Fix DFG's doesGC() for a few more nodes.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Feb 2019 23:34:05 +0000 (23:34 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Feb 2019 23:34:05 +0000 (23:34 +0000)
commit f955322a97816a37befafb43c853b2310ae03dd9
tree febcce71f7a26fcf350cb28f391c182e026168b6
parent ecb3831801b402056c168316f9bc89419ee4c77d
Fix DFG's doesGC() for a few more nodes.
https://bugs.webkit.org/show_bug.cgi?id=194307
<rdar://problem/47832956>

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

    NumberToStringWithValidRadixConstant:
        Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
        which can allocate a string.
        Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
        which can allocate a string.
        Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
        which can allocate a string.

    RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
        memory for all kinds of objects.
    RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
        RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
        these allocate memory for the match result.
    RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
        calls RegExpObject's collectMatches(), which allocates an array amongst
        other objects.

    StringFromCharCode:
        If the uint32 code to convert is greater than maxSingleCharacterString,
        we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
        which allocates a new string if the code is greater than maxSingleCharacterString.

Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
to use maxSingleCharacterString instead of a literal constant.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileFromCharCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240998 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGDoesGC.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp