[JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit...
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 22 Jul 2018 19:24:34 +0000 (19:24 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 22 Jul 2018 19:24:34 +0000 (19:24 +0000)
commit 23d7fd3ced340b7d3bd61dadf3323ed78fd9f672
tree 8d4c4c70525fd4baff763367b08d773fc1a61f3f
parent f1926a5fc5232a88d0dddd22f2ec7a58400d7abb
[JSC] GetByIdVariant and InByIdVariant do not need slot base if they are not "hit" variants
https://bugs.webkit.org/show_bug.cgi?id=187891

Reviewed by Saam Barati.

JSTests:

* stress/in-miss-variant-merge.js: Added.
(shouldBe):
(test):
* stress/miss-variant-merge.js: Added.
(shouldBe):
(test):

Source/JavaScriptCore:

When merging GetByIdVariant and InByIdVariant, we accidentally make merging fail if
two variants are mergeable but they have "Miss" status. We make merging fail if
the merged OPCSet says hasOneSlotBaseCondition() is false. But it is only reasonable
if the variant has "Hit" status. This bug is revealed when we introduce CreateThis in FTL,
which patch has more chances to merge variants.

This patch fixes this issue by checking `!isPropertyUnset()` / `isHit()`. PutByIdVariant
is not related since it does not use this check in the Transition case.

* bytecode/GetByIdVariant.cpp:
(JSC::GetByIdVariant::attemptToMerge):
* bytecode/InByIdVariant.cpp:
(JSC::InByIdVariant::attemptToMerge):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234090 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/in-miss-variant-merge.js [new file with mode: 0644]
JSTests/stress/miss-variant-merge.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/GetByIdVariant.cpp
Source/JavaScriptCore/bytecode/InByIdVariant.cpp