NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a...
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 6 Jul 2017 05:01:33 +0000 (05:01 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 6 Jul 2017 05:01:33 +0000 (05:01 +0000)
commit    685fa4c4d049606bd6f6b20fac2efd91bd25d051
tree      4eb2f62115a18788b932508e60ade5bea501828d
parent    f387b1eb45ba248e99bde05e1e15db8ea49d0d8b
NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
https://bugs.webkit.org/show_bug.cgi?id=174188
<rdar://problem/30581423>

Reviewed by Mark Lam.

JSTests:

* stress/new-array-having-a-bad-time-double.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

We were calling lowJSValue(edge) when we were speculating the
edge as double. This isn't allowed. We should have been using
lowDouble.

This patch also adds a new option, called useArrayAllocationProfiling,
which defaults to true. When false, it will make the array allocation
profile not actually sample seen arrays. It'll force the allocation
profile's predicted indexing type to be ArrayWithUndecided. Adding
this option made it trivial to write a test for this bug.

* bytecode/ArrayAllocationProfile.cpp:
(JSC::ArrayAllocationProfile::updateIndexingType):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
* runtime/Options.h:

Tools:

* Scripts/run-jsc-stress-tests:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@219187 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/new-array-having-a-bad-time-double.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/Options.h
Tools/ChangeLog
Tools/Scripts/run-jsc-stress-tests