Title: [238884] trunk
- Revision: 238884
- Author: [email protected]
- Date: 2018-12-04 19:23:54 -0800 (Tue, 04 Dec 2018)
Log Message
DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
https://bugs.webkit.org/show_bug.cgi?id=192386
<rdar://problem/46445516>
Reviewed by Saam Barati.
JSTests:
* stress/regress-192386.js: Added.
Source/JavaScriptCore:
This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Diff
Modified: trunk/JSTests/ChangeLog (238883 => 238884)
--- trunk/JSTests/ChangeLog 2018-12-05 02:18:07 UTC (rev 238883)
+++ trunk/JSTests/ChangeLog 2018-12-05 03:23:54 UTC (rev 238884)
@@ -1,3 +1,13 @@
+2018-12-04 Mark Lam <[email protected]>
+
+ DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
+ https://bugs.webkit.org/show_bug.cgi?id=192386
+ <rdar://problem/46445516>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-192386.js: Added.
+
2018-12-04 Caio Lima <[email protected]>
[ESNext][BigInt] Support logic operations
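Review bot: The title line of this entry spells the node name "DirectContruct"; it should read "DirectConstruct" so that a search of the ChangeLog for the node name finds this fix. The entry also gives no hint of what stress/regress-192386.js exercises; a short phrase after "Added." would help.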
Added: trunk/JSTests/stress/regress-192386.js (0 => 238884)
--- trunk/JSTests/stress/regress-192386.js (rev 0)
+++ trunk/JSTests/stress/regress-192386.js 2018-12-05 03:23:54 UTC (rev 238884)
@@ -0,0 +1,12 @@
+//@ requireOptions("--jitPolicyScale=0")
+
+function foo(x) {
+ try {
+ new x();
+ } catch {
+ }
+}
+
+foo(function() {});
+for (let i = 0; i < 10000; ++i)
+ foo(() => undefined);
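Review bot: The empty `catch { }` around `new x()` means this test passes whether or not constructing the arrow function throws, so it only guards against a crash in the optimizing tiers. Consider recording the caught exception and asserting after the loop that every `foo(() => undefined)` call raised a TypeError, so a miscompile that silently constructs is caught as well. A one-line comment on why the first call passes a constructible `function() {}` before the arrow-function loop would also help the next reader.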
Modified: trunk/Source/_javascript_Core/ChangeLog (238883 => 238884)
--- trunk/Source/_javascript_Core/ChangeLog 2018-12-05 02:18:07 UTC (rev 238883)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-12-05 03:23:54 UTC (rev 238884)
@@ -1,3 +1,16 @@
+2018-12-04 Mark Lam <[email protected]>
+
+ DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
+ https://bugs.webkit.org/show_bug.cgi?id=192386
+ <rdar://problem/46445516>
+
+ Reviewed by Saam Barati.
+
+ This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().
+
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
2018-12-04 Caio Lima <[email protected]>
[ESNext][BigInt] Support logic operations
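Review bot: The explanation line "This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall()" leaves "This" without an antecedent and does not say what the invariant is. Suggest naming the reduction explicitly and stating the condition the assert checks, so the entry can be understood without opening the bug.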
Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (238883 => 238884)
--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2018-12-05 02:18:07 UTC (rev 238883)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2018-12-05 03:23:54 UTC (rev 238884)
@@ -914,6 +914,9 @@
break;
if (FunctionExecutable* functionExecutable = jsDynamicCast<FunctionExecutable*>(vm(), executable)) {
+ if (m_node->op() == Construct && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct)
+ break;
+
// We need to update m_parameterSlots before we get to the backend, but we don't
// want to do too much of this.
unsigned numAllocatedArgs =
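Review bot: The new early `break` for `Construct` with `ConstructAbility::CannotConstruct` carries no comment, while the code directly below it does. Suggest a short comment saying that the direct form must not be emitted for an executable that cannot construct, because operationLinkDirectCall() asserts on it. Separately, the guard sits inside the `jsDynamicCast<FunctionExecutable*>` branch: is there an equivalent concern for executables that fail that cast, or is that path never converted to a direct call?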