[webkit-changes] [WebKit/WebKit] 6cc943: Cherry-pick 259548.63 at safari-7615-branch (1b2eb138...
Yusuke Suzuki
noreply at github.com
Fri Feb 17 10:40:53 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 6cc943c3323a1a1368934c812e5e8ec08f54dcd4
https://github.com/WebKit/WebKit/commit/6cc943c3323a1a1368934c812e5e8ec08f54dcd4
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-02-17 (Fri, 17 Feb 2023)
Changed paths:
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Log Message:
-----------
Cherry-pick 259548.63 at safari-7615-branch (1b2eb138ef92). rdar://105598149
[JSC] ToThis object folding should check if AbstractValue is always an object
https://bugs.webkit.org/show_bug.cgi?id=251944
rdar://105175786
Reviewed by Geoffrey Garen and Mark Lam.
ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::isToThisAnIdentity):
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
Canonical link: https://commits.webkit.org/260455@main
More information about the webkit-changes
mailing list