Changeset 103981 in webkit for trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

Timestamp:

Jan 3, 2012, 4:06:42 PM (13 years ago)

Author:

[email protected]

Message:

REGRESSION (r98196-98236): Incorrect layout of iGoogle with RSS feeds
​https://bugs.webkit.org/show_bug.cgi?id=75303
<rdar://problem/10633533>

Source/JavaScriptCore:

Reviewed by Gavin Barraclough.

The this argument was not being kept alive in some cases during inlining and intrinsic
optimizations.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleCall):
(JSC::DFG::ByteCodeParser::emitFunctionCheck):
(JSC::DFG::ByteCodeParser::handleInlining):

LayoutTests:

Reviewed by Gavin Barraclough.

• fast/js/dfg-inline-unused-this-expected.txt: Added.
• fast/js/dfg-inline-unused-this-method-check-expected.txt: Added.
• fast/js/dfg-inline-unused-this-method-check.html: Added.
• fast/js/dfg-inline-unused-this.html: Added.
• fast/js/dfg-intrinsic-unused-this-expected.txt: Added.
• fast/js/dfg-intrinsic-unused-this-method-check-expected.txt: Added.
• fast/js/dfg-intrinsic-unused-this-method-check.html: Added.
• fast/js/dfg-intrinsic-unused-this.html: Added.
• fast/js/script-tests/dfg-inline-unused-this-method-check.js: Added.

(foo):
(bar):
(baz):

• fast/js/script-tests/dfg-inline-unused-this.js: Added.

(foo):
(bar):
(baz):

• fast/js/script-tests/dfg-intrinsic-unused-this-method-check.js: Added.

(bar):
(baz):

• fast/js/script-tests/dfg-intrinsic-unused-this.js: Added.

(bar):
(baz):

File:

• trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -81 +81 @@
     // Handle calls. This resolves issues surrounding inlining and intrinsics.
     void handleCall(Interpreter*, Instruction* currentInstruction, NodeType op, CodeSpecializationKind);
+    void emitFunctionCheck(JSFunction* expectedFunction, NodeIndex callTarget, int registerOffset, CodeSpecializationKind);
     // Handle inlining. Return true if it succeeded, false if we need to plant a call.
     bool handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction*, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind);
@@ -941 +942 @@
         if (intrinsic != NoIntrinsic) {
             if (!certainAboutExpectedFunction)
-                addToGraph(CheckFunction, OpInfo(expectedFunction), callTarget);
+                emitFunctionCheck(expectedFunction, callTarget, registerOffset, kind);
             
             if (handleIntrinsic(usesResult, resultOperand, intrinsic, registerOffset, argumentCountIncludingThis, prediction)) {
@@ -960 +961 @@
 }
 
+void ByteCodeParser::emitFunctionCheck(JSFunction* expectedFunction, NodeIndex callTarget, int registerOffset, CodeSpecializationKind kind)
+{
+    NodeIndex thisArgument;
+    if (kind == CodeForCall)
+        thisArgument = get(registerOffset + argumentToOperand(0));
+    else
+        thisArgument = NoNode;
+    addToGraph(CheckFunction, OpInfo(expectedFunction), callTarget, thisArgument);
+}
+
 bool ByteCodeParser::handleInlining(bool usesResult, int callTarget, NodeIndex callTargetNodeIndex, int resultOperand, bool certainAboutExpectedFunction, JSFunction* expectedFunction, int registerOffset, int argumentCountIncludingThis, unsigned nextOffset, CodeSpecializationKind kind)
 {
@@ -1009 +1020 @@
     // are flushed.
     if (!certainAboutExpectedFunction)
-        addToGraph(CheckFunction, OpInfo(expectedFunction), callTargetNodeIndex);
+        emitFunctionCheck(expectedFunction, callTargetNodeIndex, registerOffset, kind);
     
     // FIXME: Don't flush constants!