[[GetPrototypeOf]] should be a fully virtual method in the method table
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 6 Mar 2016 23:05:45 +0000 (23:05 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 6 Mar 2016 23:05:45 +0000 (23:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=155002

Reviewed by Filip Pizlo.

This patch makes us more consistent with how the ES6 specification models the
[[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable
is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
still allows directly accessing the prototype for situations where this
is the desired behavior. This is equivalent to getting the internal
[[Prototype]] field as described in the specification.

* API/JSObjectRef.cpp:
(JSObjectGetPrototype):
(JSObjectSetPrototype):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
(JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
(JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_instanceof):
* jit/JITOperations.cpp:
* jit/JITOperations.h:
* jsc.cpp:
(functionCreateProxy):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* runtime/ArrayPrototype.cpp:
(JSC::speciesConstructArray):
* runtime/ClassInfo.h:
* runtime/FunctionPrototype.cpp:
(JSC::functionProtoFuncBind):
* runtime/IntlCollatorPrototype.cpp:
(JSC::IntlCollatorPrototypeGetterCompare):
* runtime/IntlDateTimeFormatPrototype.cpp:
(JSC::IntlDateTimeFormatPrototypeGetterFormat):
* runtime/IntlNumberFormatPrototype.cpp:
(JSC::IntlNumberFormatPrototypeGetterFormat):
* runtime/JSBoundFunction.cpp:
(JSC::hasInstanceBoundFunction):
(JSC::getBoundFunctionStructure):
(JSC::JSBoundFunction::create):
* runtime/JSBoundFunction.h:
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSCell.cpp:
(JSC::JSCell::setPrototype):
(JSC::JSCell::getPrototype):
* runtime/JSCell.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::hasLegacyProfiler):
(JSC::lastInPrototypeChain):
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::finishCreation):
* runtime/JSGlobalObjectFunctions.cpp:
(JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
(JSC::GlobalFuncProtoGetterFunctor::operator()):
(JSC::globalFuncProtoGetter):
* runtime/JSLexicalEnvironment.cpp:
(JSC::JSLexicalEnvironment::getOwnPropertySlot):
* runtime/JSObject.cpp:
(JSC::JSObject::calculatedClassName):
(JSC::JSObject::putInlineSlow):
(JSC::JSObject::setPrototypeWithCycleCheck):
(JSC::JSObject::setPrototype):
(JSC::JSObject::getPrototype):
(JSC::JSObject::defaultHasInstance):
(JSC::objectPrivateFuncInstanceOf):
(JSC::JSObject::getPropertyNames):
(JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
(JSC::JSObject::attemptToInterceptPutByIndexOnHole):
(JSC::JSObject::getGenericPropertyNames):
* runtime/JSObject.h:
(JSC::JSObject::finishCreation):
(JSC::JSObject::JSObject):
(JSC::JSObject::getPrototypeDirect):
(JSC::JSObject::getPrototype):
(JSC::JSObject::getOwnNonIndexPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::getNonIndexPropertySlot):
(JSC::JSObject::prototype): Deleted.
* runtime/JSObjectInlines.h:
(JSC::JSObject::canPerformFastPutInline):
* runtime/JSProxy.cpp:
(JSC::JSProxy::setTarget):
* runtime/JSTypedArrayViewConstructor.cpp:
(JSC::constructTypedArrayView):
* runtime/ObjectConstructor.cpp:
(JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
(JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
(JSC::objectConstructorGetPrototypeOf):
* runtime/ObjectPrototype.cpp:
(JSC::objectProtoFuncIsPrototypeOf):
* runtime/ProxyObject.cpp:
(JSC::performProxyGet):
(JSC::ProxyObject::performSetPrototype):
* runtime/StructureInlines.h:
(JSC::Structure::isValid):
* tests/stress/proxy-has-property.js:
(assert.let.h1.has):
(assert.let.h2.has):
(assert):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197645 268f45cc-cd09-0410-ab3c-d52691b4dbfc

40 files changed:
Source/JavaScriptCore/API/JSObjectRef.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/jit/JITOperations.h
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter.asm
Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/ClassInfo.h
Source/JavaScriptCore/runtime/FunctionPrototype.cpp
Source/JavaScriptCore/runtime/IntlCollatorPrototype.cpp
Source/JavaScriptCore/runtime/IntlDateTimeFormatPrototype.cpp
Source/JavaScriptCore/runtime/IntlNumberFormatPrototype.cpp
Source/JavaScriptCore/runtime/JSBoundFunction.cpp
Source/JavaScriptCore/runtime/JSBoundFunction.h
Source/JavaScriptCore/runtime/JSCJSValue.cpp
Source/JavaScriptCore/runtime/JSCell.cpp
Source/JavaScriptCore/runtime/JSCell.h
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
Source/JavaScriptCore/runtime/JSLexicalEnvironment.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSObjectInlines.h
Source/JavaScriptCore/runtime/JSProxy.cpp
Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
Source/JavaScriptCore/runtime/ObjectConstructor.cpp
Source/JavaScriptCore/runtime/ObjectPrototype.cpp
Source/JavaScriptCore/runtime/ProxyObject.cpp
Source/JavaScriptCore/runtime/StructureInlines.h
Source/JavaScriptCore/tests/stress/proxy-has-property.js

index 1534bdc..a8eaf05 100644 (file)
@@ -267,8 +267,8 @@ JSValueRef JSObjectGetPrototype(JSContextRef ctx, JSObjectRef object)
     ExecState* exec = toJS(ctx);
     JSLockHolder locker(exec);
 
-    JSObject* jsObject = toJS(object);
-    return toRef(exec, jsObject->prototype());
+    JSObject* jsObject = toJS(object); 
+    return toRef(exec, jsObject->getPrototypeDirect());
 }
 
 void JSObjectSetPrototype(JSContextRef ctx, JSObjectRef object, JSValueRef value)
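Review bot: The rewritten `JSObject* jsObject = toJS(object);` line now ends in trailing whitespace, which the WebKit style checker flags; the same slipped into the `MacroAssembler::JumpList doneJumps;` and `callOperation(operationDefaultHasInstance, ...)` lines of the second DFGSpeculativeJIT.cpp hunk. Since this public C API entry point deliberately reads the internal [[Prototype]] slot rather than the new method-table `getPrototype`, a reader who later sees Proxy traps elsewhere may "fix" it unless the choice is stated. A one-line comment would settle it: `// Intentionally reads the internal [[Prototype]] slot; the C API does not go through [[GetPrototypeOf]].`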
index 6c86922..85f76ff 100644 (file)
@@ -1,3 +1,123 @@
+2016-03-06  Saam barati  <sbarati@apple.com>
+
+        [[GetPrototypeOf]] should be a fully virtual method in the method table
+        https://bugs.webkit.org/show_bug.cgi?id=155002
+
+        Reviewed by Filip Pizlo.
+
+        This patch makes us more consistent with how the ES6 specification models the
+        [[GetPrototypeOf]] trap. Moving this method into ClassInfo::methodTable 
+        is a prerequisite for implementing Proxy.[[GetPrototypeOf]]. This patch
+        still allows directly accessing the prototype for situations where this
+        is the desired behavior. This is equivalent to getting the internal
+        [[Prototype]] field as described in the specification. 
+
+        * API/JSObjectRef.cpp:
+        (JSObjectGetPrototype):
+        (JSObjectSetPrototype):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
+        (JSC::DFG::SpeculativeJIT::compileCheckTypeInfoFlags):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
+        (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOfCustom):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emitSlow_op_instanceof):
+        * jit/JITOpcodes32_64.cpp:
+        (JSC::JIT::emit_op_instanceof):
+        (JSC::JIT::emitSlow_op_instanceof):
+        * jit/JITOperations.cpp:
+        * jit/JITOperations.h:
+        * jsc.cpp:
+        (functionCreateProxy):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * llint/LowLevelInterpreter.asm:
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+        * runtime/ArrayPrototype.cpp:
+        (JSC::speciesConstructArray):
+        * runtime/ClassInfo.h:
+        * runtime/FunctionPrototype.cpp:
+        (JSC::functionProtoFuncBind):
+        * runtime/IntlCollatorPrototype.cpp:
+        (JSC::IntlCollatorPrototypeGetterCompare):
+        * runtime/IntlDateTimeFormatPrototype.cpp:
+        (JSC::IntlDateTimeFormatPrototypeGetterFormat):
+        * runtime/IntlNumberFormatPrototype.cpp:
+        (JSC::IntlNumberFormatPrototypeGetterFormat):
+        * runtime/JSBoundFunction.cpp:
+        (JSC::hasInstanceBoundFunction):
+        (JSC::getBoundFunctionStructure):
+        (JSC::JSBoundFunction::create):
+        * runtime/JSBoundFunction.h:
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::putToPrimitive):
+        * runtime/JSCell.cpp:
+        (JSC::JSCell::setPrototype):
+        (JSC::JSCell::getPrototype):
+        * runtime/JSCell.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::hasLegacyProfiler):
+        (JSC::lastInPrototypeChain):
+        (JSC::JSGlobalObject::objectPrototypeIsSane):
+        (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
+        (JSC::JSGlobalObject::stringPrototypeChainIsSane):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::finishCreation):
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::GlobalFuncProtoGetterFunctor::GlobalFuncProtoGetterFunctor):
+        (JSC::GlobalFuncProtoGetterFunctor::operator()):
+        (JSC::globalFuncProtoGetter):
+        * runtime/JSLexicalEnvironment.cpp:
+        (JSC::JSLexicalEnvironment::getOwnPropertySlot):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::calculatedClassName):
+        (JSC::JSObject::putInlineSlow):
+        (JSC::JSObject::setPrototypeWithCycleCheck):
+        (JSC::JSObject::setPrototype):
+        (JSC::JSObject::getPrototype):
+        (JSC::JSObject::defaultHasInstance):
+        (JSC::objectPrivateFuncInstanceOf):
+        (JSC::JSObject::getPropertyNames):
+        (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
+        (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
+        (JSC::JSObject::getGenericPropertyNames):
+        * runtime/JSObject.h:
+        (JSC::JSObject::finishCreation):
+        (JSC::JSObject::JSObject):
+        (JSC::JSObject::getPrototypeDirect):
+        (JSC::JSObject::getPrototype):
+        (JSC::JSObject::getOwnNonIndexPropertySlot):
+        (JSC::JSObject::getPropertySlot):
+        (JSC::JSObject::getNonIndexPropertySlot):
+        (JSC::JSObject::prototype): Deleted.
+        * runtime/JSObjectInlines.h:
+        (JSC::JSObject::canPerformFastPutInline):
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::setTarget):
+        * runtime/JSTypedArrayViewConstructor.cpp:
+        (JSC::constructTypedArrayView):
+        * runtime/ObjectConstructor.cpp:
+        (JSC::ObjectConstructorGetPrototypeOfFunctor::ObjectConstructorGetPrototypeOfFunctor):
+        (JSC::ObjectConstructorGetPrototypeOfFunctor::operator()):
+        (JSC::objectConstructorGetPrototypeOf):
+        * runtime/ObjectPrototype.cpp:
+        (JSC::objectProtoFuncIsPrototypeOf):
+        * runtime/ProxyObject.cpp:
+        (JSC::performProxyGet):
+        (JSC::ProxyObject::performSetPrototype):
+        * runtime/StructureInlines.h:
+        (JSC::Structure::isValid):
+        * tests/stress/proxy-has-property.js:
+        (assert.let.h1.has):
+        (assert.let.h2.has):
+        (assert):
+
 2016-03-06  Filip Pizlo  <fpizlo@apple.com>
 
         RegExpMatchesArray doesn't know how to have a bad time
index d2c1447..61be090 100644 (file)
@@ -1392,6 +1392,15 @@ int64_t JIT_OPERATION operationConvertDoubleToInt52(double value)
     return tryConvertToInt52(value);
 }
 
+size_t JIT_OPERATION operationDefaultHasInstance(ExecState* exec, JSCell* value, JSCell* proto) // Returns jsBoolean(True|False) on 64-bit.
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    if (JSObject::defaultHasInstance(exec, value, proto))
+        return 1;
+    return 0;
+}
+
 void JIT_OPERATION operationProcessTypeProfilerLogDFG(ExecState* exec) 
 {
     exec->vm().typeProfilerLog()->processLogEntries(ASCIILiteral("Log Full, called from inside DFG."));
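Review bot: The trailing comment on the new `operationDefaultHasInstance` signature, `// Returns jsBoolean(True|False) on 64-bit.`, does not match the body, which returns the plain integers 1 and 0. The boxing happens in the DFG caller (`m_jit.or32(TrustedImm32(ValueFalse), scratchReg)` in DFGSpeculativeJIT.cpp), and the FTL caller consumes the raw result as a boolean, so the comment is misleading for both. Suggest `// Returns 0 or 1; the DFG/FTL callers box the result themselves.`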
index d3c56df..c818f7f 100644 (file)
@@ -155,6 +155,8 @@ void JIT_OPERATION operationLoadVarargs(ExecState*, int32_t firstElementDest, En
 int64_t JIT_OPERATION operationConvertBoxedDoubleToInt52(EncodedJSValue);
 int64_t JIT_OPERATION operationConvertDoubleToInt52(double);
 
+size_t JIT_OPERATION operationDefaultHasInstance(ExecState*, JSCell* value, JSCell* proto);
+
 void JIT_OPERATION operationProcessTypeProfilerLogDFG(ExecState*) WTF_INTERNAL;
 
 void JIT_OPERATION debugOperationPrintSpeculationFailure(ExecState*, void*, void*) WTF_INTERNAL;
index 09913ea..fbc1d29 100644 (file)
@@ -2740,6 +2740,8 @@ void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg p
     
     // Walk up the prototype chain of the value (in scratchReg), comparing to prototypeReg.
     MacroAssembler::Label loop(&m_jit);
+    MacroAssembler::Jump performDefaultHasInstance = m_jit.branch8(MacroAssembler::Equal,
+        MacroAssembler::Address(scratchReg, JSCell::typeInfoTypeOffset()), TrustedImm32(ProxyObjectType));
     m_jit.emitLoadStructure(scratchReg, scratchReg, scratch2Reg);
     m_jit.loadPtr(MacroAssembler::Address(scratchReg, Structure::prototypeOffset() + CellPayloadOffset), scratchReg);
     MacroAssembler::Jump isInstance = m_jit.branchPtr(MacroAssembler::Equal, scratchReg, prototypeReg);
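Review bot: The existing comment `// Walk up the prototype chain of the value (in scratchReg), comparing to prototypeReg.` no longer describes the loop, which now begins with a `branch8` that leaves the loop as soon as the current cell is a ProxyObject. Since that bail-out is linked to the `operationDefaultHasInstance` call in the next hunk, the comment should say so: `// Walk up the prototype chain of the value (in scratchReg), comparing to prototypeReg. Any ProxyObject on the chain bails to operationDefaultHasInstance, which handles [[GetPrototypeOf]] in C++.` compileInstanceOfForObject starts before this hunk.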
@@ -2755,7 +2757,18 @@ void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg p
 #else
     m_jit.move(MacroAssembler::TrustedImm32(0), scratchReg);
 #endif
-    MacroAssembler::Jump putResult = m_jit.jump();
+    MacroAssembler::JumpList doneJumps; 
+    doneJumps.append(m_jit.jump());
+
+    performDefaultHasInstance.link(&m_jit);
+    silentSpillAllRegisters(scratchReg);
+    callOperation(operationDefaultHasInstance, scratchReg, valueReg, prototypeReg); 
+    silentFillAllRegisters(scratchReg);
+    m_jit.exceptionCheck();
+#if USE(JSVALUE64)
+    m_jit.or32(TrustedImm32(ValueFalse), scratchReg);
+#endif
+    doneJumps.append(m_jit.jump());
     
     isInstance.link(&m_jit);
 #if USE(JSVALUE64)
@@ -2764,7 +2777,7 @@ void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg p
     m_jit.move(MacroAssembler::TrustedImm32(1), scratchReg);
 #endif
     
-    putResult.link(&m_jit);
+    doneJumps.link(&m_jit);
 }
 
 void SpeculativeJIT::compileCheckTypeInfoFlags(Node* node)
index 0d3db0b..4de893c 100644 (file)
@@ -5947,6 +5947,8 @@ private:
         LBasicBlock loop = FTL_NEW_BLOCK(m_out, ("InstanceOf loop"));
         LBasicBlock notYetInstance = FTL_NEW_BLOCK(m_out, ("InstanceOf not yet instance"));
         LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("InstanceOf continuation"));
+        LBasicBlock loadPrototypeDirect = FTL_NEW_BLOCK(m_out, ("Instanceof defaultPrototypeFunction"));
+        LBasicBlock defaultHasInstanceSlow = FTL_NEW_BLOCK(m_out, ("Instanceof defaultPrototypeFunction"));
         
         LValue condition;
         if (m_node->child1().useKind() == UntypedUse)
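Review bot: The two new basic blocks `loadPrototypeDirect` and `defaultHasInstanceSlow` are both created with the same debug name, `"Instanceof defaultPrototypeFunction"`, so they are indistinguishable in FTL/B3 dumps, and the capitalisation differs from the neighbouring `"InstanceOf ..."` names. Suggest `LBasicBlock loadPrototypeDirect = FTL_NEW_BLOCK(m_out, ("InstanceOf load prototype direct"));` and `LBasicBlock defaultHasInstanceSlow = FTL_NEW_BLOCK(m_out, ("InstanceOf default hasInstance slow"));`. compileInstanceOf starts before this hunk.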
@@ -5964,8 +5966,14 @@ private:
         ValueFromBlock originalValue = m_out.anchor(cell);
         m_out.jump(loop);
         
-        m_out.appendTo(loop, notYetInstance);
+        m_out.appendTo(loop, loadPrototypeDirect);
         LValue value = m_out.phi(m_out.int64, originalValue);
+        LValue type = m_out.load8ZeroExt32(value, m_heaps.JSCell_typeInfoType);
+        m_out.branch(
+            m_out.notEqual(type, m_out.constInt32(ProxyObjectType)),
+            usually(loadPrototypeDirect), rarely(defaultHasInstanceSlow));
+
+        m_out.appendTo(loadPrototypeDirect, notYetInstance);
         LValue structure = loadStructure(value);
         LValue currentPrototype = m_out.load64(structure, m_heaps.Structure_prototype);
         ValueFromBlock isInstanceResult = m_out.anchor(m_out.booleanTrue);
@@ -5973,14 +5981,22 @@ private:
             m_out.equal(currentPrototype, prototype),
             unsure(continuation), unsure(notYetInstance));
         
-        m_out.appendTo(notYetInstance, continuation);
+        m_out.appendTo(notYetInstance, defaultHasInstanceSlow);
         ValueFromBlock notInstanceResult = m_out.anchor(m_out.booleanFalse);
         m_out.addIncomingToPhi(value, m_out.anchor(currentPrototype));
         m_out.branch(isCell(currentPrototype), unsure(loop), unsure(continuation));
+
+        m_out.appendTo(defaultHasInstanceSlow, continuation);
+        // We can use the value that we're looping with because we
+        // can just continue off from wherever we bailed from the
+        // loop.
+        ValueFromBlock defaultHasInstanceResult = m_out.anchor(
+            vmCall(m_out.boolean, m_out.operation(operationDefaultHasInstance), m_callFrame, value, prototype));
+        m_out.jump(continuation);
         
         m_out.appendTo(continuation, lastNext);
         setBoolean(
-            m_out.phi(m_out.boolean, notCellResult, isInstanceResult, notInstanceResult));
+            m_out.phi(m_out.boolean, notCellResult, isInstanceResult, notInstanceResult, defaultHasInstanceResult));
     }
 
     void compileInstanceOfCustom()
index 1fa4ebc..6094976 100644 (file)
@@ -153,6 +153,8 @@ void JIT::emit_op_instanceof(Instruction* currentInstruction)
     move(TrustedImm64(JSValue::encode(jsBoolean(true))), regT0);
     Label loop(this);
 
+    addSlowCase(branch8(Equal, Address(regT2, JSCell::typeInfoTypeOffset()), TrustedImm32(ProxyObjectType)));
+
     // Load the prototype of the object in regT2.  If this is equal to regT1 - WIN!
     // Otherwise, check if we've hit null - if we have then drop out of the loop, if not go again.
     emitLoadStructure(regT2, regT2, regT3);
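Review bot: The new `addSlowCase(branch8(Equal, Address(regT2, JSCell::typeInfoTypeOffset()), TrustedImm32(ProxyObjectType)));` has no comment, and it sits just above a comment block that still describes the loop as a plain prototype load; the identical line in the JITOpcodes32_64.cpp hunk has the same gap. A short `// A ProxyObject anywhere on the chain must not be walked inline; fall back to operationInstanceOf.` above it would explain the bail-out. The matching bare `linkSlowCase(iter);` added to both emitSlow_op_instanceof hunks likewise gives no hint which branch it links; a trailing `// ProxyObject on the prototype chain` on each would tie the two sides together.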
@@ -857,6 +859,7 @@ void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCas
     linkSlowCaseIfNotJSCell(iter, value);
     linkSlowCaseIfNotJSCell(iter, proto);
     linkSlowCase(iter);
+    linkSlowCase(iter);
     emitGetVirtualRegister(value, regT0);
     emitGetVirtualRegister(proto, regT1);
     callOperation(operationInstanceOf, dst, regT0, regT1);
index b27afcd..a99d7f0 100644 (file)
@@ -233,6 +233,8 @@ void JIT::emit_op_instanceof(Instruction* currentInstruction)
     move(TrustedImm32(1), regT0);
     Label loop(this);
 
+    addSlowCase(branch8(Equal, Address(regT2, JSCell::typeInfoTypeOffset()), TrustedImm32(ProxyObjectType)));
+
     // Load the prototype of the cell in regT2.  If this is equal to regT1 - WIN!
     // Otherwise, check if we've hit null - if we have then drop out of the loop, if not go again.
     loadPtr(Address(regT2, JSCell::structureIDOffset()), regT2);
@@ -263,6 +265,7 @@ void JIT::emitSlow_op_instanceof(Instruction* currentInstruction, Vector<SlowCas
     linkSlowCaseIfNotJSCell(iter, value);
     linkSlowCaseIfNotJSCell(iter, proto);
     linkSlowCase(iter);
+    linkSlowCase(iter);
 
     emitLoad(value, regT1, regT0);
     emitLoad(proto, regT3, regT2);
index 7a88ca4..69f370b 100644 (file)
@@ -1779,8 +1779,6 @@ EncodedJSValue JIT_OPERATION operationInstanceOf(ExecState* exec, EncodedJSValue
     JSValue value = JSValue::decode(encodedValue);
     JSValue proto = JSValue::decode(encodedProto);
     
-    ASSERT(!value.isObject() || !proto.isObject());
-
     bool result = JSObject::defaultHasInstance(exec, value, proto);
     return JSValue::encode(jsBoolean(result));
 }
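Review bot: With `ASSERT(!value.isObject() || !proto.isObject());` removed, nothing in operationInstanceOf records that both operands are now legitimately objects here, which a future reader may try to re-assert. A replacement comment would preserve the reasoning: `// Both operands may be objects: the baseline JIT takes this slow path when it finds a ProxyObject on the prototype chain.` The same applies to the LLIntSlowPaths.cpp hunk, where the assertion is dropped because `_llint_op_instanceof` now always calls the slow path.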
index 1c4c1a6..63a2b9c 100644 (file)
@@ -196,6 +196,7 @@ typedef int64_t JIT_OPERATION(*Q_JITOperation_D)(double);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_D)(double);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_E)(ExecState*);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EC)(ExecState*, JSCell*);
+typedef int32_t JIT_OPERATION (*Z_JITOperation_ECC)(ExecState*, JSCell*, JSCell*);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EGC)(ExecState*, JSGlobalObject*, JSCell*);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_ESJss)(ExecState*, size_t, JSString*);
 typedef int32_t JIT_OPERATION (*Z_JITOperation_EJ)(ExecState*, EncodedJSValue);
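Review bot: The new `Z_JITOperation_ECC` typedef returns `int32_t`, but `operationDefaultHasInstance`, the only new `(ExecState*, JSCell*, JSCell*)` operation in this patch, is declared to return `size_t` in both DFGOperations.cpp and DFGOperations.h. If the typedef is meant for that operation the return types do not agree; if `callOperation` instead resolves to an existing size_t-returning pointer type, the typedef appears unused by this patch. Either align the operation's return type with the typedef it is dispatched through, or drop the typedef.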
index c45bbec..befeef9 100644 (file)
@@ -1228,7 +1228,7 @@ EncodedJSValue JSC_HOST_CALL functionCreateProxy(ExecState* exec)
     if (!target.isObject())
         return JSValue::encode(jsUndefined());
     JSObject* jsTarget = asObject(target.asCell());
-    Structure* structure = JSProxy::createStructure(exec->vm(), exec->lexicalGlobalObject(), jsTarget->prototype());
+    Structure* structure = JSProxy::createStructure(exec->vm(), exec->lexicalGlobalObject(), jsTarget->getPrototypeDirect());
     JSProxy* proxy = JSProxy::create(exec->vm(), structure, jsTarget);
     return JSValue::encode(proxy);
 }
index 7658779..f66c7da 100644 (file)
@@ -526,7 +526,6 @@ LLINT_SLOW_PATH_DECL(slow_path_instanceof)
     LLINT_BEGIN();
     JSValue value = LLINT_OP_C(2).jsValue();
     JSValue proto = LLINT_OP_C(3).jsValue();
-    ASSERT(!value.isObject() || !proto.isObject());
     LLINT_RETURN(jsBoolean(JSObject::defaultHasInstance(exec, value, proto)));
 }
 
index 8870808..e8ae7e5 100644 (file)
@@ -1706,6 +1706,11 @@ _llint_op_copy_rest:
     callSlowPath(_slow_path_copy_rest)
     dispatch(4)
 
+_llint_op_instanceof:
+    traceExecution()
+    callSlowPath(_llint_slow_path_instanceof)
+    dispatch(4)
+
 
 # Lastly, make sure that we can link even though we don't support all opcodes.
 # These opcodes should never arise when using LLInt or either JIT. We assert
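Review bot: The new `_llint_op_instanceof` unconditionally calls `_llint_slow_path_instanceof`, replacing the inline chain walk deleted from both LowLevelInterpreter32_64.asm and LowLevelInterpreter64.asm, while the baseline JIT, DFG and FTL keep their inline walk with a ProxyObject check. Neither the asm nor the commit description says why the interpreter gets no fast path, and every instanceof in LLInt now pays a slow-path call. A comment such as `# Always use the slow path: [[GetPrototypeOf]] is now virtual (ProxyObject), so the inline chain walk was removed.` would record the decision.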
index 7f931e5..5649797 100644 (file)
@@ -1206,34 +1206,6 @@ _llint_op_overrides_has_instance:
     storei 1, PayloadOffset[cfr, t3, 8]
     dispatch(4)
 
-_llint_op_instanceof:
-    traceExecution()
-    # Actually do the work.
-    loadi 12[PC], t0
-    loadi 4[PC], t3
-    loadConstantOrVariablePayload(t0, CellTag, t1, .opInstanceofSlow)
-    bbb JSCell::m_type[t1], ObjectType, .opInstanceofSlow
-    loadi 8[PC], t0
-    loadConstantOrVariablePayload(t0, CellTag, t2, .opInstanceofSlow)
-    
-    # Register state: t1 = prototype, t2 = value
-    move 1, t0
-.opInstanceofLoop:
-    loadp JSCell::m_structureID[t2], t2
-    loadi Structure::m_prototype + PayloadOffset[t2], t2
-    bpeq t2, t1, .opInstanceofDone
-    btinz t2, .opInstanceofLoop
-
-    move 0, t0
-.opInstanceofDone:
-    storei BooleanTag, TagOffset[cfr, t3, 8]
-    storei t0, PayloadOffset[cfr, t3, 8]
-    dispatch(4)
-
-.opInstanceofSlow:
-    callSlowPath(_llint_slow_path_instanceof)
-    dispatch(4)
-
 _llint_op_instanceof_custom:
     traceExecution()
     callSlowPath(_llint_slow_path_instanceof_custom)
index 2385044..0e47af3 100644 (file)
@@ -1093,34 +1093,6 @@ _llint_op_overrides_has_instance:
     dispatch(4)
 
 
-_llint_op_instanceof:
-    traceExecution()
-    # Actually do the work.
-    loadisFromInstruction(3, t0)
-    loadConstantOrVariableCell(t0, t1, .opInstanceofSlow)
-    bbb JSCell::m_type[t1], ObjectType, .opInstanceofSlow
-    loadisFromInstruction(2, t0)
-    loadConstantOrVariableCell(t0, t2, .opInstanceofSlow)
-    
-    # Register state: t1 = prototype, t2 = value
-    move 1, t0
-.opInstanceofLoop:
-    loadStructureAndClobberFirstArg(t2, t3)
-    loadq Structure::m_prototype[t3], t2
-    bqeq t2, t1, .opInstanceofDone
-    btqz t2, tagMask, .opInstanceofLoop
-
-    move 0, t0
-.opInstanceofDone:
-    orq ValueFalse, t0
-    loadisFromInstruction(1, t3)
-    storeq t0, [cfr, t3, 8]
-    dispatch(4)
-
-.opInstanceofSlow:
-    callSlowPath(_llint_slow_path_instanceof)
-    dispatch(4)
-
 _llint_op_instanceof_custom:
     traceExecution()
     callSlowPath(_llint_slow_path_instanceof_custom)
index cf24cf6..8ecc7ea 100644 (file)
@@ -184,7 +184,7 @@ static ALWAYS_INLINE std::pair<SpeciesConstructResult, JSObject*> speciesConstru
         // Fast path in the normal case where the user has not set an own constructor and the Array.prototype.constructor is normal.
         // We need prototype check for subclasses of Array, which are Array objects but have a different prototype by default.
         if (LIKELY(!thisObject->hasCustomProperties()
-            && thisObject->globalObject()->arrayPrototype() == thisObject->prototype()
+            && thisObject->globalObject()->arrayPrototype() == thisObject->getPrototypeDirect()
             && !thisObject->globalObject()->arrayPrototype()->didChangeConstructorOrSpeciesProperties()))
             return std::make_pair(SpeciesConstructResult::FastPath, nullptr);
 
index 22bc43d..484e737 100644 (file)
@@ -112,6 +112,9 @@ struct MethodTable {
     typedef bool (*SetPrototypeFunctionPtr)(JSObject*, ExecState*, JSValue, bool shouldThrowIfCantSet);
     SetPrototypeFunctionPtr setPrototype;
 
+    typedef JSValue (*GetPrototypeFunctionPtr)(JSObject*, ExecState*);
+    GetPrototypeFunctionPtr getPrototype;
+
     typedef void (*DumpToStreamFunctionPtr)(const JSCell*, PrintStream&);
     DumpToStreamFunctionPtr dumpToStream;
 
@@ -166,6 +169,7 @@ struct MethodTable {
         &ClassName::preventExtensions, \
         &ClassName::isExtensible, \
         &ClassName::setPrototype, \
+        &ClassName::getPrototype, \
         &ClassName::dumpToStream, \
         &ClassName::estimatedSize \
     }, \
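Review bot: The new `getPrototype` slot in the method table, and its `GetPrototypeFunctionPtr` typedef in the previous hunk, carry no documentation, although the contract differs sharply from `getPrototypeDirect`: every caller in this patch checks `vm.exception()` after calling it, so it may run JS and throw. Suggest a comment above the typedef: `// [[GetPrototypeOf]]: may run JS (e.g. a Proxy trap) and throw; callers must check vm.exception(). Use JSObject::getPrototypeDirect() for the raw [[Prototype]] slot.`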
index 2679af7..977fab9 100644 (file)
@@ -168,7 +168,7 @@ EncodedJSValue JSC_HOST_CALL functionProtoFuncBind(ExecState* exec)
     }
 
     JSString* name = target.get(exec, exec->propertyNames().name).toString(exec);
-    return JSValue::encode(JSBoundFunction::create(vm, globalObject, targetObject, exec->argument(0), boundArgs, length, name->value(exec)));
+    return JSValue::encode(JSBoundFunction::create(vm, exec, globalObject, targetObject, exec->argument(0), boundArgs, length, name->value(exec)));
 }
 
 } // namespace JSC
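Review bot: The rewritten `return JSValue::encode(JSBoundFunction::create(vm, exec, ...))` never checks for an exception, yet `JSBoundFunction::create` now returns `nullptr` with an exception pending when `getPrototype` throws. The three Intl callers changed in this patch add an explicit `if (vm.exception()) return JSValue::encode(JSValue());` after the same call; functionProtoFuncBind instead relies on a null cell encoding to an empty value, which is implicit and inconsistent. Splitting the call and checking explicitly keeps the callers uniform.
```cpp
    JSString* name = target.get(exec, exec->propertyNames().name).toString(exec);
    JSBoundFunction* boundFunction = JSBoundFunction::create(vm, exec, globalObject, targetObject, exec->argument(0), boundArgs, length, name->value(exec));
    if (UNLIKELY(vm.exception()))
        return JSValue::encode(JSValue());
    return JSValue::encode(boundFunction);
```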
index 1c2fea9..03d98de 100644 (file)
@@ -129,7 +129,9 @@ EncodedJSValue JSC_HOST_CALL IntlCollatorPrototypeGetterCompare(ExecState* state
             return JSValue::encode(throwOutOfMemoryError(state));
 
         // c. Let bc be BoundFunctionCreate(F, «this value»).
-        boundCompare = JSBoundFunction::create(vm, globalObject, targetObject, collator, boundArgs, 2, ASCIILiteral("compare"));
+        boundCompare = JSBoundFunction::create(vm, state, globalObject, targetObject, collator, boundArgs, 2, ASCIILiteral("compare"));
+        if (vm.exception())
+            return JSValue::encode(JSValue());
         // d. Set collator.[[boundCompare]] to bc.
         collator->setBoundCompare(vm, boundCompare);
     }
index ff48ec4..d2c54d6 100644 (file)
@@ -134,7 +134,9 @@ EncodedJSValue JSC_HOST_CALL IntlDateTimeFormatPrototypeGetterFormat(ExecState*
             return JSValue::encode(throwOutOfMemoryError(state));
 
         // c. Let bf be BoundFunctionCreate(F, «this value»).
-        boundFormat = JSBoundFunction::create(vm, globalObject, targetObject, dtf, boundArgs, 1, ASCIILiteral("format"));
+        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, dtf, boundArgs, 1, ASCIILiteral("format"));
+        if (vm.exception())
+            return JSValue::encode(JSValue());
         // d. Set dtf.[[boundFormat]] to bf.
         dtf->setBoundFormat(vm, boundFormat);
     }
index 58c64c5..4bb2ee4 100644 (file)
@@ -122,7 +122,9 @@ EncodedJSValue JSC_HOST_CALL IntlNumberFormatPrototypeGetterFormat(ExecState* st
             return JSValue::encode(throwOutOfMemoryError(state));
 
         // c. Let bf be BoundFunctionCreate(F, «this value»).
-        boundFormat = JSBoundFunction::create(vm, globalObject, targetObject, nf, boundArgs, 1, ASCIILiteral("format"));
+        boundFormat = JSBoundFunction::create(vm, state, globalObject, targetObject, nf, boundArgs, 1, ASCIILiteral("format"));
+        if (vm.exception())
+            return JSValue::encode(JSValue());
         // d. Set nf.[[boundFormat]] to bf.
         nf->setBoundFormat(vm, boundFormat);
     }
index 690cb91..9143785 100644 (file)
@@ -87,9 +87,11 @@ EncodedJSValue JSC_HOST_CALL hasInstanceBoundFunction(ExecState* exec)
     return JSValue::encode(jsBoolean(boundObject->targetFunction()->hasInstance(exec, value)));
 }
 
-inline Structure* getBoundFunctionStructure(VM& vm, JSGlobalObject* globalObject, JSObject* targetFunction)
+inline Structure* getBoundFunctionStructure(VM& vm, ExecState* exec, JSGlobalObject* globalObject, JSObject* targetFunction)
 {
-    JSValue prototype = targetFunction->structure(vm)->storedPrototype();
+    JSValue prototype = targetFunction->getPrototype(vm, exec);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     JSFunction* targetJSFunction = jsDynamicCast<JSFunction*>(targetFunction);
 
     // We only cache the structure of the bound function if the bindee is a JSFunction since there
@@ -117,13 +119,15 @@ inline Structure* getBoundFunctionStructure(VM& vm, JSGlobalObject* globalObject
     return result;
 }
 
-JSBoundFunction* JSBoundFunction::create(VM& vm, JSGlobalObject* globalObject, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int length, const String& name)
+JSBoundFunction* JSBoundFunction::create(VM& vm, ExecState* exec, JSGlobalObject* globalObject, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int length, const String& name)
 {
     ConstructData constructData;
     ConstructType constructType = JSC::getConstructData(targetFunction, constructData);
     bool canConstruct = constructType != ConstructType::None;
     NativeExecutable* executable = vm.getHostFunction(boundFunctionCall, canConstruct ? boundFunctionConstruct : callHostFunctionAsConstructor, ASCIILiteral("Function.prototype.bind result"));
-    Structure* structure = getBoundFunctionStructure(vm, globalObject, targetFunction);
+    Structure* structure = getBoundFunctionStructure(vm, exec, globalObject, targetFunction);
+    if (UNLIKELY(vm.exception()))
+        return nullptr;
     JSBoundFunction* function = new (NotNull, allocateCell<JSBoundFunction>(vm.heap)) JSBoundFunction(vm, globalObject, structure, targetFunction, boundThis, boundArgs);
 
     function->finishCreation(vm, executable, length, makeString("bound ", name));
index 320ba63..89eba8d 100644 (file)
@@ -40,7 +40,7 @@ public:
     typedef JSFunction Base;
     const static unsigned StructureFlags = ~ImplementsDefaultHasInstance & Base::StructureFlags;
 
-    static JSBoundFunction* create(VM&, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);
+    static JSBoundFunction* create(VM&, ExecState*, JSGlobalObject*, JSObject* targetFunction, JSValue boundThis, JSValue boundArgs, int, const String&);
     
     static bool customHasInstance(JSObject*, ExecState*, JSValue);
 
index b9dd0a4..c3fdac7 100644 (file)
@@ -143,7 +143,7 @@ void JSValue::putToPrimitive(ExecState* exec, PropertyName propertyName, JSValue
     JSValue prototype;
     if (propertyName != exec->propertyNames().underscoreProto) {
         for (; !obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto(); obj = asObject(prototype)) {
-            prototype = obj->prototype();
+            prototype = obj->getPrototypeDirect();
             if (prototype.isNull()) {
                 if (slot.isStrictMode())
                     throwTypeError(exec, StrictModeReadonlyPropertyWriteError);
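Review bot: The first loop in putToPrimitive keeps walking the chain with `getPrototypeDirect()` while the second loop (next hunk) switches to the virtual `getPrototype(vm, exec)` with an exception check, and nothing states why the direct read is safe here. Presumably the loop guard `!obj->structure()->hasReadOnlyOrGetterSetterPropertiesExcludingProto()` never holds for a ProxyObject, so the trap-free path is never applied to one; that invariant should be written down next to the loop, e.g. `// Direct [[Prototype]] reads are safe here: the structure predicate above excludes objects with non-trivial [[GetPrototypeOf]] — confirm for ProxyObject.` putToPrimitive starts before this hunk.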
@@ -178,7 +178,9 @@ void JSValue::putToPrimitive(ExecState* exec, PropertyName propertyName, JSValue
             break;
         }
 
-        prototype = obj->prototype();
+        prototype = obj->getPrototype(vm, exec);
+        if (vm.exception())
+            return;
         if (prototype.isNull())
             break;
     }
index 48f5a1a..243b805 100644 (file)
@@ -285,4 +285,9 @@ bool JSCell::setPrototype(JSObject*, ExecState*, JSValue, bool)
     RELEASE_ASSERT_NOT_REACHED();
 }
 
+JSValue JSCell::getPrototype(JSObject*, ExecState*)
+{
+    RELEASE_ASSERT_NOT_REACHED();
+}
+
 } // namespace JSC
index e0dd164..43da049 100644 (file)
@@ -209,6 +209,7 @@ protected:
     static NO_RETURN_DUE_TO_CRASH bool preventExtensions(JSObject*, ExecState*);
     static NO_RETURN_DUE_TO_CRASH bool isExtensible(JSObject*, ExecState*);
     static NO_RETURN_DUE_TO_CRASH bool setPrototype(JSObject*, ExecState*, JSValue, bool);
+    static NO_RETURN_DUE_TO_CRASH JSValue getPrototype(JSObject*, ExecState*);
 
     static String className(const JSObject*);
     JS_EXPORT_PRIVATE static bool customHasInstance(JSObject*, ExecState*, JSValue);
index 2f60f16..23c070d 100644 (file)
@@ -613,7 +613,7 @@ putDirectWithoutTransition(vm, vm.propertyNames-> jsName, lowerName ## Construct
         putDirectWithoutTransition(vm, Identifier::fromString(exec, "$vm"), dollarVM, DontEnum);
     }
 
-    resetPrototype(vm, prototype());
+    resetPrototype(vm, getPrototypeDirect());
 }
 
 bool JSGlobalObject::hasLegacyProfiler() const
@@ -669,8 +669,8 @@ void JSGlobalObject::addFunction(ExecState* exec, const Identifier& propertyName
 static inline JSObject* lastInPrototypeChain(JSObject* object)
 {
     JSObject* o = object;
-    while (o->prototype().isObject())
-        o = asObject(o->prototype());
+    while (o->getPrototypeDirect().isObject())
+        o = asObject(o->getPrototypeDirect());
     return o;
 }
 
@@ -726,7 +726,7 @@ inline void ObjectsWithBrokenIndexingFinder::visit(JSCell* cell)
             break;
         }
         
-        JSValue prototypeValue = current->prototype();
+        JSValue prototypeValue = current->getPrototypeDirect();
         if (prototypeValue.isNull())
             break;
         current = asObject(prototypeValue);
@@ -785,20 +785,20 @@ void JSGlobalObject::haveABadTime(VM& vm)
 bool JSGlobalObject::objectPrototypeIsSane()
 {
     return !hasIndexedProperties(m_objectPrototype->indexingType())
-        && m_objectPrototype->prototype().isNull();
+        && m_objectPrototype->getPrototypeDirect().isNull();
 }
 
 bool JSGlobalObject::arrayPrototypeChainIsSane()
 {
     return !hasIndexedProperties(m_arrayPrototype->indexingType())
-        && m_arrayPrototype->prototype() == m_objectPrototype.get()
+        && m_arrayPrototype->getPrototypeDirect() == m_objectPrototype.get()
         && objectPrototypeIsSane();
 }
 
 bool JSGlobalObject::stringPrototypeChainIsSane()
 {
     return !hasIndexedProperties(m_stringPrototype->indexingType())
-        && m_stringPrototype->prototype() == m_objectPrototype.get()
+        && m_stringPrototype->getPrototypeDirect() == m_objectPrototype.get()
         && objectPrototypeIsSane();
 }
 
index af54e5f..f7bee80 100644 (file)
@@ -379,7 +379,7 @@ protected:
         structure()->setGlobalObject(vm, this);
         m_runtimeFlags = m_globalObjectMethodTable->javaScriptRuntimeFlags(this);
         init(vm);
-        setGlobalThis(vm, JSProxy::create(vm, JSProxy::createStructure(vm, this, prototype(), PureForwardingProxyType), this));
+        setGlobalThis(vm, JSProxy::create(vm, JSProxy::createStructure(vm, this, getPrototypeDirect(), PureForwardingProxyType), this));
     }
 
     void finishCreation(VM& vm, JSObject* thisValue)
index 8e94704..7374ec4 100644 (file)
@@ -784,8 +784,9 @@ EncodedJSValue JSC_HOST_CALL globalFuncThrowTypeError(ExecState* exec)
 
 class GlobalFuncProtoGetterFunctor {
 public:
-    GlobalFuncProtoGetterFunctor(JSObject* thisObject)
-        : m_hasSkippedFirstFrame(false)
+    GlobalFuncProtoGetterFunctor(ExecState* exec, JSObject* thisObject)
+        : m_exec(exec)
+        , m_hasSkippedFirstFrame(false)
         , m_thisObject(thisObject)
         , m_result(JSValue::encode(jsUndefined()))
     {
@@ -801,12 +802,13 @@ public:
         }
 
         if (m_thisObject->allowsAccessFrom(visitor->callFrame()))
-            m_result = JSValue::encode(m_thisObject->prototype());
+            m_result = JSValue::encode(m_thisObject->getPrototype(m_exec->vm(), m_exec));
 
         return StackVisitor::Done;
     }
 
 private:
+    ExecState* m_exec;
     bool m_hasSkippedFirstFrame;
     JSObject* m_thisObject;
     EncodedJSValue m_result;
@@ -822,7 +824,10 @@ EncodedJSValue JSC_HOST_CALL globalFuncProtoGetter(ExecState* exec)
     if (!thisObject)
         return JSValue::encode(exec->thisValue().synthesizePrototype(exec));
 
-    GlobalFuncProtoGetterFunctor functor(thisObject);
+    GlobalFuncProtoGetterFunctor functor(exec, thisObject);
+    // This can throw but it's just unneeded extra work to check for it. The return
+    // value from this function is only used as the return value from a host call.
+    // Therefore, the return value is only used if there wasn't an exception.
     exec->iterate(functor);
     return functor.result();
 }
index e99bbba..c0c09ea 100644 (file)
@@ -76,7 +76,7 @@ bool JSLexicalEnvironment::getOwnPropertySlot(JSObject* object, ExecState* exec,
     // We don't call through to JSObject because there's no way to give a 
     // lexical environment object getter properties or a prototype.
     ASSERT(!thisObject->hasGetterSetterProperties());
-    ASSERT(thisObject->prototype().isNull());
+    ASSERT(thisObject->getPrototypeDirect().isNull());
     return false;
 }
 
index 2f52a1f..2167b4b 100644 (file)
@@ -272,7 +272,7 @@ String JSObject::calculatedClassName(JSObject* object)
 {
     String prototypeFunctionName;
     ExecState* exec = object->globalObject()->globalExec();
-    PropertySlot slot(object->structure()->storedPrototype(), PropertySlot::InternalMethodType::VMInquiry);
+    PropertySlot slot(object->getPrototypeDirect(), PropertySlot::InternalMethodType::VMInquiry);
     PropertyName constructor(exec->propertyNames().constructor);
     if (object->getPropertySlot(exec, constructor, slot)) {
         if (slot.isValue()) {
@@ -430,11 +430,14 @@ void JSObject::putInlineSlow(ExecState* exec, PropertyName propertyName, JSValue
             }
         }
         if (obj->type() == ProxyObjectType && propertyName != vm.propertyNames->underscoreProto) {
+            // FIXME: We shouldn't unconditionally perform [[Set]] here.
+            // We need to do more because this is observable behavior.
+            // https://bugs.webkit.org/show_bug.cgi?id=155012
             ProxyObject* proxy = jsCast<ProxyObject*>(obj);
             proxy->ProxyObject::put(proxy, exec, propertyName, value, slot);
             return;
         }
-        JSValue prototype = obj->prototype();
+        JSValue prototype = obj->getPrototypeDirect();
         if (prototype.isNull())
             break;
         obj = asObject(prototype);
@@ -1201,7 +1204,7 @@ bool JSObject::setPrototypeWithCycleCheck(VM& vm, ExecState* exec, JSValue proto
 {
     ASSERT(methodTable(vm)->toThis(this, exec, NotStrictMode) == this);
 
-    if (this->prototype() == prototype)
+    if (this->getPrototypeDirect() == prototype)
         return true;
 
     bool isExtensible = this->isExtensible(exec);
@@ -1215,13 +1218,16 @@ bool JSObject::setPrototypeWithCycleCheck(VM& vm, ExecState* exec, JSValue proto
     }
 
     JSValue nextPrototype = prototype;
+    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
     while (nextPrototype && nextPrototype.isObject()) {
         if (nextPrototype == this) {
             if (shouldThrowIfCantSet)
                 vm.throwException(exec, createError(exec, ASCIILiteral("cyclic __proto__ value")));
             return false;
         }
-        nextPrototype = asObject(nextPrototype)->prototype();
+        if (UNLIKELY(asObject(nextPrototype)->methodTable(vm)->getPrototype != defaultGetPrototype))
+            break; // We're done. Set the prototype.
+        nextPrototype = asObject(nextPrototype)->getPrototypeDirect();
     }
     setPrototypeDirect(vm, prototype);
     return true;
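Review bot: The comment on the new `break` in setPrototypeWithCycleCheck, `// We're done. Set the prototype.`, does not say why stopping the cycle check at the first object with a non-default getPrototype is correct, which is the non-obvious part: OrdinarySetPrototypeOf (ES2015 §9.1.2, step 8.c) deliberately ends the walk at the first object whose [[GetPrototypeOf]] is not the ordinary one, so a chain that passes through such an object is intentionally not cycle-checked. Suggest `// Per OrdinarySetPrototypeOf the cycle check stops at the first object with a non-ordinary [[GetPrototypeOf]]; the spec allows the chain to continue (or cycle) through it.` The function's closing brace is outside the hunk.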
@@ -1232,6 +1238,11 @@ bool JSObject::setPrototype(JSObject* object, ExecState* exec, JSValue prototype
     return object->setPrototypeWithCycleCheck(exec->vm(), exec, prototype, shouldThrowIfCantSet);
 }
 
+JSValue JSObject::getPrototype(JSObject* object, ExecState*)
+{
+    return object->getPrototypeDirect();
+}
+
 bool JSObject::setPrototype(VM& vm, ExecState* exec, JSValue prototype, bool shouldThrowIfCantSet)
 {
     return methodTable(vm)->setPrototype(this, exec, prototype, shouldThrowIfCantSet);
@@ -1572,12 +1583,19 @@ bool JSObject::defaultHasInstance(ExecState* exec, JSValue value, JSValue proto)
         return false;
     }
 
+    VM& vm = exec->vm();
     JSObject* object = asObject(value);
-    while ((object = object->prototype().getObject())) {
+    while (true) {
+        JSValue objectValue = object->getPrototype(vm, exec);
+        if (UNLIKELY(vm.exception()))
+            return false;
+        if (!objectValue.isObject())
+            return false;
+        object = asObject(objectValue);
         if (proto == object)
             return true;
     }
-    return false;
+    ASSERT_NOT_REACHED();
 }
 
 EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState* exec)
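Review bot: The trailing `ASSERT_NOT_REACHED();` in JSObject::defaultHasInstance is dead code: the new `while (true)` loop has no `break`, every path leaves through a `return` inside it, and in release builds the macro expands to nothing, so the non-void function ends in nothing but a loop the compiler must prove never exits. `RELEASE_ASSERT_NOT_REACHED();`, which this commit already uses for the JSCell stub, or simply dropping the line, makes the intent explicit and does not depend on the build configuration. Separately, `objectValue` holds the result of [[GetPrototypeOf]], so `prototypeValue` — the name attemptToInterceptPutByIndexOnHole uses for the same thing — would read more naturally.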
@@ -1590,24 +1608,29 @@ EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(ExecState* exec)
 
 void JSObject::getPropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
 {
-    object->methodTable(exec->vm())->getOwnPropertyNames(object, exec, propertyNames, mode);
-    if (UNLIKELY(exec->hadException()))
+    VM& vm = exec->vm();
+    object->methodTable(vm)->getOwnPropertyNames(object, exec, propertyNames, mode);
+    if (UNLIKELY(vm.exception()))
         return;
 
-    if (object->prototype().isNull())
+    JSValue nextProto = object->getPrototype(vm, exec);
+    if (UNLIKELY(vm.exception()))
+        return;
+    if (nextProto.isNull())
         return;
 
-    VM& vm = exec->vm();
-    JSObject* prototype = asObject(object->prototype());
+    JSObject* prototype = asObject(nextProto);
     while(1) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
             break;
         }
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);
-        if (UNLIKELY(exec->hadException()))
+        if (UNLIKELY(vm.exception()))
+            return;
+        nextProto = prototype->getPrototype(vm, exec);
+        if (UNLIKELY(vm.exception()))
             return;
-        JSValue nextProto = prototype->prototype();
         if (nextProto.isNull())
             break;
         prototype = asObject(nextProto);
@@ -2027,7 +2050,7 @@ bool JSObject::attemptToInterceptPutByIndexOnHoleForPrototype(ExecState* exec, J
             return true;
         }
         
-        JSValue prototypeValue = current->prototype();
+        JSValue prototypeValue = current->getPrototypeDirect();
         if (prototypeValue.isNull())
             return false;
         
@@ -2037,7 +2060,7 @@ bool JSObject::attemptToInterceptPutByIndexOnHoleForPrototype(ExecState* exec, J
 
 bool JSObject::attemptToInterceptPutByIndexOnHole(ExecState* exec, unsigned i, JSValue value, bool shouldThrow)
 {
-    JSValue prototypeValue = prototype();
+    JSValue prototypeValue = getPrototypeDirect();
     if (prototypeValue.isNull())
         return false;
     
@@ -3029,13 +3052,16 @@ void JSObject::getGenericPropertyNames(JSObject* object, ExecState* exec, Proper
 {
     VM& vm = exec->vm();
     object->methodTable(vm)->getOwnPropertyNames(object, exec, propertyNames, EnumerationMode(mode, JSObjectPropertiesMode::Exclude));
-    if (UNLIKELY(exec->hadException()))
+    if (UNLIKELY(vm.exception()))
         return;
 
-    if (object->prototype().isNull())
+    JSValue nextProto = object->getPrototype(vm, exec);
+    if (UNLIKELY(vm.exception()))
+        return;
+    if (nextProto.isNull())
         return;
 
-    JSObject* prototype = asObject(object->prototype());
+    JSObject* prototype = asObject(nextProto);
     while (true) {
         if (prototype->structure(vm)->typeInfo().overridesGetPropertyNames()) {
             prototype->methodTable(vm)->getPropertyNames(prototype, exec, propertyNames, mode);
@@ -3044,7 +3070,9 @@ void JSObject::getGenericPropertyNames(JSObject* object, ExecState* exec, Proper
         prototype->methodTable(vm)->getOwnPropertyNames(prototype, exec, propertyNames, mode);
         if (UNLIKELY(exec->hadException()))
             return;
-        JSValue nextProto = prototype->prototype();
+        nextProto = prototype->getPrototype(vm, exec);
+        if (UNLIKELY(vm.exception()))
+            return;
         if (nextProto.isNull())
             break;
         prototype = asObject(nextProto);
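Review bot: The check `if (UNLIKELY(exec->hadException()))` that follows the in-loop `getOwnPropertyNames` call in JSObject::getGenericPropertyNames was left untouched, while every other check in this function, and the parallel loop in JSObject::getPropertyNames rewritten in this commit, was switched to `vm.exception()`. Changing it to `if (UNLIKELY(vm.exception()))` keeps the two functions symmetric and presumably saves the `exec->vm()` hop on a path the commit already touches. getGenericPropertyNames ends outside the hunk.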
index 9da05da..796c841 100644 (file)
@@ -103,7 +103,19 @@ public:
     JS_EXPORT_PRIVATE static String className(const JSObject*);
     JS_EXPORT_PRIVATE static String calculatedClassName(JSObject*);
 
-    JSValue prototype() const;
+    // This is the fully virtual [[GetPrototypeOf]] internal function defined
+    // in the ECMAScript 6 specification. Use this when doing a [[GetPrototypeOf]] 
+    // operation as dictated in the specification.
+    JSValue getPrototype(VM&, ExecState*);
+    JS_EXPORT_PRIVATE static JSValue getPrototype(JSObject*, ExecState*);
+    // This gets the prototype directly off of the structure. This does not do
+    // dynamic dispatch on the getPrototype method table method. It is not valid 
+    // to use this when performing a [[GetPrototypeOf]] operation in the specification.
+    // It is valid to use though when you know that you want to directly get it
+    // without consulting the method table. This is akin to getting the [[Prototype]]
+    // internal field directly as described in the specification.
+    JSValue getPrototypeDirect() const;
+
     // This sets the prototype without checking for cycles and without
     // doing dynamic dispatch on [[SetPrototypeOf]] operation in the specification.
     // It is not valid to use this when performing a [[SetPrototypeOf]] operation in
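Review bot: The new comment on `getPrototype(VM&, ExecState*)` should state that, unlike `getPrototypeDirect()`, it dispatches through the method table and can therefore run whatever override a subclass installs — arbitrary user code once a trap is behind it — and leave an exception pending, so the caller must check `vm.exception()` before trusting the result; every call site this commit adds does exactly that, but the header contract does not say so. Suggest appending `// This dispatches through the method table and may throw; callers must check vm.exception() before using the result. getPrototypeDirect() never throws.` The class body continues outside the hunk.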
@@ -759,7 +771,7 @@ protected:
     {
         Base::finishCreation(vm);
         ASSERT(inherits(info()));
-        ASSERT(prototype().isNull() || Heap::heap(this) == Heap::heap(prototype()));
+        ASSERT(getPrototypeDirect().isNull() || Heap::heap(this) == Heap::heap(getPrototypeDirect()));
         ASSERT(structure()->isObject());
         ASSERT(classInfo());
     }
@@ -1124,11 +1136,20 @@ inline JSObject::JSObject(VM& vm, Structure* structure, Butterfly* butterfly)
     vm.heap.ascribeOwner(this, butterfly);
 }
 
-inline JSValue JSObject::prototype() const
+inline JSValue JSObject::getPrototypeDirect() const
 {
     return structure()->storedPrototype();
 }
 
+inline JSValue JSObject::getPrototype(VM& vm, ExecState* exec)
+{
+    auto getPrototypeMethod = methodTable(vm)->getPrototype;
+    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
+    if (LIKELY(getPrototypeMethod == defaultGetPrototype))
+        return getPrototypeDirect();
+    return getPrototypeMethod(this, exec);
+}
+
 // It is safe to call this method with a PropertyName that is actually an index,
 // but if so will always return false (doesn't search index storage).
 ALWAYS_INLINE bool JSObject::getOwnNonIndexPropertySlot(VM& vm, Structure& structure, PropertyName propertyName, PropertySlot& slot)
@@ -1204,6 +1225,7 @@ ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName prope
             // parsing the int again.
             return object->getNonIndexPropertySlot(exec, propertyName, slot);
         }
+        ASSERT(object->type() != ProxyObjectType);
         Structure& structure = *structureIDTable.get(object->structureID());
         if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
             return true;
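Review bot: The new `ASSERT(object->type() != ProxyObjectType);` in JSObject::getPropertySlot has no comment saying which earlier branch guarantees that a ProxyObject cannot reach this point; only the `return object->getNonIndexPropertySlot(exec, propertyName, slot);` branch is visible above it, so the guarantee presumably comes from a condition outside the hunk. A one-line comment naming that condition next to the assertion would spare the next maintainer from reconstructing it when the assertion fires. Both ends of getPropertySlot are outside the hunk.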
@@ -1223,11 +1245,21 @@ ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, unsigned propertyN
     VM& vm = exec->vm();
     auto& structureIDTable = vm.heap.structureIDTable();
     JSObject* object = this;
+    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
     while (true) {
         Structure& structure = *structureIDTable.get(object->structureID());
         if (structure.classInfo()->methodTable.getOwnPropertySlotByIndex(object, exec, propertyName, slot))
             return true;
-        JSValue prototype = structure.storedPrototype();
+        if (UNLIKELY(vm.exception()))
+            return false;
+        JSValue prototype;
+        if (LIKELY(structure.classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry))
+            prototype = structure.storedPrototype();
+        else {
+            prototype = object->getPrototype(vm, exec);
+            if (vm.exception())
+                return false;
+        }
         if (!prototype.isObject())
             return false;
         object = asObject(prototype);
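Review bot: The prototype-selection block added to the indexed JSObject::getPropertySlot — the hoisted `defaultGetPrototype`, the `LIKELY(... == defaultGetPrototype || ... VMInquiry)` test, the `storedPrototype()` fast path and the `getPrototype(vm, exec)` slow path with its exception check — is duplicated verbatim in getNonIndexPropertySlot in the next hunk, and in both places the slow-path check is a bare `if (vm.exception())` while the check a few lines earlier is wrapped in `UNLIKELY`. Pulling the block into one shared helper keeps the two lookup loops in step and gives a home for the comment it is missing: why a VMInquiry lookup reads the stored prototype even when getPrototype is overridden (presumably because a VM-internal inquiry must not run user code; to be confirmed). Both functions' closing braces lie outside their hunks.
```cpp
// Prototype step shared by the indexed and non-indexed getPropertySlot loops.
// VMInquiry lookups read the stored prototype even when getPrototype is
// overridden (rationale to be confirmed: a VM-internal inquiry must not run
// user code). Returns false, with the exception left pending, when the
// [[GetPrototypeOf]] override threw.
static ALWAYS_INLINE bool getPrototypeForPropertyLookup(VM& vm, ExecState* exec, JSObject* object, Structure& structure, PropertySlot& slot, JSValue& prototype)
{
    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
    if (LIKELY(structure.classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry)) {
        prototype = structure.storedPrototype();
        return true;
    }
    prototype = object->getPrototype(vm, exec);
    return !vm.exception();
}

// … in JSObject::getPropertySlot(ExecState*, unsigned, PropertySlot&), replacing the inline block (same in getNonIndexPropertySlot):
        JSValue prototype;
        if (!getPrototypeForPropertyLookup(vm, exec, object, structure, slot, prototype))
            return false;
        // … unchanged: isObject check and advance to the next object …
```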
@@ -1242,14 +1274,26 @@ ALWAYS_INLINE bool JSObject::getNonIndexPropertySlot(ExecState* exec, PropertyNa
     VM& vm = exec->vm();
     auto& structureIDTable = vm.heap.structureIDTable();
     JSObject* object = this;
+    MethodTable::GetPrototypeFunctionPtr defaultGetPrototype = JSObject::getPrototype;
     while (true) {
         Structure& structure = *structureIDTable.get(object->structureID());
         if (LIKELY(!TypeInfo::overridesGetOwnPropertySlot(object->inlineTypeFlags()))) {
             if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot))
                 return true;
-        } else if (structure.classInfo()->methodTable.getOwnPropertySlot(object, exec, propertyName, slot))
-            return true;
-        JSValue prototype = structure.storedPrototype();
+        } else {
+            if (structure.classInfo()->methodTable.getOwnPropertySlot(object, exec, propertyName, slot))
+                return true;
+            if (UNLIKELY(vm.exception()))
+                return false;
+        }
+        JSValue prototype;
+        if (LIKELY(structure.classInfo()->methodTable.getPrototype == defaultGetPrototype || slot.internalMethodType() == PropertySlot::InternalMethodType::VMInquiry))
+            prototype = structure.storedPrototype();
+        else {
+            prototype = object->getPrototype(vm, exec);
+            if (vm.exception())
+                return false;
+        }
         if (!prototype.isObject())
             return false;
         object = asObject(prototype);
index db170f2..f3d2b82 100644 (file)
@@ -42,7 +42,7 @@ ALWAYS_INLINE bool JSObject::canPerformFastPutInline(ExecState* exec, VM& vm, Pr
         if (obj->structure(vm)->hasReadOnlyOrGetterSetterPropertiesExcludingProto() || obj->type() == ProxyObjectType)
             return false;
 
-        prototype = obj->prototype();
+        prototype = obj->getPrototypeDirect();
         if (prototype.isNull())
             return true;
 
index 937c088..40d31fd 100644 (file)
@@ -47,7 +47,7 @@ void JSProxy::setTarget(VM& vm, JSGlobalObject* globalObject)
 {
     ASSERT_ARG(globalObject, globalObject);
     m_target.set(vm, this, globalObject);
-    setPrototypeDirect(vm, globalObject->prototype());
+    setPrototypeDirect(vm, globalObject->getPrototypeDirect());
 
     PrototypeMap& prototypeMap = vm.prototypeMap;
     if (!prototypeMap.isPrototype(this))
index 843e437..96e3fe1 100644 (file)
@@ -77,7 +77,7 @@ static EncodedJSValue JSC_HOST_CALL constructTypedArrayView(ExecState* exec)
     if (object->methodTable()->getConstructData(object, data) == ConstructType::None)
         return JSValue::encode(throwTypeError(exec, "new.target passed to TypedArray is not a valid constructor."));
 
-    for (; !value.isNull(); value = jsCast<JSObject*>(value)->prototype()) {
+    for (; !value.isNull(); value = jsCast<JSObject*>(value)->getPrototypeDirect()) {
         if (jsDynamicCast<JSTypedArrayViewConstructor*>(value))
             return JSValue::encode(throwTypeError(exec, "Unable to find TypedArray constructor that inherits from TypedArray."));
         if (jsDynamicCast<JSGenericTypedArrayViewConstructor<JSInt8Array>*>(value))
index bc0a252..daf1d6e 100644 (file)
@@ -150,8 +150,9 @@ CallType ObjectConstructor::getCallData(JSCell*, CallData& callData)
 
 class ObjectConstructorGetPrototypeOfFunctor {
 public:
-    ObjectConstructorGetPrototypeOfFunctor(JSObject* object)
-        : m_hasSkippedFirstFrame(false)
+    ObjectConstructorGetPrototypeOfFunctor(ExecState* exec, JSObject* object)
+        : m_exec(exec)
+        , m_hasSkippedFirstFrame(false)
         , m_object(object)
         , m_result(jsUndefined())
     {
@@ -167,11 +168,12 @@ public:
         }
 
         if (m_object->allowsAccessFrom(visitor->callFrame()))
-            m_result = m_object->prototype();
+            m_result = m_object->getPrototype(m_exec->vm(), m_exec);
         return StackVisitor::Done;
     }
 
 private:
+    ExecState* m_exec;
     bool m_hasSkippedFirstFrame;
     JSObject* m_object;
     JSValue m_result;
@@ -179,7 +181,10 @@ private:
 
 JSValue objectConstructorGetPrototypeOf(ExecState* exec, JSObject* object)
 {
-    ObjectConstructorGetPrototypeOfFunctor functor(object);
+    ObjectConstructorGetPrototypeOfFunctor functor(exec, object);
+    // This can throw but it's just unneeded extra work to check for it. The return
+    // value from this function is only used as the return value from a host call.
+    // Therefore, the return value is only used if there wasn't an exception.
     exec->iterate(functor);
     return functor.result();
 }
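Review bot: The new comment in objectConstructorGetPrototypeOf justifies skipping the exception check by asserting that the return value is only ever used as a host call's return value, but this is an exported free function returning `JSValue` whose other callers are not visible in this hunk, so that is a claim about call sites rather than about this code. Either make the contract explicit — `// Callers must check vm.exception() before using the result.` — or add `if (UNLIKELY(exec->hadException())) return JSValue();` after `exec->iterate(functor);` so the function is safe regardless of who calls it. The equivalent comment in globalFuncProtoGetter is fine as written, since that function is itself the JSC_HOST_CALL.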
index 326c75e..8a675b0 100644 (file)
@@ -101,14 +101,19 @@ EncodedJSValue JSC_HOST_CALL objectProtoFuncIsPrototypeOf(ExecState* exec)
     if (!exec->argument(0).isObject())
         return JSValue::encode(jsBoolean(false));
 
-    JSValue v = asObject(exec->argument(0))->prototype();
+    VM& vm = exec->vm();
+    JSValue v = asObject(exec->argument(0))->getPrototype(vm, exec);
+    if (UNLIKELY(vm.exception()))
+        return JSValue::encode(JSValue());
 
     while (true) {
         if (!v.isObject())
             return JSValue::encode(jsBoolean(false));
         if (v == thisObj)
             return JSValue::encode(jsBoolean(true));
-        v = asObject(v)->prototype();
+        v = asObject(v)->getPrototype(vm, exec);
+        if (UNLIKELY(vm.exception()))
+            return JSValue::encode(JSValue());
     }
 }
 
index 016a268..9fb6a11 100644 (file)
@@ -90,11 +90,10 @@ static EncodedJSValue performProxyGet(ExecState* exec, EncodedJSValue thisValue,
     // FIXME: make it so that custom getters take both the |this| value and the slotBase (property holder).
     // https://bugs.webkit.org/show_bug.cgi?id=154320
     while (true) {
-        if (LIKELY(proxyObjectAsObject->inherits(ProxyObject::info())))
+        if (LIKELY(proxyObjectAsObject->type() == ProxyObjectType))
             break;
 
-        Structure& structure = *vm.heap.structureIDTable().get(proxyObjectAsObject->structureID());
-        JSValue prototype = structure.storedPrototype();
+        JSValue prototype = proxyObjectAsObject->getPrototypeDirect();
         RELEASE_ASSERT(prototype.isObject());
         proxyObjectAsObject = asObject(prototype);
     }
@@ -1006,7 +1005,9 @@ bool ProxyObject::performSetPrototype(ExecState* exec, JSValue prototype, bool s
     if (targetIsExtensible)
         return true;
 
-    JSValue targetPrototype = target->prototype();
+    JSValue targetPrototype = target->getPrototype(vm, exec);
+    if (vm.exception())
+        return false;
     if (!sameValue(exec, prototype, targetPrototype)) {
         throwVMTypeError(exec, ASCIILiteral("Proxy 'setPrototypeOf' trap returned true when its target is non-extensible and the new prototype value is not the same as the current prototype value. It should have returned false."));
         return false;
index 21bcaa5..de75b4f 100644 (file)
@@ -210,7 +210,7 @@ inline bool Structure::isValid(JSGlobalObject* globalObject, StructureChain* cac
         if (asObject(prototype)->structure() != cachedStructure->get())
             return false;
         ++cachedStructure;
-        prototype = asObject(prototype)->prototype();
+        prototype = asObject(prototype)->getPrototypeDirect();
     }
     return prototype.isNull() && !*cachedStructure;
 }
index d774949..4f51df8 100644 (file)
@@ -367,3 +367,79 @@ function assert(b) {
         assert(threw);
     }
 }
+
+{
+    let e1 = null;
+    let e2 = null;
+    let t1 = {};
+    let called1 = false;
+    let h1 = {
+        has: function(theTarget, propName) {
+            called1 = true;
+            e1 = new Error;
+            throw e1;
+            return false;
+        }
+    };
+    let p1 = new Proxy(t1, h1);
+
+    let t2 = {};
+    t2.__proto__ = p1;
+    let h2 = {
+        has: function(theTarget, propName) {
+            e2 = new Error;
+            throw e2;
+            return false;
+        }
+    };
+    let p2 = new Proxy(t2, h2);
+    for (let i = 0; i < 500; i++) {
+        let threw = false;
+        try {
+            10 in p2;
+        } catch(e) {
+            assert(e === e2);
+            threw = true;
+        }
+        assert(threw);
+        assert(!called1);
+    }
+}
+
+{
+    let e1 = null;
+    let e2 = null;
+    let t1 = {};
+    let called1 = false;
+    let h1 = {
+        has: function(theTarget, propName) {
+            called1 = true;
+            e1 = new Error;
+            throw e1;
+            return false;
+        }
+    };
+    let p1 = new Proxy(t1, h1);
+
+    let t2 = {};
+    t2.__proto__ = p1;
+    let h2 = {
+        has: function(theTarget, propName) {
+            e2 = new Error;
+            throw e2;
+            return false;
+        }
+    };
+    let p2 = new Proxy(t2, h2);
+    for (let i = 0; i < 500; i++) {
+        let threw = false;
+        try {
+            "foo" in p2;
+        } catch(e) {
+            assert(e === e2);
+            threw = true;
+        }
+        assert(threw);
+        assert(!called1);
+    }
+}
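Review bot: The two new blocks in the test are identical except for the operand of `in` (`10` versus `"foo"`), each `has` trap contains a `return false;` that can never execute after the `throw`, and `e1` is assigned but never asserted on. A small helper taking the key, e.g. `function testOuterHasTrapThrowsFirst(key) { /* body of one block, with key in p2 */ }` called once per key, would make the intent — the outer proxy's `has` trap throws before the inner proxy is consulted, for both index and named keys — visible at a glance, and the dead `return false;` lines can go. Adding `assert(e1 === null);` next to `assert(!called1);` would let the unused variable earn its keep.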