Context Navigation

← Previous Changeset
Next Changeset →

Changeset 227742 in webkit

Timestamp:

Jan 29, 2018 11:13:45 AM (6 years ago)

Author:

msaboff@apple.com

Message:

REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
https://bugs.webkit.org/show_bug.cgi?id=182249

Reviewed by Keith Miller.

JSTests:

New regression test.

stress/compare-clobber-untypeduse.js: Added.

Source/JavaScriptCore:

Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
Untyped and Object values when compared against built in types. Such comparisons can
invoke toNumber() or other methods.

dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/compare-clobber-untypeduse.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r227738
+                      r227742
+-01-29  Michael Saboff  <msaboff@apple.com>
+        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+        https://bugs.webkit.org/show_bug.cgi?id=182249
+        Reviewed by Keith Miller.
+        New regression test.
+        * stress/compare-clobber-untypeduse.js: Added.
 -01-29  Matt Lewis  <jlewis3@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r227738
+                      r227742
+-01-29  Michael Saboff  <msaboff@apple.com>
+        REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+        https://bugs.webkit.org/show_bug.cgi?id=182249
+        Reviewed by Keith Miller.
+        Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
+        Untyped and Object values when compared against built in types.  Such comparisons can
+        invoke toNumber() or other methods.
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
 -01-29  Matt Lewis  <jlewis3@apple.com>

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

-                      r227723
+                      r227742
             return;
+        }
+        if (!node->isBinaryUseKind(UntypedUse)) {
+        if (node->op() == CompareEq && node->isBinaryUseKind(ObjectUse)) {
             def(PureValue(node));
             return;
+        }
+        read(World);
+        write(Heap);
+        if (node->child1().useKind() == UntypedUse || node->child1().useKind() == ObjectUse
+            || node->child2().useKind() == UntypedUse || node->child2().useKind() == ObjectUse) {
+            read(World);
+            write(Heap);
+            return;
+        }
+        def(PureValue(node));
         return;

Note: See TracChangeset for help on using the changeset viewer.