[JSC] AI should not propagate AbstractValue relying on constant folding phase
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2019 22:34:30 +0000 (22:34 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 6 Mar 2019 22:34:30 +0000 (22:34 +0000)
commitbba081df76d818701107c4151a8db94a8ac8e080
treeaffc312d1590785905066ef10c9c4053a71bf306
parenta8446b58745413522b9914f52b1f86867cd042c2
[JSC] AI should not propagate AbstractValue relying on constant folding phase
https://bugs.webkit.org/show_bug.cgi?id=195375

Reviewed by Saam Barati.

JSTests:

* stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js: Added.
(let.array):

Source/JavaScriptCore:

MakeRope rule in AI attempts to propagate the node, which will be produced after constant folding phase runs.
This is wrong since we do not guarantee that constant folding phase runs after AI runs (e.g. DFGSpeculativeJIT
and FTLLowerDFGToB3 run AI). This results in the bug that the value produced at runtime is different from the
proven constant value in AI. In the attached test, AI says the value is SpecStringIdent while the resulted value
at runtime is SpecStringVar, resulting in wrong MakeRope code. This patch removes the path propagating the node
relying on constant folding phase.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242568 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/make-rope-should-not-propagate-constant-folded-value-in-ai.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h