Changeset 229987 in webkit


Timestamp:
Mar 26, 2018 2:01:16 PM (6 years ago)
Author:
fpizlo@apple.com
Message:

DFG should know that CreateThis can be effectful
https://bugs.webkit.org/show_bug.cgi?id=184013

Reviewed by Saam Barati.

JSTests:

  • stress/create-this-property-change.js: Added.

(Foo):
(RealBar):
(get if):

  • stress/create-this-structure-change-without-cse.js: Added.

(Foo):
(RealBar):
(get if):

  • stress/create-this-structure-change.js: Added.

(Foo):
(RealBar):
(get if):

Source/JavaScriptCore:

As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
is a proxy.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

Location:
trunk
Files:
3 added
4 edited

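--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,22 @@
+2018-03-26  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should know that CreateThis can be effectful
+        https://bugs.webkit.org/show_bug.cgi?id=184013
+
+        Reviewed by Saam Barati.
+
+        * stress/create-this-property-change.js: Added.
+        (Foo):
+        (RealBar):
+        (get if):
+        * stress/create-this-structure-change-without-cse.js: Added.
+        (Foo):
+        (RealBar):
+        (get if):
+        * stress/create-this-structure-change.js: Added.
+        (Foo):
+        (RealBar):
+        (get if):
+
 2018-03-22  Yusuke Suzuki  <utatane.tea@gmail.com>
 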
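--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,17 @@
+2018-03-26  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG should know that CreateThis can be effectful
+        https://bugs.webkit.org/show_bug.cgi?id=184013
+
+        Reviewed by Saam Barati.
+
+        As shown in the tests added in JSTests, CreateThis can be effectful if the constructor this
+        is a proxy.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2018-03-25  Saam Barati  <sbarati@apple.com>
 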
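--- a/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -2275,4 +2275,5 @@
             }
         }
+        clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(m_graph, SpecFinalObject);
         break;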
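Review bot: The added `clobberWorld(node->origin.semantic, clobberLimit);` carries no comment saying why allocating `this` can run arbitrary code, and that is not obvious from the node name. I would add above it `// CreateThis may call into JS: the constructor can be a proxy, so everything the abstract state knows about the heap must be discarded here.` The call sits before `forNode(node).setType(m_graph, SpecFinalObject)`, so the result type is recorded after the clobber rather than being wiped by it. The start of this case is outside the hunk; if the closing braces above belong to a path that records a precise structure and leaves the case early, that path skips the clobber and should be confirmed to apply only when the callee is known not to be a proxy.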
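--- a/trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGClobberize.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -273,23 +273,7 @@
         return;
 
-    case HasGenericProperty:
-    case HasStructureProperty:
-    case GetPropertyEnumerator: {
-        read(World);
-        write(Heap);
-        return;
-    }
-
     case GetEnumerableLength: {
         read(Heap);
         write(SideState);
-        return;
-    }
-
-    case GetDirectPname: {
-        // This reads and writes heap because it can end up calling a generic getByVal
-        // if the Structure changed, which could in turn end up calling a getter.
-        read(World);
-        write(Heap);
         return;
     }
@@ -538,9 +522,4 @@
         return;
 
-    case ToObject:
-        read(World);
-        write(Heap);
-        return;
-
     case CallObjectConstructor:
         read(HeapObjectCount);
@@ -549,5 +528,4 @@
 
     case ToThis:
-    case CreateThis:
         read(MiscFields);
         read(HeapObjectCount);
@@ -646,4 +624,13 @@
     case ResolveScopeForHoistingFuncDeclInEval:
     case ResolveScope:
+    case ToObject:
+    case HasGenericProperty:
+    case HasStructureProperty:
+    case GetPropertyEnumerator:
+    case GetDirectPname:
+    case InstanceOfCustom:
+    case ToNumber:
+    case NumberToStringWithRadix:
+    case CreateThis:
         read(World);
         write(Heap);
@@ -1030,9 +1017,4 @@
         read(JSCell_structureID);
         def(HeapLocation(InstanceOfLoc, JSCell_structureID, node->child1(), node->child2()), LazyNode(node));
-        return;
-
-    case InstanceOfCustom:
-        read(World);
-        write(Heap);
         return;
 
@@ -1572,10 +1554,4 @@
         return;
 
-    case ToNumber: {
-        read(World);
-        write(Heap);
-        return;
-    }
-       
     case ToString:
     case CallStringConstructor:
@@ -1718,10 +1694,4 @@
     case ToLowerCase:
         def(PureValue(node));
-        return;
-
-    case NumberToStringWithRadix:
-        // If the radix is invalid, NumberToStringWithRadix can throw an error.
-        read(World);
-        write(Heap);
         return;
 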
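Review bot: The consolidated `read(World); write(Heap);` case list that now ends with `case CreateThis:` loses the two comments that explained why `GetDirectPname` (can end up calling a getter) and `NumberToStringWithRadix` (can throw on an invalid radix) are effectful, and `CreateThis` joins the list with no explanation. Since clobberize presumably decides which heap reads and checks the optimizer may reuse across a node, an under-modelled node here is a memory-safety risk rather than a performance detail, so the rationale should stay next to the labels. I would add above the group `// These nodes can run arbitrary JS (getters, proxy traps) or throw, so they read and write everything.` and, beside the new label, `// CreateThis: the constructor may be a proxy; see stress/create-this-*.js.` It is also worth confirming that any other per-node effect table in the DFG agrees with the new classification of CreateThis; none is visible in this changeset.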