Index: branches/safari-607-branch
===================================================================
--- branches/safari-607-branch 2019-02-06 18:59:01 UTC (rev 241031)
+++ branches/safari-607-branch 2019-02-06 19:09:55 UTC (rev 241032)
Property changes: branches/safari-607-branch
Modified: svn:mergeinfo
-/trunk:53455,239940,240329,240335
\ No newline at end of property
+/trunk:53455,239940,240329,240335,240616
\ No newline at end of property
Modified: branches/safari-607-branch/JSTests/ChangeLog (241031 => 241032)
--- branches/safari-607-branch/JSTests/ChangeLog 2019-02-06 18:59:01 UTC (rev 241031)
+++ branches/safari-607-branch/JSTests/ChangeLog 2019-02-06 19:09:55 UTC (rev 241032)
@@ -1,3 +1,19 @@
+2019-01-28 Mark Lam <mark....@apple.com>
+
+ Cherry-pick r240616. rdar://problem/47774497
+
+ 2019-01-28 Mark Lam <mark....@apple.com>
+
+ ToString node actually does GC.
+ https://bugs.webkit.org/show_bug.cgi?id=193920
+ <rdar://problem/46695900>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/dfg-to-string-on-int-does-gc.js: Added.
+ * stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
+ * stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.
+
2019-01-28 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r240449. rdar://problem/47586886
Copied: branches/safari-607-branch/JSTests/stress/dfg-to-string-on-int-does-gc.js (from rev 240616, trunk/JSTests/stress/dfg-to-string-on-int-does-gc.js) (0 => 241032)
--- branches/safari-607-branch/JSTests/stress/dfg-to-string-on-int-does-gc.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/dfg-to-string-on-int-does-gc.js 2019-02-06 19:09:55 UTC (rev 241032)
@@ -0,0 +1,26 @@
+//@ requireOptions("--exceptionStackTraceLimit=0", "--defaultErrorStackTraceLimit=0", "--forceRAMSize=1000000", "--forceDebuggerBytecodeGeneration=1", "--useZombieMode=1", "--jitPolicyScale=0", "--collectContinuously=1", "--useConcurrentJIT=0")
+
+function assert(b) {
+ if (!b)
+ throw new Error('aa');
+}
+
+var exception;
+try {
+ let target = function (x, y) {
+ const actual = '' + x;
+ target(x);
+ };
+ let handler = {
+ apply: function (theTarget, thisArg, argArray) {
+ return theTarget.apply([], argArray);
+ }
+ };
+ let proxy = new Proxy(target, handler);
+ assert(proxy(10, 20) === 'foo');
+} catch(e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw "FAILED";
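Review bot: A failure in this file loses the actual exception: `if (exception != "RangeError: Maximum call stack size exceeded.")` coerces the caught error with a loose `!=` and `throw "FAILED"` then discards it, so any unexpected error is reported only as a bare string. Consider `if (String(exception) !== "RangeError: Maximum call stack size exceeded.")` followed by `throw new Error("FAILED: " + exception);` so the real message reaches the test log. The same pattern appears in the other two new files, dfg-to-string-on-string-object-does-not-gc.js and dfg-to-string-on-string-or-string-object-does-not-gc.js. A header comment would also help, since the ChangeLog explains the intent but the file does not: `// '' + x makes the DFG emit ToString on an int, which may allocate a JSString and therefore GC; see webkit.org/b/193920.`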
Copied: branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-object-does-not-gc.js (from rev 240616, trunk/JSTests/stress/dfg-to-string-on-string-object-does-not-gc.js) (0 => 241032)
--- branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-object-does-not-gc.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-object-does-not-gc.js 2019-02-06 19:09:55 UTC (rev 241032)
@@ -0,0 +1,26 @@
+//@ requireOptions("--exceptionStackTraceLimit=0", "--defaultErrorStackTraceLimit=0", "--forceRAMSize=1000000", "--forceDebuggerBytecodeGeneration=1", "--useZombieMode=1", "--jitPolicyScale=0", "--collectContinuously=1", "--useConcurrentJIT=0")
+
+function assert(b) {
+ if (!b)
+ throw new Error('aa');
+}
+
+var exception;
+try {
+ let target = function (x, y) {
+ const actual = '' + x;
+ target(x);
+ };
+ let handler = {
+ apply: function (theTarget, thisArg, argArray) {
+ return theTarget.apply([], argArray);
+ }
+ };
+ let proxy = new Proxy(target, handler);
+ assert(proxy(new String("10"), new String("20")) === 'foo');
+} catch(e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw "FAILED";
Copied: branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-or-string-object-does-not-gc.js (from rev 240616, trunk/JSTests/stress/dfg-to-string-on-string-or-string-object-does-not-gc.js) (0 => 241032)
--- branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-or-string-object-does-not-gc.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/dfg-to-string-on-string-or-string-object-does-not-gc.js 2019-02-06 19:09:55 UTC (rev 241032)
@@ -0,0 +1,34 @@
+//@ requireOptions("--exceptionStackTraceLimit=0", "--defaultErrorStackTraceLimit=0", "--forceRAMSize=1000000", "--forceDebuggerBytecodeGeneration=1", "--useZombieMode=1", "--jitPolicyScale=0", "--collectContinuously=1", "--useConcurrentJIT=0")
+
+function assert(b) {
+ if (!b)
+ throw new Error('aa');
+}
+
+let alternate = true;
+var exception;
+try {
+ function alter(x) {
+ alternate = !alternate;
+ if (alternate)
+ return new String(x);
+ return x;
+ }
+ noInline(alter);
+ let target = function (x, y) {
+ const actual = '' + alter(x);
+ target(x);
+ };
+ let handler = {
+ apply: function (theTarget, thisArg, argArray) {
+ return theTarget.apply([], argArray);
+ }
+ };
+ let proxy = new Proxy(target, handler);
+ assert(proxy("10", "20") === 'foo');
+} catch(e) {
+ exception = e;
+}
+
+if (exception != "RangeError: Maximum call stack size exceeded.")
+ throw "FAILED";
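Review bot: `function alter(x)` is declared inside the `try` block, so in this sloppy-mode script its binding relies on block-level function hoisting semantics while the neighbouring `target` and `handler` use `let`. `const alter = function (x) { ... };` placed at the same spot, or a top-level declaration next to `assert`, would keep the scoping uniform, and `noInline(alter)` works unchanged on the resulting function value. I cannot tell from the hunk whether the tier-up behaviour this test depends on is sensitive to that choice, so it is a style point rather than a correctness one.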
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (241031 => 241032)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 18:59:01 UTC (rev 241031)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 19:09:55 UTC (rev 241032)
@@ -1,3 +1,21 @@
+2019-01-28 Mark Lam <mark....@apple.com>
+
+ Cherry-pick r240616. rdar://problem/47774497
+
+ 2019-01-28 Mark Lam <mark....@apple.com>
+
+ ToString node actually does GC.
+ https://bugs.webkit.org/show_bug.cgi?id=193920
+ <rdar://problem/46695900>
+
+ Reviewed by Yusuke Suzuki.
+
+ Other than for StringObjectUse and StringOrStringObjectUse, ToString and
+ CallStringConstructor can allocate new JSStrings, and hence, can GC.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+
2019-01-30 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r240633. rdar://problem/47682687
Modified: branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp (241031 => 241032)
--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 18:59:01 UTC (rev 241031)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 19:09:55 UTC (rev 241032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -197,8 +197,6 @@
case LogicalNot:
case ToPrimitive:
case ToNumber:
- case ToString:
- case CallStringConstructor:
case NumberToStringWithRadix:
case NumberToStringWithValidRadixConstant:
case InByVal:
@@ -383,6 +381,17 @@
case MapSet:
return true;
+ case CallStringConstructor:
+ case ToString:
+ switch (node->child1().useKind()) {
+ case StringObjectUse:
+ case StringOrStringObjectUse:
+ return false;
+ default:
+ break;
+ }
+ return true;
+
case GetIndexedPropertyStorage:
if (node->arrayMode().type() == Array::String)
return true;