WebKit GIT trees - WebKit-https.git/commit

DirectArguments::create needs to initialize to undefined instead of the empty value
https://bugs.webkit.org/show_bug.cgi?id=186818
<rdar://problem/38415177>

Reviewed by Filip Pizlo.

JSTests:

* stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

The bug here is that we will emit code that just loads from DirectArguments as
long as the index is within the known capacity of the arguments object (op_get_from_arguments).
The arguments object has at least enough capacity to hold the declared parameters.
When we materialized this object in OSR exit, we initialized up to to the capacity
with JSValue(). In OSR exit, though, we only filled up to the length of the
object with actual values. So we'd end up with a DirectArguments object with
capacity minus length slots of JSValue(). To fix this, we need initialize up to
capacity with jsUndefined during construction. The invariant of this object is
that the capacity minus length slots at the end are filled in with jsUndefined.

* runtime/DirectArguments.cpp:
(JSC::DirectArguments::create):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233000 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 20 Jun 2018 01:11:45 +0000 (01:11 +0000)
committer	sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 20 Jun 2018 01:11:45 +0000 (01:11 +0000)
commit	afdef3172de6eb0c7ef1c1e1e2d736debec4d7b7
tree	1a93e6eba6cae0073937998149883aa00b1986a8	tree \| snapshot
parent	7d62988756b3fe4ee53fd8a6e2403640267423a3	commit \| diff

JSTests/ChangeLog		diff \| blob \| history
JSTests/stress/create-direct-arguments-in-osr-should-initialize-to-undefined.js	[new file with mode: 0644]	blob
Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/runtime/DirectArguments.cpp		diff \| blob \| history