From 014b9dad4ec5c432410254c0d0cab7d20b1f31d7 Mon Sep 17 00:00:00 2001 From: Jason Schonberg Date: Mon, 29 Sep 2025 14:34:48 -0400 Subject: [PATCH] From: amaxcz Date: Fri, 19 Sep 2025 11:55:30 +0000 Subject: [PATCH] JSC: fix op_instanceof handler for 32-bit C-loop build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit JSC: fix op_instanceof handler for 32-bit C-loop build Fixes missing 'op_instanceof' handler in LowLevelInterpreter32_64.asm which breaks 32‑bit builds. * No ChangeLog (raw external patch). Upstream-Status: Backport [https://bugs.webkit.org/show_bug.cgi?id=299166] Signed-off-by: Jason Schonberg --- .../llint/LowLevelInterpreter32_64.asm | 95 ++++++++++++++++++- 1 file changed, 94 insertions(+), 1 deletion(-) diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm index 0d7c92bb..0b81cc1a 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm 
@@ -3437,4 +3437,97 @@ slowPathOp(enumerator_has_own_property) slowPathOp(mod) llintSlowPathOp(has_structure_with_flags) -llintSlowPathOp(instanceof) + +llintOpWithMetadata(op_instanceof, OpInstanceof, macro (size, get, dispatch, metadata, return) + + macro getAndLoadConstantOrVariable(fieldName, tagReg, payloadReg) + get(fieldName, t5) + loadConstantOrVariable(size, t5, tagReg, payloadReg) + end + + macro isObject(field, falseLabel) + getAndLoadConstantOrVariable(field, t0, t1) + bineq t0, CellTag, falseLabel + bbneq JSCell::m_type[t1], ObjectType, falseLabel + end + + macro overridesHasInstance(hasInstanceField, constructorField, trueLabel) + getAndLoadConstantOrVariable(hasInstanceField, t0, t1) + bineq t0, CellTag, trueLabel + loadp CodeBlock[cfr], t2 + loadp CodeBlock::m_globalObject[t2], t2 + loadp JSGlobalObject::m_functionProtoHasInstanceSymbolFunction[t2], t2 + bpneq t1, t2, trueLabel + + get(constructorField, t5) + loadConstantOrVariablePayload(size, t5, CellTag, t1, trueLabel) + btbz JSCell::m_flags[t1], ImplementsDefaultHasInstance, trueLabel + end + + macro storeValue(tagReg, payloadReg, fieldName) + move tagReg, t0 + move payloadReg, t1 + get(fieldName, t5) + storei t0, TagOffset[cfr, t5, 8] + storei t1, PayloadOffset[cfr, t5, 8] + end + +.getHasInstance: + isObject(m_constructor, .throwStaticError) + get(m_constructor, t5) + metadata(t2, t6) + loadConstantOrVariablePayload(size, t5, CellTag, t3, .getHasInstanceSlow) + performGetByIDHelper(OpInstanceof, m_hasInstanceModeMetadata, m_hasInstanceValueProfile, .getHasInstanceSlow, size, + macro (resultTag, resultPayload) + storeValue(resultTag, resultPayload, m_hasInstanceOrPrototype) + jmp .getPrototype + end) + jmp .getPrototype + +.getHasInstanceSlow: + callSlowPath(_llint_slow_path_get_hasInstance_from_instanceof) + branchIfException(_llint_throw_from_slow_path_trampoline) + jmp .getPrototype + +.getHasInstanceInlinedGetterOSRReturnPoint: + # This path is taken when exiting to the LLInt from an 
inlined getter for Symbol.hasInstance.
+ getterSetterOSRExitReturnPoint(op_instanceof, size)
+ valueProfile(size, OpInstanceof, m_hasInstanceValueProfile, r1, r0, t2)
+ storeValue(r1, r0, m_hasInstanceOrPrototype)
+
+.getPrototype:
+ overridesHasInstance(m_hasInstanceOrPrototype, m_constructor, .instanceofCustom)
+ isObject(m_value, .false)
+ get(m_constructor, t5)
+ metadata(t2, t6)
+ loadConstantOrVariablePayload(size, t5, CellTag, t3, .getPrototypeSlow)
+ performGetByIDHelper(OpInstanceof, m_prototypeModeMetadata, m_prototypeValueProfile, .getPrototypeSlow, size,
+ macro (resultTag, resultPayload)
+ storeValue(resultTag, resultPayload, m_hasInstanceOrPrototype)
+ jmp .instanceof
+ end)
+ jmp .instanceof
+
+.getPrototypeSlow:
+ callSlowPath(_llint_slow_path_get_prototype_from_instanceof)
+ branchIfException(_llint_throw_from_slow_path_trampoline)
+ jmp .instanceof
+
+.instanceof:
+ callSlowPath(_llint_slow_path_instanceof_from_instanceof)
+ dispatch()
+
+.throwStaticError:
+ callSlowPath(_slow_path_throw_static_error_from_instanceof)
+ dispatch()
+
+.instanceofCustom:
+ callSlowPath(_slow_path_instanceof_custom_from_instanceof)
+ dispatch()
+
+.false:
+ get(m_dst, t5)
+ storei BooleanTag, TagOffset[cfr, t5, 8]
+ storei 0, PayloadOffset[cfr, t5, 8]
+ dispatch()
+end)
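Review bot: The `isObject` macro's `bbneq JSCell::m_type[t1], ObjectType, falseLabel` accepts only cells whose JSType is exactly ObjectType, while JSC's isObjectType() is `type >= ObjectType` (ObjectType is the lowest of the object types), so unless the JSType layout has changed a JSFunction constructor is sent to `.throwStaticError` and an array or function on the `m_value` side to `.false`; the check should be the unsigned-below branch `bbb JSCell::m_type[t1], ObjectType, falseLabel`. Separately, `storeValue` copies through t0/t1 with `move tagReg, t0` followed by `move payloadReg, t1`, which clobbers the value whenever the caller's pair is (t1, t0); storing straight from the parameters after `get(fieldName, t5)`, `storei tagReg, TagOffset[cfr, t5, 8]` and `storei payloadReg, PayloadOffset[cfr, t5, 8]`, avoids the hazard provided neither parameter is t5. The handler's `return` parameter is never used because results go through storeValue and `dispatch()`; a one-line comment at the top of the op saying so would spare the next reader a search for the missing return.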