Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6cc943c3323a1a1368934c812e5e8ec08f54dcd4
https://github.com/WebKit/WebKit/commit/6cc943c3323a1a1368934c812e5e8ec08f54dcd4
Author: Yusuke Suzuki <[email protected]>
Date: 2023-02-17 (Fri, 17 Feb 2023)
Changed paths:
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Log Message:
-----------
Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92). rdar://105598149
[JSC] ToThis object folding should check if AbstractValue is always an
object
https://bugs.webkit.org/show_bug.cgi?id=251944
rdar://105175786
Reviewed by Geoffrey Garen and Mark Lam.
ToThis can become Identity for strict mode if it is just primitive values
or its object does not have toThis function overriding.
This is correct, but folding ToThis to Undefined etc. (not Identity) needs
to check that an input only contains objects.
This patch adds appropriate checks to prevent from converting
ToThis(GlobalObject | Int32) to Undefined for example.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::isToThisAnIdentity):
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
Canonical link: https://commits.webkit.org/260455@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
