need to didFoldClobberWorld when we constant fold GetByVal
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 Jul 2018 01:32:20 +0000 (01:32 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 24 Jul 2018 01:32:20 +0000 (01:32 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187917
<rdar://problem/42505095>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/get-by-val-fold-did-clobber-world.js: Added.
(__f_443):

Source/JavaScriptCore:

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@234128 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/get-by-val-fold-did-clobber-world.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

index 865a914..e40deac 100644 (file)
@@ -1,3 +1,14 @@
+2018-07-23  Saam Barati  <sbarati@apple.com>
+
+        need to didFoldClobberWorld when we constant fold GetByVal
+        https://bugs.webkit.org/show_bug.cgi?id=187917
+        <rdar://problem/42505095>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/get-by-val-fold-did-clobber-world.js: Added.
+        (__f_443):
+
 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
 
         [INTL] Language tags are not canonicalized
diff --git a/JSTests/stress/get-by-val-fold-did-clobber-world.js b/JSTests/stress/get-by-val-fold-did-clobber-world.js
new file mode 100644 (file)
index 0000000..27a6f4c
--- /dev/null
@@ -0,0 +1,9 @@
+var __v_1673 = [16];
+function __f_443() {
+    for (var __v_1679 = 0; __v_1679 < 1e5; ++__v_1679) {
+        for (var __v_1680 = 0; __v_1680 < 7; ++__v_1680) {
+            var __v_1681 = __v_1673[__v_1680];
+        }
+    }
+}
+__f_443()
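Review bot: The new stress test carries no comment and no assertion, so a reader cannot tell that it passes only by not crashing (or not tripping a debug assertion) nor which compiler path it is meant to exercise. Every inner iteration after the first reads past the end of the one-element array `__v_1673`, which is presumably what steers the GetByVal into the out-of-bounds fold the JSC change is about, and that deserves to be stated at the top of the file, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=187917: loads at indices 1..6 of a length-1 array drive the out-of-bounds GetByVal constant fold; passes if it does not crash.` The unused local `__v_1681` is fine for a fuzzer-derived case, but note in the comment that the load itself is the thing under test so nobody "cleans it up" later.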
index c5f359b..22a1d91 100644 (file)
@@ -1,3 +1,14 @@
+2018-07-23  Saam Barati  <sbarati@apple.com>
+
+        need to didFoldClobberWorld when we constant fold GetByVal
+        https://bugs.webkit.org/show_bug.cgi?id=187917
+        <rdar://problem/42505095>
+
+        Reviewed by Yusuke Suzuki.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2018-07-23  Andy VanWagoner  <andy@vanwagoner.family>
 
         [INTL] Language tags are not canonicalized
index ea425d1..c048472 100644 (file)
@@ -1886,7 +1886,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
                             && globalObject->arrayPrototypeChainIsSane()) {
                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
-                            didFoldClobberWorld();
                             // Note that Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds.
                             setConstant(node, jsUndefined());
                             return true;
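Review bot: With `didFoldClobberWorld()` removed from this fold path, the lambda now folds to a constant but depends on its caller to record the clobber, and nothing at the fold site says so; the next person who adds a `setConstant` branch inside `foldGetByValOnConstantProperty` can repeat exactly the omission this commit fixes. I would put a note beside the `setConstant(node, jsUndefined())` line: `// Do not call didFoldClobberWorld() here: the caller does it once for every non-InBounds fold.` The enclosing lambda begins before this hunk and continues past it, so other fold sites in it are not visible from here.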
@@ -1923,9 +1922,6 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
                     if (!value)
                         return false;
 
-                    if (node->arrayMode().isOutOfBounds())
-                        didFoldClobberWorld();
-
                     if (value.isCell())
                         setConstant(node, *m_graph.freeze(value.asCell()));
                     else
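Review bot: The guard deleted here fired only when `node->arrayMode().isOutOfBounds()`, whereas the replacement in the caller (the following hunk) keys on `!node->arrayMode().isInBounds()`, which also takes in any other non-InBounds speculation such as the sane-chain modes; as far as I can tell that widening matches the condition clobberize() applies to GetByVal and is the real fix, but it is a behaviour change beyond simply moving the call and is not mentioned in the ChangeLog. A one-line comment at the new call site would pin the invariant, e.g. `// Must mirror clobberize(): a GetByVal that is not InBounds is modelled as clobbering the world.` The lambda these lines belong to starts before this hunk.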
@@ -1936,7 +1932,25 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
                 return false;
             };
 
-            if (foldGetByValOnConstantProperty(m_graph.child(node, 0), m_graph.child(node, 1)))
+            bool didFold = false;
+            switch (node->arrayMode().type()) {
+            case Array::Generic:
+            case Array::Int32:
+            case Array::Double:
+            case Array::Contiguous:
+            case Array::ArrayStorage:
+            case Array::SlowPutArrayStorage:
+                if (foldGetByValOnConstantProperty(m_graph.child(node, 0), m_graph.child(node, 1))) {
+                    if (!node->arrayMode().isInBounds())
+                        didFoldClobberWorld();
+                    didFold = true;
+                }
+                break;
+            default:
+                break;
+            }
+
+            if (didFold)
                 break;
         }