[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Mar 2019 01:53:35 +0000 (01:53 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 8 Mar 2019 01:53:35 +0000 (01:53 +0000)
commit aec75285160fb96c9f11322c7046eb5b521abc1c
tree cb47a1289d24383353bea3347e498eec23917d2e
parent 66d044601f63c3462fce3a2c6f1d91f91f2ff5f0
[JSC] StringFromCharCode fast path should accept 0xff in DFG and FTL
https://bugs.webkit.org/show_bug.cgi?id=195429

Reviewed by Saam Barati.

JSTests:

* stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js: Added.
(foo):
* stress/string-from-char-code-255.js: Added.

Source/JavaScriptCore:

We can create single characters without allocation up to the 0xff character code. But currently, DFGSpeculativeJIT and FTLLowerDFGToB3 go to the slow path
for the 0xff case. On the other hand, the DFG DoesGC phase says GC won't happen if the child is an int32 constant and it is <= 0xff. So, if you have `String.fromCharCode(0xff)`,
this breaks the assumption in DFG DoesGC. The correct fix is changing the check in DFGSpeculativeJIT and FTLLowerDFGToB3 from AboveOrEqual to Above.
Note that ThunkGenerators's StringFromCharCode thunk was correct.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileFromCharCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242626 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/must-handled-values-should-not-be-used-as-proven-constants-in-cfa.js [new file with mode: 0644]
JSTests/stress/string-from-char-code-255.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
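
The boundary mismatch described in the commit message, as an added example that is not WebKit code: a simplified C++ model that exhaustively compares what an analysis assumes ("no GC for constants <= 0xff") with what the code generator's slow-path branch does. All names here (`analysisSaysNoGC`, `takesSlowPath`, `findAssumptionViolations`, `SlowPathCheck`) are hypothetical, and the model assumes the slow path is the one that may allocate.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Model assumption: single-character strings for codes 0..0xff exist without
// allocation, so producing one cannot trigger a garbage collection.
constexpr uint32_t maxSingleCharacterCode = 0xff;

// What the analysis side assumes for a constant int32 argument.
bool analysisSaysNoGC(uint32_t code) { return code <= maxSingleCharacterCode; }

// The two branch conditions named in the commit message (unsigned compares).
enum class SlowPathCheck { AboveOrEqual, Above };

// True when generated code would branch to the slow (possibly allocating) path.
bool takesSlowPath(SlowPathCheck check, uint32_t code)
{
    if (check == SlowPathCheck::AboveOrEqual)
        return code >= maxSingleCharacterCode;
    return code > maxSingleCharacterCode;
}

// Collect every code where the analysis promises "no GC" but the generated
// code still takes the slow path, i.e. where the two components disagree.
std::vector<uint32_t> findAssumptionViolations(SlowPathCheck check, uint32_t limit)
{
    std::vector<uint32_t> violations;
    for (uint32_t code = 0; code <= limit; ++code) {
        if (analysisSaysNoGC(code) && takesSlowPath(check, code))
            violations.push_back(code);
    }
    return violations;
}

int main()
{
    // Sweep just past the boundary so both sides of 0xff are covered.
    for (auto check : { SlowPathCheck::AboveOrEqual, SlowPathCheck::Above }) {
        auto violations = findAssumptionViolations(check, 0x1ff);
        std::printf("%s: %zu violation(s)",
            check == SlowPathCheck::AboveOrEqual ? "AboveOrEqual" : "Above",
            violations.size());
        for (uint32_t code : violations)
            std::printf(" 0x%x", static_cast<unsigned>(code));
        std::printf("\n");
    }
    return 0;
}
```

An exhaustive sweep like this is cheap whenever two components encode the same numeric boundary independently, and it catches an inclusive/exclusive disagreement that a test with a single mid-range value would miss.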