|
 |
2acba3 |
From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
|
|
|
2acba3 |
From: Yusuke Suzuki <ysuzuki@apple.com>
|
|
|
2acba3 |
Date: Wed, 8 Feb 2023 15:32:00 -0800
|
|
|
2acba3 |
Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
|
|
|
2acba3 |
|
|
|
2acba3 |
[JSC] ToThis object folding should check if AbstractValue is always an object
|
|
|
2acba3 |
https://bugs.webkit.org/show_bug.cgi?id=251944
|
|
|
2acba3 |
rdar://105175786
|
|
|
2acba3 |
|
|
|
2acba3 |
Reviewed by Geoffrey Garen and Mark Lam.
|
|
|
2acba3 |
|
|
|
2acba3 |
ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
|
|
|
2acba3 |
This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
|
|
|
2acba3 |
This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
|
|
|
2acba3 |
|
|
|
2acba3 |
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
|
|
|
2acba3 |
(JSC::DFG::isToThisAnIdentity):
|
|
|
2acba3 |
|
|
|
2acba3 |
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
|
|
|
2acba3 |
---
|
|
|
2acba3 |
.../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
|
|
|
2acba3 |
1 file changed, 7 insertions(+), 2 deletions(-)
|
|
|
2acba3 |
|
|
|
2acba3 |
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
|
|
2acba3 |
index ea7bcd6b7b31..ef3f6bbe376e 100644
|
|
|
2acba3 |
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
|
|
2acba3 |
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
|
|
2acba3 |
@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
|
|
2acba3 |
}
|
|
|
2acba3 |
}
|
|
|
2acba3 |
|
|
|
2acba3 |
- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
|
|
|
2acba3 |
+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
|
|
|
2acba3 |
+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
|
|
|
2acba3 |
bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
|
|
|
2acba3 |
bool overridesToThis = false;
|
|
|
2acba3 |
valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
|
|
|
2acba3 |
@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
|
|
2acba3 |
// If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
|
|
|
2acba3 |
allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
|
|
|
2acba3 |
});
|
|
|
2acba3 |
+
|
|
|
2acba3 |
+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
|
|
|
2acba3 |
if (!overridesToThis)
|
|
|
2acba3 |
return ToThisResult::Identity;
|
|
|
2acba3 |
- if (allStructuresAreJSScope) {
|
|
|
2acba3 |
+
|
|
|
2acba3 |
+ // But this folding is available only if input is always an object.
|
|
|
2acba3 |
+ if (onlyObjects && allStructuresAreJSScope) {
|
|
|
2acba3 |
if (ecmaMode.isStrict())
|
|
|
2acba3 |
return ToThisResult::Undefined;
|
|
|
2acba3 |
return ToThisResult::GlobalThis;
|
|
|
2acba3 |
--
|
|
|
2acba3 |
2.39.1
|
|
|
2acba3 |
|