validateOSREntryValue with Int52 should box the value being checked into double format
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2019 01:06:01 +0000 (01:06 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 28 Mar 2019 01:06:01 +0000 (01:06 +0000)
https://bugs.webkit.org/show_bug.cgi?id=196313
<rdar://problem/49306703>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/validate-int-52-ai-state.js: Added.

Source/JavaScriptCore:

* dfg/DFGOSREntry.cpp:
(JSC::DFG::prepareOSREntry):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::validateAIState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243596 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/validate-int-52-ai-state.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOSREntry.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

index 19cd93d..774df94 100644 (file)
@@ -1,3 +1,13 @@
+2019-03-27  Saam Barati  <sbarati@apple.com>
+
+        validateOSREntryValue with Int52 should box the value being checked into double format
+        https://bugs.webkit.org/show_bug.cgi?id=196313
+        <rdar://problem/49306703>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/validate-int-52-ai-state.js: Added.
+
 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Owner of watchpoints should validate at GC finalizing phase
diff --git a/JSTests/stress/validate-int-52-ai-state.js b/JSTests/stress/validate-int-52-ai-state.js
new file mode 100644 (file)
index 0000000..f3128fc
--- /dev/null
@@ -0,0 +1,5 @@
+//@ runDefault("--validateAbstractInterpreterState=1")
+
+for (var i = 0; i < 10000000; ++i) {
+    fiatInt52(0.0)
+}
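Review bot: the test carries no comment on how it passes or fails, and `fiatInt52(0.0)` on line 4 of the new file is missing its trailing semicolon. The `--validateAbstractInterpreterState=1` directive is what turns a validation mismatch into a crash, so a one-line comment saying that the test passes by not crashing, and that the long loop exists only to reach OSR entry into optimized code with a constant Int52 value, would spare the next reader from reverse-engineering the intent. `fiatInt52` is not standard JavaScript, so the same comment should mention that the test depends on the shell exposing it.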
index 270d044..7fb22db 100644 (file)
@@ -1,3 +1,16 @@
+2019-03-27  Saam Barati  <sbarati@apple.com>
+
+        validateOSREntryValue with Int52 should box the value being checked into double format
+        https://bugs.webkit.org/show_bug.cgi?id=196313
+        <rdar://problem/49306703>
+
+        Reviewed by Yusuke Suzuki.
+
+        * dfg/DFGOSREntry.cpp:
+        (JSC::DFG::prepareOSREntry):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::validateAIState):
+
 2019-03-27  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Owner of watchpoints should validate at GC finalizing phase
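Review bot: the entry lists the touched functions but gives no description of the change; WebKit ChangeLog entries normally carry a short rationale under the bug link. Something like "validateOSREntryValue expects a FlushedInt52 value to be presented in double format, so prepareOSREntry and validateAIState now convert the AnyInt value with jsDoubleNumber() before checking it" would let a reader understand the fix without opening the diff.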
index 4299730..8353dc4 100644 (file)
@@ -214,7 +214,7 @@ void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIn
                     "machine int.");
                 return nullptr;
             }
-            // Constant AnyInt value is stored as usual boxed value in AbstractValue.
+            value = jsDoubleNumber(value.asAnyInt());
             format = FlushedInt52;
         }
 
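Review bot: the `-`/`+` pair replaces the only comment in this block with the new assignment and leaves no explanation of why the value is re-boxed, so the intent is invisible at the call site. Suggest a comment above `value = jsDoubleNumber(value.asAnyInt());`, for example "// validateOSREntryValue expects a FlushedInt52 value in double format, so box the AnyInt constant as a double before checking it." The guard that ends with the `"machine int."` message returns nullptr first, so `asAnyInt()` is safe here, but that is worth stating since the removed comment described the constant as stored in the usual boxed form and a reader may wonder why that no longer suffices.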
index 4f78465..9dfd810 100644 (file)
@@ -649,6 +649,10 @@ private:
                             dumpAndCrash();
                     } else {
                         input = JSValue::decode(context.gpr(reg)); 
+                        if (flushFormat == FlushedInt52) {
+                            RELEASE_ASSERT(input.isAnyInt());
+                            input = jsDoubleNumber(input.asAnyInt());
+                        }
                         if (!value.validateOSREntryValue(input, flushFormat))
                             dumpAndCrash();
                     }
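Review bot: the new `RELEASE_ASSERT(input.isAnyInt())` crashes without the diagnostics the surrounding code produces; the line directly below uses `dumpAndCrash()` when `validateOSREntryValue` fails, so a non-AnyInt input under FlushedInt52 should arguably take the same path (`if (!input.isAnyInt()) dumpAndCrash();`) so the abstract interpreter state is dumped in both failure modes. The `jsDoubleNumber(x.asAnyInt())` conversion now appears both here and in prepareOSREntry in DFGOSREntry.cpp; a short comment at each site (or a single shared helper) saying that `validateOSREntryValue` expects FlushedInt52 values in double format would keep the two from drifting apart.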