Title: [197155] trunk/Source/_javascript_Core
Revision: 197155
Author: benja...@webkit.org
Date: 2016-02-25 18:04:42 -0800 (Thu, 25 Feb 2016)

Log Message

[JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
https://bugs.webkit.org/show_bug.cgi?id=154664

Reviewed by Saam Barati.

When doing OSR Enter into a constructor, we lose the information
that this may have been set to empty by a previously executed block.

All the code just assumed the type for a FlushedJS value and thus
not an empty value. It was then okay to eliminate the TDZ checks.

In this patch, the values on root entry now assume they may be empty.
As a result, the SetArgument() for "this" has "empty" as possible
type and the TDZ checks are no longer eliminated.

* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (197154 => 197155)


--- trunk/Source/_javascript_Core/ChangeLog	2016-02-26 02:04:01 UTC (rev 197154)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-02-26 02:04:42 UTC (rev 197155)
@@ -1,3 +1,23 @@
+2016-02-25  Benjamin Poulain  <benja...@webkit.org>
+
+        [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
+        https://bugs.webkit.org/show_bug.cgi?id=154664
+
+        Reviewed by Saam Barati.
+
+        When doing OSR Enter into a constructor, we lose the information
+        that this may have been set to empty by a previously executed block.
+
+        All the code just assumed the type for a FlushedJS value and thus
+        not an empty value. It was then okay to eliminate the TDZ checks.
+
+        In this patch, the values on root entry now assume they may be empty.
+        As a result, the SetArgument() for "this" has "empty" as possible
+        type and the TDZ checks are no longer eliminated.
+
+        * dfg/DFGInPlaceAbstractState.cpp:
+        (JSC::DFG::InPlaceAbstractState::initialize):
+
 2016-02-25  Ada Chan  <adac...@apple.com>
 
         Update the definition of ENABLE_VIDEO_PRESENTATION_MODE for Mac platform
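Review bot: the ChangeLog entry lists only dfg/DFGInPlaceAbstractState.cpp and no test, although the change restores a safety check (the TDZ check on "this") that was being wrongly eliminated; a regression test that drives a constructor through FTL OSR entry while "this" is still empty (for example a derived-class constructor that loops before calling super) would keep this from silently regressing. Minor: in "that this may have been set to empty" the word this reads as a pronoun; quoting it as "this", as the title does, makes the sentence unambiguous.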

Modified: trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp (197154 => 197155)


--- trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp	2016-02-26 02:04:01 UTC (rev 197154)
+++ trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp	2016-02-26 02:04:42 UTC (rev 197155)
@@ -121,7 +121,7 @@
             root->valuesAtHead.argument(i).setType(m_graph, SpecCell);
             break;
         case FlushedJSValue:
-            root->valuesAtHead.argument(i).makeHeapTop();
+            root->valuesAtHead.argument(i).makeBytecodeTop();
             break;
         default:
             DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
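Review bot: the switch from makeHeapTop() to makeBytecodeTop() in the FlushedJSValue case deserves a one-line comment in the code, because the only difference between the two is that BytecodeTop additionally admits the empty (TDZ) value, and a later reader "tightening" it back to HeapTop would reintroduce the bug described in the ChangeLog. Something like "// An argument flushed as JSValue may still be empty at OSR entry (e.g. "this" in a constructor before super()), so the TDZ check must not be proven away." next to the makeBytecodeTop() line would record the invariant. Note that the change widens every FlushedJSValue argument at root entry, not only argument 0 ("this"); that is the conservative direction and matches the ChangeLog wording, but it is worth confirming that the extra empty type does not cause new check insertions on hot non-constructor entry paths.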
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes