[JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Oct 2019 00:00:06 +0000 (00:00 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 Oct 2019 00:00:06 +0000 (00:00 +0000)
commit 28ababb4c3f7f95632c121bc9947137a6fd6c736
tree 654e3796a258c9cbb11438ca80cf6acbb4075403
parent 79b86f6636f51212acd5672e47482c686c945d51
[JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
https://bugs.webkit.org/show_bug.cgi?id=202382
<rdar://problem/52669112>

Reviewed by Saam Barati.

JSTests:

* stress/compare-eq-bool-number-folding.js: Added.
(test):

Source/JavaScriptCore:

If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
we fold it to constant False. But this is wrong since `false == 0` is true in JS.
This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
if one of them is seen.

* bytecode/SpeculatedType.cpp:
(JSC::leastUpperBoundOfEquivalentSpeculations):
(JSC::valuesCouldBeEqual):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250536 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/compare-eq-bool-number-folding.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/SpeculatedType.cpp
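
The folding rule described in the commit message can be checked against real `==` semantics with a small model. This is an added example, not JavaScriptCore code: the flag values, `SpecOther`, `speculationFor`, `couldBeEqualNaive`, `couldBeEqualWidened` and `unsoundFolds` are assumptions made for illustration, and only the name `leastUpperBoundOfEquivalentSpeculations` and its merge rule come from the commit message. Strings and objects are left out of the model.

```javascript
// Simplified model of proven types as bit flags (constructed values, not JSC's).
const SpecBoolean = 1 << 0;
const SpecNumber = 1 << 1;
const SpecBigInt = 1 << 2;
const SpecOther = 1 << 3; // null / undefined, included to show what is NOT merged

// Map a concrete value to the single type flag an analysis would have proven.
function speculationFor(value) {
  if (value === null || value === undefined) return SpecOther;
  switch (typeof value) {
    case "boolean": return SpecBoolean;
    case "number": return SpecNumber;
    case "bigint": return SpecBigInt;
    default: throw new TypeError("type not covered by this model");
  }
}

// Pre-fix reasoning: disjoint proven types can never be ==, so fold to false.
function couldBeEqualNaive(a, b) {
  return (a & b) !== 0;
}

// Merge rule from the commit message: if any of Number, BigInt or Boolean
// is present, widen the type to all three before comparing.
function leastUpperBoundOfEquivalentSpeculations(type) {
  const equivalent = SpecBoolean | SpecNumber | SpecBigInt;
  return (type & equivalent) !== 0 ? (type | equivalent) : type;
}

function couldBeEqualWidened(a, b) {
  return (leastUpperBoundOfEquivalentSpeculations(a) &
          leastUpperBoundOfEquivalentSpeculations(b)) !== 0;
}

// Soundness check: collect pairs where the engine's own `==` is true but the
// predicate claims the two types can never be equal (an unsound constant fold).
function unsoundFolds(predicate, values) {
  const bad = [];
  for (const x of values)
    for (const y of values)
      if (x == y && !predicate(speculationFor(x), speculationFor(y)))
        bad.push([x, y]);
  return bad;
}

const samples = [false, true, 0, 1, 0n, 1n, null, undefined]; // constructed inputs

console.log("naive unsound folds:", unsoundFolds(couldBeEqualNaive, samples).length);
console.log("widened unsound folds:", unsoundFolds(couldBeEqualWidened, samples).length);
```

The widened predicate still lets the comparison fold for `SpecOther` against `SpecNumber`, since `null == 0` is false in JS.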