DFG's StrengthReduction phase should not reduce Construct into DirectConstruct when...
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 03:23:54 +0000 (03:23 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 5 Dec 2018 03:23:54 +0000 (03:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=192386
<rdar://problem/46445516>

Reviewed by Saam Barati.

JSTests:

* stress/regress-192386.js: Added.

Source/JavaScriptCore:

This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238884 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/regress-192386.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

index 684db42..274fce0 100644 (file)
@@ -1,3 +1,13 @@
+2018-12-04  Mark Lam  <mark.lam@apple.com>
+
+        DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
+        https://bugs.webkit.org/show_bug.cgi?id=192386
+        <rdar://problem/46445516>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-192386.js: Added.
+
 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
 
         [ESNext][BigInt] Support logic operations
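Review bot: the ChangeLog title misspells the node name ("DirectContruct"); please change it to "DirectConstruct" so the entry matches the DFG op it refers to and remains greppable against the source, and keep the same fix in the Source/JavaScriptCore/ChangeLog entry.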
diff --git a/JSTests/stress/regress-192386.js b/JSTests/stress/regress-192386.js
new file mode 100644 (file)
index 0000000..26276e0
--- /dev/null
@@ -0,0 +1,12 @@
+//@ requireOptions("--jitPolicyScale=0")
+
+function foo(x) {
+    try {
+        new x();
+    } catch {
+    }
+}
+
+foo(function() {});
+for (let i = 0; i < 10000; ++i)
+    foo(() => undefined);
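Review bot: the bare `catch {}` in `foo` swallows every exception, so the test only fails if the RELEASE_ASSERT in operationLinkDirectCall() actually crashes the process; consider catching into a variable and rethrowing anything that is not a TypeError (`catch (e) { if (!(e instanceof TypeError)) throw e; }`), since `new x()` on the arrow function `() => undefined` is expected to throw a TypeError and a regression that changes that behaviour without tripping the assert would otherwise pass silently. A one-line comment explaining that `//@ requireOptions("--jitPolicyScale=0")` is there to get the call site DFG-compiled within the 10000-iteration loop, and that the initial `foo(function() {})` call seeds the call site with a constructible callee, would also help the next reader.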
index 8809771..501fd76 100644 (file)
@@ -1,3 +1,16 @@
+2018-12-04  Mark Lam  <mark.lam@apple.com>
+
+        DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
+        https://bugs.webkit.org/show_bug.cgi?id=192386
+        <rdar://problem/46445516>
+
+        Reviewed by Saam Barati.
+
+        This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall().
+
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+
 2018-12-04  Caio Lima  <ticaiolima@gmail.com>
 
         [ESNext][BigInt] Support logic operations
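Review bot: the description "This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall()." names the symptom but not the change; please add a sentence saying what the fix does, i.e. that handleNode() now checks `functionExecutable->constructAbility()` and leaves a Construct node alone when the executable reports `ConstructAbility::CannotConstruct`, so that the generic Construct path handles the non-constructible callee instead of a DirectConstruct that would reach the assert. The same "DirectContruct" spelling as in the JSTests entry should be corrected here too.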
index 2370c79..9031605 100644 (file)
@@ -914,6 +914,9 @@ private:
                 break;
             
             if (FunctionExecutable* functionExecutable = jsDynamicCast<FunctionExecutable*>(vm(), executable)) {
+                if (m_node->op() == Construct && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct)
+                    break;
+
                 // We need to update m_parameterSlots before we get to the backend, but we don't
                 // want to do too much of this.
                 unsigned numAllocatedArgs =
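Review bot: the new early `break` on `m_node->op() == Construct && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct` is the right bail-out, but it is a bare `break` with no comment in a block that otherwise documents its reasoning (see the "We need to update m_parameterSlots" comment just below); add a short comment stating that a CannotConstruct executable must not be turned into DirectConstruct because operationLinkDirectCall() RELEASE_ASSERTs on that case, so the node is left as a generic Construct and the runtime raises the usual TypeError. It is also worth confirming in review that no later branch in this `case` reaches the DirectConstruct conversion through a path that skips this `if (FunctionExecutable* ...)` block, since the check only guards the FunctionExecutable branch visible here.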