Local CSE wrongly CSEs array accesses with different result types.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 19:04:47 +0000 (19:04 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 19:04:47 +0000 (19:04 +0000)
commit 563c9a2cc88c09e52d64d05cc23bb69684ec8ac5
tree ab2ea47292d092ad4057fdba420187f81f11a572
parent d5f227cfba19c28fa14147cbcf96f8a6661cff6b
Local CSE wrongly CSEs array accesses with different result types.
https://bugs.webkit.org/show_bug.cgi?id=170990
<rdar://problem/31705945>

Reviewed by Saam Barati.

JSTests:

* stress/regress-170990.js: Added.

Source/JavaScriptCore:

The fix is to use different LocationKind enums for the different array result
types. This makes the HeapLocation values different based on the result
types, and allows CSE to discern between them.

* dfg/DFGCSEPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocForResultType):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215748 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-170990.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
Source/JavaScriptCore/dfg/DFGHeapLocation.h
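
A simplified model of the fix described in the commit message, added here as an illustration and not taken from the WebKit source: a local CSE pass keyed on heap location, run once with a location kind that ignores the result type and once with a kind chosen per result type. All type and function names, the three result types and the sample block are assumptions constructed for this example, and stores and clobbering are left out.

```cpp
// Simplified model of local CSE over array loads. Not JavaScriptCore code:
// every name below is hypothetical, and stores/clobbers are left out.
#include <cstdio>
#include <map>
#include <tuple>
#include <vector>

enum class ResultType { JS, Double, Int52 };
enum class Kind { Indexed, IndexedJS, IndexedDouble, IndexedInt52 };
struct Load { int base; int index; ResultType result; };  // one array read
using Location = std::tuple<Kind, int, int>;              // kind, base, index

// Before the fix: one kind for every indexed load, whatever it produces.
Kind kindIgnoringResult(ResultType) { return Kind::Indexed; }
// After the fix: the kind is chosen from the result type.
Kind kindForResult(ResultType r) {
    if (r == ResultType::Double) return Kind::IndexedDouble;
    if (r == ResultType::Int52) return Kind::IndexedInt52;
    return Kind::IndexedJS;
}

// For each load: index of the earlier load that replaces it, or -1 if kept.
std::vector<int> localCSE(const std::vector<Load>& block, Kind (*kindOf)(ResultType)) {
    std::map<Location, int> available;
    std::vector<int> replacedBy;
    for (int i = 0; i < static_cast<int>(block.size()); ++i) {
        Location loc{kindOf(block[i].result), block[i].base, block[i].index};
        auto res = available.emplace(loc, i);  // keeps the first load seen
        replacedBy.push_back(res.second ? -1 : res.first->second);
    }
    return replacedBy;
}

// Replacements where the surviving load has a different result type.
int mismatchedReplacements(const std::vector<Load>& block, Kind (*kindOf)(ResultType)) {
    std::vector<int> r = localCSE(block, kindOf);
    int n = 0;
    for (size_t i = 0; i < r.size(); ++i)
        if (r[i] >= 0 && block[r[i]].result != block[i].result) ++n;
    return n;
}

// Constructed sample: one element read as Double, JS, Double, plus another read.
std::vector<Load> sampleBlock() {
    return {{1, 2, ResultType::Double}, {1, 2, ResultType::JS},
            {1, 2, ResultType::Double}, {3, 2, ResultType::JS}};
}
int main() {
    std::printf("mismatched: shared kind %d, per-type kind %d\n", mismatchedReplacements(sampleBlock(), kindIgnoringResult), mismatchedReplacements(sampleBlock(), kindForResult));
}
```

With the shared kind, the JS-typed read is replaced by the earlier Double-typed one; with per-type kinds only the second Double read is eliminated.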