Changeset 219895 in webkit
- Timestamp:
- Jul 25, 2017 5:45:58 PM (7 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r219889 r219895 1 2017-07-25 Keith Miller <keith_miller@apple.com> 2 3 Remove Broken CompareEq constant folding phase. 4 https://bugs.webkit.org/show_bug.cgi?id=174846 5 <rdar://problem/32978808> 6 7 Reviewed by Saam Barati. 8 9 This bug happened when we would get code like the following: 10 11 a: JSConst(Undefined) 12 b: GetLocal(SomeObjectOrUndefined) 13 ... 14 c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a) 15 16 constant folding will turn this into: 17 18 a: JSConst(Undefined) 19 b: GetLocal(SomeObjectOrUndefined) 20 ... 21 c: CompareEq(Check:ObjectOrOther:b, Other:a) 22 23 But the SpeculativeJIT/FTL lowering will fail to check b 24 properly which leads to an assertion failure in the AI. 25 26 I'll follow up with a more robust fix later. For now, I'll remove the 27 case that generates the code. Removing the code appears to be perf 28 neutral. 29 30 * dfg/DFGConstantFoldingPhase.cpp: 31 (JSC::DFG::ConstantFoldingPhase::foldConstants): 32 1 33 2017-07-25 Matt Baker <mattbaker@apple.com> 2 34 -
trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
r217108 r219895 136 136 137 137 case CompareEq: { 138 if (!m_interpreter.needsTypeCheck(node->child1(), SpecOther)) 139 node->child1().setUseKind(OtherUse); 140 if (!m_interpreter.needsTypeCheck(node->child2(), SpecOther)) 141 node->child2().setUseKind(OtherUse); 138 // FIXME: We should add back the broken folding phase here for comparisions where we prove at least one side has type SpecOther. 139 // See: https://bugs.webkit.org/show_bug.cgi?id=174844 142 140 break; 143 141 }
Note: See TracChangeset
for help on using the changeset viewer.
