Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 291f0457787d09848b9d55d64f1508c6e7f335f0
https://github.com/WebKit/WebKit/commit/291f0457787d09848b9d55d64f1508c6e7f335f0
Author: Shu-yu Guo <[email protected]>
Date: 2026-04-08 (Wed, 08 Apr 2026)
Changed paths:
A JSTests/stress/dfg-check-is-constant-generic-iterator.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGAbstractValue.h
M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
Log Message:
-----------
[JSC] DFG constant folding doesn't handle top correctly in CheckIsConstant
https://bugs.webkit.org/show_bug.cgi?id=311779
rdar://174288568

Reviewed by Keith Miller.

CheckIsConstant incorrectly treats all JSEmpty values as an actual empty
constant, whereas it may be a top value (i.e. indeterminate) when the
speculated type isn't SpecEmpty. This PR fixes it by not eliminating top
values.

Sidebar: AbstractValue::valueIsTop() exists, but isn't used at all right now
and hasn't been updated to consider SpecEmpty. This PR also fixes that and uses
it.

Test: JSTests/stress/dfg-check-is-constant-generic-iterator.js
* JSTests/stress/dfg-check-is-constant-generic-iterator.js: Added.
(symIter):
(opt):
(i.catch):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::valueIsTop const):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
Canonical link: https://commits.webkit.org/310818@main
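
The bug class the log message describes, as an added example that is not code from this commit or from JavaScriptCore: a model in which one slot encodes both "no constant known" and "the constant is the empty value", with the check-elimination predicate before and after a top test. All names (`AbstractValueModel`, `SpecEmptyModel`, `provenBuggy`, `provenFixed`, `checksKeptAfterFolding`) and the sample nodes are assumptions constructed for illustration; the model's `valueIsTop()` follows the message's wording, not the actual patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical model, not JavaScriptCore source.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecEmptyModel = 1u << 0; // value can only be the empty value
constexpr SpeculatedType SpecCellModel = 1u << 1;  // value may be some cell
constexpr uint64_t EmptyBits = 0;                  // stand-in for JSEmpty

struct AbstractValueModel {
    SpeculatedType type; // set of types the value may have
    uint64_t value;      // known constant, or EmptyBits
    // EmptyBits is a real constant only when the type proves the value is
    // empty; with any other type it means nothing is known (top).
    bool valueIsTop() const { return value == EmptyBits && type != SpecEmptyModel; }
};

struct CheckNode { AbstractValueModel input; uint64_t expected; };

// Before: compares the slots directly, so "unknown" matches an empty constant.
bool provenBuggy(const CheckNode& n) { return n.input.value == n.expected; }

// After: a top value never proves the check, so the runtime check stays.
bool provenFixed(const CheckNode& n) { return !n.input.valueIsTop() && n.input.value == n.expected; }

// Folding pass over the checks: drop each one the predicate claims is proven
// and return how many runtime checks survive.
template<typename Pred>
size_t checksKeptAfterFolding(const std::vector<CheckNode>& nodes, Pred proven)
{
    size_t kept = 0;
    for (const auto& n : nodes)
        if (!proven(n)) ++kept;
    return kept;
}

// Constructed sample input.
std::vector<CheckNode> sampleChecks()
{
    return {
        { { SpecCellModel, EmptyBits }, EmptyBits },                  // top: keep
        { { SpecEmptyModel | SpecCellModel, EmptyBits }, EmptyBits }, // may be empty, unproven: keep
        { { SpecEmptyModel, EmptyBits }, EmptyBits },                 // proven empty: fold
        { { SpecCellModel, 0x1000 }, 0x1000 },                        // known constant: fold
        { { SpecCellModel, 0x1000 }, 0x2000 },                        // different constant: keep
    };
}

int main() { return checksKeptAfterFolding(sampleChecks(), provenFixed) == 3 ? 0 : 1; }
```

With the buggy predicate only the mismatched-constant check survives, so the two checks on indeterminate inputs are dropped even though nothing proves them.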