Changeset 230488 in webkit

Timestamp:

Apr 10, 2018 12:45:54 PM (6 years ago)

Author:

fpizlo@apple.com

Message:

DFG AI and clobberize should agree with each other
​https://bugs.webkit.org/show_bug.cgi?id=184440

Reviewed by Saam Barati.

JSTests:

Add tests for all of the bugs I fixed.

• stress/direct-arguments-out-of-bounds-change-structure.js: Added.

(foo):

• stress/new-typed-array-cse-effects.js: Added.

(foo):

• stress/scoped-arguments-out-of-bounds-change-structure.js: Added.

(foo.theO):
(foo):

• stress/string-from-char-code-change-structure-not-dead.js: Added.

(foo):
(i.valueOf):
(weirdValue.valueOf):

• stress/string-from-char-code-change-structure.js: Added.

(foo):
(i.valueOf):
(weirdValue.valueOf):

Source/JavaScriptCore:

One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
agree with each other. That's what this patch does: it adds an assertion that AI's structure
state tracking must be equivalent to JSCell_structureID being clobbered.

One subtlety is that AI sometimes folds away structure clobbering using information that
clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
ObservedTransitions).

This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
clobberize missing a write(Heap).

This also makes some cases more precise in order to appease the assertion. Making things more
precise might make things faster, but I didn't measure it because that wasn't the goal.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• dfg/DFGAbstractInterpreter.h:
• dfg/DFGAbstractInterpreterClobberState.cpp: Added.

(WTF::printInternal):

• dfg/DFGAbstractInterpreterClobberState.h: Added.

(JSC::DFG::mergeClobberStates):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
(JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.

• dfg/DFGAtTailAbstractState.h:

(JSC::DFG::AtTailAbstractState::setClobberState):
(JSC::DFG::AtTailAbstractState::mergeClobberState):
(JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.

• dfg/DFGCFAPhase.cpp:

(JSC::DFG::CFAPhase::performBlockCFA):

• dfg/DFGClobberSet.cpp:

(JSC::DFG::writeSet):

• dfg/DFGClobberSet.h:
• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGInPlaceAbstractState.h:

(JSC::DFG::InPlaceAbstractState::clobberState const):
(JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
(JSC::DFG::InPlaceAbstractState::didClobber const):
(JSC::DFG::InPlaceAbstractState::setClobberState):
(JSC::DFG::InPlaceAbstractState::mergeClobberState):
(JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/direct-arguments-out-of-bounds-change-structure.js (added)
• JSTests/stress/new-typed-array-cse-effects.js (added)
• JSTests/stress/scoped-arguments-out-of-bounds-change-structure.js (added)
• JSTests/stress/string-from-char-code-change-structure-not-dead.js (added)
• JSTests/stress/string-from-char-code-change-structure.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/Sources.txt (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterClobberState.cpp (added)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterClobberState.h (added)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (33 diffs)
• Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCFAPhase.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGClobberSet.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGClobberSet.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2018-04-10  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG AI and clobberize should agree with each other
+        https://bugs.webkit.org/show_bug.cgi?id=184440
+
+        Reviewed by Saam Barati.
+        
+        Add tests for all of the bugs I fixed.
+
+        * stress/direct-arguments-out-of-bounds-change-structure.js: Added.
+        (foo):
+        * stress/new-typed-array-cse-effects.js: Added.
+        (foo):
+        * stress/scoped-arguments-out-of-bounds-change-structure.js: Added.
+        (foo.theO):
+        (foo):
+        * stress/string-from-char-code-change-structure-not-dead.js: Added.
+        (foo):
+        (i.valueOf):
+        (weirdValue.valueOf):
+        * stress/string-from-char-code-change-structure.js: Added.
+        (foo):
+        (i.valueOf):
+        (weirdValue.valueOf):
+
 2018-04-09  Leo Balter  <leonardo.balter@gmail.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2018-04-09  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG AI and clobberize should agree with each other
+        https://bugs.webkit.org/show_bug.cgi?id=184440
+
+        Reviewed by Saam Barati.
+        
+        One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
+        agree with each other. That's what this patch does: it adds an assertion that AI's structure
+        state tracking must be equivalent to JSCell_structureID being clobbered.
+        
+        One subtlety is that AI sometimes folds away structure clobbering using information that
+        clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
+        ObservedTransitions).
+        
+        This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
+        clobberize missing a write(Heap).
+        
+        This also makes some cases more precise in order to appease the assertion. Making things more
+        precise might make things faster, but I didn't measure it because that wasn't the goal.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * dfg/DFGAbstractInterpreter.h:
+        * dfg/DFGAbstractInterpreterClobberState.cpp: Added.
+        (WTF::printInternal):
+        * dfg/DFGAbstractInterpreterClobberState.h: Added.
+        (JSC::DFG::mergeClobberStates):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions):
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
+        * dfg/DFGAtTailAbstractState.h:
+        (JSC::DFG::AtTailAbstractState::setClobberState):
+        (JSC::DFG::AtTailAbstractState::mergeClobberState):
+        (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
+        * dfg/DFGCFAPhase.cpp:
+        (JSC::DFG::CFAPhase::performBlockCFA):
+        * dfg/DFGClobberSet.cpp:
+        (JSC::DFG::writeSet):
+        * dfg/DFGClobberSet.h:
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGInPlaceAbstractState.h:
+        (JSC::DFG::InPlaceAbstractState::clobberState const):
+        (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const):
+        (JSC::DFG::InPlaceAbstractState::didClobber const):
+        (JSC::DFG::InPlaceAbstractState::setClobberState):
+        (JSC::DFG::InPlaceAbstractState::mergeClobberState):
+        (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.
+
 2018-04-10  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -343 +343 @@
                 0F5CF9841E9D537700C18692 /* AirLowerStackArgs.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5CF9831E9D537500C18692 /* AirLowerStackArgs.h */; };
                 0F5CF9891E9ED65200C18692 /* AirStackAllocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5CF9871E9ED64E00C18692 /* AirStackAllocation.h */; };
+                0F5E0FD8207C72730097F0DE /* DFGAbstractInterpreterClobberState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */; };
                 0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5EF91C16878F78003E5C25 /* JITThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F5F08CF146C7633000472A9 /* UnconditionalFinalizer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5F08CE146C762F000472A9 /* UnconditionalFinalizer.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2347 +2348 @@
                 0F5CF9871E9ED64E00C18692 /* AirStackAllocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AirStackAllocation.h; path = b3/air/AirStackAllocation.h; sourceTree = "<group>"; };
                 0F5D085C1B8CF99D001143B4 /* DFGNodeOrigin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGNodeOrigin.cpp; path = dfg/DFGNodeOrigin.cpp; sourceTree = "<group>"; };
+                0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAbstractInterpreterClobberState.h; path = dfg/DFGAbstractInterpreterClobberState.h; sourceTree = "<group>"; };
+                0F5E0FD7207C72710097F0DE /* DFGAbstractInterpreterClobberState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGAbstractInterpreterClobberState.cpp; path = dfg/DFGAbstractInterpreterClobberState.cpp; sourceTree = "<group>"; };
                 0F5EF91B16878F78003E5C25 /* JITThunks.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITThunks.cpp; sourceTree = "<group>"; };
                 0F5EF91C16878F78003E5C25 /* JITThunks.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITThunks.h; sourceTree = "<group>"; };
@@ -7092 +7095 @@
                                 A77A423717A0BBFD00A8DB81 /* DFGAbstractHeap.h */,
                                 A704D8FE17A0BAA8006BA554 /* DFGAbstractInterpreter.h */,
+                                0F5E0FD7207C72710097F0DE /* DFGAbstractInterpreterClobberState.cpp */,
+                                0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */,
                                 A704D8FF17A0BAA8006BA554 /* DFGAbstractInterpreterInlines.h */,
                                 0F55C19317276E4600CEABFD /* DFGAbstractValue.cpp */,
@@ -8216 +8221 @@
                                 8B3BF5E41E3D368B0076A87A /* AsyncGeneratorPrototype.lut.h in Headers */,
                                 8BC064961E1D845C00B2B8CA /* AsyncIteratorPrototype.h in Headers */,
+                                0F5E0FD8207C72730097F0DE /* DFGAbstractInterpreterClobberState.h in Headers */,
                                 6A38CFAA1E32B5AB0060206F /* AsyncStackTrace.h in Headers */,
                                 0F7CF9571DC125900098CC12 /* AtomicsObject.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -275 +275 @@
 
 dfg/DFGAbstractHeap.cpp
+dfg/DFGAbstractInterpreterClobberState.cpp
 dfg/DFGAbstractValue.cpp
 dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

@@ -151 +151 @@
 private:
     void clobberWorld(const CodeOrigin&, unsigned indexInBlock);
+    void didFoldClobberWorld();
     
     template<typename Functor>
@@ -156 +157 @@
     
     void clobberStructures(unsigned indexInBlock);
+    void didFoldClobberStructures();
+    
     void observeTransition(unsigned indexInBlock, RegisteredStructure from, RegisteredStructure to);
     void observeTransitions(unsigned indexInBlock, const TransitionVector&);
-    void setDidClobber();
     
     enum BooleanResult {

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -30 +30 @@
 #include "ArrayConstructor.h"
 #include "DFGAbstractInterpreter.h"
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DOMJITGetterSetter.h"
 #include "DOMJITSignature.h"
@@ -98 +99 @@
     ASSERT(m_state.isValid());
     
-    m_state.setDidClobber(false);
+    m_state.setClobberState(AbstractInterpreterClobberState::NotClobbered);
 }
 
@@ -330 +331 @@
         // itself into a straight-line sequence of GetStack/PutStack.
         // https://bugs.webkit.org/show_bug.cgi?id=143071
-        clobberWorld(node->origin.semantic, clobberLimit);
+        switch (node->op()) {
+        case LoadVarargs:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        case ForwardVarargs:
+            break;
+        default:
+            DFG_CRASH(m_graph, node, "Bad opcode");
+            break;
+        }
         LoadVarargsData* data = node->loadVarargsData();
         m_state.variables().operand(data->count).setType(SpecInt32Only);
@@ -610 +620 @@
         JSValue operand = forNode(node->child1()).value();
         if (std::optional<double> number = operand.toNumberFromPrimitive()) {
+            switch (node->child1().useKind()) {
+            case Int32Use:
+            case KnownInt32Use:
+                break;
+            default:
+                didFoldClobberWorld();
+                break;
+            }
             uint32_t value = toUInt32(*number);
             setConstant(node, jsNumber(clz32(value)));
@@ -1017 +1035 @@
         JSValue operand = forNode(node->child1()).value();
         if (std::optional<double> number = operand.toNumberFromPrimitive()) {
+            if (node->child1().useKind() != DoubleRepUse)
+                didFoldClobberWorld();
+            
             double roundedValue = 0;
             if (node->op() == ArithRound)
@@ -1516 +1537 @@
     case CompareGreaterEq:
     case CompareEq: {
+        bool isClobbering = node->isBinaryUseKind(UntypedUse);
+        
+        if (isClobbering)
+            didFoldClobberWorld();
+        
         JSValue leftConst = forNode(node->child1()).value();
         JSValue rightConst = forNode(node->child2()).value();
@@ -1637 +1663 @@
         }
 
-        if (node->isBinaryUseKind(UntypedUse))
+        if (isClobbering)
             clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(SpecBoolean);
@@ -1724 +1750 @@
         
     case StringFromCharCode:
+        switch (node->child1().useKind()) {
+        case Int32Use:
+            break;
+        case UntypedUse:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        default:
+            DFG_CRASH(m_graph, node, "Bad use kind");
+            break;
+        }
         forNode(node).setType(m_graph, SpecString);
         break;
@@ -1784 +1820 @@
         case Array::DirectArguments:
         case Array::ScopedArguments:
+            if (node->arrayMode().isOutOfBounds())
+                clobberWorld(node->origin.semantic, clobberLimit);
             forNode(node).makeHeapTop();
             break;
@@ -2070 +2108 @@
         JSValue childConst = forNode(node->child1()).value();
         if (childConst && childConst.isNumber()) {
+            didFoldClobberWorld();
             setConstant(node, childConst);
             break;
@@ -2078 +2117 @@
         if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
             m_state.setFoundConstants(true);
+            didFoldClobberWorld();
             forNode(node) = forNode(node->child1());
             break;
@@ -2091 +2131 @@
         JSValue childConst = forNode(node->child1()).value();
         if (childConst && childConst.isNumber()) {
+            didFoldClobberWorld();
             setConstant(node, childConst);
             break;
@@ -2099 +2140 @@
         if (!(forNode(node->child1()).m_type & ~SpecBytecodeNumber)) {
             m_state.setFoundConstants(true);
+            didFoldClobberWorld();
             forNode(node) = forNode(node->child1());
             break;
@@ -2142 +2184 @@
             if (2 <= radix && radix <= 36) {
                 m_state.setFoundConstants(true);
+                didFoldClobberWorld();
                 forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
                 break;
@@ -2185 +2228 @@
 
     case Spread:
-        if (!m_graph.canDoFastSpread(node, forNode(node->child1())))
-            clobberWorld(node->origin.semantic, clobberLimit);
+        switch (node->child1()->op()) {
+        case PhantomNewArrayBuffer:
+        case PhantomCreateRest:
+            break;
+        default:
+            if (!m_graph.canDoFastSpread(node, forNode(node->child1())))
+                clobberWorld(node->origin.semantic, clobberLimit);
+            else
+                didFoldClobberWorld();
+            break;
+        }
 
         forNode(node).set(
@@ -2268 +2320 @@
                             m_graph.watchpoints().addLazily(rareData->allocationProfileWatchpointSet());
                             m_state.setFoundConstants(true);
+                            didFoldClobberWorld();
                             forNode(node).set(m_graph, structure);
                             break;
@@ -2292 +2345 @@
         if (!(source.m_type & ~SpecObject)) {
             m_state.setFoundConstants(true);
+            if (node->op() == ToObject)
+                didFoldClobberWorld();
             destination = source;
             break;
@@ -2316 +2371 @@
     case PhantomNewRegexp:
     case BottomValue:
-        m_state.setDidClobber(true); // Prevent constant folding.
         // This claims to return bottom.
         break;
@@ -2521 +2575 @@
     case GetById:
     case GetByIdFlush: {
-        if (!node->prediction()) {
-            m_state.setIsValid(false);
-            break;
-        }
-        
         AbstractValue& value = forNode(node->child1());
         if (value.m_structure.isFinite()
@@ -2545 +2594 @@
                 }
                 m_state.setFoundConstants(true);
+                didFoldClobberWorld();
                 forNode(node) = result;
                 break;
@@ -2674 +2724 @@
     case PutStructure:
         if (!forNode(node->child1()).m_structure.isClear()) {
-            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
+            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next) {
+                didFoldClobberStructures();
                 m_state.setFoundConstants(true);
-            else {
+            } else {
                 observeTransition(
                     clobberLimit, node->transition()->previous, node->transition()->next);
@@ -2689 +2740 @@
         // FIXME: We don't model the fact that the structureID is nuked, simply because currently
         // nobody would currently benefit from having that information. But it's a bug nonetheless.
+        if (node->op() == NukeStructureAndSetButterfly)
+            didFoldClobberStructures();
         forNode(node).clear(); // The result is not a JS value.
         break;
@@ -2788 +2841 @@
     case Arrayify: {
         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
+            didFoldClobberStructures();
             m_state.setFoundConstants(true);
             break;
@@ -2879 +2933 @@
 
             if (prototype && canFold) {
+                switch (node->child1().useKind()) {
+                case ArrayUse:
+                case FunctionUse:
+                case FinalObjectUse:
+                    break;
+                default:
+                    didFoldClobberWorld();
+                    break;
+                }
                 setConstant(node, *m_graph.freeze(prototype));
                 break;
@@ -3010 +3073 @@
         AbstractValue resultingValue;
         
+        if (node->multiPutByOffsetData().writesStructures())
+            didFoldClobberStructures();
+            
         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
@@ -3140 +3206 @@
                     m_state.setFoundConstants(true);
                 
+                didFoldClobberWorld();
                 observeTransitions(clobberLimit, transitions);
                 if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
@@ -3367 +3434 @@
                 && (radix.asNumber() == 0 || radix.asNumber() == 10)) {
                 m_state.setFoundConstants(true);
+                if (node->child1().useKind() == UntypedUse)
+                    didFoldClobberWorld();
                 forNode(node).setType(SpecInt32Only);
                 break;
@@ -3467 +3536 @@
 {
     clobberStructures(clobberLimit);
+}
+
+template<typename AbstractStateType>
+void AbstractInterpreter<AbstractStateType>::didFoldClobberWorld()
+{
+    didFoldClobberStructures();
 }
 
@@ -3502 +3577 @@
 {
     forAllValues(clobberLimit, AbstractValue::clobberStructuresFor);
-    setDidClobber();
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ClobberedStructures);
+    m_state.setStructureClobberState(StructuresAreClobbered);
+}
+
+template<typename AbstractStateType>
+void AbstractInterpreter<AbstractStateType>::didFoldClobberStructures()
+{
+    m_state.mergeClobberState(AbstractInterpreterClobberState::FoldedClobber);
 }
 
@@ -3513 +3595 @@
     
     ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
+    
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ObservedTransitions);
 }
 
@@ -3519 +3603 @@
     unsigned clobberLimit, const TransitionVector& vector)
 {
+    if (vector.isEmpty())
+        return;
+    
     AbstractValue::TransitionsObserver transitionsObserver(vector);
     forAllValues(clobberLimit, transitionsObserver);
@@ -3527 +3614 @@
             ASSERT(!vector[i].previous->dfgShouldWatch());
     }
-}
-
-template<typename AbstractStateType>
-void AbstractInterpreter<AbstractStateType>::setDidClobber()
-{
-    m_state.setDidClobber(true);
-    m_state.setStructureClobberState(StructuresAreClobbered);
+
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ObservedTransitions);
 }
 
@@ -3633 +3715 @@
     JSValue child = forNode(node->child1()).value();
     if (std::optional<double> number = child.toNumberFromPrimitive()) {
+        if (node->child1().useKind() != DoubleRepUse)
+            didFoldClobberWorld();
         setConstant(node, jsDoubleNumber(equivalentFunction(*number)));
         return;

trunk/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DFGAbstractValue.h"
 #include "DFGBasicBlock.h"
@@ -60 +61 @@
     StructureClobberState structureClobberState() const { return m_block->cfaStructureClobberStateAtTail; }
     
-    void setDidClobber(bool) { }
+    void setClobberState(AbstractInterpreterClobberState) { }
+    void mergeClobberState(AbstractInterpreterClobberState) { }
     void setStructureClobberState(StructureClobberState state) { RELEASE_ASSERT(state == m_block->cfaStructureClobberStateAtTail); }
     void setIsValid(bool isValid) { m_block->cfaDidFinish = isValid; }

trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 
 #include "DFGAbstractInterpreterInlines.h"
+#include "DFGClobberSet.h"
 #include "DFGGraph.h"
 #include "DFGInPlaceAbstractState.h"
@@ -164 +165 @@
         }
         for (unsigned i = 0; i < block->size(); ++i) {
+            Node* node = block->at(i);
             if (m_verbose) {
-                Node* node = block->at(i);
                 dataLogF("      %s @%u: ", Graph::opName(node->op()), node->index());
                 
@@ -180 +181 @@
                 break;
             }
+            
+            if (m_state.didClobberOrFolded() != writesOverlap(m_graph, node, JSCell_structureID))
+                DFG_CRASH(m_graph, node, toCString("AI-clobberize disagreement; AI says ", m_state.clobberState(), " while clobberize says ", writeSet(m_graph, node)).data());
         }
         if (m_verbose) {

trunk/Source/JavaScriptCore/dfg/DFGClobberSet.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -159 +159 @@
 }
 
+ClobberSet writeSet(Graph& graph, Node* node)
+{
+    ClobberSet result;
+    addWrites(graph, node, result);
+    return result;
+}
+
 bool readsOverlap(Graph& graph, Node* node, ClobberSet& readSet)
 {

trunk/Source/JavaScriptCore/dfg/DFGClobberSet.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -114 +114 @@
 void addReadsAndWrites(Graph&, Node*, ClobberSet& reads, ClobberSet& writes);
 
+ClobberSet writeSet(Graph&, Node*);
+
 bool readsOverlap(Graph&, Node*, ClobberSet&);
 bool writesOverlap(Graph&, Node*, ClobberSet&);

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -955 +955 @@
             
         case Array::ArrayStorage:
+            if (node->arrayMode().isOutOfBounds()) {
+                read(World);
+                write(Heap);
+                return;
+            }
+            read(Butterfly_publicLength);
+            read(Butterfly_vectorLength);
+            read(ArrayStorageProperties);
+            write(ArrayStorageProperties);
+            if (node->arrayMode().mayStoreToHole())
+                write(Butterfly_publicLength);
+            return;
+
         case Array::SlowPutArrayStorage:
-            // Give up on life for now.
-            read(World);
-            write(Heap);
+            if (node->arrayMode().mayStoreToHole()) {
+                read(World);
+                write(Heap);
+                return;
+            }
+            read(Butterfly_publicLength);
+            read(Butterfly_vectorLength);
+            read(ArrayStorageProperties);
+            write(ArrayStorageProperties);
             return;
 
@@ -1297 +1316 @@
 
     case NewArrayWithSize:
-    case NewTypedArray:
         read(HeapObjectCount);
         write(HeapObjectCount);
         return;
+
+    case NewTypedArray:
+        switch (node->child1().useKind()) {
+        case Int32Use:
+            read(HeapObjectCount);
+            write(HeapObjectCount);
+            return;
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+        default:
+            DFG_CRASH(graph, node, "Bad use kind");
+        }
+        break;
 
     case NewArrayWithSpread: {
@@ -1538 +1571 @@
             return;
         }
-        
+
         if (node->isBinaryUseKind(UntypedUse)) {
             read(World);

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -784 +784 @@
             }
                 
+            case PhantomNewObject:
+            case PhantomNewFunction:
+            case PhantomNewGeneratorFunction:
+            case PhantomNewAsyncGeneratorFunction:
+            case PhantomNewAsyncFunction:
+            case PhantomCreateActivation:
+            case PhantomDirectArguments:
+            case PhantomClonedArguments:
+            case PhantomCreateRest:
+            case PhantomSpread:
+            case PhantomNewArrayWithSpread:
+            case PhantomNewArrayBuffer:
+            case PhantomNewRegexp:
+            case BottomValue:
+                alreadyHandled = true;
+                break;
+
             default:
                 break;

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -686 +686 @@
             
         case StringFromCharCode:
-            if (node->child1()->shouldSpeculateInt32())
+            if (node->child1()->shouldSpeculateInt32()) {
                 fixEdge<Int32Use>(node->child1());
-            else
+                node->clearFlags(NodeMustGenerate);
+            } else
                 fixEdge<UntypedUse>(node->child1());
             break;

trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DFGAbstractValue.h"
 #include "DFGBranchDirection.h"
@@ -91 +92 @@
     void reset();
     
+    AbstractInterpreterClobberState clobberState() const { return m_clobberState; }
+    
+    // Would have the last executed node clobbered things had we not found a way to fold it?
+    bool didClobberOrFolded() const { return clobberState() != AbstractInterpreterClobberState::NotClobbered; }
+    
     // Did the last executed node clobber the world?
-    bool didClobber() const { return m_didClobber; }
+    bool didClobber() const { return clobberState() == AbstractInterpreterClobberState::ClobberedStructures; }
     
     // Are structures currently clobbered?
@@ -115 +121 @@
     
     // Methods intended to be called from AbstractInterpreter.
-    void setDidClobber(bool didClobber) { m_didClobber = didClobber; }
+    void setClobberState(AbstractInterpreterClobberState state) { m_clobberState = state; }
+    void mergeClobberState(AbstractInterpreterClobberState state) { m_clobberState = mergeClobberStates(m_clobberState, state); }
     void setStructureClobberState(StructureClobberState value) { m_structureClobberState = value; }
     void setIsValid(bool isValid) { m_isValid = isValid; }
@@ -146 +153 @@
     
     bool m_isValid;
-    bool m_didClobber;
+    AbstractInterpreterClobberState m_clobberState;
     StructureClobberState m_structureClobberState;
     

trunk/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -283 +283 @@
     macro(StringCharCodeAt, NodeResultInt32) \
     macro(StringCharAt, NodeResultJS) \
-    macro(StringFromCharCode, NodeResultJS) \
+    macro(StringFromCharCode, NodeResultJS | NodeMustGenerate) \
     \
     /* Nodes for comparison operations. */\