120781 – REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG

RESOLVED FIXED Bug 120781

REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG

https://bugs.webkit.org/show_bug.cgi?id=120781

Summary REGRESSION(149636, merged in 153145): ToThis conversion doesn't work in the DFG

Filip Pizlo

Reported 2013-09-05 11:08:03 PDT

Patch forthcoming.

Attachments
the patch (10.47 KB, patch) 2013-09-05 11:11 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
the patch (11.10 KB, patch) 2013-09-05 11:36 PDT, Filip Pizlo	mhahnenberg: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2013-09-05 11:11:10 PDT

Created attachment 210638 [details] the patch

Filip Pizlo

Comment 2 2013-09-05 11:36:14 PDT

Created attachment 210640 [details] the patch

Oliver Hunt

Comment 3 2013-09-05 12:38:58 PDT

Comment on attachment 210640 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=210640&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1089 > - destination.merge(SpecObjectOther); > + destination.merge(SpecObject); Do we end up with ToThis nodes in strict mode? If we do ToThis can be a primitive as it won't be boxed (this conversion is only for the global object -> global object proxy).

Filip Pizlo

Comment 4 2013-09-05 13:14:19 PDT

(In reply to comment #3) > (From update of attachment 210640 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=210640&action=review > > > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1089 > > - destination.merge(SpecObjectOther); > > + destination.merge(SpecObject); > > Do we end up with ToThis nodes in strict mode? If we do ToThis can be a primitive as it won't be boxed (this conversion is only for the global object -> global object proxy). Hence the merge. If the value was a primitive before, this will say "primitive or object". If it was TOP before, then this will still say TOP.

Mark Hahnenberg

Comment 5 2013-09-05 13:24:22 PDT

Comment on attachment 210640 [details] the patch r=me

Filip Pizlo

Comment 6 2013-09-05 14:18:23 PDT

Landed in http://trac.webkit.org/changeset/155149

Mark Rowe (bdash)

Comment 7 2013-09-05 18:08:16 PDT

This broke the build so I rolled it out in r155166.

Filip Pizlo

Comment 8 2013-09-06 12:00:39 PDT

Relanded in http://trac.webkit.org/changeset/155201

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2013-09-05 11:08 PDT

Modified

2013-09-06 12:00 PDT History

CC List

7 users Show

URL

Keywords

Depends on

Blocks

115542

Dependancies

tree graph