DFG JIT: compileMathIC produces incorrect machine code
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 00:35:02 +0000 (00:35 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 11 Jul 2018 00:35:02 +0000 (00:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187537

Reviewed by Saam Barati.

JSTests:

Added new test case.

* stress/arith-mul-with-constants.js:
(testArithMulWithTypeConfusedConstant.testMult):
(testArithMulWithTypeConfusedConstant):

Source/JavaScriptCore:

Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
fall back to the fast path generator which handles such cases.

* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233716 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/arith-mul-with-constants.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITMulGenerator.cpp

index 427bb6d..5930b6d 100644 (file)
@@ -1,5 +1,18 @@
 2018-07-10  Michael Saboff  <msaboff@apple.com>
 
+        DFG JIT: compileMathIC produces incorrect machine code
+        https://bugs.webkit.org/show_bug.cgi?id=187537
+
+        Reviewed by Saam Barati.
+
+        Added new test case.
+
+        * stress/arith-mul-with-constants.js:
+        (testArithMulWithTypeConfusedConstant.testMult):
+        (testArithMulWithTypeConfusedConstant):
+
+2018-07-10  Michael Saboff  <msaboff@apple.com>
+
         YARR: . doesn't match non-BMP Unicode characters in some cases
         https://bugs.webkit.org/show_bug.cgi?id=187248
 
index 156ab79..194dd29 100644 (file)
@@ -219,4 +219,23 @@ function testArithMul42WrittenAsDouble() {
         }
     }
 }
-testArithMul42WrittenAsDouble();
\ No newline at end of file
+testArithMul42WrittenAsDouble();
+
+function testArithMulWithTypeConfusedConstant() {
+    let v1 = 1.0;
+
+    function testMult(v2) {
+        let v3 = [];
+        if (v3) {
+            v3 = v1 + 1;
+        }
+        return v2 * v3;
+    }
+
+    for (let i = 13.37; i < 10000; i++) {
+        let result = testMult(i);
+        if ((result / 2 - i) > 0.1E-20)
+            throw "testArithMulWithTypeConfusedConstant(i) = " + result + ", expected " + (i * 2);
+    }
+}
+testArithMulWithTypeConfusedConstant();
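Review bot: The check in testMult's caller is one-sided: `(result / 2 - i) > 0.1E-20` only throws when the product is too large, so a miscompile that yields a value smaller than i * 2 (or NaN, for which the comparison is false) passes silently. Use the absolute difference, `if (Math.abs(result / 2 - i) > 0.1E-20)`, or, since the inputs are exactly representable and a tolerance of 1e-21 is far below the ulp of doubles in this range, compare directly with `if (result !== i * 2)`. Either form also makes the message's "expected" value match what is actually asserted.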
index 38e583b..2a1eb35 100644 (file)
@@ -1,3 +1,16 @@
+2018-07-10  Michael Saboff  <msaboff@apple.com>
+
+        DFG JIT: compileMathIC produces incorrect machine code
+        https://bugs.webkit.org/show_bug.cgi?id=187537
+
+        Reviewed by Saam Barati.
+
+        Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
+        fall back to the fast path generator which handles such cases.
+
+        * jit/JITMulGenerator.cpp:
+        (JSC::JITMulGenerator::generateInline):
+
 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
 
         Change the reoptimization backoff base to 1.3 from 2
index 93c69e2..2fae85a 100644 (file)
@@ -46,10 +46,12 @@ JITMathICInlineResult JITMulGenerator::generateInline(CCallHelpers& jit, MathICG
     if (lhs.isOnlyNonNumber() && rhs.isOnlyNonNumber())
         return JITMathICInlineResult::DontGenerate;
 
-    if (lhs.isOnlyNumber() && rhs.isOnlyNumber()) {
+    if (lhs.isOnlyNumber() && rhs.isOnlyNumber() && !m_leftOperand.isConst() && !m_rightOperand.isConst()) {
         if (!jit.supportsFloatingPoint())
             return JITMathICInlineResult::DontGenerate;
 
+        ASSERT(m_left);
+        ASSERT(m_right);
         if (!m_leftOperand.definitelyIsNumber())
             state.slowPathJumps.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
         if (!m_rightOperand.definitelyIsNumber())
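Review bot: The new `isConst()` exclusions on the condition carry no comment, and the only hint at the reason is the two debug-only `ASSERT(m_left)` / `ASSERT(m_right)` lines, which presumably encode that a constant operand has no register backing `m_left`/`m_right`; a reader of a release build gets neither. A one-line comment above the condition would pin the invariant: `// Constant operands have no register in m_left/m_right; let the fast-path generator (below) handle them.` The rest of generateInline, including the path the commit message says constant multipliers fall back to, lies outside this hunk, so that claim should be confirmed against it before the comment is worded as fact.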