Title: [243596] trunk
Revision: 243596
Author: sbar...@apple.com
Date: 2019-03-27 18:06:01 -0700 (Wed, 27 Mar 2019)
Log Message
validateOSREntryValue with Int52 should box the value being checked into double format
https://bugs.webkit.org/show_bug.cgi?id=196313
<rdar://problem/49306703>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/validate-int-52-ai-state.js: Added.
Source/JavaScriptCore:
* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState):
Diff
Modified: trunk/JSTests/ChangeLog (243595 => 243596)
--- trunk/JSTests/ChangeLog 2019-03-28 01:02:05 UTC (rev 243595)
+++ trunk/JSTests/ChangeLog 2019-03-28 01:06:01 UTC (rev 243596)
@@ -1,3 +1,13 @@
+2019-03-27 Saam Barati <sbar...@apple.com>
+
+ validateOSREntryValue with Int52 should box the value being checked into double format
+ https://bugs.webkit.org/show_bug.cgi?id=196313
+ <rdar://problem/49306703>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/validate-int-52-ai-state.js: Added.
+
2019-03-27 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Owner of watchpoints should validate at GC finalizing phase
Added: trunk/JSTests/stress/validate-int-52-ai-state.js (0 => 243596)
--- trunk/JSTests/stress/validate-int-52-ai-state.js (rev 0)
+++ trunk/JSTests/stress/validate-int-52-ai-state.js 2019-03-28 01:06:01 UTC (rev 243596)
@@ -0,0 +1,5 @@
+//@ runDefault("--validateAbstractInterpreterState=1")
+
+for (var i = 0; i < 10000000; ++i) {
+ fiatInt52(0.0)
+}
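Review bot: the added test only ever passes the constant 0.0 to fiatInt52 and has no comment saying what it guards against. Consider also looping over a negative value and a value outside the int32 range so the Int52 validation is exercised on more than zero, and add a one-line comment pointing at bug 196313 so the purpose of the 10000000-iteration loop is clear.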
Modified: trunk/Source/_javascript_Core/ChangeLog (243595 => 243596)
--- trunk/Source/_javascript_Core/ChangeLog 2019-03-28 01:02:05 UTC (rev 243595)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-03-28 01:06:01 UTC (rev 243596)
@@ -1,3 +1,16 @@
+2019-03-27 Saam Barati <sbar...@apple.com>
+
+ validateOSREntryValue with Int52 should box the value being checked into double format
+ https://bugs.webkit.org/show_bug.cgi?id=196313
+ <rdar://problem/49306703>
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::prepareOSREntry):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+
2019-03-27 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Owner of watchpoints should validate at GC finalizing phase
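Review bot: the new ChangeLog entry lists prepareOSREntry and validateAIState with no per-function text, and nothing in the entry explains why validateOSREntryValue needs the value boxed as a double. A sentence or two on what failed under --validateAbstractInterpreterState=1 and what each function now does would make the entry usable without opening the bug.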
Modified: trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp (243595 => 243596)
--- trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp 2019-03-28 01:02:05 UTC (rev 243595)
+++ trunk/Source/_javascript_Core/dfg/DFGOSREntry.cpp 2019-03-28 01:06:01 UTC (rev 243596)
@@ -214,7 +214,7 @@
"machine int.");
return nullptr;
}
- // Constant AnyInt value is stored as usual boxed value in AbstractValue.
+ value = jsDoubleNumber(value.asAnyInt());
format = FlushedInt52;
}
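Review bot: in prepareOSREntry the deleted comment is replaced by "value = jsDoubleNumber(value.asAnyInt());" with no comment left behind, so the reason for re-boxing is only recoverable from the ChangeLog title. Add a short comment stating that validateOSREntryValue expects an Int52 value in boxed double form. The FTL hunk guards the same conversion with RELEASE_ASSERT(input.isAnyInt()); here no such guard is visible in the hunk, so confirm that the check ending in the "return nullptr;" above covers every value that reaches asAnyInt().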
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (243595 => 243596)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-03-28 01:02:05 UTC (rev 243595)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-03-28 01:06:01 UTC (rev 243596)
@@ -649,6 +649,10 @@
dumpAndCrash();
} else {
input = JSValue::decode(context.gpr(reg));
+ if (flushFormat == FlushedInt52) {
+ RELEASE_ASSERT(input.isAnyInt());
+ input = jsDoubleNumber(input.asAnyInt());
+ }
if (!value.validateOSREntryValue(input, flushFormat))
dumpAndCrash();
}
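Review bot: the new RELEASE_ASSERT(input.isAnyInt()) in validateAIState fails differently from the checks around it, which call dumpAndCrash(). Writing it as "if (!input.isAnyInt()) dumpAndCrash();" would keep the failure handling on this path consistent with its neighbours. The boxing step is also now duplicated here and in prepareOSREntry; doing the conversion inside validateOSREntryValue when the format is FlushedInt52 would keep a future caller from missing it.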