[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGAbstractInterpreterInlines.h
index de6a8c6753a3632e970326f79731c70725cdeca6..e7f1585c658342700c53b18ed1c85ef1f50128b7 100644 (file)
@@ -2257,7 +2257,23 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
     }
 
     case CreateThis: {
-        // FIXME: We can fold this to NewObject if the incoming callee is a constant.
+        if (JSValue base = forNode(node->child1()).m_value) {
+            if (auto* function = jsDynamicCast<JSFunction*>(m_vm, base)) {
+                if (FunctionRareData* rareData = function->rareData()) {
+                    if (Structure* structure = rareData->objectAllocationStructure()) {
+                        // FIXME: we should be able to allocate a poly proto object here:
+                        // https://bugs.webkit.org/show_bug.cgi?id=177517
+                        if (structure->hasMonoProto()) {
+                            m_graph.freeze(rareData);
+                            m_graph.watchpoints().addLazily(rareData->allocationProfileWatchpointSet());
+                            m_state.setFoundConstants(true);
+                            forNode(node).set(m_graph, structure);
+                            break;
+                        }
+                    }
+                }
+            }
+        }
         forNode(node).setType(m_graph, SpecFinalObject);
         break;
     }