git://git.webkit.org / WebKit-https.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 16e871b) | patch
ToString constant folds without preserving checks, causing us to break assumptions...
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 06:04:33 +0000 (06:04 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 1 May 2018 06:04:33 +0000 (06:04 +0000)
commiteece4cc56d0cff411f2af32960ecffda8705d8a9
treef2db8f318caf8aa22b0e308064a8056617ce7a15tree | snapshot
parent16e871b54e0ac1063d9f941ad4447b982bd0956ccommit | diff
ToString constant folds without preserving checks, causing us to break assumptions that the code would OSR exit
https://bugs.webkit.org/show_bug.cgi?id=185149
<rdar://problem/39455917>

Reviewed by Filip Pizlo.

JSTests:

* stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js: Added.

Source/JavaScriptCore:

The bug was that we were deleting checks that we shouldn't have deleted.
This patch makes a helper inside strength reduction that converts to
a LazyJSConstant while maintaining checks, and switches users of the
node API inside strength reduction to instead call the helper function.

This patch also fixes a potential bug where StringReplace and
StringReplaceRegExp may not preserve all their checks.

* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToLazyJSValue):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231193 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog diff | blob | history
JSTests/stress/keep-checks-when-converting-to-lazy-js-constant-in-strength-reduction.js [new file with mode: 0644] blob
Source/JavaScriptCore/ChangeLog diff | blob | history
Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp diff | blob | history
Mirror of the WebKit open source project from svn.webkit.org.