[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGConstantFoldingPhase.cpp
index b6df73186a7edf07629e277967161fd5e5a7d85c..bd8748acdc331a00e05c77e4ecbd54753f15571a 100644 (file)
@@ -636,6 +636,27 @@ private:
                 break;
             }
 
+            case CreateThis: {
+                if (JSValue base = m_state.forNode(node->child1()).m_value) {
+                    if (auto* function = jsDynamicCast<JSFunction*>(m_graph.m_vm, base)) {
+                        if (FunctionRareData* rareData = function->rareData()) {
+                            if (Structure* structure = rareData->objectAllocationStructure()) {
+                                // FIXME: we should be able to allocate a poly proto object here:
+                                // https://bugs.webkit.org/show_bug.cgi?id=177517
+                                if (structure->hasMonoProto()) {
+                                    m_graph.freeze(rareData);
+                                    m_graph.watchpoints().addLazily(rareData->allocationProfileWatchpointSet());
+                                    node->convertToNewObject(m_graph.registerStructure(structure));
+                                    changed = true;
+                                    break;
+                                }
+                            }
+                        }
+                    }
+                }
+                break;
+            }
+
             case ToNumber: {
                 if (m_state.forNode(node->child1()).m_type & ~SpecBytecodeNumber)
                     break;
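Review bot: The new `CreateThis` case reads `rareData->objectAllocationStructure()` and folds to NewObject without checking that `rareData->allocationProfileWatchpointSet()` is still valid at the point of the read. The lazily added watchpoint is the only thing in this hunk that ties the registered structure to the function's current prototype, and a mismatch would leave compiled code allocating objects with a structure the later nodes do not expect. If the set has already been fired, the compilation is presumably discarded when the desired watchpoints are validated, so guarding the fold avoids a wasted compile and makes the dependency explicit: `if (structure->hasMonoProto() && rareData->allocationProfileWatchpointSet().isStillValid()) {`. A short comment above `addLazily` would help, for example `// The folded structure is only sound while the allocation profile watchpoint holds.` The enclosing switch and function start outside the hunk, so whether this phase can run concurrently with the mutator should be confirmed against the rest of the file.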