AI rule for MultiPutByOffset executes its effects in the wrong order
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Sep 2018 21:00:08 +0000 (21:00 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 19 Sep 2018 21:00:08 +0000 (21:00 +0000)
commit7fd369caa961bc15e9d0c7b29b1e4b158fb48fab
tree7a19c9c362d7d56821c4d1075e6f4386f9fe25f3
parentb4f4064b4d68b0963cbd79d46850fdd80f59f190
AI rule for MultiPutByOffset executes its effects in the wrong order
https://bugs.webkit.org/show_bug.cgi?id=189757
<rdar://problem/43535257>

Reviewed by Michael Saboff.

JSTests:

* stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
(foo):
(Foo):
(g):

Source/JavaScriptCore:

The AI rule for MultiPutByOffset was executing effects in the wrong order.
It first executed the transition effects and the effects on the base, and
then executed the filtering effects on the value being stored. However, you
can end up with the wrong type when the base and the value being stored
are the same. E.g, in a program like `o.f = o`. These effects need to happen
in the opposite order, modeling what happens in the runtime executing of
MultiPutByOffset.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/multi-put-by-offset-must-filter-value-before-filtering-base.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h