WebKit GIT trees - WebKit-https.git/commit

We are too conservative about the effects of PushWithScope
https://bugs.webkit.org/show_bug.cgi?id=175584

Patch by Robin Morisset <rmorisset@apple.com> on 2017-08-15
Reviewed by Saam Barati.

PushWithScope converts its argument to an object (this can throw a type error,
but has no other observable effect), and allocates a new scope, that it then
makes the new current scope. We were a bit too
conservative in saying that it clobbers the world.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@220783 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 16 Aug 2017 02:49:04 +0000 (02:49 +0000)
committer	commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 16 Aug 2017 02:49:04 +0000 (02:49 +0000)
commit	0094c788c4350582e3e019aede88f6b6f3fb83ef
tree	94a9c11f30424d8d94c8006ac763595506dbed3b	tree \| snapshot
parent	1b8181eaecc34e3338f800a2f7df8916713f1694	commit \| diff

Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h		diff \| blob \| history
Source/JavaScriptCore/dfg/DFGClobberize.h		diff \| blob \| history
Source/JavaScriptCore/dfg/DFGDoesGC.cpp		diff \| blob \| history