MSVSphere Packaging Team
2 years ago
parent
1f7588cadd
commit
c8a3ee4982
@ -0,0 +1,55 @@
|
||||
From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
|
||||
From: Yusuke Suzuki <ysuzuki@apple.com>
|
||||
Date: Wed, 8 Feb 2023 15:32:00 -0800
|
||||
Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
|
||||
|
||||
[JSC] ToThis object folding should check if AbstractValue is always an object
|
||||
https://bugs.webkit.org/show_bug.cgi?id=251944
|
||||
rdar://105175786
|
||||
|
||||
Reviewed by Geoffrey Garen and Mark Lam.
|
||||
|
||||
ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
|
||||
This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
|
||||
This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
|
||||
|
||||
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
|
||||
(JSC::DFG::isToThisAnIdentity):
|
||||
|
||||
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
|
||||
---
|
||||
.../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
index ea7bcd6b7b31..ef3f6bbe376e 100644
|
||||
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
|
||||
@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
||||
}
|
||||
}
|
||||
|
||||
- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
|
||||
+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
|
||||
+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
|
||||
bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
|
||||
bool overridesToThis = false;
|
||||
valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
|
||||
@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
|
||||
// If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
|
||||
allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
|
||||
});
|
||||
+
|
||||
+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
|
||||
if (!overridesToThis)
|
||||
return ToThisResult::Identity;
|
||||
- if (allStructuresAreJSScope) {
|
||||
+
|
||||
+ // But this folding is available only if input is always an object.
|
||||
+ if (onlyObjects && allStructuresAreJSScope) {
|
||||
if (ecmaMode.isStrict())
|
||||
return ToThisResult::Undefined;
|
||||
return ToThisResult::GlobalThis;
|
||||
--
|
||||
2.39.1
|
||||
|
||||
Loading…
Reference in new issue