AbstractValue can represent more than int52
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 Apr 2019 00:37:43 +0000 (00:37 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 20 Apr 2019 00:37:43 +0000 (00:37 +0000)
commit232adc428ad5dec302d53f49342c871087c82c0a
tree8cddb30a35aeb0fcb745de9e8b7522e9bd164e74
parent45db27fe7d4d06eddd4de5703e24d10efdf49a1b
AbstractValue can represent more than int52
https://bugs.webkit.org/show_bug.cgi?id=197118
<rdar://problem/49969960>

Reviewed by Michael Saboff.

JSTests:

* stress/abstract-value-can-include-int52.js: Added.
(foo):
(index.index.8.index.60.index.65.index.1234.index.1234.parseInt.string_appeared_here.String.fromCharCode):

Source/JavaScriptCore:

Let's analyze this control flow diamond:

#0
branch #1, #2

#1:
PutStack(JSValue, loc42)
Jump #3

#2:
PutStack(Int52, loc42)
Jump #3

#3:
...

Our abstract value for loc42 at the head of #3 will contain an abstract
value that us the union of Int52 with other things. Obviously in the
above program, a GetStack for loc42 would be inavlid, since it might
be loading either JSValue or Int52. However, the abstract interpreter
just tracks what the value could be, and it could be Int52 or JSValue.

When I did the Int52 refactoring, I expected such things to never happen,
but it turns out it does. We should just allow for this instead of asserting
against it since it's valid IR to do the above.

* bytecode/SpeculatedType.cpp:
(JSC::dumpSpeculation):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::checkConsistency const):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244480 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/abstract-value-can-include-int52.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/SpeculatedType.cpp
Source/JavaScriptCore/dfg/DFGAbstractValue.cpp
Source/JavaScriptCore/dfg/DFGAbstractValue.h