Remove invalid assertion in DFG's compileDoubleRep().
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Feb 2019 22:47:19 +0000 (22:47 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Feb 2019 22:47:19 +0000 (22:47 +0000)
https://bugs.webkit.org/show_bug.cgi?id=194130
<rdar://problem/47699474>

Reviewed by Saam Barati.

JSTests:

* stress/constant-fold-double-rep-into-double-constant.js: Added.

Source/JavaScriptCore:

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoubleRep):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240878 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/constant-fold-double-rep-into-double-constant.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

index ec90504..8d03fbc 100644 (file)
@@ -1,3 +1,13 @@
+2019-02-01  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in DFG's compileDoubleRep().
+        https://bugs.webkit.org/show_bug.cgi?id=194130
+        <rdar://problem/47699474>
+
+        Reviewed by Saam Barati.
+
+        * stress/constant-fold-double-rep-into-double-constant.js: Added.
+
 2019-01-30  Ross Kirsling  <ross.kirsling@sony.com>
 
         Import latest Test262 updates.
diff --git a/JSTests/stress/constant-fold-double-rep-into-double-constant.js b/JSTests/stress/constant-fold-double-rep-into-double-constant.js
new file mode 100644 (file)
index 0000000..4591c1c
--- /dev/null
@@ -0,0 +1,14 @@
+function bar(o) {
+    for (let i = 0; i < 2; i++)
+        o[i] = undefined;
+    o.length = undefined;
+    return o;
+}
+
+function foo(a) {
+    bar(a);
+    undefined + bar(0) + bar(0);
+    for(let i = 0; i < 10000000; i++) {}
+}
+
+foo({});
index f35d51c..d021748 100644 (file)
@@ -1,3 +1,14 @@
+2019-02-01  Mark Lam  <mark.lam@apple.com>
+
+        Remove invalid assertion in DFG's compileDoubleRep().
+        https://bugs.webkit.org/show_bug.cgi?id=194130
+        <rdar://problem/47699474>
+
+        Reviewed by Saam Barati.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+
 2019-02-01  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] Unify CodeBlock IsoSubspaces
index 16e431c..9ec916f 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -2585,8 +2585,6 @@ void SpeculativeJIT::compileDoubleRep(Node* node)
     
     case NotCellUse:
     case NumberUse: {
-        ASSERT(!node->child1()->isNumberConstant()); // This should have been constant folded.
-
         SpeculatedType possibleTypes = m_state.forNode(node->child1()).m_type;
         if (isInt32Speculation(possibleTypes)) {
             SpeculateInt32Operand op1(this, node->child1(), ManualOperandSpeculation);