  • REGRESSION: Sometimes, operations on proven strings ignore changes to the string prototype · f0d8277b
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=113353
    <rdar://problem/13510778>
    
    Source/JavaScriptCore: 
    
    Reviewed by Mark Hahnenberg and Geoffrey Garen.
            
    ToString should call speculateStringObject() even if you know that it's a string object, since
    it calls it to also get the watchpoint. Note that even with this change, if you do
    Phantom(Check:StringObject:@a), it might get eliminated just because we proved that @a is a
    string object (thereby eliminating the prototype watchpoint); that's fine since ToString is
    MustGenerate and never decays to Phantom.
    
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
    (JSC::DFG::SpeculativeJIT::speculateStringObject):
    (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
    * dfg/DFGSpeculativeJIT.h:
    (SpeculativeJIT):
    (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
    
    LayoutTests: 
    
    Reviewed by Mark Hahnenberg and Geoffrey Garen.
    
    * fast/js/jsc-test-list:
    * fast/js/dfg-phantom-base-expected.txt: Added.
    * fast/js/dfg-phantom-base.html: Added.
    * fast/js/dfg-to-string-toString-becomes-bad-with-check-structure-expected.txt: Added.
    * fast/js/dfg-to-string-toString-becomes-bad-with-check-structure.html: Added.
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@146947 268f45cc-cd09-0410-ab3c-d52691b4dbfc
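
The invariant this commit restores can be checked from script, as in the added example below (not taken from the WebKit layout tests listed above): a function that has only ever seen String objects must still observe a later change to `String.prototype`. The function names and the warm-up iteration count are assumptions made for illustration.

```javascript
// Added example; concat, coerce, warmUp and runCheck are hypothetical names.
// Two coercion paths on a String object:
//   "" + s    -> ToPrimitive(default): valueOf is tried first, then toString
//   String(s) -> ToPrimitive(string):  toString is tried first, then valueOf
function concat(s) { return "" + s; }
function coerce(s) { return String(s); }

// Call both functions with String objects only, so an optimizing tier is likely
// to compile them with "s is a String object" as a proven fact.
// The iteration count is a guess, not a documented tier-up threshold.
function warmUp(iterations) {
  let ok = true;
  for (let i = 0; i < iterations; i++) {
    const expected = "v" + (i % 7);
    const s = new String(expected);
    ok = ok && concat(s) === expected && coerce(s) === expected;
  }
  return ok;
}

// Warm up, replace the prototype methods, and record what the already-hot
// functions return. A correct engine invalidates the optimized code (the
// prototype watchpoint fires) and reports the patched values.
function runCheck(iterations = 200000) {
  const warm = warmUp(iterations);
  const saved = {
    toString: String.prototype.toString,
    valueOf: String.prototype.valueOf,
  };
  const probe = new String("probe");
  let after;
  try {
    String.prototype.toString = function () { return "patched-toString"; };
    String.prototype.valueOf = function () { return "patched-valueOf"; };
    after = { concat: concat(probe), coerce: coerce(probe) };
  } finally {
    // Always restore the originals so later code sees a sane prototype.
    String.prototype.toString = saved.toString;
    String.prototype.valueOf = saved.valueOf;
  }
  const restored = { concat: concat(probe), coerce: coerce(probe) };
  return { warm, after, restored };
}
```

An engine with the regression described in the commit message would keep returning `"probe"` for one of the `after` values, because the compiled code skipped the watchpoint on the String prototype.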