Object allocation not sinking properly through CheckStructure
author basile_clement@apple.com <basile_clement@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 May 2015 18:37:58 +0000 (18:37 +0000)
committer basile_clement@apple.com <basile_clement@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 May 2015 18:37:58 +0000 (18:37 +0000)
commit dad76496a813e57ae6a7c1461207aedb89aec0f3
tree 52281a6d3f5bee3e07f4be05965ebe8170ef2854
parent 54bd14e51145b012605975945202e0d9c0618f7b
Object allocation not sinking properly through CheckStructure
https://bugs.webkit.org/show_bug.cgi?id=144465

Reviewed by Filip Pizlo.

Currently, sinking an allocation through a CheckStructure will
completely ignore all structure checking, which is obviously wrong.

A CheckStructureImmediate node type was present for that purpose, but
the CheckStructures were not properly replaced.  This ensures that
CheckStructure nodes are replaced by CheckStructureImmediate nodes when
sunk through, and that structure checking happens correctly.

* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheckStructureImmediate): Added.
(JSC::DFG::Node::hasStructureSet):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileCheckStructure):
(JSC::FTL::LowerDFGToLLVM::compileCheckStructureImmediate):
(JSC::FTL::LowerDFGToLLVM::checkStructure):
* tests/stress/sink_checkstructure.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183752 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Source/JavaScriptCore/tests/stress/sink_checkstructure.js [new file with mode: 0644]
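
A simplified model of the behaviour the commit message describes, added here as an example; it is not WebKit code and is not part of this commit. The straight-line IR, the `sink` and `run` functions, and the `PutStructureIf`, `SetPromoted` and `SetPromotedIf` node names are assumptions made for illustration; only `CheckStructure` and `CheckStructureImmediate` come from the message.

```javascript
// Toy model (constructed for illustration): a straight-line IR and an
// allocation-sinking pass. Only the node names CheckStructure and
// CheckStructureImmediate come from the commit message.
const program = [
  { op: 'NewObject', id: 'o', structure: 'S0' },
  // Stands in for a structure transition taken on only one control-flow path.
  { op: 'PutStructureIf', obj: 'o', arg: 'p', structure: 'S1' },
  { op: 'CheckStructure', obj: 'o', set: ['S0'] },
  { op: 'Return', value: 'ok' },
];

// Sink every allocation: the object is never materialized, and its structure
// is tracked as a promoted value named "<id>.structure".
function sink(nodes, { replaceChecks }) {
  const out = [];
  for (const n of nodes) {
    const loc = `${n.id ?? n.obj}.structure`;
    if (n.op === 'NewObject') {
      out.push({ op: 'SetPromoted', loc, value: n.structure });
    } else if (n.op === 'PutStructureIf') {
      out.push({ op: 'SetPromotedIf', loc, arg: n.arg, value: n.structure });
    } else if (n.op === 'CheckStructure') {
      // replaceChecks=false: the check vanishes with the object (the wrong behaviour).
      // replaceChecks=true: the check is kept, applied to the promoted structure.
      if (replaceChecks) out.push({ op: 'CheckStructureImmediate', loc, set: n.set });
    } else {
      out.push(n);
    }
  }
  return out;
}

// Interpreter: returns 'exit' when a structure check fails (a bailout).
function run(nodes, args) {
  const heap = {}, promoted = {};
  for (const n of nodes) {
    switch (n.op) {
      case 'NewObject': heap[n.id] = { structure: n.structure }; break;
      case 'PutStructureIf': if (args[n.arg]) heap[n.obj].structure = n.structure; break;
      case 'SetPromoted': promoted[n.loc] = n.value; break;
      case 'SetPromotedIf': if (args[n.arg]) promoted[n.loc] = n.value; break;
      case 'CheckStructure': if (!n.set.includes(heap[n.obj].structure)) return 'exit'; break;
      case 'CheckStructureImmediate': if (!n.set.includes(promoted[n.loc])) return 'exit'; break;
      case 'Return': return n.value;
    }
  }
}
```

Running `program`, `sink(program, { replaceChecks: true })` and `sink(program, { replaceChecks: false })` with `{ p: true }` shows the first two bailing out while the third returns `'ok'`, which is the divergence from the unoptimized program that a sinking pass must not introduce.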