Incorrect type speculation reported by ToPrimitive https://bugs.webkit.org/show_bug.cgi?id=119458 Reviewed by Mark Hahnenberg. Make sure that we report the correct type possibilities for the output from ToPrimitive * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153674 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: b06642f9c7d9fac7ea826a7dbed284989bd83f2a [log] [tgz]
author: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Aug 02 22:38:28 2013 +0000
committer: oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Fri Aug 02 22:38:28 2013 +0000
tree: 308271264b5bed72f697ad2cfc3e6affb927dfee
parent: d4c07a3247bd3f7cc3998cb19052057519a0dcc4 [diff] [blame]
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 38a3763..e426520 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -982,10 +982,9 @@
         clobberWorld(node->codeOrigin, clobberLimit);
         
         SpeculatedType type = source.m_type;
-        if (type & ~(SpecNumber | SpecString | SpecBoolean)) {
-            type &= (SpecNumber | SpecString | SpecBoolean);
-            type |= SpecString;
-        }
+        if (type & ~(SpecNumber | SpecString | SpecBoolean))
+            type = (SpecTop & ~SpecCell) | SpecString;
+
         destination.setType(type);
         if (destination.isClear())
             m_state.setIsValid(false);
commit	b06642f9c7d9fac7ea826a7dbed284989bd83f2a	[log] [tgz]
author	oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Aug 02 22:38:28 2013 +0000
committer	oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Fri Aug 02 22:38:28 2013 +0000
tree	308271264b5bed72f697ad2cfc3e6affb927dfee
parent	d4c07a3247bd3f7cc3998cb19052057519a0dcc4 [diff] [blame]