WebKit Bugzilla
Attachment 356544 Details for Bug 192386: DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility.
[patch] proposed patch.
bug-192386.patch (text/plain), 2.68 KB, created by Mark Lam on 2018-12-04 15:16:42 PST
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 238877) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-12-04 Mark Lam <mark.lam@apple.com> >+ >+ DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility. >+ https://bugs.webkit.org/show_bug.cgi?id=192386 >+ <rdar://problem/46445516> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-192386.js: Added. >+ > 2018-12-04 Caio Lima <ticaiolima@gmail.com> > > [ESNext][BigInt] Support logic operations >Index: JSTests/stress/regress-192386.js >=================================================================== >--- JSTests/stress/regress-192386.js (nonexistent) >+++ JSTests/stress/regress-192386.js (working copy) >@@ -0,0 +1,12 @@ >+//@ requireOptions("--jitPolicyScale=0") >+ >+function foo(x) { >+ try { >+ new x(); >+ } catch { >+ } >+} >+ >+foo(function() {}); >+for (let i = 0; i < 10000; ++i) >+ foo(() => undefined); >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 238876) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,16 @@ >+2018-12-04 Mark Lam <mark.lam@apple.com> >+ >+ DFG's StrengthReduction phase should not reduce Construct into DirectContruct when the executable does not have constructAbility. >+ https://bugs.webkit.org/show_bug.cgi?id=192386 >+ <rdar://problem/46445516> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall(). >+ >+ * dfg/DFGStrengthReductionPhase.cpp: >+ (JSC::DFG::StrengthReductionPhase::handleNode): >+ > 2018-12-04 Caio Lima <ticaiolima@gmail.com> > > [ESNext][BigInt] Support logic operations >Index: Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (revision 238876) >+++ Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (working copy) >@@ -914,6 +914,9 @@ private: > break; > > if (FunctionExecutable* functionExecutable = jsDynamicCast<FunctionExecutable*>(vm(), executable)) { >+ if (m_node->op() == Construct && functionExecutable->constructAbility() == ConstructAbility::CannotConstruct) >+ break; >+ > // We need to update m_parameterSlots before we get to the backend, but we don't > // want to do too much of this. > unsigned numAllocatedArgs =
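Review bot: In JSTests/stress/regress-192386.js the empty `catch { }` around `new x()` swallows every exception, so the test only proves that the engine does not crash. It would pass equally if the optimized code stopped throwing for the arrow function. Consider capturing the exception in `foo` and checking on each of the 10000 iterations that `new x()` on `() => undefined` raised a TypeError, and that the warm-up call with `function() {}` did not throw, so the test pins down the required behaviour after tier-up as well as the absence of the assertion failure.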
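Review bot: In Source/JavaScriptCore/ChangeLog the only explanation is "This violates an invariant documented by a RELEASE_ASSERT in operationLinkDirectCall()", which names neither the invariant nor the chosen fix. Please say what the assertion requires of the callee executable and that the phase now leaves the node as a generic Construct when the executable has ConstructAbility::CannotConstruct. The title in both ChangeLog entries also spells the node type "DirectContruct"; it should read "DirectConstruct".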
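Review bot: In DFGStrengthReductionPhase.cpp the new early `break` inside the `FunctionExecutable` branch carries no comment, so a reader of handleNode cannot tell that it exists to keep operationLinkDirectCall()'s RELEASE_ASSERT from firing. Add a one-line comment above the check that names that invariant. The guard tests only `m_node->op() == Construct`; the case labels for this block are outside the visible context, so please confirm that no other constructing op reaches this path and would need the same `constructAbility()` test before being converted to a direct call.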