[JSC] DFG_ASSERT failed in lowInt52
author: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 May 2019 04:56:34 +0000 (04:56 +0000)
committer: ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 8 May 2019 04:56:34 +0000 (04:56 +0000)
https://bugs.webkit.org/show_bug.cgi?id=197569

Reviewed by Saam Barati.

JSTests:

* stress/getstack-int52.js: Added.
(opt):
(main):

Source/JavaScriptCore:

GetStack with FlushedInt52 should load the flushed value in Int52 form and put the result in m_int52Values / m_strictInt52Values. Previously,
we loaded it in JSValue / Int32 form, and lowInt52 failed to get the appropriate one since GetStack did not put the result in m_int52Values / m_strictInt52Values.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetStack):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245051 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/getstack-int52.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

index 5f4a9a4..cde66f5 100644 (file)
@@ -1,5 +1,16 @@
 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
 
+        [JSC] DFG_ASSERT failed in lowInt52
+        https://bugs.webkit.org/show_bug.cgi?id=197569
+
+        Reviewed by Saam Barati.
+
+        * stress/getstack-int52.js: Added.
+        (opt):
+        (main):
+
+2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
         JSC: A bug in BytecodeGenerator::emitEqualityOpImpl
         https://bugs.webkit.org/show_bug.cgi?id=197479
 
diff --git a/JSTests/stress/getstack-int52.js b/JSTests/stress/getstack-int52.js
new file mode 100644 (file)
index 0000000..75bea91
--- /dev/null
@@ -0,0 +1,26 @@
+//@ runDefault("--useConcurrentJIT=0")
+
+function opt(arr, start, end) {
+    parseInt();
+    for (var i = start; i < end; i++) {
+        if (i === 10) {
+            end |= 0;
+        }
+        arr[i] = 2.3023e-320;
+    }
+}
+
+function main() {
+    let arr = new Array(1000);
+    arr.fill(1.1);
+
+    for (let i = 0; i < 10000; i++) {
+        opt(arr, 0, 1000);
+    }
+
+    opt(arr, 0, 100000);
+    opt(arr, 0, 0x80000001);
+}
+
+main();
+main();
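Review bot: the regression test does not say what each of its unusual statements is there to provoke, so the next person who touches it cannot tell which lines are load-bearing. A one-line comment on `parseInt();` (the call that forces the live locals to be flushed to the stack), on `end |= 0;` together with the out-of-int32-range argument `opt(arr, 0, 0x80000001);` (what makes the flushed slot take the Int52 format the commit message describes), and on the repeated `main();` at the bottom (why the second run is needed to reach the FTL GetStack path) would make the test maintainable. Also consider asserting on the final contents of `arr` rather than relying solely on "does not crash", so a future regression that silently loads the wrong representation is still caught.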
index 048d557..b876d10 100644 (file)
@@ -1,5 +1,18 @@
 2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
 
+        [JSC] DFG_ASSERT failed in lowInt52
+        https://bugs.webkit.org/show_bug.cgi?id=197569
+
+        Reviewed by Saam Barati.
+
+        GetStack with FlushedInt52 should load the flushed value in Int52 form and put the result in m_int52Values / m_strictInt52Values. Previously,
+        we load it in JSValue / Int32 form and lowInt52 fails to get appropriate one since GetStack does not put the result in m_int52Values / m_strictInt52Values.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetStack):
+
+2019-05-07  Yusuke Suzuki  <ysuzuki@apple.com>
+
         [JSC] LLIntPrototypeLoadAdaptiveStructureWatchpoint does not require Bag<>
         https://bugs.webkit.org/show_bug.cgi?id=197645
 
index c2564d3..8ba6dde 100644 (file)
@@ -1923,12 +1923,20 @@ private:
         
         DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format);
         
-        if (data->format == FlushedDouble)
+        switch (data->format) {
+        case FlushedDouble:
             setDouble(m_out.loadDouble(addressFor(data->machineLocal)));
-        else if (isInt32Speculation(value.m_type))
-            setInt32(m_out.load32(payloadFor(data->machineLocal)));
-        else
-            setJSValue(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        case FlushedInt52:
+            setInt52(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        default:
+            if (isInt32Speculation(value.m_type))
+                setInt32(m_out.load32(payloadFor(data->machineLocal)));
+            else
+                setJSValue(m_out.load64(addressFor(data->machineLocal)));
+            break;
+        }
     }
     
     void compilePutStack()
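Review bot: the new `case FlushedInt52:` arm stores the loaded 64-bit word via `setInt52(...)`, i.e. as the non-strict Int52 representation, but nothing in the hunk records that the slot written by PutStack for FlushedInt52 is in that same form; a short comment on `setInt52(m_out.load64(addressFor(data->machineLocal)));` stating the encoding expected in the stack slot would spare the next reader a trip to compilePutStack(), and a DFG_ASSERT on the node's result representation would turn a future mismatch into an assertion instead of a silently mis-typed value. The `default:` arm now absorbs every remaining concrete format through the old `isInt32Speculation(value.m_type)` test; since the `DFG_ASSERT(m_graph, m_node, isConcrete(data->format), data->format)` above only guarantees concreteness, a comment listing which formats are intended to land there (or explicit `case` labels for them with `default:` asserting) would make the switch read as exhaustive and catch any format added later.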