Google Git
Sign in
webkit / WebKit / d1a5d2f849d83b57634e69317753e38a2e703530^! / . / Source / JavaScriptCore / dfg / DFGFixupPhase.cpp
commitd1a5d2f849d83b57634e69317753e38a2e703530[log] [tgz]
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Mon May 02 17:38:15 2016 +0000
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Mon May 02 17:38:15 2016 +0000
tree99cedfd8582058ee56695046f56ddd6ff078c339
parent30bf4a4a06d36c0c469ba2e73b0b21340e17c382 [diff] [blame]
ToThis should be able to be eliminated in Constant Folding
https://bugs.webkit.org/show_bug.cgi?id=157213

Reviewed by Saam Barati.

This patch enables eliminating the ToThis value when we have abstract interpreter
indicates the node is not needed. Since there are Objects that override their
ToThis behavior we first check if we can eliminate the node by looking at its
speculated type. If the function is in strict mode then we can eliminate ToThis as
long as the speculated type is not SpecObjectOther since that contains objects
that may set OverridesToThis. If the function is not in strict mode then we can
eliminate ToThis as long is the speculated type is an object that is not SpecObjectOther.

If we can't eliminate with type information we can still eliminate the ToThis node with
the proven structure set. When ToThis only sees structures that do not set OverridesToThis
it can be eliminated. Additionally, if the function is in strict mode then we can eliminate
ToThis as long as all only the object structures don't set OverridesToThis.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::isToThisAnIdentity):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupToThis):
* tests/stress/to-this-global-object.js: Added.
(test):
(test2):
(get for):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200325 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 3d5f17f..c434bcc 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1728,6 +1728,9 @@
             return;
         }
 
+        // FIXME: This should cover other use cases but we don't have use kinds for them. It's not critical,
+        // however, since we cover all the missing cases in constant folding.
+        // https://bugs.webkit.org/show_bug.cgi?id=157213
         if (node->child1()->shouldSpeculateStringObject()) {
             fixEdge<StringObjectUse>(node->child1());
             node->convertToIdentity();