AI does not correctly model the clobber case of ArithClz32
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Nov 2017 19:17:25 +0000 (19:17 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 2 Nov 2017 19:17:25 +0000 (19:17 +0000)
https://bugs.webkit.org/show_bug.cgi?id=179188

Reviewed by Michael Saboff.

JSTests:

* stress/arith-clz32-effects.js: Added.
(foo):
(valueOf):

Source/JavaScriptCore:

The non-Int32 case clobbers the world because it may call valueOf.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@224349 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/arith-clz32-effects.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

index 9edda19..8ad85c1 100644 (file)
@@ -1,3 +1,14 @@
+2017-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        AI does not correctly model the clobber case of ArithClz32
+        https://bugs.webkit.org/show_bug.cgi?id=179188
+
+        Reviewed by Michael Saboff.
+
+        * stress/arith-clz32-effects.js: Added.
+        (foo):
+        (valueOf):
+
 2017-11-01  Michael Saboff  <msaboff@apple.com>
 
         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
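Review bot: the new ChangeLog entry names (foo) and (valueOf) but says nothing about what the test exercises; a single line such as "Checks that the non-Int32 Math.clz32 path reloads o.f after valueOf runs" would let someone searching the ChangeLog connect this test to the DFG fix without opening the file.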
diff --git a/JSTests/stress/arith-clz32-effects.js b/JSTests/stress/arith-clz32-effects.js
new file mode 100644 (file)
index 0000000..b58e428
--- /dev/null
@@ -0,0 +1,30 @@
+function foo(o, v)
+{
+    var result = o.f;
+    Math.clz32(v);
+    return result + o.f;
+}
+
+noInline(foo);
+
+var o = {f: 42};
+o.g = 43; // Bust the transition watchpoint of {f}.
+
+for (var i = 0; i < 10000; ++i) {
+    var result = foo({f: 42}, "42");
+    if (result != 84)
+        throw "Error: bad result in loop: " + result;
+}
+
+var o = {f: 43};
+var result = foo(o, {
+    valueOf: function()
+    {
+        delete o.f;
+        o.__defineGetter__("f", function() { return 44; });
+    }
+});
+
+if (result != 87)
+    throw "Error: bad result at end: " + result;
+
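Review bot: the valueOf callback passed at the end of the test returns nothing, so Math.clz32 receives undefined; that is harmless because only the side effect (deleting o.f and installing a getter returning 44) is under test, but a comment saying so would stop a reader from assuming the return value matters. The expected value 87 is 43 from the first load plus 44 from the getter on the second load, which is exactly what a CSE of the second `o.f` across the clz32 call would break, and stating that in the comment (or in the thrown message) would make the failure mode obvious when the check fires.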
index 199ba24..045631e 100644 (file)
@@ -1,3 +1,15 @@
+2017-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        AI does not correctly model the clobber case of ArithClz32
+        https://bugs.webkit.org/show_bug.cgi?id=179188
+
+        Reviewed by Michael Saboff.
+
+        The non-Int32 case clobbers the world because it may call valueOf.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         Unreviewed, release throw scope
index 80d1032..0204373 100644 (file)
@@ -618,6 +618,14 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
             setConstant(node, jsNumber(clz32(value)));
             break;
         }
+        switch (node->child1().useKind()) {
+        case Int32Use:
+        case KnownInt32Use:
+            break;
+        default:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        }
         forNode(node).setType(SpecInt32Only);
         break;
     }
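Review bot: the `default:` branch carries no comment explaining why a non-Int32 use kind must clobber; the reason given in the ChangeLog (the conversion may call valueOf, which can run arbitrary code and mutate heap state) belongs next to the `clobberWorld(node->origin.semantic, clobberLimit);` call so the next reader does not try to narrow it. The placement looks right: it sits after the constant-folding early exit, where no conversion can run, and before `forNode(node).setType(SpecInt32Only);`, so the result type is recorded after the clobber rather than wiped by it. Treating every use kind other than Int32Use/KnownInt32Use as clobbering is the conservative direction and safe even if some kinds can never reach valueOf.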