DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when...
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 03:23:54 +0000 (03:23 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 03:23:54 +0000 (03:23 +0000)
commit 2fd7480bc9825f445cb67fd67c06d2a26a81894d
tree 69d374c79eb5db4f54289cb09ab9cef3c59b3627
parent 4b1823a93437f38d3a05183a00ef0fbda991a49c
DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when the executable does not have constructAbility.
https://bugs.webkit.org/show_bug.cgi?id=192386
<rdar://problem/46445516>

Reviewed by Saam Barati.

JSTests:

* stress/regress-192386.js: Added.

Source/JavaScriptCore:

This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238884 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-192386.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp