convertToRegExpMatchFastGlobal must use KnownString as the child use kind
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 07:45:02 +0000 (07:45 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 31 Aug 2018 07:45:02 +0000 (07:45 +0000)
commitd9495cd102722da4fe302c522c6d887e3cbadbd0
treee6447458b76223292730148226027156d7d9e8fe
parentc74bab9c1b7f3f875b0ac289347003e69ea345f2
convertToRegExpMatchFastGlobal must use KnownString as the child use kind
https://bugs.webkit.org/show_bug.cgi?id=189173
<rdar://problem/43501645>

Reviewed by Michael Saboff.

JSTests:

* stress/may-exit-should-be-false-regexp-constant-folding.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

We were crashing during validation because mayExit returned true
at a point in the program when we weren't allowed to exit.

The issue was is in StrengthReduction: we end up emitting code that
had a StringUse on an edge after a node that did side effects and before
an ExitOK/bytecode number transition. However, StrenghReduction did the
right thing here and also emitted the type checks before the node with
side effects. It just did bad bookkeeping. The node we convert to needs
to use KnownStringUse instead of StringUse for the child edge.

* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
(JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
(JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
* dfg/DFGNode.h:
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235538 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/may-exit-should-be-false-regexp-constant-folding.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGNode.cpp
Source/JavaScriptCore/dfg/DFGNode.h
Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp