ToThis constant folding in DFG is incorrect when the structure indicates that toThis is overridden
https://bugs.webkit.org/show_bug.cgi?id=159501
<rdar://problem/27109354>
Reviewed by Mark Lam.
We *cannot* constant fold ToThis when the structure of an object
indicates that toThis() is overridden. isToThisAnIdentity() inside
AbstractInterpreterInlines accidentally wrote the opposite rule.
The rule was written as we can constant fold ToThis only when
toThis() is overridden. To fix the bug, we must write the rule
as isToThisAnIdentity() can only be true as long as the structure
set indicates that no structures override toThis().
We could probably get more clever in the future and notice
when we're dealing with constant |this| values. For example,
a ToThis might occur on a constant JSLexicalEnvironment. We could
implement the rules of JSLexicalEnvironment's toThis() implementation
inside AI/constant folding.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::isToThisAnIdentity):
* tests/stress/to-this-on-constant-lexical-environment.js: Added.
(foo.bar):
(foo.inner):
(foo):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@202936 268f45cc-cd09-0410-ab3c-d52691b4dbfc
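The rule above is about when the DFG may treat ToThis as the identity. That property is observable from plain JavaScript even though the structure flags are not: for an ordinary object receiver ToThis hands back the same object, while in sloppy mode a primitive receiver is boxed and null/undefined is replaced by the global object, and in strict mode it is always the identity. The following is an added example, not the commit's stress test (to-this-on-constant-lexical-environment.js) and not JSC code. It builds the two functions with the Function constructor, which is an assumption made only so the sloppy/strict distinction holds regardless of whether the file itself runs in strict mode, and it drives each call site many times so a tiering JIT compiles it and the result can be compared between tiers.

```javascript
// Added example: observe where ToThis is the identity and where it is not.
// The Function constructor always produces sloppy-mode functions, so the
// first one stays sloppy even if this file is loaded as strict-mode code.
const sloppyThis = new Function("return this;");
const strictThis = new Function("'use strict'; return this;");

// True when calling fn with `receiver` as |this| yields exactly `receiver`,
// i.e. the ToThis conversion performed on entry behaved as the identity.
function toThisIsIdentity(fn, receiver) {
  return fn.call(receiver) === receiver;
}

// Call the same site repeatedly so the engine tiers it up. Returns the
// identity verdict if it is stable across all iterations, and null if the
// verdict ever changes (which is what a wrong constant fold would look like).
function stableIdentity(fn, receiver, iterations) {
  const first = toThisIsIdentity(fn, receiver);
  for (let i = 0; i < iterations; i++) {
    if (toThisIsIdentity(fn, receiver) !== first) return null;
  }
  return first;
}

// Probe the receiver kinds that differ between sloppy and strict mode.
function probe(iterations = 20000) {
  const obj = { tag: "ordinary object" };
  return {
    sloppyObject: stableIdentity(sloppyThis, obj, iterations),   // true: identity
    sloppyPrimitive: stableIdentity(sloppyThis, 42, iterations), // false: boxed
    sloppyNull: stableIdentity(sloppyThis, null, iterations),    // false: replaced
    sloppyNullIsGlobal: sloppyThis.call(null) === globalThis,    // true
    strictObject: stableIdentity(strictThis, obj, iterations),   // true
    strictPrimitive: stableIdentity(strictThis, 42, iterations), // true: no boxing
    strictNull: stableIdentity(strictThis, null, iterations),    // true
  };
}

console.log(probe());
```

A fold of ToThis to its input is only sound for the receiver kinds that report `true` here; the cases that report `false` are exactly those where the conversion is not the identity and the abstract interpreter must leave the node alone. A `null` result from `stableIdentity` would mean the verdict changed between tiers, the symptom an inverted folding rule produces.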
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index ebdc79c..0b23599 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -167,7 +167,7 @@
if (type.isObject() && type.overridesToThis())
overridesToThis = true;
});
- return overridesToThis;
+ return !overridesToThis;
}
return false;
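Review bot: The fix is a single polarity flip at `return !overridesToThis;`, and since this whole bug was a polarity inversion of the same flag, the hunk would benefit from making the intent self-documenting rather than relying on a negation the next reader has to re-derive: either add a comment on that line such as "// ToThis is the identity only when no structure in the set overrides toThis()", or accumulate the positive property instead (`bool allIdentity = true;` cleared inside the lambda when `type.isObject() && type.overridesToThis()`, then `return allIdentity;`). The trailing `return false;` for the non-finite / non-object path is the right conservative default and should stay as is.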