Modified: releases/WebKitGTK/webkit-2.2/LayoutTests/ChangeLog (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/LayoutTests/ChangeLog 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/LayoutTests/ChangeLog 2014-02-18 11:55:49 UTC (rev 164283)
@@ -1,3 +1,18 @@
+2013-09-13 Filip Pizlo <[email protected]>
+
+ DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+ https://bugs.webkit.org/show_bug.cgi?id=121330
+
+ Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+ * js/dfg-strict-mode-to-this-expected.txt: Added.
+ * js/dfg-strict-mode-to-this.html: Added.
+ * js/jsc-test-list:
+ * js/script-tests/dfg-strict-mode-to-this.js: Added.
+ (thingy.bar):
+ (thingy.foo):
+ (thingy):
+
2013-12-06 Lukasz Gajowy <[email protected]>
[ATK] Missing aria roles mappings
Added: releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this-expected.txt (0 => 164283)
--- releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this-expected.txt 2014-02-18 11:55:49 UTC (rev 164283)
@@ -0,0 +1,10 @@
+Tests that doing to-this conversion in strict mode doesn't cause us to believe that if the input is an object then the output is also an object.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS thingy() is false on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this.html (0 => 164283)
--- releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this.html (rev 0)
+++ releases/WebKitGTK/webkit-2.2/LayoutTests/js/dfg-strict-mode-to-this.html 2014-02-18 11:55:49 UTC (rev 164283)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
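Review bot: The three `<script src=""` lines have no closing `>` and no `</script>`, so as shown here the page declares no usable script element and the test would never execute. This looks like the source paths were stripped when the diff was rendered rather than a defect in the commit (presumably the js-test harness pre/post scripts and the script-tests file), so it is worth confirming that the checked-in file carries complete tags.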
Added: releases/WebKitGTK/webkit-2.2/LayoutTests/js/script-tests/dfg-strict-mode-to-this.js (0 => 164283)
--- releases/WebKitGTK/webkit-2.2/LayoutTests/js/script-tests/dfg-strict-mode-to-this.js (rev 0)
+++ releases/WebKitGTK/webkit-2.2/LayoutTests/js/script-tests/dfg-strict-mode-to-this.js 2014-02-18 11:55:49 UTC (rev 164283)
@@ -0,0 +1,14 @@
+description("Tests that doing to-this conversion in strict mode doesn't cause us to believe that if the input is an object then the output is also an object.");
+
+function thingy() {
+ "use strict";
+ function bar() {
+ return this instanceof Object;
+ }
+ function foo() {
+ return bar();
+ }
+ return foo();
+}
+
+dfgShouldBe(thingy, "thingy()", "false");
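Review bot: The test only exercises the strict-mode branch of the fix: `bar()` is called with no receiver, so under `"use strict"` `this` is `undefined` and `this instanceof Object` must stay false through tier-up. The non-strict branch, where the same call would see the global object and the abstract interpreter keeps `source` merged with `SpecObject`, has no companion test, so a regression in the else path would go unnoticed; a sibling script without the directive asserting `"true"` would cover it. The nested `foo`/`bar` pair appears to exist to create an inline frame, which is the condition named in the bug title; a one-line comment such as `// foo exists only so that bar is inlined; the bug was in the inlined strict-mode ToThis.` would make that intent explicit.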
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/ChangeLog (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/ChangeLog 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/ChangeLog 2014-02-18 11:55:49 UTC (rev 164283)
@@ -1,3 +1,25 @@
+2013-09-13 Filip Pizlo <[email protected]>
+
+ DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+ https://bugs.webkit.org/show_bug.cgi?id=121330
+
+ Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+ Also print whether a function is strict mode in debug dumps.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpAssumingJITType):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::dumpInContext):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::::executeEffects):
+ * dfg/DFGOperations.cpp:
+ * dfg/DFGOperations.h:
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2013-09-10 Filip Pizlo <[email protected]>
Introduce a SpecInt48 type and be more careful about what we mean by "Top"
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeBlock.cpp (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeBlock.cpp 2014-02-18 11:55:49 UTC (rev 164283)
@@ -140,6 +140,8 @@
out.print(" (SABI)");
if (ownerExecutable()->neverInline())
out.print(" (NeverInline)");
+ if (ownerExecutable()->isStrictMode())
+ out.print(" (StrictMode)");
out.print("]");
}
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeOrigin.cpp (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeOrigin.cpp 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/bytecode/CodeOrigin.cpp 2014-02-18 11:55:49 UTC (rev 164283)
@@ -110,7 +110,10 @@
void InlineCallFrame::dumpInContext(PrintStream& out, DumpContext* context) const
{
- out.print(briefFunctionInformation(), ":<", RawPointer(executable.get()), ", bc#", caller.bytecodeIndex, ", ", specializationKind());
+ out.print(briefFunctionInformation(), ":<", RawPointer(executable.get()));
+ if (executable->isStrictMode())
+ out.print(" (StrictMode)");
+ out.print(", bc#", caller.bytecodeIndex, ", ", specializationKind());
if (callee)
out.print(", known callee: ", inContext(JSValue(callee.get()), context));
else
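Review bot: The new `executable->isStrictMode()` dereferences `executable` unconditionally, whereas the print on the previous line goes through `RawPointer(executable.get())`, which tolerates a null pointer. If an InlineCallFrame can ever be dumped before its executable is set, the debug dump itself would crash; if that cannot happen, a short `ASSERT(executable);` before the check, or a comment stating the invariant, would document it. dumpInContext's body continues past the hunk.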
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-02-18 11:55:49 UTC (rev 164283)
@@ -1071,8 +1071,12 @@
AbstractValue& source = forNode(node->child1());
AbstractValue& destination = forNode(node);
- destination = source;
- destination.merge(SpecObject);
+ if (m_graph.executableFor(node->codeOrigin)->isStrictMode())
+ destination.makeHeapTop();
+ else {
+ destination = source;
+ destination.merge(SpecObject);
+ }
break;
}
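Review bot: On the strict-mode path the new code calls `destination.makeHeapTop()`, which discards everything known about the result, whereas the non-strict path keeps `source` merged with `SpecObject`. For ordinary values strict-mode to-this conversion leaves the value unchanged, so `destination = source;` would appear both sound and more precise; if HeapTop is deliberate (for instance because the child's abstract value is not trusted at this point, or because some cell types override toThis), the reason deserves a comment such as `// Strict mode: ToThis may return a non-object even for an object input, so be conservative.` The same `executableFor(node->codeOrigin)->isStrictMode()` query is repeated in both SpeculativeJIT files. This case sits inside executeEffects, whose switch starts and ends outside the hunk.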
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.cpp (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.cpp 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.cpp 2014-02-18 11:55:49 UTC (rev 164283)
@@ -465,9 +465,17 @@
VM* vm = &exec->vm();
NativeCallFrameTracer tracer(vm, exec);
- return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
+ return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, NotStrictMode));
}
+EncodedJSValue DFG_OPERATION operationToThisStrict(ExecState* exec, EncodedJSValue encodedOp)
+{
+ VM* vm = &exec->vm();
+ NativeCallFrameTracer tracer(vm, exec);
+
+ return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, StrictMode));
+}
+
JSCell* DFG_OPERATION operationCreateThis(ExecState* exec, JSObject* constructor, int32_t inlineCapacity)
{
VM* vm = &exec->vm();
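Review bot: `operationToThis` now hard-codes `NotStrictMode`, and nothing in the hunk records why the previous `exec->codeBlock()->isStrictMode()` lookup was wrong, so a later maintainer could reasonably reintroduce it. A comment above the function such as `// Strictness is chosen at JIT time from the node's code origin: exec->codeBlock() is the outermost code block, so an inlined callee's strict mode is not visible here.` would capture the rationale the bug title describes. The two bodies are otherwise identical apart from the mode argument; a small static helper taking the mode would keep them from drifting, though the duplication is only a few lines.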
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.h (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.h 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGOperations.h 2014-02-18 11:55:49 UTC (rev 164283)
@@ -134,6 +134,7 @@
JSCell* DFG_OPERATION operationNewObject(ExecState*, Structure*) WTF_INTERNAL;
JSCell* DFG_OPERATION operationCreateThis(ExecState*, JSObject* constructor, int32_t inlineCapacity) WTF_INTERNAL;
EncodedJSValue DFG_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
+EncodedJSValue DFG_OPERATION operationToThisStrict(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
EncodedJSValue DFG_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
EncodedJSValue DFG_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
EncodedJSValue DFG_OPERATION operationGetByVal(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty) WTF_INTERNAL;
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-02-18 11:55:49 UTC (rev 164283)
@@ -3668,9 +3668,14 @@
TrustedImm32(FinalObjectType)));
m_jit.move(thisValuePayloadGPR, tempGPR);
m_jit.move(thisValueTagGPR, tempTagGPR);
+ J_DFGOperation_EJ function;
+ if (m_jit.graph().executableFor(node->codeOrigin)->isStrictMode())
+ function = operationToThisStrict;
+ else
+ function = operationToThis;
addSlowPathGenerator(
slowPathCall(
- slowCases, this, operationToThis,
+ slowCases, this, function,
JSValueRegs(tempTagGPR, tempGPR), thisValueTagGPR, thisValuePayloadGPR));
jsValueResult(tempTagGPR, tempGPR, node);
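Review bot: `J_DFGOperation_EJ function;` is declared uninitialized and then assigned in an if/else, which a single conditional initialization expresses more directly and rules out a future read-before-write: `J_DFGOperation_EJ function = m_jit.graph().executableFor(node->codeOrigin)->isStrictMode() ? operationToThisStrict : operationToThis;`. The same five lines are repeated verbatim in DFGSpeculativeJIT64.cpp, and the strict-mode query appears a third time in DFGAbstractInterpreterInlines.h; a small helper on the graph or node that answers "is this node's origin strict" would keep the three call sites consistent. The enclosing compile() case starts before the hunk.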
Modified: releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-02-18 11:55:49 UTC (rev 164283)
@@ -3584,8 +3584,13 @@
MacroAssembler::Address(tempGPR, Structure::typeInfoTypeOffset()),
TrustedImm32(FinalObjectType)));
m_jit.move(thisValueGPR, tempGPR);
+ J_DFGOperation_EJ function;
+ if (m_jit.graph().executableFor(node->codeOrigin)->isStrictMode())
+ function = operationToThisStrict;
+ else
+ function = operationToThis;
addSlowPathGenerator(
- slowPathCall(slowCases, this, operationToThis, tempGPR, thisValueGPR));
+ slowPathCall(slowCases, this, function, tempGPR, thisValueGPR));
jsValueResult(tempGPR, node);
break;
Modified: releases/WebKitGTK/webkit-2.2/Tools/ChangeLog (164282 => 164283)
--- releases/WebKitGTK/webkit-2.2/Tools/ChangeLog 2014-02-18 11:39:05 UTC (rev 164282)
+++ releases/WebKitGTK/webkit-2.2/Tools/ChangeLog 2014-02-18 11:55:49 UTC (rev 164283)
@@ -1,3 +1,14 @@
+2013-09-13 Filip Pizlo <[email protected]>
+
+ DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+ https://bugs.webkit.org/show_bug.cgi?id=121330
+
+ Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+ We should run tests even if they don't have expected files yet.
+
+ * Scripts/run-layout-jsc:
+
2014-01-08 Alberto Garcia <[email protected]>
Fix some compilation warnings