Title: [200597] trunk/Source/_javascript_Core
- Revision
- 200597
- Author
- keith_mil...@apple.com
- Date
- 2016-05-09 16:51:20 -0700 (Mon, 09 May 2016)
Log Message
CallObjectConstructor should not call operationToThis in the FTL
https://bugs.webkit.org/show_bug.cgi?id=157492
<rdar://problem/26149904>
Reviewed by Mark Lam.
At some point when I was working on intrinsifying the Object
constructor, I realized that the Object constructor was different
from the ToObject operation. I fixed the DFG but I guess I didn't
fix the FTL.
This patch fixes an issue with www.wunderground.com not loading
the 10-day forecast and local map.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
* tests/stress/call-object-constructor.js: Added.
(test):
(assert):
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (200596 => 200597)
--- trunk/Source/_javascript_Core/ChangeLog 2016-05-09 23:48:17 UTC (rev 200596)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-05-09 23:51:20 UTC (rev 200597)
@@ -1,3 +1,25 @@
+2016-05-09 Keith Miller <keith_mil...@apple.com>
+
+ CallObjectConstructor should not call operationToThis in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=157492
+ <rdar://problem/26149904>
+
+ Reviewed by Mark Lam.
+
+ At some point when I was working on intrinsifying the Object
+ constructor, I realized that the Object constructor was different
+ from the ToObject operation. I fixed the DFG but I guess I didn't
+ fix the FTL.
+
+ This patch fixes an issue with www.wunderground.com not loading
+ the 10-day forecast and local map.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor):
+ * tests/stress/call-object-constructor.js: Added.
+ (test):
+ (assert):
+
2016-05-09 Saam barati <sbar...@apple.com>
Getter and setter on super are called with wrong "this" object
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (200596 => 200597)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-05-09 23:48:17 UTC (rev 200596)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-05-09 23:51:20 UTC (rev 200597)
@@ -1458,6 +1458,7 @@
void compileCallObjectConstructor()
{
+ JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
LValue value = lowJSValue(m_node->child1());
LBasicBlock isCellCase = m_out.newBlock();
@@ -1471,7 +1472,7 @@
m_out.branch(isObject(value), usually(continuation), rarely(slowCase));
m_out.appendTo(slowCase, continuation);
- ValueFromBlock slowResult = m_out.anchor(vmCall(m_out.int64, m_out.operation(operationToObject), m_callFrame, value));
+ ValueFromBlock slowResult = m_out.anchor(vmCall(m_out.int64, m_out.operation(operationObjectConstructor), m_callFrame, m_out.constIntPtr(globalObject), value));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);
Added: trunk/Source/_javascript_Core/tests/stress/call-object-constructor.js (0 => 200597)
--- trunk/Source/_javascript_Core/tests/stress/call-object-constructor.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/call-object-constructor.js 2016-05-09 23:51:20 UTC (rev 200597)
@@ -0,0 +1,18 @@
+function test(n) {
+ return n === Object(n);
+}
+noInline(test);
+
+function assert(condition) {
+ if (!condition)
+ throw new Error("assertion failed");
+}
+
+for (i = 0; i < 100000; i++) {
+ assert(!test(null));
+ assert(!test(undefined));
+ assert(!test(1));
+ assert(!test(""));
+ assert(!test(Symbol.iterator));
+ assert(test({}));
+}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
