Title: [204140] trunk
- Revision
- 204140
- Author
- [email protected]
- Date
- 2016-08-04 14:11:16 -0700 (Thu, 04 Aug 2016)
Log Message
ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
https://bugs.webkit.org/show_bug.cgi?id=160562
JSTests:
Reviewed by Mark Lam.
* stress/instanceof-late-constant-folding.js: Added.
(Constructor):
(value):
(body):
Source/_javascript_Core:
<rdar://problem/27704825>
Reviewed by Mark Lam.
This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
associated with the assumption that this could not happen.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (204139 => 204140)
--- trunk/JSTests/ChangeLog 2016-08-04 21:07:21 UTC (rev 204139)
+++ trunk/JSTests/ChangeLog 2016-08-04 21:11:16 UTC (rev 204140)
@@ -1,3 +1,15 @@
+2016-08-04 Keith Miller <[email protected]>
+
+ ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
+ https://bugs.webkit.org/show_bug.cgi?id=160562
+
+ Reviewed by Mark Lam.
+
+ * stress/instanceof-late-constant-folding.js: Added.
+ (Constructor):
+ (value):
+ (body):
+
2016-08-04 Caitlin Potter <[email protected]>
[JSC] fix generator-syntax.js JSTest again after yield grammar fix
Added: trunk/JSTests/stress/instanceof-late-constant-folding.js (0 => 204140)
--- trunk/JSTests/stress/instanceof-late-constant-folding.js (rev 0)
+++ trunk/JSTests/stress/instanceof-late-constant-folding.js 2016-08-04 21:11:16 UTC (rev 204140)
@@ -0,0 +1,19 @@
+function Constructor(x) {}
+
+Object.defineProperty(Constructor, Symbol.hasInstance, {value: function() { return false; }});
+
+x = new Constructor();
+
+function body() {
+ var result = 0;
+ for (var i = 0; i < 100000; i++) {
+ if (x instanceof Constructor)
+ result++;
+ }
+
+ return result;
+}
+noInline(body);
+
+if (body())
+ throw "result incorrect";
Modified: trunk/Source/_javascript_Core/ChangeLog (204139 => 204140)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-04 21:07:21 UTC (rev 204139)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-04 21:11:16 UTC (rev 204140)
@@ -1,5 +1,22 @@
2016-08-04 Keith Miller <[email protected]>
+ ASSERTION FAILED: !hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell()
+ https://bugs.webkit.org/show_bug.cgi?id=160562
+ <rdar://problem/27704825>
+
+ Reviewed by Mark Lam.
+
+ This patch fixes an issue where we would emit incorrect code in the DFG when constant folding would
+ convert a GetByOffset into a constant late in compilation. Additionally, it removes invalid assertions
+ associated with the assumption that this could not happen.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileOverridesHasInstance): Deleted.
+
+2016-08-04 Keith Miller <[email protected]>
+
Remove unused intrinsic member of NativeExecutable
https://bugs.webkit.org/show_bug.cgi?id=160560
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (204139 => 204140)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-04 21:07:21 UTC (rev 204139)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-04 21:11:16 UTC (rev 204140)
@@ -4576,11 +4576,10 @@
GPRReg resultGPR = result.gpr();
- // If we have proven that the constructor's Symbol.hasInstance will always be the one on Function.prototype[Symbol.hasInstance]
- // then we don't need a runtime check here. We don't worry about the case where the constructor's Symbol.hasInstance is a constant
- // but is not the default one as fixup should have converted this check to true.
- ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
- if (!hasInstanceValueNode->isCellConstant())
+ // It would be great if constant folding handled automatically the case where we knew the hasInstance function
+ // was a constant. Unfortunately, the folding rule for OverridesHasInstance is in the strength reduction phase
+ // since it relies on OSR information. https://bugs.webkit.org/show_bug.cgi?id=154832
+ if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell())
notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction));
// Check that base 'ImplementsDefaultHasInstance'.
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (204139 => 204140)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-08-04 21:07:21 UTC (rev 204139)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-08-04 21:11:16 UTC (rev 204140)
@@ -6482,8 +6482,6 @@
// Unlike in the DFG, we don't worry about cleaning this code up for the case where we have proven the hasInstanceValue is a constant as B3 should fix it for us.
- ASSERT(!m_node->child2().node()->isCellConstant() || defaultHasInstanceFunction == m_node->child2().node()->asCell());
-
ValueFromBlock notDefaultHasInstanceResult = m_out.anchor(m_out.booleanTrue);
m_out.branch(m_out.notEqual(hasInstance, m_out.constIntPtr(defaultHasInstanceFunction)), unsure(continuation), unsure(defaultHasInstance));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
