<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><span class="vcard"><a class="email" href="mailto:fpizlo&#64;apple.com" title="Filip Pizlo &lt;fpizlo&#64;apple.com&gt;"> <span class="fn">Filip Pizlo</span></a>

</span> changed

              <a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Strict Equality on objects should only check that one of the two sides is an object."

   href="https://bugs.webkit.org/show_bug.cgi?id=145992">bug 145992</a>

        <br>

             <table border="1" cellspacing="0" cellpadding="8">

          <tr>

            <th>What</th>

            <th>Removed</th>

            <th>Added</th>

          </tr>

         <tr>

           <td style="text-align:right;">Attachment #255056 Flags</td>

           <td>review?

           </td>

           <td>review-

           </td>

         </tr></table>

      <p>

        <div>

            <b><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Strict Equality on objects should only check that one of the two sides is an object."

   href="https://bugs.webkit.org/show_bug.cgi?id=145992#c21">Comment # 21</a>

              on <a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Strict Equality on objects should only check that one of the two sides is an object."

   href="https://bugs.webkit.org/show_bug.cgi?id=145992">bug 145992</a>

              from <span class="vcard"><a class="email" href="mailto:fpizlo&#64;apple.com" title="Filip Pizlo &lt;fpizlo&#64;apple.com&gt;"> <span class="fn">Filip Pizlo</span></a>

</span></b>

        <pre>Comment on <span class=""><a href="attachment.cgi?id=255056&amp;action=diff" name="attach_255056" title="New Patch">attachment 255056</a> <a href="attachment.cgi?id=255056&amp;action=edit" title="New Patch">[details]</a></span>

New Patch

View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=255056&amp;action=review">https://bugs.webkit.org/attachment.cgi?id=255056&amp;action=review</a>

<span class="quote">&gt; Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1177

&gt; +    SpeculateCellOperand op2(this, node-&gt;child2(), ManualOperandSpeculation);</span >

This is wrong.  You should be using JSValueOperand if the right hand side is UntypedUse.

<span class="quote">&gt; Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1185

&gt; +    if (m_state.forNode(node-&gt;child1()).m_type &amp; ~SpecObject) {

&gt; +        speculationCheck(

&gt; +            BadType, JSValueSource::unboxedCell(op1GPR), node-&gt;child1(), m_jit.branchIfNotObject(op1GPR));

&gt; +    }</span >

You should use DFG_TYPE_CHECK.

<span class="quote">&gt; Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:1190

&gt; +    JSValueOperand op2(this, node-&gt;child2(), ManualOperandSpeculation);</span >

You shouldn't need ManualOperandSpeculation if you're calling this with child2 having UntypedUse.

<span class="quote">&gt; Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1302

&gt; +    JSValueOperand op2(this, node-&gt;child2(), ManualOperandSpeculation);</span >

Ditto.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>