Title: [245447] releases/WebKitGTK/webkit-2.24
Revision
245447
Author
[email protected]
Date
2019-05-17 04:24:54 -0700 (Fri, 17 May 2019)

Log Message

Merge r245051 - [JSC] DFG_ASSERT failed in lowInt52
https://bugs.webkit.org/show_bug.cgi?id=197569

Reviewed by Saam Barati.

JSTests:

* stress/getstack-int52.js: Added.
(opt):
(main):

Source/JavaScriptCore:

GetStack with FlushedInt52 should load the flushed value in Int52 form and put the result in m_int52Values / m_strictInt52Values. Previously,
we loaded it in JSValue / Int32 form, and lowInt52 failed to get the appropriate one since GetStack did not put the result in m_int52Values / m_strictInt52Values.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

Diff

Modified: releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog (245446 => 245447)


--- releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-05-17 11:24:49 UTC (rev 245446)
+++ releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-05-17 11:24:54 UTC (rev 245447)
@@ -1,3 +1,14 @@
+2019-05-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] DFG_ASSERT failed in lowInt52
+        https://bugs.webkit.org/show_bug.cgi?id=197569
+
+        Reviewed by Saam Barati.
+
+        * stress/getstack-int52.js: Added.
+        (opt):
+        (main):
+
 2019-05-06  Yusuke Suzuki  <[email protected]>
 
         [JSC] We should check OOM for description string of Symbol

Added: releases/WebKitGTK/webkit-2.24/JSTests/stress/getstack-int52.js (0 => 245447)


--- releases/WebKitGTK/webkit-2.24/JSTests/stress/getstack-int52.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/getstack-int52.js	2019-05-17 11:24:54 UTC (rev 245447)
@@ -0,0 +1,26 @@
+//@ runDefault("--useConcurrentJIT=0")
+
+function opt(arr, start, end) {
+    parseInt();
+    for (var i = start; i < end; i++) {
+        if (i === 10) {
+            end |= 0;
+        }
+        arr[i] = 2.3023e-320;
+    }
+}
+
+function main() {
+    let arr = new Array(1000);
+    arr.fill(1.1);
+
+    for (let i = 0; i < 10000; i++) {
+        opt(arr, 0, 1000);
+    }
+
+    opt(arr, 0, 100000);
+    opt(arr, 0, 0x80000001);
+}
+
+main();
+main();
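
Review bot: The test carries no comment explaining how it reaches the fixed path, and the key step in `opt` is easy to miss: `end |= 0` at `i === 10` truncates the last call's bound `0x80000001` (one past the int32 range) to a negative int32, so that call's loop exits right after index 10 instead of running for about 2^31 iterations. Please add a short comment stating why `end` is given a value outside int32 range, what the bare `parseInt()` call is there for, and that the test belongs to bug 197569. As written the test passes only by not crashing; a check on `arr[10]` and `arr.length` after the final `opt` call would also catch a wrong loaded value, not just the assertion failure.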

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (245446 => 245447)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-05-17 11:24:49 UTC (rev 245446)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-05-17 11:24:54 UTC (rev 245447)
@@ -1,3 +1,16 @@
+2019-05-07  Yusuke Suzuki  <[email protected]>
+
+        [JSC] DFG_ASSERT failed in lowInt52
+        https://bugs.webkit.org/show_bug.cgi?id=197569
+
+        Reviewed by Saam Barati.
+
+        GetStack with FlushedInt52 should load the flushed value in Int52 form and put the result in m_int52Values / m_strictInt52Values. Previously,
+        we load it in JSValue / Int32 form and lowInt52 fails to get appropriate one since GetStack does not put the result in m_int52Values / m_strictInt52Values.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+
 2019-05-06  Yusuke Suzuki  <[email protected]>
 
         [JSC] We should check OOM for description string of Symbol

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (245446 => 245447)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-05-17 11:24:49 UTC (rev 245446)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-05-17 11:24:54 UTC (rev 245447)
@@ -1765,12 +1765,20 @@
         
         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
         
-        if (data->format == FlushedDouble)
+        switch (data->format) {
+        case FlushedDouble:
             setDouble(m_out.loadDouble(addressFor(data->machineLocal)));
-        else if (isInt32Speculation(value.m_type))
-            setInt32(m_out.load32(payloadFor(data->machineLocal)));
-        else
-            setJSValue(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        case FlushedInt52:
+            setInt52(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        default:
+            if (isInt32Speculation(value.m_type))
+                setInt32(m_out.load32(payloadFor(data->machineLocal)));
+            else
+                setJSValue(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        }
     }
     
     void compilePutStack()
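
Review bot: In the new `default:` arm the choice between `load32(payloadFor(...))` and `load64(addressFor(...))` is still made on `isInt32Speculation(value.m_type)` rather than on `data->format`, which is the same kind of type-versus-format decision that went wrong for `FlushedInt52`. Consider giving each remaining concrete flush format its own `case` (or at least asserting in the `default:` arm that the format agrees with the Int32 speculation), so a format added later cannot silently take the JSValue load. Separately, the `FlushedInt52` case passes a raw `load64` to `setInt52`, while the ChangeLog mentions both m_int52Values and m_strictInt52Values; a one-line comment saying which Int52 representation the flushed slot holds would make the pairing with `compilePutStack` easier to check.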