Google Git
Sign in
webkit / WebKit / 507dca168fd4128ce8535aa2f80a25a567e94a31^! / . / Source / JavaScriptCore / dfg / DFGAbstractState.cpp
commit507dca168fd4128ce8535aa2f80a25a567e94a31[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Jul 17 23:27:31 2013 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Jul 17 23:27:31 2013 +0000
tree5b84075903119daa0dc9450b3b5d653fdc8e96c1
parent16bb7a638ad9579af6a90ea78f7e07e7e749f44d [diff] [blame]
DFG assumes that NewFunction will never pass its input through
https://bugs.webkit.org/show_bug.cgi?id=118798

Source/JavaScriptCore: 

Reviewed by Sam Weinig.
        
Previously the DFG was assuming that NewFunction always returns a function. That's not
the case. It may return whatever was passed to it, if it wasn't passed SpecEmpty.
        
This fact needed to be wired through the compiler.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::makeTop):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests: 

Reviewed by Sam Weinig.

* fast/js/dfg-use-function-as-variable-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-merge-structure-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-merge-structure.html: Added.
* fast/js/dfg-use-function-as-variable-not-constant-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-not-constant.html: Added.
* fast/js/dfg-use-function-as-variable-with-closure-expected.txt: Added.
* fast/js/dfg-use-function-as-variable-with-closure.html: Added.
* fast/js/dfg-use-function-as-variable.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-use-function-as-variable-merge-structure.js: Added.
(.x):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable-not-constant.js: Added.
(run_tests.x):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable-with-closure.js: Added.
(run_tests.x):
(run_tests.y):
(run_tests):
* fast/js/script-tests/dfg-use-function-as-variable.js: Added.
(run_tests.x):
(run_tests):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@152813 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index 76e69ee..2ac79c7 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1226,7 +1226,19 @@
         forNode(node).makeTop();
         break;
         
-    case NewFunction:
+    case NewFunction: {
+        AbstractValue& value = forNode(node);
+        value = forNode(node->child1());
+        
+        if (!(value.m_type & SpecEmpty)) {
+            m_foundConstants = true;
+            break;
+        }
+
+        value.set((value.m_type & ~SpecEmpty) | SpecFunction);
+        break;
+    }
+
     case NewFunctionExpression:
     case NewFunctionNoCheck:
         forNode(node).set(m_codeBlock->globalObjectFor(node->codeOrigin)->functionStructure());