DFG operationCreateThis slow path may get the wrong callee in case of inlining
https://bugs.webkit.org/show_bug.cgi?id=71647

Reviewed by Oliver Hunt.
        
No new tests because I only saw this manifest itself when I had other bugs
leading to spurious slow path executions.

* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::callOperation):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@99502 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGOperations.cpp b/Source/JavaScriptCore/dfg/DFGOperations.cpp
index 10f0458..cdebceb 100644
--- a/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -163,10 +163,8 @@
     return JSValue::encode(JSValue::decode(encodedOp).toThisObject(exec));
 }
 
-JSCell* DFG_OPERATION operationCreateThis(ExecState* exec, JSCell* prototype)
+inline JSCell* createThis(ExecState* exec, JSCell* prototype, JSFunction* constructor)
 {
-    JSFunction* constructor = asFunction(exec->callee());
-    
 #if !ASSERT_DISABLED
     ConstructData constructData;
     ASSERT(constructor->methodTable()->getConstructData(constructor, constructData) == ConstructTypeJS);
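Review bot: `createThis` on the `inline JSCell* createThis(...)` line is declared `inline` but not `static`, so it keeps external linkage although its only callers appear to be the two DFG_OPERATION wrappers added in the next hunk of this file. `static inline JSCell* createThis(ExecState* exec, JSCell* prototype, JSFunction* constructor)` (or an anonymous namespace) keeps the helper file-local and avoids exporting a symbol that bypasses the `exec->callee()` lookup. The body of createThis continues past the end of this hunk.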
@@ -183,6 +181,16 @@
     return constructEmptyObject(exec, structure);
 }
 
+JSCell* DFG_OPERATION operationCreateThis(ExecState* exec, JSCell* prototype)
+{
+    return createThis(exec, prototype, asFunction(exec->callee()));
+}
+
+JSCell* DFG_OPERATION operationCreateThisInlined(ExecState* exec, JSCell* prototype, JSCell* constructor)
+{
+    return createThis(exec, prototype, static_cast<JSFunction*>(constructor));
+}
+
 JSCell* DFG_OPERATION operationNewObject(ExecState* exec)
 {
     return constructEmptyObject(exec);
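Review bot: The `static_cast<JSFunction*>(constructor)` in operationCreateThisInlined is an unchecked downcast from `JSCell*`, while the non-inlined path two lines above still goes through `asFunction()`, the conversion helper this file already uses on the callee and which presumably carries the cell-type check; `return createThis(exec, prototype, asFunction(constructor));` keeps both entry points on the same checked conversion. As written, the only guard on the inlined path is the `ConstructTypeJS` ASSERT inside createThis, which is compiled out under ASSERT_DISABLED, so a wrong cell handed over by the JIT would be treated as a JSFunction silently in release builds. A one-line comment on the new operation stating that `constructor` must be the JSFunction the inlined call frame would have had as its callee would also make the contract with the SpeculativeJIT callers explicit.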