Cherry-pick 259548.63@safari-7615-branch (1b2eb13). rdar://105598149

[JSC] ToThis object folding should check if AbstractValue is always an object https://bugs.webkit.org/show_bug.cgi?id=251944 rdar://105175786 Reviewed by Geoffrey Garen and Mark Lam. ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding. This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects. This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example. * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::isToThisAnIdentity): Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch Canonical link: https://commits.webkit.org/260455@main
WebKit · Feb 17, 2023 · 6cc943c · 6cc943c
1 parent 9789cde
commit 6cc943c
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -213,7 +213,8 @@ inline ToThisResult isToThisAnIdentity(ECMAMode ecmaMode, AbstractValue& valueFo
         }
     }
 
-    if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
+    bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
+    if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
         bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
         bool overridesToThis = false;
         valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
@@ -230,9 +231,13 @@ inline ToThisResult isToThisAnIdentity(ECMAMode ecmaMode, AbstractValue& valueFo
             // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
             allStructuresAreJSScope &= structure->classInfoForCells()->isSubClassOf(JSScope::info());
         });
+
+        // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
         if (!overridesToThis)
             return ToThisResult::Identity;
-        if (allStructuresAreJSScope) {
+
+        // But this folding is available only if input is always an object.
+        if (onlyObjects && allStructuresAreJSScope) {
             if (ecmaMode.isStrict())
                 return ToThisResult::Undefined;
             return ToThisResult::GlobalThis;