https://bugs.webkit.org/show_bug.cgi?id=189173
<rdar://problem/
43501645>
Reviewed by Michael Saboff.
JSTests:
* stress/may-exit-should-be-false-regexp-constant-folding.js: Added.
(foo):
(bar):
Source/JavaScriptCore:
We were crashing during validation because mayExit returned true
at a point in the program when we weren't allowed to exit.
The issue was is in StrengthReduction: we end up emitting code that
had a StringUse on an edge after a node that did side effects and before
an ExitOK/bytecode number transition. However, StrenghReduction did the
right thing here and also emitted the type checks before the node with
side effects. It just did bad bookkeeping. The node we convert to needs
to use KnownStringUse instead of StringUse for the child edge.
* dfg/DFGNode.cpp:
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
(JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
(JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
(JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
* dfg/DFGNode.h:
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235538
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2018-08-31 Saam barati <sbarati@apple.com>
+
+ convertToRegExpMatchFastGlobal must use KnownString as the child use kind
+ https://bugs.webkit.org/show_bug.cgi?id=189173
+ <rdar://problem/43501645>
+
+ Reviewed by Michael Saboff.
+
+ * stress/may-exit-should-be-false-regexp-constant-folding.js: Added.
+ (foo):
+ (bar):
+
2018-08-30 Saam barati <sbarati@apple.com>
CSE DataViewGet* DFG nodes
--- /dev/null
+//@ runDefault("--jitPolicyScale=0", "--useConcurrentJIT=0", "--validateGraphAtEachPhase=1")
+
+let re0 = /a/;
+let str0 = 'b';
+function foo() {
+ /a/.exec('b');
+ for (var i = 0; i < 6; i++) {
+ }
+ for (var i = 0; i < 3; i++) {
+ re0.exec('a');
+ }
+ str0.match(/a/);
+ for (var i = 0; i < 2; i++) {
+ str0.match(/a/g);
+ }
+}
+function bar() {
+ for (var i = 0; i < 6; i++) {
+ 'a'.match(/b/);
+ }
+}
+
+foo();
+bar();
+foo();
+2018-08-31 Saam barati <sbarati@apple.com>
+
+ convertToRegExpMatchFastGlobal must use KnownString as the child use kind
+ https://bugs.webkit.org/show_bug.cgi?id=189173
+ <rdar://problem/43501645>
+
+ Reviewed by Michael Saboff.
+
+ We were crashing during validation because mayExit returned true
+ at a point in the program when we weren't allowed to exit.
+
+ The issue was is in StrengthReduction: we end up emitting code that
+ had a StringUse on an edge after a node that did side effects and before
+ an ExitOK/bytecode number transition. However, StrenghReduction did the
+ right thing here and also emitted the type checks before the node with
+ side effects. It just did bad bookkeeping. The node we convert to needs
+ to use KnownStringUse instead of StringUse for the child edge.
+
+ * dfg/DFGNode.cpp:
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobalWithoutChecks):
+ (JSC::DFG::Node::convertToRegExpExecNonGlobalOrSticky): Deleted.
+ (JSC::DFG::Node::convertToRegExpMatchFastGlobal): Deleted.
+ * dfg/DFGNode.h:
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
2018-08-30 Saam barati <sbarati@apple.com>
Switch int8_t to GPRReg in StructureStubInfo because sizeof(GPRReg) == sizeof(int8_t)
case RegExpMatchFast:
ASSERT(node->child2().useKind() == RegExpObjectUse);
- ASSERT(node->child3().useKind() == StringUse);
+ ASSERT(node->child3().useKind() == StringUse || node->child3().useKind() == KnownStringUse);
setTypeForNode(node, SpecOther | SpecArray);
break;
case RegExpMatchFastGlobal:
- ASSERT(node->child2().useKind() == StringUse);
+ ASSERT(node->child2().useKind() == StringUse || node->child2().useKind() == KnownStringUse);
setTypeForNode(node, SpecOther | SpecArray);
break;
clearFlags(NodeMustGenerate);
}
-void Node::convertToRegExpExecNonGlobalOrSticky(FrozenValue* regExp)
+void Node::convertToRegExpExecNonGlobalOrStickyWithoutChecks(FrozenValue* regExp)
{
ASSERT(op() == RegExpExec);
setOpAndDefaultFlags(RegExpExecNonGlobalOrSticky);
children.child1() = Edge(children.child1().node(), KnownCellUse);
- children.child2() = Edge(children.child3().node(), StringUse);
+ children.child2() = Edge(children.child3().node(), KnownStringUse);
children.child3() = Edge();
m_opInfo = regExp;
}
-void Node::convertToRegExpMatchFastGlobal(FrozenValue* regExp)
+void Node::convertToRegExpMatchFastGlobalWithoutChecks(FrozenValue* regExp)
{
ASSERT(op() == RegExpMatchFast);
setOpAndDefaultFlags(RegExpMatchFastGlobal);
children.child1() = Edge(children.child1().node(), KnownCellUse);
- children.child2() = Edge(children.child3().node(), StringUse);
+ children.child2() = Edge(children.child3().node(), KnownStringUse);
children.child3() = Edge();
m_opInfo = regExp;
}
void convertToCallDOM(Graph&);
- void convertToRegExpExecNonGlobalOrSticky(FrozenValue* regExp);
- void convertToRegExpMatchFastGlobal(FrozenValue* regExp);
+ void convertToRegExpExecNonGlobalOrStickyWithoutChecks(FrozenValue* regExp);
+ void convertToRegExpMatchFastGlobalWithoutChecks(FrozenValue* regExp);
void convertToSetRegExpObjectLastIndex()
{
m_insertionSet.insertConstantForUse(
m_nodeIndex, origin, jsNumber(0), UntypedUse));
origin = origin.withInvalidExit();
- m_node->convertToRegExpMatchFastGlobal(m_graph.freeze(regExp));
+ m_node->convertToRegExpMatchFastGlobalWithoutChecks(m_graph.freeze(regExp));
m_node->origin = origin;
m_changed = true;
break;
NodeOrigin origin = m_node->origin;
m_insertionSet.insertNode(
m_nodeIndex, SpecNone, Check, origin, m_node->children.justChecks());
- m_node->convertToRegExpExecNonGlobalOrSticky(m_graph.freeze(regExp));
+ m_node->convertToRegExpExecNonGlobalOrStickyWithoutChecks(m_graph.freeze(regExp));
m_changed = true;
return true;
};
git://git.webkit.org / WebKit-https.git / commitdiff