CompareEq should be using KnownOtherUse instead of OtherUse
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jul 2018 19:16:29 +0000 (19:16 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 20 Jul 2018 19:16:29 +0000 (19:16 +0000)
commitb6343dd7de1f53946885abd5678e764f2572bcca
treeacaa091640a0cf87e8c12e30ef588e1ad4b1ade3
parent52858ce71f58df5ba4d7316907a0329598a84f42
CompareEq should be using KnownOtherUse instead of OtherUse
https://bugs.webkit.org/show_bug.cgi?id=186814
<rdar://problem/39720030>

Reviewed by Filip Pizlo.

JSTests:

* stress/compare-eq-should-use-known-other-use.js: Added.
(bar):
(i.func):

Source/JavaScriptCore:

CompareEq in fixup phase was doing this:
insertCheck(child, OtherUse)
setUseKind(child, OtherUse)
And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
lead to edge verification crashing because a phase may optimize the check out
by removing the node. However, AI may not be privy to that optimization, and
AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
backend to actually emit a check here, but it does not.

This exact pattern is why we have KnownXYZ use kinds. This patch introduces
KnownOtherUse and changes the above pattern to be:
insertCheck(child, OtherUse)
setUseKind(child, KnownOtherUse)

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
(JSC::DFG::shouldNotHaveTypeCheck):
(JSC::DFG::checkMayCrashIfInputIsEmpty):
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
(JSC::FTL::DFG::LowerDFGToB3::speculate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234060 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/compare-eq-should-use-known-other-use.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGSafeToExecute.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGUseKind.cpp
Source/JavaScriptCore/dfg/DFGUseKind.h
Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp