- Revision
- 235538
- Author
- [email protected]
- Date
- 2018-08-31 00:45:02 -0700 (Fri, 31 Aug 2018)
Log Message
convertToRegExpMatchFastGlobal must use KnownString as the child use kind
https://bugs.webkit.org/show_bug.cgi?id=189173
<rdar://problem/43501645>
Reviewed by Michael Saboff.
JSTests:
* stress/may-exit-should-be-false-regexp-constant-folding.js: Added.
(foo):
(bar):
Source/_javascript_Core:
We were crashing during validation because mayExit returned true
at a point in the program when we weren't allowed to exit.
The issue was is in StrengthReduction: we end up emitting code that
had a StringUse on an edge after a node that did side effects and before
an ExitOK/bytecode number transition. However, StrenghReduction did the
right thing here and also emitted the type checks before the node with
side effects. It just did bad bookkeeping. The node we convert to needs
to use KnownStringUse instead of StringUse for the child edge.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
(JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
(JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
* dfg/DFGNode.h:
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (235537 => 235538)
--- trunk/JSTests/ChangeLog 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/JSTests/ChangeLog 2018-08-31 07:45:02 UTC (rev 235538)
@@ -1,3 +1,15 @@
+2018-08-31 Saam barati <[email protected]>
+
+ convertToRegExpMatchFastGlobal must use KnownString as the child use kind
+ https://bugs.webkit.org/show_bug.cgi?id=189173
+ <rdar://problem/43501645>
+
+ Reviewed by Michael Saboff.
+
+ * stress/may-exit-should-be-false-regexp-constant-folding.js: Added.
+ (foo):
+ (bar):
+
2018-08-30 Saam barati <[email protected]>
CSE DataViewGet* DFG nodes
Added: trunk/JSTests/stress/may-exit-should-be-false-regexp-constant-folding.js (0 => 235538)
--- trunk/JSTests/stress/may-exit-should-be-false-regexp-constant-folding.js (rev 0)
+++ trunk/JSTests/stress/may-exit-should-be-false-regexp-constant-folding.js 2018-08-31 07:45:02 UTC (rev 235538)
@@ -0,0 +1,25 @@
+//@ runDefault("--jitPolicyScale=0", "--useConcurrentJIT=0", "--validateGraphAtEachPhase=1")
+
+let re0 = /a/;
+let str0 = 'b';
+function foo() {
+ /a/.exec('b');
+ for (var i = 0; i < 6; i++) {
+ }
+ for (var i = 0; i < 3; i++) {
+ re0.exec('a');
+ }
+ str0.match(/a/);
+ for (var i = 0; i < 2; i++) {
+ str0.match(/a/g);
+ }
+}
+function bar() {
+ for (var i = 0; i < 6; i++) {
+ 'a'.match(/b/);
+ }
+}
+
+foo();
+bar();
+foo();
Modified: trunk/Source/_javascript_Core/ChangeLog (235537 => 235538)
--- trunk/Source/_javascript_Core/ChangeLog 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-08-31 07:45:02 UTC (rev 235538)
@@ -1,3 +1,30 @@
+2018-08-31 Saam barati <[email protected]>
+
+ convertToRegExpMatchFastGlobal must use KnownString as the child use kind
+ https://bugs.webkit.org/show_bug.cgi?id=189173
+ <rdar://problem/43501645>
+
+ Reviewed by Michael Saboff.
+
+ We were crashing during validation because mayExit returned true
+ at a point in the program when we weren't allowed to exit.
+
+ The issue was is in StrengthReduction: we end up emitting code that
+ had a StringUse on an edge after a node that did side effects and before
+ an ExitOK/bytecode number transition. However, StrenghReduction did the
+ right thing here and also emitted the type checks before the node with
+ side effects. It just did bad bookkeeping. The node we convert to needs
+ to use KnownStringUse instead of StringUse for the child edge.
+
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
+ * dfg/DFGNode.h:
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
2018-08-30 Saam barati <[email protected]>
Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (235537 => 235538)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-08-31 07:45:02 UTC (rev 235538)
@@ -2217,12 +2217,12 @@
case RegExpMatchFast:
ASSERT(node->child2().useKind() == RegExpObjectUse);
- ASSERT(node->child3().useKind() == StringUse);
+ ASSERT(node->child3().useKind() == StringUse || node->child3().useKind() == KnownStringUse);
setTypeForNode(node, SpecOther | SpecArray);
break;
case RegExpMatchFastGlobal:
- ASSERT(node->child2().useKind() == StringUse);
+ ASSERT(node->child2().useKind() == StringUse || node->child2().useKind() == KnownStringUse);
setTypeForNode(node, SpecOther | SpecArray);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGNode.cpp (235537 => 235538)
--- trunk/Source/_javascript_Core/dfg/DFGNode.cpp 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.cpp 2018-08-31 07:45:02 UTC (rev 235538)
@@ -268,22 +268,22 @@
clearFlags(NodeMustGenerate);
}
-void Node::convertToRegExpExecNonGlobalOrSticky(FrozenValue* regExp)
+void Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks(FrozenValue* regExp)
{
ASSERT(op() == RegExpExec);
setOpAndDefaultFlags(RegExpExecNonGlobalOrSticky);
children.child1() = Edge(children.child1().node(), KnownCellUse);
- children.child2() = Edge(children.child3().node(), StringUse);
+ children.child2() = Edge(children.child3().node(), KnownStringUse);
children.child3() = Edge();
m_opInfo = regExp;
}
-void Node::convertToRegExpMatchFastGlobal(FrozenValue* regExp)
+void Node::convertToRegExpMatchFastGlobalWithoutChecks(FrozenValue* regExp)
{
ASSERT(op() == RegExpMatchFast);
setOpAndDefaultFlags(RegExpMatchFastGlobal);
children.child1() = Edge(children.child1().node(), KnownCellUse);
- children.child2() = Edge(children.child3().node(), StringUse);
+ children.child2() = Edge(children.child3().node(), KnownStringUse);
children.child3() = Edge();
m_opInfo = regExp;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGNode.h (235537 => 235538)
--- trunk/Source/_javascript_Core/dfg/DFGNode.h 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h 2018-08-31 07:45:02 UTC (rev 235538)
@@ -757,8 +757,8 @@
void convertToCallDOM(Graph&);
- void convertToRegExpExecNonGlobalOrSticky(FrozenValue* regExp);
- void convertToRegExpMatchFastGlobal(FrozenValue* regExp);
+ void convertToRegExpExecNonGlobalOrStickyWithoutChecks(FrozenValue* regExp);
+ void convertToRegExpMatchFastGlobalWithoutChecks(FrozenValue* regExp);
void convertToSetRegExpObjectLastIndex()
{
Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (235537 => 235538)
--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2018-08-31 04:27:44 UTC (rev 235537)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2018-08-31 07:45:02 UTC (rev 235538)
@@ -508,7 +508,7 @@
m_insertionSet.insertConstantForUse(
m_nodeIndex, origin, jsNumber(0), UntypedUse));
origin = origin.withInvalidExit();
- m_node->convertToRegExpMatchFastGlobal(m_graph.freeze(regExp));
+ m_node->convertToRegExpMatchFastGlobalWithoutChecks(m_graph.freeze(regExp));
m_node->origin = origin;
m_changed = true;
break;
@@ -774,7 +774,7 @@
NodeOrigin origin = m_node->origin;
m_insertionSet.insertNode(
m_nodeIndex, SpecNone, Check, origin, m_node->children.justChecks());
- m_node->convertToRegExpExecNonGlobalOrSticky(m_graph.freeze(regExp));
+ m_node->convertToRegExpExecNonGlobalOrStickyWithoutChecks(m_graph.freeze(regExp));
m_changed = true;
return true;
};
