[DFG] Should not fixup AnyIntUse in 32_64
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Aug 2016 03:47:49 +0000 (03:47 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 22 Aug 2016 03:47:49 +0000 (03:47 +0000)
https://bugs.webkit.org/show_bug.cgi?id=161029

Reviewed by Saam Barati.

JSTests:

* typeProfiler/int52-dfg.js: Added.
(test):

Source/JavaScriptCore:

DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
If the 32bit DFG sees TypeAnyInt, it should fall back to the NumberUse case.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204699 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/typeProfiler/int52-dfg.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

index d8f285b..b623d86 100644 (file)
@@ -1,5 +1,15 @@
 2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
 
+        [DFG] Should not fixup AnyIntUse in 32_64
+        https://bugs.webkit.org/show_bug.cgi?id=161029
+
+        Reviewed by Saam Barati.
+
+        * typeProfiler/int52-dfg.js: Added.
+        (test):
+
+2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
         Unreviewed, rolling out r204697
         https://bugs.webkit.org/show_bug.cgi?id=161029
 
diff --git a/JSTests/typeProfiler/int52-dfg.js b/JSTests/typeProfiler/int52-dfg.js
new file mode 100644 (file)
index 0000000..e8da5d4
--- /dev/null
@@ -0,0 +1,17 @@
+load("./driver/driver.js");
+
+function test()
+{
+    var ok = 0;
+    for (var i = 0; i < 1e4; ++i) {
+        // Int52. ProfileType should not use AnyIntUse edge in 32bit environment.
+        // If 32bit uses AnyIntUse, it leads crashing.
+        ok += 0xfffffffff;
+    }
+    return ok;
+}
+test();
+
+var types = findTypeForExpression(test, "ok += 0x");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 1, "Primitive type names should one candidate.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
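Review bot: Nothing in this test confirms that the `ok += 0xfffffffff` loop actually reached the DFG, so the crash it guards against (an AnyIntUse edge on 32-bit) is only covered while 1e4 iterations are enough to tier up. The two asserts at the end check the profiled type, not the tier the code ran in. A comment above the loop would make that dependency explicit, for example `// 1e4 iterations are meant to get this loop compiled by the DFG; raise the count if tier-up thresholds change.` The second line of the existing comment would also read better as `// If 32bit uses AnyIntUse, it crashes.`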
index fae3dc0..80b5091 100644 (file)
@@ -1,5 +1,18 @@
 2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
 
+        [DFG] Should not fixup AnyIntUse in 32_64
+        https://bugs.webkit.org/show_bug.cgi?id=161029
+
+        Reviewed by Saam Barati.
+
+        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
+        If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
         Unreviewed, rolling out r204697
         https://bugs.webkit.org/show_bug.cgi?id=161029
 
index 3bb156b..02784be 100644 (file)
@@ -1459,12 +1459,22 @@ private:
             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
             RuntimeTypeMask seenTypes = typeSet->seenTypes();
             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
-                if (node->child1()->shouldSpeculateInt32())
+                if (node->child1()->shouldSpeculateInt32()) {
                     fixEdge<Int32Use>(node->child1());
-                else
+                    node->remove();
+                    break;
+                }
+
+                if (enableInt52()) {
                     fixEdge<AnyIntUse>(node->child1());
-                node->remove();
-            } else if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
+                    node->remove();
+                    break;
+                }
+
+                // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
+            }
+
+            if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
                 fixEdge<NumberUse>(node->child1());
                 node->remove();
             } else if (typeSet->doesTypeConformTo(TypeString)) {
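Review bot: The comment added at the end of the `TypeAnyInt` branch says `fixEdge<NumberUse>` must not be performed for a type set that only contains TypeAnyInt, but control then falls into `if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt))`, which appears to do exactly that and then removes the node. If a TypeAnyInt-only set also conforms to the wider mask (the definition of `doesTypeConformTo` is not in this hunk), a build without Int52 would accept doubles on this edge without logging them, which contradicts the comment, although the commit message describes that fallback as intended. Please make the comment state which behaviour is meant, for example `// Without Int52 support, fall through to the NumberUse case below.`, so the next change to this speculation logic does not rest on the wrong assumption. The enclosing case of `fixupNode` starts above the hunk and the else-if chain continues below it.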