InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based...
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Nov 2018 20:29:33 +0000 (20:29 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Nov 2018 20:29:33 +0000 (20:29 +0000)
commit 704416a50282ae188caa3dc9aca01360b5924b87
tree b8c8e3f1c2bad840a3509862428d333ce1cdd9a6
parent a751fd566d1f7e2a38f5ae58749992d47d6f255e
InPlaceAbstractState::endBasicBlock rule for SetLocal should filter the value based on the flush format
https://bugs.webkit.org/show_bug.cgi?id=191956
<rdar://problem/45665806>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/end-basic-block-set-local-should-filter-type.js: Added.
(bar):
(foo):

Source/JavaScriptCore:

This is a similar bug to what Keith fixed in r232134. The issue is if we have
a program like this:

a: JSConstant(jsNumber(0))
b: SetLocal(Int32:@a, loc1, FlushedInt32)
c: ArrayifyToStructure(Cell:@a)
d: Jump(...)

At the point in the program right after the Jump, a GetLocal for loc1
would return whatever the ArrayifyToStructure resulting type is. This breaks
the invariant that a GetLocal must return a value that is a subtype of its
FlushFormat. InPlaceAbstractState::endBasicBlock will know if a SetLocal is
the final node touching a local slot. If so, it'll see if any nodes later
in the block may have refined the type of the value stored in that slot. If
so, endBasicBlock() further refines the type to ensure that any GetLocals
loading from the same slot will result in having this more refined type.
However, we must ensure that this logic only considers types within the
hierarchy of the variable access data's FlushFormat, otherwise, we may
break the invariant that a GetLocal's type is a subtype of its FlushFormat.

* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::endBasicBlock):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238511 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/end-basic-block-set-local-should-filter-type.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp
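The tail rule the commit message describes, replayed in an added toy model that is not JSC's code: speculated types are a small constructed bitmask, ArrayifyToStructure is modelled as overwriting @a's type with its target structure's type, and the fixed rule intersects the refined type with the flush format's type filter so the slot's type can never escape its FlushFormat. Apart from the DFG node and FlushFormat names quoted from the message, every name here is an assumption.

```cpp
#include <cstdint>

// Toy model of DFG speculated types as a bitmask; the bit values are
// constructed for this example and are not JSC's real SpeculatedType constants.
using SpeculatedType = uint32_t;
constexpr SpeculatedType SpecNone    = 0;
constexpr SpeculatedType SpecInt32   = 1u << 0;
constexpr SpeculatedType SpecDouble  = 1u << 1;
constexpr SpeculatedType SpecBoolean = 1u << 2;
constexpr SpeculatedType SpecArray   = 1u << 3;   // one kind of cell
constexpr SpeculatedType SpecObject  = 1u << 4;   // another kind of cell
constexpr SpeculatedType SpecCell    = SpecArray | SpecObject;
constexpr SpeculatedType SpecFull    = SpecInt32 | SpecDouble | SpecBoolean | SpecCell;

enum class FlushFormat { FlushedInt32, FlushedDouble, FlushedBoolean, FlushedCell, FlushedJSValue };

// The set of types a value stored with a given flush format may legally have.
SpeculatedType typeFilterFor(FlushFormat format) {
    switch (format) {
    case FlushFormat::FlushedInt32:   return SpecInt32;
    case FlushFormat::FlushedDouble:  return SpecDouble;
    case FlushFormat::FlushedBoolean: return SpecBoolean;
    case FlushFormat::FlushedCell:    return SpecCell;
    case FlushFormat::FlushedJSValue: return SpecFull;
    }
    return SpecNone;
}

bool isSubtypeOf(SpeculatedType sub, SpeculatedType super) { return (sub & ~super) == 0; }

// Buggy tail rule: the slot takes whatever type later nodes proved for the stored value.
SpeculatedType slotTypeAtTailUnfiltered(SpeculatedType refinedValueType) {
    return refinedValueType;
}

// Fixed tail rule: the refinement is kept only inside the flush format's hierarchy,
// so a GetLocal from the slot can never observe a type outside its FlushFormat.
SpeculatedType slotTypeAtTailFiltered(SpeculatedType refinedValueType, FlushFormat format) {
    return refinedValueType & typeFilterFor(format);
}

// Replays the block from the commit message and returns @a's type at the Jump.
SpeculatedType commitScenarioValueAtTail() {
    SpeculatedType a = SpecInt32;  // a: JSConstant(jsNumber(0)): proven Int32
    // b: SetLocal(Int32:@a, loc1, FlushedInt32): loc1 is flushed as Int32
    a = SpecArray;                 // c: ArrayifyToStructure(Cell:@a): @a now carries the structure's type
    return a;                      // d: Jump(...): endBasicBlock sees this type for @a
}
```

With the unfiltered rule loc1 leaves the block typed SpecArray under a FlushedInt32 format; the filtered rule yields SpecNone (the path cannot fall through), which is trivially a subtype of Int32, while refinements that already lie inside the hierarchy are preserved.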