false;
-    for (let i = 0; i < a.length; i++) {
-        if (a[i] !== b[i])
-            return false;
-    }
-    return true;
-}
-
-
-{
-
-    array = [1,2];
-    Object.defineProperty(array, 2, { get: () => { return 1; } });
-
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(Array.prototype.concat.call(array,array), [1,2,1,1,2,1]))
-            throw "failed normally with a getter"
-        if (!arrayEq(Array.prototype.concat.call([],array), [1,2,1]))
-            throw "failed with undecided and a getter"
-    }
-
-    // Test with indexed types on prototype.
-    array = [1,2];
-    array.length = 3;
-    Array.prototype[2] = 1;
-
-    for (let i = 0; i < 100000; i++) {
-        if (!arrayEq(Array.prototype.concat.call(array,array), [1,2,1,1,2,1]))
-            throw "failed normally with an indexed prototype"
-        if (!arrayEq(Array.prototype.concat.call([],array), [1,2,1]))
-            throw "failed with undecided and an indexed prototype"
-    }
-}
index 8477d5b..cd0ef21 100644 (file)
@@ -16,9 +16,6 @@ if (!(result instanceof A))
 
 Object.defineProperty(Array, Symbol.species, { value: Int32Array, configurable: true });
 
-// We can't write to the length property on a typed array by default.
-Object.defineProperty(Int32Array.prototype, "length", { value: 0, writable: true });
-
 result = foo.concat([1]);
 if (!(result instanceof Int32Array))
     throw "concat failed";