DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly

https://bugs.webkit.org/show_bug.cgi?id=159117
<rdar://problem/26996781>

Reviewed by Saam Barati.

DFGByteCodeParsing always assumed there would be an argument to the Object constructor.
This is clearly not always the case and we should be able to handle it.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* tests/stress/indirect-call-object-constructor-with-no-arguments.js: Added.
(let.foo.Object.test):

Canonical link: https://commits.webkit.org/177240@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@202487 268f45cc-cd09-0410-ab3c-d52691b4dbfc
kmiller68 committed Jun 27, 2016
1 parent 360004c commit d9e7285dc9986aa822b5ef29835b4b78d423cdbd
@@ -1,3 +1,19 @@
2016-06-25 Keith Miller <keith_miller@apple.com>

DFGByteCodeParsing does not handle calling the Object constructor with no arguments correctly
https://bugs.webkit.org/show_bug.cgi?id=159117
<rdar://problem/26996781>

Reviewed by Saam Barati.

DFGByteCodeParsing always assumed there would be an argument to the Object constructor.
This is clearly not always the case and we should be able to handle it.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
* tests/stress/indirect-call-object-constructor-with-no-arguments.js: Added.
(let.foo.Object.test):

2016-06-24 Filip Pizlo <fpizlo@apple.com>

B3 should die sooner if a Value has the wrong number of children
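Review bot: The description in this ChangeLog entry says the parser "should be able to handle it" without saying how. The line for handleConstantInternalFunction would be more useful to later readers if it stated that a call with argumentCountIncludingThis <= 1 now emits NewObject with the global object's objectStructureForObjectConstructor() rather than CallObjectConstructor on argument 1.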
@@ -2690,7 +2690,11 @@ bool ByteCodeParser::handleConstantInternalFunction(
if (function->classInfo() == ObjectConstructor::info() && kind == CodeForCall) {
insertChecks();

Node* result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
Node* result;
if (argumentCountIncludingThis <= 1)
result = addToGraph(NewObject, OpInfo(function->globalObject()->objectStructureForObjectConstructor()));
else
result = addToGraph(CallObjectConstructor, get(virtualRegisterForArgument(1, registerOffset)));
set(VirtualRegister(resultOperand), result);
return true;
}
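Review bot: The new argumentCountIncludingThis <= 1 branch has no comment explaining why the zero-argument case is split out. The line it replaces called get(virtualRegisterForArgument(1, registerOffset)) unconditionally, so a call that passed only `this` made the graph read an argument slot the caller never supplied; a one-line comment saying so would keep a later cleanup from folding the two branches back together. The enclosing condition also restricts this path to kind == CodeForCall, and it would help to note in a comment or in the ChangeLog whether the construct case needs the same guard or is handled elsewhere.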
@@ -0,0 +1,9 @@
let foo = Object

function test() {
return foo();
}
noInline(test);

for (i = 0; i < 100000; i++)
test();
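Review bot: The loop calls test() but never checks what foo() returns, so this test only shows that compiling the zero-argument call does not crash. Consider asserting inside the loop that the result is an object whose prototype is Object.prototype, which would also check the structure chosen on the NewObject path, and adding a second function that calls foo with one argument so the CallObjectConstructor branch stays covered. Style: the counter in `for (i = 0; ...)` is an implicit global where `let i` would match the `let foo` declaration, and `let foo = Object` is missing its semicolon.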
