Title: [202487] trunk/Source/_javascript_Core
- Revision
- 202487
- Author
- [email protected]
- Date
- 2016-06-27 09:48:31 -0700 (Mon, 27 Jun 2016)
Log Message
DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly
https://bugs.webkit.org/show_bug.cgi?id=159117
<rdar://problem/26996781>
Reviewed by Saam Barati.
DFGByteCodeParsing always assumed there would be an argument to the Object constructor.
This is clearly not always the case and we should be able to handle it.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* tests/stress/indirect-call-object-constructor-with-no-arguments.js: Added.
(let.foo.Object.test):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (202486 => 202487)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-27 16:01:00 UTC (rev 202486)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-27 16:48:31 UTC (rev 202487)
@@ -1,3 +1,19 @@
+2016-06-25 Keith Miller <[email protected]>
+
+ DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly
+ https://bugs.webkit.org/show_bug.cgi?id=159117
+ <rdar://problem/26996781>
+
+ Reviewed by Saam Barati.
+
+ DFGByteCodeParsing always assumed there would be an argument to the Object constructor.
+ This is clearly not always the case and we should be able to handle it.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+ * tests/stress/indirect-call-object-constructor-with-no-arguments.js: Added.
+ (let.foo.Object.test):
+
2016-06-24 Filip Pizlo <[email protected]>
B3 should die sooner if a Value has the wrong number of children
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (202486 => 202487)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-06-27 16:01:00 UTC (rev 202486)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-06-27 16:48:31 UTC (rev 202487)
@@ -2690,7 +2690,11 @@
if (function->classInfo() == ObjectConstructor::info() && kind == CodeForCall) {
insertChecks();
- Node* result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
+ Node* result;
+ if (argumentCountIncludingThis <= 1)
+ result = addToGraph(NewObject, OpInfo(function->globalObject()->objectStructureForObjectConstructor()));
+ else
+ result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
set(VirtualRegister(resultOperand), result);
return true;
}
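Review bot: the `argumentCountIncludingThis <= 1` guard is the actual fix here, since the removed line called `get(virtualRegisterForArgument(1, registerOffset))` unconditionally and so read an argument slot that a zero-argument call site never supplied; the new branch deserves a one-line comment saying why `NewObject` with `objectStructureForObjectConstructor()` is equivalent in that case (calling `Object` with no value argument is specified to return a fresh ordinary object), otherwise a later reader has to work out why the two branches emit different node types. The unchanged `kind == CodeForCall` condition on the first context line means the construct path is untouched by this change, which is worth stating in the ChangeLog as well.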
Added: trunk/Source/_javascript_Core/tests/stress/indirect-call-object-constructor-with-no-arguments.js (0 => 202487)
--- trunk/Source/_javascript_Core/tests/stress/indirect-call-object-constructor-with-no-arguments.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/indirect-call-object-constructor-with-no-arguments.js 2016-06-27 16:48:31 UTC (rev 202487)
@@ -0,0 +1,9 @@
+let foo = Object
+
+function test() {
+ return foo();
+}
+noInline(test);
+
+for (i = 0; i < 100000; i++)
+ test();
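Review bot: the test only proves that `foo()` with no arguments no longer crashes once `test` has been tiered up; the return value is discarded, so a regression that produced the wrong value on the new `NewObject` path would still pass. Suggest asserting on the result inside the loop, for example `if (Object.getPrototypeOf(test()) !== Object.prototype) throw new Error("bad result");` and checking that two consecutive calls return distinct objects. Minor: `i` in the `for` loop is an undeclared global, `let i = 0` keeps the test strict-mode clean.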
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes