[ES6] DFG and FTL should be aware of that StringConstructor behavior for symbols becomes different from ToString
https://bugs.webkit.org/show_bug.cgi?id=143424
Reviewed by Geoffrey Garen.
In ES6, StringConstructor behavior becomes different from ToString abstract operations in the spec. (and JSValue::toString).
ToString(symbol) throws a type error.
However, String(symbol) produces SymbolDescriptiveString(symbol).
So, in DFG and FTL phase, they should not inline StringConstructor to ToString.
Now, in the template literals patch, ToString DFG operation is planned to be used.
And current ToString behavior is aligned to the spec (and JSValue::toString) and it's better.
So intead of changing ToString behavior, this patch adds CallStringConstructor operation into DFG and FTL.
In CallStringConstructor, all behavior in DFG analysis is the same.
Only the difference from ToString is, when calling DFG operation functions, it calls
operationCallStringConstructorOnCell and operationCallStringConstructor instead of
operationToStringOnCell and operationToString.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::propagate):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
(JSC::DFG::FixupPhase::attemptToMakeFastStringAdd):
(JSC::DFG::FixupPhase::fixupToString): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
(JSC::DFG::SpeculativeJIT::compileToStringOnCell): Deleted.
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileToStringOrCallStringConstructor):
(JSC::FTL::LowerDFGToLLVM::compileToString): Deleted.
* runtime/StringConstructor.cpp:
(JSC::stringConstructor):
(JSC::callStringConstructor):
* runtime/StringConstructor.h:
* tests/stress/symbol-and-string-constructor.js: Added.
(performString):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@182433 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 537faac..9e53a19 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -767,8 +767,9 @@
break;
}
- case ToString: {
- fixupToString(node);
+ case ToString:
+ case CallStringConstructor: {
+ fixupToStringOrCallStringConstructor(node);
break;
}
@@ -1363,7 +1364,7 @@
}
}
- void fixupToString(Node* node)
+ void fixupToStringOrCallStringConstructor(Node* node)
{
if (node->child1()->shouldSpeculateString()) {
fixEdge<StringUse>(node->child1());
@@ -1424,7 +1425,7 @@
m_indexInBlock, SpecString, ToString, node->origin, Edge(toPrimitive));
fixupToPrimitive(toPrimitive);
- fixupToString(toString);
+ fixupToStringOrCallStringConstructor(toString);
right.setNode(toString);
}
