DFG JIT bug in typeof constant folding where the input to typeof is an object or function
https://bugs.webkit.org/show_bug.cgi?id=156034
<rdar://problem/25446785>

Reviewed by Ryosuke Niwa.

AI would constant fold TypeOf to the string "object" if it saw that
its input type didn't expand past the types contained in the set
"SpecObject - SpecObjectOther". But, SpecObject contains SpecFunction.
And typeof of a function should return "function". This patch fixes
this bug by making sure we constant fold to object iff the type
doesn't expand past the set "SpecObject - SpecObjectOther - SpecFunction".

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/typeof-dfg-function-or-object.js: Added.
(assert):
(foo.else.o):
(foo):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@198902 268f45cc-cd09-0410-ab3c-d52691b4dbfc
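The shape of program the commit message describes, as an added example (this is not the commit's own tests/stress/typeof-dfg-function-or-object.js, and the names `typeofObjectOrFunction`, `runStress` and the sample inputs are constructed here): a value that an optimising tier only knows to be "some object", which on one branch is callable and on the other is not. It goes slightly beyond the commit by cycling through several kinds of non-callable objects and several kinds of callables, so that every object-typed input is checked against the `typeof` result the language requires. Run under a correctly behaving engine every iteration matches; a JIT that folded `typeof` to "object" for any object type would report mismatches once the function was optimised.

```javascript
// Added example; not the commit's test file. It exercises the case the
// commit describes: typeof applied to a value the optimiser can only type
// as "object", which may or may not actually be a function.

// Constructed sample inputs: non-callable objects (typeof must be "object")
// and callables (typeof must be "function").
const objectInputs = [{}, [], /re/, new Date(0), Object.create(null)];
const functionInputs = [function () {}, () => {}, class {}, Math.max.bind(null)];

// Both branches produce an object-typed value, so the merged type at the
// typeof is "some object"; folding that to "object" is wrong for callables.
function typeofObjectOrFunction(useFunction, i) {
  let o;
  if (useFunction) {
    o = functionInputs[i % functionInputs.length];
  } else {
    o = objectInputs[i % objectInputs.length];
  }
  return typeof o;
}

// Run many iterations so an optimising tier has a chance to compile the
// function, and count how many results matched the expected string.
function runStress(iterations) {
  const counts = { object: 0, function: 0, mismatch: 0 };
  for (let i = 0; i < iterations; i++) {
    const useFunction = i % 2 === 1;
    const r = typeofObjectOrFunction(useFunction, i);
    const expected = useFunction ? "function" : "object";
    if (r === expected) counts[r]++;
    else counts.mismatch++;
  }
  return counts;
}

// Stand-alone run: with a correct engine, mismatch stays at 0.
if (typeof require !== "undefined" && require.main === module) {
  console.log(runStress(100000));
}
```

The iteration count is deliberately large: the bug only shows once the function reaches the optimising tier, so a handful of calls would pass even on an affected build.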
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 69e613c..0274820 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -1170,7 +1170,7 @@
// FIXME: We could use the masquerades-as-undefined watchpoint here.
// https://bugs.webkit.org/show_bug.cgi?id=144456
- if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther))) {
+ if (!(abstractChild.m_type & ~(SpecObject - SpecObjectOther - SpecFunction))) {
setConstant(node, *m_graph.freeze(vm->smallStrings.objectString()));
break;
}
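Review bot: the new mask `SpecObject - SpecObjectOther - SpecFunction` on the changed line is correct only because subtraction on these bitmasks assumes both subtrahends are subsets of SpecObject (the commit message states this for SpecFunction); a short comment on that line saying which object types the fold intentionally leaves out, and why each is excluded, would stop the next person from re-adding SpecFunction. Folding the symmetric case, an input confined to SpecFunction folding to the "function" string, is not done here and could be noted as a follow-up. The stress test named in the commit message is not part of the diff as shown, so its assertions cannot be checked from this page.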