AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result...
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Jan 2020 07:23:30 +0000 (07:23 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 Jan 2020 07:23:30 +0000 (07:23 +0000)
https://bugs.webkit.org/show_bug.cgi?id=205906
<rdar://problem/56108519>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/ai-value-div-should-result-in-constant-int-where-possible.js: Added.
(foo.bar.f):
(foo.):
(foo):
* stress/ai-value-mod-should-result-in-constant-int-where-possible.js: Added.
(foo.bar.f):
(foo.):
(foo):

Source/JavaScriptCore:

The runtime code for ValueMod and ValueDiv produces an int32 when the result
is of int32 value. However, the AI was saying the result is in double format.
This patch fixes AI to produce a JSValue in the right format.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantDivOp):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254188 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/ai-value-div-should-result-in-constant-int-where-possible.js [new file with mode: 0644]
JSTests/stress/ai-value-mod-should-result-in-constant-int-where-possible.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

index 883ee7d..0e77834 100644 (file)
@@ -1,3 +1,20 @@
+2020-01-07  Saam Barati  <sbarati@apple.com>
+
+        AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32
+        https://bugs.webkit.org/show_bug.cgi?id=205906
+        <rdar://problem/56108519>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/ai-value-div-should-result-in-constant-int-where-possible.js: Added.
+        (foo.bar.f):
+        (foo.):
+        (foo):
+        * stress/ai-value-mod-should-result-in-constant-int-where-possible.js: Added.
+        (foo.bar.f):
+        (foo.):
+        (foo):
+
 2020-01-06  Alexey Shvayka  <shvaikalesh@gmail.com>
 
         String.prototype.replace() incorrectly handles named references on RegExp w/o named groups
diff --git a/JSTests/stress/ai-value-div-should-result-in-constant-int-where-possible.js b/JSTests/stress/ai-value-div-should-result-in-constant-int-where-possible.js
new file mode 100644 (file)
index 0000000..80b3291
--- /dev/null
@@ -0,0 +1,21 @@
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--validateAbstractInterpreterState=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+
+function foo() {
+    for (let i = 0; i < 3; i++) {
+        const o = {};
+        function bar(a0) {
+            let x;
+            do {
+                function f() { z; }
+                x = o;
+                const y = typeof x === a0;
+                [a0, 0.1];
+                const z = 0 + y;
+                const c = z / 1.0 + 0;
+            } while (!x);
+        }
+        bar(0);
+    }
+}
+
+foo();
diff --git a/JSTests/stress/ai-value-mod-should-result-in-constant-int-where-possible.js b/JSTests/stress/ai-value-mod-should-result-in-constant-int-where-possible.js
new file mode 100644 (file)
index 0000000..80b3291
--- /dev/null
@@ -0,0 +1,21 @@
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--validateAbstractInterpreterState=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+
+function foo() {
+    for (let i = 0; i < 3; i++) {
+        const o = {};
+        function bar(a0) {
+            let x;
+            do {
+                function f() { z; }
+                x = o;
+                const y = typeof x === a0;
+                [a0, 0.1];
+                const z = 0 + y;
+                const c = z / 1.0 + 0;
+            } while (!x);
+        }
+        bar(0);
+    }
+}
+
+foo();
index b498244..868aa29 100644 (file)
@@ -1,3 +1,18 @@
+2020-01-07  Saam Barati  <sbarati@apple.com>
+
+        AI rule for ValueMod/ValueDiv produce constants with the wrong format when the result can be an int32
+        https://bugs.webkit.org/show_bug.cgi?id=205906
+        <rdar://problem/56108519>
+
+        Reviewed by Yusuke Suzuki.
+
+        The runtime code for ValueMod and ValueDiv produces an int32 when the result
+        is of int32 value. However, the AI was saying the result is in double format.
+        This patch fixes AI to produce a JSValue in the right format.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::handleConstantDivOp):
+
 2020-01-07  Said Abou-Hallawa  <sabouhallawa@apple.com>
 
         Implement css3-images image-orientation
index b6f94d4..23ec63a 100644 (file)
@@ -323,10 +323,17 @@ bool AbstractInterpreter<AbstractStateType>::handleConstantDivOp(Node* node)
             if (isClobbering)
                 didFoldClobberWorld();
 
-            if (isDivOperation)
-                setConstant(node, jsDoubleNumber(left.asNumber() / right.asNumber()));
-            else
-                setConstant(node, jsDoubleNumber(fmod(left.asNumber(), right.asNumber())));
+            if (isDivOperation) {
+                if (op == ValueDiv)
+                    setConstant(node, jsNumber(left.asNumber() / right.asNumber()));
+                else
+                    setConstant(node, jsDoubleNumber(left.asNumber() / right.asNumber()));
+            } else {
+                if (op == ValueMod)
+                    setConstant(node, jsNumber(fmod(left.asNumber(), right.asNumber())));
+                else
+                    setConstant(node, jsDoubleNumber(fmod(left.asNumber(), right.asNumber())));
+            }
 
             return true;
         }