Remove Broken CompareEq constant folding phase.
authorkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Jul 2017 00:45:58 +0000 (00:45 +0000)
committerkeith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 26 Jul 2017 00:45:58 +0000 (00:45 +0000)
commitc6c0af699368bc3f7381d59b3fef3441b8058cd2
tree9dbbae0d1ce4da83ec4eb14a19cc20331e8fa88c
parent5279962d4e6ca52b9a7ec983a03b078600b41dde
Remove Broken CompareEq constant folding phase.
https://bugs.webkit.org/show_bug.cgi?id=174846
<rdar://problem/32978808>

Reviewed by Saam Barati.

This bug happened when we would get code like the following:

a: JSConst(Undefined)
b: GetLocal(SomeObjectOrUndefined)
...
c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)

constant folding will turn this into:

a: JSConst(Undefined)
b: GetLocal(SomeObjectOrUndefined)
...
c: CompareEq(Check:ObjectOrOther:b, Other:a)

But the SpeculativeJIT/FTL lowering will fail to check b
properly which leads to an assertion failure in the AI.

I'll follow up with a more robust fix later. For now, I'll remove the
case that generates the code. Removing the code appears to be perf
neutral.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@219895 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp