Title: [243344] trunk
Revision: 243344
Author: mark....@apple.com
Date: 2019-03-21 16:34:31 -0700 (Thu, 21 Mar 2019)

Log Message

Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
https://bugs.webkit.org/show_bug.cgi?id=196116
<rdar://problem/48976951>

Reviewed by Filip Pizlo.

JSTests:

* stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.

Source/JavaScriptCore:

The DFG backend should not make assumptions about what optimizations the front end
will or will not do.  The assertion asserts that the operand cannot be known to be
a cell.  However, it is not guaranteed that the front end will fold away this case.
Also, the DFG backend is perfectly capable of generating code to handle the case
where the operand is a cell.

The attached test case demonstrates a case where the operand can be a known cell.
The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
trip up this assertion about once every 10 runs or so.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):

Diff

Modified: trunk/JSTests/ChangeLog (243343 => 243344)


--- trunk/JSTests/ChangeLog	2019-03-21 23:16:09 UTC (rev 243343)
+++ trunk/JSTests/ChangeLog	2019-03-21 23:34:31 UTC (rev 243344)
@@ -1,3 +1,13 @@
+2019-03-21  Mark Lam  <mark....@apple.com>
+
+        Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
+        https://bugs.webkit.org/show_bug.cgi?id=196116
+        <rdar://problem/48976951>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js: Added.
+
 2019-03-21  Tadeu Zagallo  <tzaga...@apple.com>
 
         JSObject::putDirectIndexSlowOrBeyondVectorLength should check if indexIsSufficientlyBeyondLengthForSparseMap

Added: trunk/JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js (0 => 243344)


--- trunk/JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js	                        (rev 0)
+++ trunk/JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js	2019-03-21 23:34:31 UTC (rev 243344)
@@ -0,0 +1,7 @@
+//@ runDefault("--collectContinuously=true", "--collectContinuouslyPeriodMS=0.15", "--useMaximalFlushInsertionPhase=true", "--useLLInt=false", "--useFTLJIT=false", "--jitPolicyScale=0")
+
+// This test exercises DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
+
+for (let i = 0; i < 25; i++)
+    'a'.match(/a/);
+
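Review bot: the comment on the third added line names the function under test but not the condition that used to fail, while the commit message says the failure was racy and hit only about once every 10 runs. Suggest extending that comment to say the test depends on the concurrent JIT and GC options in the //@ runDefault line and that a single passing run does not prove the former assertion path was reached, so nobody later trims the options or the 25-iteration loop as redundant.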

Modified: trunk/Source/_javascript_Core/ChangeLog (243343 => 243344)


--- trunk/Source/_javascript_Core/ChangeLog	2019-03-21 23:16:09 UTC (rev 243343)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-03-21 23:34:31 UTC (rev 243344)
@@ -1,3 +1,24 @@
+2019-03-21  Mark Lam  <mark....@apple.com>
+
+        Remove an invalid assertion in DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().
+        https://bugs.webkit.org/show_bug.cgi?id=196116
+        <rdar://problem/48976951>
+
+        Reviewed by Filip Pizlo.
+
+        The DFG backend should not make assumptions about what optimizations the front end
+        will or will not do.  The assertion asserts that the operand cannot be known to be
+        a cell.  However, it is not guaranteed that the front end will fold away this case.
+        Also, the DFG backend is perfectly capable of generating code to handle the case
+        where the operand is a cell.
+
+        The attached test case demonstrates a case where the operand can be a known cell.
+        The test needs to be run with the concurrent JIT and GC, and is racy.  It used to
+        trip up this assertion about once every 10 runs or so.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined):
+
 2019-03-21  Tadeu Zagallo  <tzaga...@apple.com>
 
         JSC::createError should clear exception thrown by errorDescriptionForValue

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (243343 => 243344)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2019-03-21 23:16:09 UTC (rev 243343)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2019-03-21 23:34:31 UTC (rev 243344)
@@ -217,8 +217,6 @@
 
 void SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operand)
 {
-    ASSERT_WITH_MESSAGE(!masqueradesAsUndefinedWatchpointIsStillValid() || !isKnownCell(operand.node()), "The Compare should have been eliminated, it is known to be always false.");
-
     JSValueOperand arg(this, operand, ManualOperandSpeculation);
     GPRReg argGPR = arg.gpr();
     
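Review bot: with the ASSERT_WITH_MESSAGE removed from the top of nonSpeculativeNonPeepholeCompareNullOrUndefined(), nothing in the function records that a known-cell operand is a legitimate input. Suggest a one-line comment in its place stating that the front end is not guaranteed to fold this case and that the code below handles a cell operand, so the assertion is not reintroduced later. The change touches only DFGSpeculativeJIT64.cpp; it is worth confirming that no other variant of this function carries the same assertion.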