Changeset 155730 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

Timestamp:

Sep 13, 2013, 4:18:19 PM (12 years ago)

Author:

[email protected]

Message:

DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
​https://bugs.webkit.org/show_bug.cgi?id=121330

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg and Oliver Hunt.

Also print whether a function is strict mode in debug dumps.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpAssumingJITType):

• bytecode/CodeOrigin.cpp:

(JSC::InlineCallFrame::dumpInContext):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGOperations.cpp:
• dfg/DFGOperations.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Tools:

Reviewed by Mark Hahnenberg and Oliver Hunt.

We should run tests even if they don't have expected files yet.

• Scripts/run-layout-jsc:

LayoutTests:

Reviewed by Mark Hahnenberg and Oliver Hunt.

• js/dfg-strict-mode-to-this-expected.txt: Added.
• js/dfg-strict-mode-to-this.html: Added.
• js/jsc-test-list:
• js/script-tests/dfg-strict-mode-to-this.js: Added.

(thingy.bar):
(thingy.foo):
(thingy):

File:

• trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1045 +1045 @@
         AbstractValue& destination = forNode(node);
             
-        destination = source;
-        destination.merge(SpecObject);
+        if (m_graph.executableFor(node->codeOrigin)->isStrictMode())
+            destination.makeHeapTop();
+        else {
+            destination = source;
+            destination.merge(SpecObject);
+        }
         break;
     }