Modified: trunk/Source/_javascript_Core/ChangeLog (185599 => 185600)
--- trunk/Source/_javascript_Core/ChangeLog 2015-06-16 18:41:21 UTC (rev 185599)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-06-16 19:17:40 UTC (rev 185600)
@@ -1,3 +1,15 @@
+2015-06-15 Filip Pizlo <fpi...@apple.com>
+
+ FTL boolify() UntypedUse is wrong in the masquerades-as-undefined case
+ https://bugs.webkit.org/show_bug.cgi?id=146002
+
+ Reviewed by Darin Adler.
+
+ * ftl/FTLLowerDFGToLLVM.cpp: Put this in an anonymous namespace. We should have done that all along. It makes it easier to add debug code.
+ (JSC::FTL::DFG::LowerDFGToLLVM::boolify): Fix the bug.
+ * tests/stress/logical-not-masquerades.js: Added. This test creates a masquerader so that the watchpoint is invalid. Previously this would fail for the normal object cases.
+ (foo):
+
2015-06-16 Andreas Kling <akl...@apple.com>
[JSC] Pre-bake final Structure for RegExp matches arrays.
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (185599 => 185600)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-06-16 18:41:21 UTC (rev 185599)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2015-06-16 19:17:40 UTC (rev 185600)
@@ -63,8 +63,10 @@
using namespace DFG;
-static std::atomic<int> compileCounter;
+namespace {
+std::atomic<int> compileCounter;
+
#if ASSERT_DISABLED
NO_RETURN_DUE_TO_CRASH static void ftlUnreachable()
{
@@ -6301,7 +6303,7 @@
else {
LBasicBlock masqueradesCase = FTL_NEW_BLOCK(m_out, ("Boolify untyped masquerades case"));
- results.append(m_out.anchor(m_out.booleanFalse));
+ results.append(m_out.anchor(m_out.booleanTrue));
m_out.branch(
m_out.testIsZero8(
@@ -8660,6 +8662,8 @@
unsigned m_tbaaStructKind;
};
+} // anonymous namespace
+
void lowerDFGToLLVM(State& state)
{
LowerDFGToLLVM lowering(state);
Added: trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js (0 => 185600)
--- trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/logical-not-masquerades.js 2015-06-16 19:17:40 UTC (rev 185600)
@@ -0,0 +1,33 @@
+function foo(value) {
+ return !!value;
+}
+
+noInline(foo);
+
+var tests = [
+ [0, false],
+ [1, true],
+ [0/0, false],
+ [0/-1, false],
+ [0.0, false],
+ ["", false],
+ ["f", true],
+ ["hello", true],
+ [{}, true],
+ [[], true],
+ [null, false],
+ [void 0, false],
+ [false, false],
+ [true, true],
+ [makeMasquerader(), false]
+];
+
+for (var i = 0; i < 10000; ++i) {
+ for (var j = 0; j < tests.length; ++j) {
+ var input = tests[j][0];
+ var expected = tests[j][1];
+ var result = foo(input);
+ if (result !== expected)
+ throw "Error: bad result for " + input + ": " + result;
+ }
+}