Changeset 238436 in webkit


Ignore:
Timestamp:
Nov 21, 2018 7:39:54 PM (5 years ago)
Author:
sbarati@apple.com
Message:

Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
https://bugs.webkit.org/show_bug.cgi?id=191895
<rdar://problem/46167406>

Reviewed by Mark Lam.

JSTests:

  • stress/known-cell-use-needs-type-check-assertion.js: Added.

(foo):
(bar):

Source/JavaScriptCore:

We were asserting that the input edge should have type SpecCell but it should
really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.

This patch cleans up that assertion code by joining a bunch of cases into a
single function call which grabs the type filter for the edge UseKind and
asserts that the incoming edge meets the type filter criteria.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::speculate):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::speculate):

Location:
trunk
Files:
1 added
4 edited

Legend:

Unmodified
Added
Removed

  • trunk/JSTests/ChangeLog

    r238433 r238436  
     12018-11-21  Saam barati  <sbarati@apple.com>
     2
     3        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
     4        https://bugs.webkit.org/show_bug.cgi?id=191895
     5        <rdar://problem/46167406>
     6
     7        Reviewed by Mark Lam.
     8
     9        * stress/known-cell-use-needs-type-check-assertion.js: Added.
     10        (foo):
     11        (bar):
     12
    1132018-11-21  Mark Lam  <mark.lam@apple.com>
    214

  • trunk/Source/JavaScriptCore/ChangeLog

    r238435 r238436  
     12018-11-21  Saam barati  <sbarati@apple.com>
     2
     3        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
     4        https://bugs.webkit.org/show_bug.cgi?id=191895
     5        <rdar://problem/46167406>
     6
     7        Reviewed by Mark Lam.
     8
     9        We were asserting that the input edge should have type SpecCell but it should
     10        really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
     11       
     12        This patch cleans up that assertion code by joining a bunch of cases into a
     13        single function call which grabs the type filter for the edge UseKind and
     14        asserts that the incoming edge meets the type filter criteria.
     15
     16        * dfg/DFGSpeculativeJIT.cpp:
     17        (JSC::DFG::SpeculativeJIT::speculate):
     18        * ftl/FTLLowerDFGToB3.cpp:
     19        (JSC::FTL::DFG::LowerDFGToB3::speculate):
     20
    1212018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
    222

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r237972 r238436  
    1028710287    case UntypedUse:
    1028810288        break;
     10289    case DoubleRepUse:
     10290    case Int52RepUse:
    1028910291    case KnownInt32Use:
    10290         ASSERT(!needsTypeCheck(edge, SpecInt32Only));
    10291         break;
    10292     case DoubleRepUse:
    10293         ASSERT(!needsTypeCheck(edge, SpecFullDouble));
    10294         break;
    10295     case Int52RepUse:
    10296         ASSERT(!needsTypeCheck(edge, SpecAnyInt));
    10297         break;
    1029810292    case KnownCellUse:
    10299         ASSERT(!needsTypeCheck(edge, SpecCell));
    10300         break;
    1030110293    case KnownStringUse:
    10302         ASSERT(!needsTypeCheck(edge, SpecString));
    10303         break;
    1030410294    case KnownPrimitiveUse:
    10305         ASSERT(!needsTypeCheck(edge, SpecHeapTop & ~SpecObject));
     10295    case KnownOtherUse:
     10296    case KnownBooleanUse:
     10297        ASSERT(!m_interpreter.needsTypeCheck(edge));
    1030610298        break;
    1030710299    case Int32Use:
     
    1032810320        speculateBoolean(edge);
    1032910321        break;
    10330     case KnownBooleanUse:
    10331         ASSERT(!needsTypeCheck(edge, SpecBoolean));
    10332         break;
    1033310322    case CellUse:
    1033410323        speculateCell(edge);
     
    1040510394    case NotCellUse:
    1040610395        speculateNotCell(edge);
    10407         break;
    10408     case KnownOtherUse:
    10409         ASSERT(!needsTypeCheck(edge, SpecOther));
    1041010396        break;
    1041110397    case OtherUse:

  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r237972 r238436  
    1534015340        case DoubleRepUse:
    1534115341        case Int52RepUse:
     15342        case KnownCellUse:
     15343        case KnownBooleanUse:
    1534215344            ASSERT(!m_interpreter.needsTypeCheck(edge));
    1534315345            break;
     
    1535015352        case CellOrOtherUse:
    1535115353            speculateCellOrOther(edge);
    15352             break;
    15353         case KnownCellUse:
    15354             ASSERT(!m_interpreter.needsTypeCheck(edge));
    1535515354            break;
    1535615355        case AnyIntUse:
Note: See TracChangeset for help on using the changeset viewer.