+2017-03-21 Mark Lam <mark.lam@apple.com>
+
+ The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
+ https://bugs.webkit.org/show_bug.cgi?id=169933
+ <rdar://problem/31105125>
+
+ Reviewed by Filip Pizlo and Geoffrey Garen.
+
+ Also fixed the bit-rotted RangeKey::dump() function.
+
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+
2017-03-21 Csaba Osztrogonác <ossy@webkit.org>
[ARM] Add missing MacroAssembler functions after r214187
/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
out.print("ArrayBounds(");
break;
}
- out.print(m_source, ", ", m_key, ")");
+ if (m_source)
+ out.print(m_source);
+ else
+ out.print("null");
+ out.print(", ");
+ if (m_key)
+ out.print(m_key);
+ else
+ out.print("null");
+ out.print(")");
}
RangeKind m_kind;
Node* maxNode;
if (!data.m_key.m_source) {
- minNode = 0;
+ // data.m_key.m_source being null means that we're comparing against int32 constants (see rangeKeyAndAddend()).
+ // Since CheckInBounds does an unsigned comparison, if the minBound >= 0, it is also covered by the
+ // maxBound comparison. However, if minBound < 0, then CheckInBounds should always fail its speculation check.
+ // We'll force an OSR exit in that case.
+ minNode = nullptr;
+ if (range.m_minBound < 0)
+ m_insertionSet.insertNode(nodeIndex, SpecNone, ForceOSRExit, node->origin);
maxNode = m_insertionSet.insertConstant(
nodeIndex, maxOrigin, jsNumber(range.m_maxBound));
} else {
git://git.webkit.org / WebKit-https.git / commitdiff