Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Nov 2018 03:39:54 +0000 (03:39 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 22 Nov 2018 03:39:54 +0000 (03:39 +0000)
commite9c509c0f6cad3d336f12ca3fa46b78a29c1f3ec
treed70bc8278aae297d6802189e5e923e1458ab6132
parentb59511643250e3896447ed9264a59f92f176888d
Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
https://bugs.webkit.org/show_bug.cgi?id=191895
<rdar://problem/46167406>

Reviewed by Mark Lam.

JSTests:

* stress/known-cell-use-needs-type-check-assertion.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

We were asserting that the input edge should have type SpecCell but it should
really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.

This patch cleans up that assertion code by joining a bunch of cases into a
single function call which grabs the type filter for the edge UseKind and
asserts that the incoming edge meets the type filter criteria.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::speculate):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@238436 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/known-cell-use-needs-type-check-assertion.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp