Title: [219895] trunk/Source/_javascript_Core
- Revision
- 219895
- Author
- keith_mil...@apple.com
- Date
- 2017-07-25 17:45:58 -0700 (Tue, 25 Jul 2017)
Log Message
Remove Broken CompareEq constant folding phase.
https://bugs.webkit.org/show_bug.cgi?id=174846
<rdar://problem/32978808>
Reviewed by Saam Barati.
This bug happened when we would get code like the following:
a: JSConst(Undefined)
b: GetLocal(SomeObjectOrUndefined)
...
c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
constant folding will turn this into:
a: JSConst(Undefined)
b: GetLocal(SomeObjectOrUndefined)
...
c: CompareEq(Check:ObjectOrOther:b, Other:a)
But the SpeculativeJIT/FTL lowering will fail to check b
properly which leads to an assertion failure in the AI.
I'll follow up with a more robust fix later. For now, I'll remove the
case that generates the code. Removing the code appears to be perf
neutral.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (219894 => 219895)
--- trunk/Source/_javascript_Core/ChangeLog 2017-07-26 00:45:04 UTC (rev 219894)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-07-26 00:45:58 UTC (rev 219895)
@@ -1,3 +1,35 @@
+2017-07-25 Keith Miller <keith_mil...@apple.com>
+
+ Remove Broken CompareEq constant folding phase.
+ https://bugs.webkit.org/show_bug.cgi?id=174846
+ <rdar://problem/32978808>
+
+ Reviewed by Saam Barati.
+
+ This bug happened when we would get code like the following:
+
+ a: JSConst(Undefined)
+ b: GetLocal(SomeObjectOrUndefined)
+ ...
+ c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
+
+ constant folding will turn this into:
+
+ a: JSConst(Undefined)
+ b: GetLocal(SomeObjectOrUndefined)
+ ...
+ c: CompareEq(Check:ObjectOrOther:b, Other:a)
+
+ But the SpeculativeJIT/FTL lowering will fail to check b
+ properly which leads to an assertion failure in the AI.
+
+ I'll follow up with a more robust fix later. For now, I'll remove the
+ case that generates the code. Removing the code appears to be perf
+ neutral.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
2017-07-25 Matt Baker <mattba...@apple.com>
Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (219894 => 219895)
--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2017-07-26 00:45:04 UTC (rev 219894)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2017-07-26 00:45:58 UTC (rev 219895)
@@ -135,10 +135,8 @@
}
case CompareEq: {
- if (!m_interpreter.needsTypeCheck(node->child1(), SpecOther))
- node->child1().setUseKind(OtherUse);
- if (!m_interpreter.needsTypeCheck(node->child2(), SpecOther))
- node->child2().setUseKind(OtherUse);
+ // FIXME: We should add back the broken folding phase here for comparisions where we prove at least one side has type SpecOther.
+ // See: https://bugs.webkit.org/show_bug.cgi?id=174844
break;
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
