[webkit-changes] [WebKit/WebKit] ae0d71: Cherry-pick 1b2eb138ef92. rdar://problem/105236768

Yusuke Suzuki noreply at github.com
Wed Feb 15 01:37:50 PST 2023


  Branch: refs/heads/webkitglib/2.38
  Home:   https://github.com/WebKit/WebKit
  Commit: ae0d71e5d25e617db34a34c7875e36e0b3838003
      https://github.com/WebKit/WebKit/commit/ae0d71e5d25e617db34a34c7875e36e0b3838003
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-02-15 (Wed, 15 Feb 2023)

  Changed paths:
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

  Log Message:
  -----------
  Cherry-pick 1b2eb138ef92. rdar://problem/105236768

    [JSC] ToThis object folding should check if AbstractValue is always an object
    https://bugs.webkit.org/show_bug.cgi?id=251944
    rdar://105175786

    Reviewed by Geoffrey Garen and Mark Lam.

    ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
    This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
    This patch adds appropriate checks to prevent converting ToThis(GlobalObject | Int32) to Undefined, for example.

    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::isToThisAnIdentity):

    Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch



