[Webkit-unassigned] [Bug 68500] DFG does not support compiling functions as constructors

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 21 14:46:10 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=68500





--- Comment #2 from Geoffrey Garen <ggaren at apple.com>  2011-09-21 14:46:10 PST ---
(From update of attachment 108234)
r=me

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1538
> +        SpeculateCellOperand proto(this, node.child1());

'this' is always a cell. Does the DFG know that? Something good to fix in a follow-up patch, if not. (SpeculateCellOperand here is fine, but you should make sure the branch gets elided under the covers.)

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1563
> +        // Need to verify that the prototype is an object. If we have reason to believe
> +        // that it's a FinalObject then we speculate on that directly. Otherwise we
> +        // do the slow (structure-based) check.
> +        if (shouldSpeculateFinalObject(node.child1()))
> +            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
> +        else {
> +            m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
> +            slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
> +        }
> +        
> +        // Load the inheritorID (the Structure that objects who have protoGPR as the prototype
> +        // use to refer to that prototype). If the inheritorID is not set, go to slow path.
> +        m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSObject::offsetOfInheritorID()), scratchGPR);
> +        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));

You could remove all of this loading and  branching in a follow-up patch if you made assignments to function.prototype eagerly jettison the function's constructor code.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list