Should not predict OtherObj for ToThis with primitive types under strict mode
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 31 Jan 2016 23:05:10 +0000 (23:05 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 31 Jan 2016 23:05:10 +0000 (23:05 +0000)
commit 0f8dfdd0b5b4644374feac828eb189564592ae22
tree 216d702d4a8fcca08a83fc597e2aa828e273bd7b
parent de6dd13cd249cc915c9a9c99de2a33510a7d6ee0
Should not predict OtherObj for ToThis with primitive types under strict mode
https://bugs.webkit.org/show_bug.cgi?id=153544

Reviewed by Filip Pizlo.

Currently, ToThis predicts OtherObj for primitive values.
But it's not true in strict mode.
In strict mode, ToThis does nothing on primitive values.

In this patch, we

1. Fix prediction. Handle primitive types in strict mode. We also handle StringObject.
2. Convert it to Identity if the argument should be predicted as a primitive type.

This optimization is important to implement Primitive.prototype.methods[1].
Otherwise, we always got BadType OSR exits.

[1]: https://bugs.webkit.org/show_bug.cgi?id=143889

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* tests/stress/to-this-boolean.js: Added.
(Boolean.prototype.negate):
(Boolean.prototype.negate2):
* tests/stress/to-this-double.js: Added.
(Number.prototype.negate):
* tests/stress/to-this-int32.js: Added.
(Number.prototype.negate):
* tests/stress/to-this-int52.js: Added.
(Number.prototype.negate):
* tests/stress/to-this-number.js: Added.
(Number.prototype.negate):
* tests/stress/to-this-string.js: Added.
(String.prototype.prefix):
(String.prototype.first):
(String.prototype.second):
* tests/stress/to-this-symbol.js: Added.
(Symbol.prototype.identity):
(Symbol.prototype.identity2):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195938 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/tests/stress/to-this-boolean.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-double.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-int32.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-int52.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-number.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-string.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/to-this-symbol.js [new file with mode: 0644]
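
The receiver semantics this commit message relies on can be observed from script. The following is an added example, not code from the WebKit patch or its stress tests; `makeProbe`, `probeReceiver` and `compareReceivers` are hypothetical helper names and the sample values are constructed. It calls a sloppy and a strict method on each primitive kind the new stress tests cover and reports what `this` is inside the method.

```javascript
// Added example: observable ToThis semantics for primitive receivers.
// Helper names are hypothetical; nothing here is taken from the WebKit tree.

// The Function constructor yields sloppy code unless the body opts in to strict
// mode, so the probes behave the same whether this file is a script or a module.
function makeProbe(strict) {
  const body = (strict ? '"use strict";\n' : '') +
    'return { type: typeof this, isObject: this === Object(this), value: this };';
  return new Function(body);
}

const sloppyProbe = makeProbe(false);
const strictProbe = makeProbe(true);

// Constructed sample receivers, one per primitive kind named by the stress tests.
const samples = { boolean: true, int32: 42, double: 0.5, string: 'abc', symbol: Symbol('s') };

function probeReceiver(probe, receiver) {
  // Install the probe temporarily on the matching prototype so the call goes
  // through ordinary method dispatch with a primitive receiver.
  const proto = Object.getPrototypeOf(receiver);
  const key = Symbol('probe');
  Object.defineProperty(proto, key, { value: probe, configurable: true });
  try {
    return receiver[key]();
  } finally {
    delete proto[key]; // leave the built-in prototype as it was
  }
}

function compareReceivers() {
  const rows = {};
  for (const [kind, receiver] of Object.entries(samples)) {
    const sloppy = probeReceiver(sloppyProbe, receiver);
    const strict = probeReceiver(strictProbe, receiver);
    rows[kind] = {
      sloppyType: sloppy.type,         // sloppy mode: `this` is a wrapper object
      sloppyIsObject: sloppy.isObject,
      strictType: strict.type,         // strict mode: `this` stays primitive
      strictIsObject: strict.isObject,
      strictSameValue: Object.is(strict.value, receiver),
    };
  }
  return rows;
}

console.log(compareReceivers());
```

In strict code the receiver keeps its primitive type in every row, which is the case where the commit message says ToThis does nothing and can be converted to Identity.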