[Webkit-unassigned] [Bug 68500] DFG does not support compiling functions as constructors

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 21 14:58:05 PDT 2011

https://bugs.webkit.org/show_bug.cgi?id=68500

--- Comment #3 from Filip Pizlo <fpizlo at apple.com>  2011-09-21 14:58:05 PST ---
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1538
> > +        SpeculateCellOperand proto(this, node.child1());
> 
> 'this' is always a cell. Does the DFG know that? Something good to fix in a follow-up patch, if not. (SpeculateCellOperand here is fine, but you should make sure the branch gets elided under the covers.)

The code you're referring to is speculating that the function.prototype is a cell.  Is that guaranteed?

> 
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1563
> > +        // Need to verify that the prototype is an object. If we have reason to believe
> > +        // that it's a FinalObject then we speculate on that directly. Otherwise we
> > +        // do the slow (structure-based) check.
> > +        if (shouldSpeculateFinalObject(node.child1()))
> > +            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(protoGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsFinalObjectVPtr)));
> > +        else {
> > +            m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSCell::structureOffset()), scratchGPR);
> > +            slowPath.append(m_jit.branch8(MacroAssembler::Below, MacroAssembler::Address(scratchGPR, Structure::typeInfoTypeOffset()), MacroAssembler::TrustedImm32(ObjectType)));
> > +        }
> > +        
> > +        // Load the inheritorID (the Structure that objects who have protoGPR as the prototype
> > +        // use to refer to that prototype). If the inheritorID is not set, go to slow path.
> > +        m_jit.loadPtr(MacroAssembler::Address(protoGPR, JSObject::offsetOfInheritorID()), scratchGPR);
> > +        slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, scratchGPR));
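Review bot: the two object checks in this hunk fail to different places. A FinalObject vptr mismatch goes through speculationCheck (an OSR exit), while the structure-based type check (`branch8(Below, ... typeInfoTypeOffset(), ObjectType)`) and the missing-inheritorID test both append to slowPath. If a wrong shouldSpeculateFinalObject guess is expected to be rare enough to justify exiting, the comment above the `if` should say so; otherwise route it to slowPath as well so a mispredicted prototype kind is handled without leaving the DFG code. The comment "Need to verify that the prototype is an object" also only describes the else branch; the FinalObject branch compares the exact vptr, which is a stronger check, and the comment should make that distinction.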
> 
> You could remove all of this loading and  branching in a follow-up patch if you made assignments to function.prototype eagerly jettison the function's constructor code.

That would be interesting.  It would have to be done carefully, like making sure that there is no way any other JS code can execute in the prologue of the constructor.  I think that this should be trivially true once you know that .prototype is not insane.

For now though, I'm going for softer targets.  Like all of the insanity on the put_by_id's that follow create_this.  We don't do anything special for them right now in DFG.
