ToString node actually does GC.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 00:41:45 +0000 (00:41 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 00:41:45 +0000 (00:41 +0000)
commit d58056630522c275b608b690641f80aa8431a08b
tree 3878bc94503ff76e2a35fae2836f4fe8c529e955
parent 50c13bf80b0d2386eefcb419a91c0ada4cbd4edd
ToString node actually does GC.
https://bugs.webkit.org/show_bug.cgi?id=193920
<rdar://problem/46695900>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/dfg-to-string-on-int-does-gc.js: Added.
* stress/dfg-to-string-on-string-object-does-not-gc.js: Added.
* stress/dfg-to-string-on-string-or-string-object-does-not-gc.js: Added.

Source/JavaScriptCore:

Other than for StringObjectUse and StringOrStringObjectUse, ToString and
CallStringConstructor can allocate new JSStrings, and hence, can GC.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/dfg-to-string-on-int-does-gc.js [new file with mode: 0644]
JSTests/stress/dfg-to-string-on-string-object-does-not-gc.js [new file with mode: 0644]
JSTests/stress/dfg-to-string-on-string-or-string-object-does-not-gc.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGDoesGC.cpp