Bug 120781

Summary: REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 115542    
Attachments:
Description Flags
the patch
none
the patch mhahnenberg: review+

Filip Pizlo
Reported 2013-09-05 11:08:03 PDT
Patch forthcoming.
Attachments
the patch (10.47 KB, patch)
2013-09-05 11:11 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (11.10 KB, patch)
2013-09-05 11:36 PDT, Filip Pizlo 		mhahnenberg: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2013-09-05 11:11:10 PDT
Created attachment 210638 [details] the patch
Filip Pizlo
Comment 2 2013-09-05 11:36:14 PDT
Created attachment 210640 [details] the patch
Oliver Hunt
Comment 3 2013-09-05 12:38:58 PDT
Comment on attachment 210640 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=210640&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1089 > - destination.merge(SpecObjectOther); > + destination.merge(SpecObject); Do we end up with ToThis nodes in strict mode? If we do ToThis can be a primitive as it won't be boxed (this conversion is only for the global object -> global object proxy).
Filip Pizlo
Comment 4 2013-09-05 13:14:19 PDT
(In reply to comment #3) > (From update of attachment 210640 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=210640&action=review > > > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1089 > > - destination.merge(SpecObjectOther); > > + destination.merge(SpecObject); > > Do we end up with ToThis nodes in strict mode? If we do ToThis can be a primitive as it won't be boxed (this conversion is only for the global object -> global object proxy). Hence the merge. If the value was a primitive before, this will say "primitive or object". If it was TOP before, then this will still say TOP.
Mark Hahnenberg
Comment 5 2013-09-05 13:24:22 PDT
Comment on attachment 210640 [details] the patch r=me
Filip Pizlo
Comment 6 2013-09-05 14:18:23 PDT
Landed in http://trac.webkit.org/changeset/155149
Mark Rowe (bdash)
Comment 7 2013-09-05 18:08:16 PDT
This broke the build so I rolled it out in r155166.
Filip Pizlo
Comment 8 2013-09-06 12:00:39 PDT
Relanded in http://trac.webkit.org/changeset/155201
Note You need to log in before you can comment on or make changes to this bug.