DFG assumes that NewFunction will never pass its input through
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Jul 2013 23:27:31 +0000 (23:27 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Jul 2013 23:27:31 +0000 (23:27 +0000)
commitb28f7bbed9a8075eee920172758ae53f5de483ef
tree5b84075903119daa0dc9450b3b5d653fdc8e96c1
parent99db41926e359bea5f37652ccfc02bfb1f24dc64
DFG assumes that NewFunction will never pass its input through
https://bugs.webkit.org/show_bug.cgi?id=118798

Source/JavaScriptCore:

Reviewed by Sam Weinig.

Previously the DFG was assuming that NewFunction always returns a function. That's not
the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.

This fact needed to be wired through the compiler.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::makeTop):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Reviewed by Sam Weinig.

* fast/js/dfg-use-function-as-variable-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-merge-structure-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-merge-structure.html: Added.
* fast/js/dfg-use-function-as-variable-not-constant-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-not-constant.html: Added.
* fast/js/dfg-use-function-as-variable-with-closure-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-with-closure.html: Added.
* fast/js/dfg-use-function-as-variable.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-use-function-as-variable-merge-structure.js: Added.
(.x):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable-not-constant.js: Added.
(run_tests.x):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable-with-closure.js: Added.
(run_tests.x):
(run_tests.y):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable.js: Added.
(run_tests.x):
(run_tests):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@152813 268f45cc-cd09-0410-ab3c-d52691b4dbfc
24 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-use-function-as-variable-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-merge-structure-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-merge-structure.html [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-not-constant-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-not-constant.html [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-with-closure-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable-with-closure.html [new file with mode: 0644]
LayoutTests/fast/js/dfg-use-function-as-variable.html [new file with mode: 0644]
LayoutTests/fast/js/jsc-test-list
LayoutTests/fast/js/script-tests/dfg-use-function-as-variable-merge-structure.js [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-use-function-as-variable-not-constant.js [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-use-function-as-variable-with-closure.js [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-use-function-as-variable.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractState.cpp
Source/JavaScriptCore/dfg/DFGAbstractValue.h
Source/JavaScriptCore/dfg/DFGGraph.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGOperations.h
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp