Merging an IC variant may lead to the IC status containing overlapping structure...
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Wed, 21 Nov 2018 05:15:31 +0000 (05:15 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Wed, 21 Nov 2018 05:15:31 +0000 (05:15 +0000)
commit: c763d1d3bfc8c4972196a5f8610801f98de13b41
tree: fc495f872bbebe3a173db99daadaf46124f3e6ef
parent: 6ce153d33d1c45719e2fc418b920d3be97b0bd42
Merging an IC variant may lead to the IC status containing overlapping structure sets
https://bugs.webkit.org/show_bug.cgi?id=191869
<rdar://problem/45403453>

Reviewed by Mark Lam.

JSTests:

* stress/merging-ic-variants-should-bail-if-structures-overlap.js: Added.

Source/JavaScriptCore:

When merging two IC variant lists, we may end up in a world where we have
overlapping structure sets. We defend against this when we append a new
variant, but we should also defend against it once we merge in a new variant.

Consider this case with MultiPutByOffset, where we merge two PutByIdStatuses
together, P1 and P2.

Let's consider these structures:
s1 = {}
s2 = {p: 0}
s3 = {p: 0, p2: 1}

P1 contains these variants:
Transition: [s1 => s2]
Replace: [s2, s3]

P2 contains:
Replace: [s2]

Because of the ordering of the variants, we may end up combining
P2's replace into P1's transition, forming this new list:
Transition: [(s1, s2) => s2]
Replace: [s2, s3]

Obviously the ideal thing here is to have some ordering when we merge
in variants to choose the most ideal option. It'd be ideal for P2's
Replace to be merged into P1's replace.

If we notice that this is super important, we can implement some kind
of ordering. None of our tests (until this patch) stress this. This patch
just makes it so we defend against this crazy scenario by falling back
to the slow path gracefully. This prevents us from emitting invalid
IR in FTL->B3 lowering by creating a switch with two case labels being
identical values.

* bytecode/ICStatusUtils.h:
(JSC::appendICStatusVariant):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238411 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/merging-ic-variants-should-bail-if-structures-overlap.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ICStatusUtils.h
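The merge scenario from the commit message, as an added example that is not JavaScriptCore's own code: a constructed model of PutById variant lists in which a replace can fold into a transition, producing overlapping structure sets, together with the overlap check that falls back to the slow path. The merge rule and the structure names s1..s3 are assumptions made for illustration.

```cpp
// Constructed model of merging IC variant lists; not JavaScriptCore's code.
// A variant covers a set of incoming structures; a transition additionally
// names the structure the object has after the put. s1..s3 stand in for the
// structures in the commit message.
#include <set>
#include <string>
#include <vector>

struct Variant {
    std::set<std::string> oldStructures;  // structures this variant handles
    std::string newStructure;             // empty for a replace, set for a transition
    bool isTransition() const { return !newStructure.empty(); }
};

// A PutById stub switches on the incoming structure, so the old-structure
// sets of all variants must be disjoint. Returns true if two variants share one.
bool hasOverlappingStructures(const std::vector<Variant>& list) {
    std::set<std::string> seen;
    for (const Variant& v : list)
        for (const std::string& s : v.oldStructures)
            if (!seen.insert(s).second) return true;
    return false;
}

// Simplified merge rule (an assumption for this example): a replace folds into
// the first compatible variant, where a transition is compatible if it ends in
// one of the replace's structures and another replace is always compatible.
// Because the transition is checked first, P2's Replace [s2] lands in P1's
// Transition s1 => s2 instead of P1's Replace [s2, s3].
// Returns false when the merged list has overlapping structure sets, which is
// the "bail to the slow path" defence the commit describes.
bool mergeVariant(std::vector<Variant>& list, const Variant& incoming) {
    for (Variant& v : list) {
        bool compatible = v.isTransition()
            ? (!incoming.isTransition() && incoming.oldStructures.count(v.newStructure))
            : !incoming.isTransition();
        if (compatible) {
            v.oldStructures.insert(incoming.oldStructures.begin(), incoming.oldStructures.end());
            return !hasOverlappingStructures(list);
        }
    }
    list.push_back(incoming);
    return !hasOverlappingStructures(list);
}

// Reproduces the commit message's scenario: merging P2 into P1 must bail.
bool mergeP2IntoP1Bails() {
    std::vector<Variant> p1 = { { {"s1"}, "s2" }, { {"s2", "s3"}, "" } };
    return !mergeVariant(p1, Variant{ {"s2"}, "" });  // yields [(s1, s2) => s2], [s2, s3]
}
```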