AbstractValue::validateOSREntryValue is wrong for Int52 constants
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Apr 2019 06:26:37 +0000 (06:26 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Apr 2019 06:26:37 +0000 (06:26 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196801
<rdar://problem/49771122>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.

Source/JavaScriptCore:

validateOSREntryValue should not care about the format of the incoming
value for Int52s. This patch normalizes the format of m_value and
the incoming value when comparing them.

* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::validateOSREntryValue const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244185 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractValue.h

index c6369c1..3b1cf82 100644 (file)
@@ -1,3 +1,13 @@
+2019-04-10  Saam Barati  <sbarati@apple.com>
+
+        AbstractValue::validateOSREntryValue is wrong for Int52 constants
+        https://bugs.webkit.org/show_bug.cgi?id=196801
+        <rdar://problem/49771122>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js: Added.
+
 2019-04-10  Robin Morisset  <rmorisset@apple.com>
 
         We should clear m_needsOverflowCheck when hitting an exception in defineProperties in ObjectConstructor.cpp
diff --git a/JSTests/stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js b/JSTests/stress/abstract-value-int52-constant-validation-should-not-care-about-representation.js
new file mode 100644 (file)
index 0000000..0385c7a
--- /dev/null
@@ -0,0 +1,9 @@
+//@ runDefault("--validateAbstractInterpreterState=1", "--validateAbstractInterpreterStateProbability=1.0", "--useConcurrentJIT=0")
+
+let ab = new ArrayBuffer(4);
+let dv = new DataView(ab);
+for (let i = 0; i < 2000; i++) {
+    dv.setUint32(0, 0);
+    for (let j = 0; j < 1000; ++j) {
+    }
+}
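Review bot: the test has no comment saying which construct reproduces the Int52 constant case, so a reader cannot tell why `dv.setUint32(0, 0)` inside a loop with an empty inner loop is the shape that matters. Suggest a one-line comment under the `//@ runDefault(...)` directive naming the bug (196801) and stating which loop is expected to OSR-enter and that the constant `0` is the Int52 value whose representation used to trip validateOSREntryValue. Also worth noting in that comment that the test only detects the regression through `--validateAbstractInterpreterState=1` with probability `1.0` and `--useConcurrentJIT=0`; it has no observable assertion of its own, so running it without those flags proves nothing.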
index 82144df..35b39e7 100644 (file)
@@ -1,5 +1,20 @@
 2019-04-10  Saam Barati  <sbarati@apple.com>
 
+        AbstractValue::validateOSREntryValue is wrong for Int52 constants
+        https://bugs.webkit.org/show_bug.cgi?id=196801
+        <rdar://problem/49771122>
+
+        Reviewed by Yusuke Suzuki.
+
+        validateOSREntryValue should not care about the format of the incoming
+        value for Int52s. This patch normalizes the format of m_value and
+        the incoming value when comparing them.
+
+        * dfg/DFGAbstractValue.h:
+        (JSC::DFG::AbstractValue::validateOSREntryValue const):
+
+2019-04-10  Saam Barati  <sbarati@apple.com>
+
         ArithSub over Int52 has shouldCheckOverflow as always true
         https://bugs.webkit.org/show_bug.cgi?id=196796
 
index 1d0b48f..70544d9 100644 (file)
@@ -388,13 +388,23 @@ struct AbstractValue {
         if (isBytecodeTop())
             return true;
         
-        if (!!m_value && m_value != value)
-            return false;
-        
         if (format == FlushedInt52) {
+            if (!isInt52Any())
+                return false;
+
             if (!validateTypeAcceptingBoxedInt52(value))
                 return false;
+
+            if (!!m_value) {
+                ASSERT(m_value.isAnyInt());
+                ASSERT(value.isAnyInt());
+                if (jsDoubleNumber(m_value.asAnyInt()) != jsDoubleNumber(value.asAnyInt()))
+                    return false;
+            }
         } else {
+            if (!!m_value && m_value != value)
+                return false;
+        
             if (mergeSpeculations(m_type, speculationFromValue(value)) != m_type)
                 return false;
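Review bot: the new `if (!isInt52Any()) return false;` at the top of the FlushedInt52 branch is a behavioural change beyond the representation normalization the ChangeLog describes, and the ChangeLog should say why it is needed (a FlushedInt52 entry whose abstract type is not Int52Any now fails validation where the old code did not check this). The normalization itself looks right: both sides go through `jsDoubleNumber(...asAnyInt())`, so a constant held as a boxed double and the same integer arriving in Int52 form compare equal, and because asAnyInt() yields an integer there is no NaN or negative-zero case for the JSValue comparison to mishandle. Two smaller points: the two ASSERTs compile out in release builds, so the safety of calling asAnyInt() on both operands rests on the preceding `isInt52Any()` and `validateTypeAcceptingBoxedInt52(value)` checks rather than on the asserts, which deserves a short comment. And the line added between `return false;` and the `mergeSpeculations` check in the else branch is whitespace-only (`+        `); it should be an empty line.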