[Webkit-unassigned] [Bug 145992] Strict Equality on objects should only check that one of the two sides is an object.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jun 18 13:35:54 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=145992
Filip Pizlo <fpizlo at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #255056|review? |review-
Flags| |
--- Comment #21 from Filip Pizlo <fpizlo at apple.com> ---
Comment on attachment 255056
--> https://bugs.webkit.org/attachment.cgi?id=255056
New Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=255056&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1177
> + SpeculateCellOperand op2(this, node->child2(), ManualOperandSpeculation);
This is wrong. You should be using JSValueOperand if the right hand side is UntypedUse.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1185
> + if (m_state.forNode(node->child1()).m_type & ~SpecObject) {
> + speculationCheck(
> + BadType, JSValueSource::unboxedCell(op1GPR), node->child1(), m_jit.branchIfNotObject(op1GPR));
> + }
You should use DFG_TYPE_CHECK.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:1190
> + JSValueOperand op2(this, node->child2(), ManualOperandSpeculation);
You shouldn't need ManualOperandSpeculation if you're calling this with child2 having UntypedUse.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1302
> + JSValueOperand op2(this, node->child2(), ManualOperandSpeculation);
Ditto.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150618/af8887a8/attachment.html>
More information about the webkit-unassigned
mailing list