Changeset 103482 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h

Timestamp:

Dec 21, 2011, 6:23:42 PM (13 years ago)

Author:

[email protected]

Message:

Source/JavaScriptCore: DFG ConvertThis optimizations do not honor the distinction between the global object and the global this object
​https://bugs.webkit.org/show_bug.cgi?id=75058
<rdar://problem/10616612>
<rdar://problem/10617500>

Reviewed by Oliver Hunt.

Added a call to toThisObject() in the DFG when planting a direct reference to the global this object.
Instead of adding a separate toThisObject() method on JSCell which does not take ExecState*, I reascribed
a new contract: if you're calling toThisObject() on JSObject or one of its subtypes, then the ExecState*
is optional.

• dfg/DFGAssemblyHelpers.h:

(JSC::DFG::AssemblyHelpers::globalThisObjectFor):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• runtime/JSObject.h:

LayoutTests: DFG ConvertThis optimizations do not honor the distinction between the global object and the global this object
​https://bugs.webkit.org/show_bug.cgi?id=75058
<rdar://problem/10616612>

Reviewed by Oliver Hunt.

• fast/js/dfg-convert-this-dom-window-expected.txt: Added.
• fast/js/dfg-convert-this-dom-window.html: Added.
• fast/js/script-tests/dfg-convert-this-dom-window.js: Added.

(myObject.call):
(myFunction):
(myFunctionWithCall):
(myFunctionWithCall.call):

File:

• trunk/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGAssemblyHelpers.h

@@ -269 +269 @@
     }
     
+    JSObject* globalThisObjectFor(CodeOrigin codeOrigin)
+    {
+        JSGlobalObject* object = globalObjectFor(codeOrigin);
+        return object->methodTable()->toThisObject(object, 0);
+    }
+    
     bool strictModeFor(CodeOrigin codeOrigin)
     {