[Webkit-unassigned] [Bug 163208] [ES6]. Implement Annex B.3.3 function hoisting rules for eval

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 23 17:34:01 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=163208

--- Comment #20 from GSkachkov <gskachkov at gmail.com> ---
Comment on attachment 296084
  --> https://bugs.webkit.org/attachment.cgi?id=296084
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=296084&action=review

>> Source/JavaScriptCore/bytecode/CodeBlock.cpp:2876
>> +        // Fixme: we do not have llint optimization for those op_codes
> 
> Please file a bug for this if you think we should do it. That said, this is way more than a LLInt optimization, knowing which scope you'll resolve to helps in all tiers.

Done

>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:769
>> +    }
> 
> Do you mind elaborating on your previous example for why you said this is needed, I don't quite get it.

I've removed this change. It seems that not ready yet.

>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2193
>> +    // resolve_scope dst, id, ResolveType, skipLocalScope
> 
> This comment is wrong. It has the wrong bytecode name.

Removed

>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:2208
>> +    // resolve_scope dst, scope id
> 
> Ditto.

Removed

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1109
>> +                break;
> 
> This feels wrong, AI should be able to handle a constant you don't expect. That said, I think this only allows for scope arguments, however, I think this would break if a `with` scope or some other scope was the argument to this. It seems totally possible that other scopes can be your constant argument here.

Yeah. I've just removed this part. I did not managed to find case when child.value().isObject() is valid. So Only forNode(node).setType(m_graph, SpecBoolean) is left.

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2848
>> +    case ResolveClosestVarScope:
> 
> You also need a rule for IsVarScopeType here.
> Did this not cause any issues for you? If seems like it should lead to a crash, so please add a test that stresses this.

Done

>> Source/JavaScriptCore/dfg/DFGNode.h:994
>> +    }
> 
> should be uint32_t

Removed

>> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:2118
>> +    loadisFromInstruction(4, t0)
> 
> I don't think this is needed.

Removed

>> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:2124
>> +    loadisFromInstruction(4, t0)
> 
> Ditto

Removed

>> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:2069
>> +    loadisFromInstruction(4, t0)
> 
> ditto

Removed

>> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:2075
>> +    loadisFromInstruction(4, t0)
> 
> ditto

Removed

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161224/86219ffc/attachment-0001.html>

More information about the webkit-unassigned mailing list