ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32...
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Oct 2013 17:42:20 +0000 (17:42 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 7 Oct 2013 17:42:20 +0000 (17:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=122419

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is
both a int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is
instead dealing with an input that is always represented as a int32 but that has the
meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):

LayoutTests:

Reviewed by Oliver Hunt.

* js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@157047 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

index 1d9055cd2d25d3d1466a009009f75ed909b5c06d..969e61811508f010dc2cd2cb5155ecd8af88ddbf 100644 (file)
@@ -1,3 +1,12 @@
+2013-10-07  Filip Pizlo  <fpizlo@apple.com>
+
+        ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit
+        https://bugs.webkit.org/show_bug.cgi?id=122419
+
+        Reviewed by Oliver Hunt.
+
+        * js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js:
+
 2013-10-07  Tim Horton  <timothy_horton@apple.com>
 
         -webkit-cross-fade paints SVGs at full opacity during cross-fade
index 9aa3e5f6069163c237f919ff4f331060901dbbce..dd5738be1c1746791f881b4b8457cd799eb2327c 100644 (file)
@@ -1,6 +1,3 @@
-// https://bugs.webkit.org/show_bug.cgi?id=122419
-//@ runLayoutTestDefault
-
 description(
 "Tests that UInt32ToNumber and OSR exit are aware of copy propagation and correctly recover both versions of a variable that was subject to a UInt32ToNumber cast."
 );
index 6db42a22280b9da35f4ffa760a60de14f5bf8acb..c2d393d990c89757ebb8078369065f509220d53f 100644 (file)
@@ -1,3 +1,18 @@
+2013-10-07  Filip Pizlo  <fpizlo@apple.com>
+
+        ASSERTION FAILED: isUInt32() in jsc-layout-tests.yaml/js/script-tests/dfg-uint32-to-number-in-middle-of-copy-propagation.js.layout-dfg-eager-no-cjit
+        https://bugs.webkit.org/show_bug.cgi?id=122419
+
+        Reviewed by Oliver Hunt.
+        
+        AI was using JSValue::asUInt32() incorrectly. That method presumes that the input is
+        both a int32 and a uint32 (it's in the range [0, 2^31)). The UInt32ToNumber node is
+        instead dealing with an input that is always represented as a int32 but that has the
+        meaning of a uint32 - so AI should use JSValue::asInt32() and then do the cast.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+
 2013-10-07  Julien Brianceau  <jbriance@cisco.com>
 
         [sh4] Jump over maxJumpReplacementSize in revertJumpToMove.
index cc05a94e852b79e5213242679d5d6ef5792c64af..1424c4b3ca5f5a0ddd5ab1eec58237f39bf0ee90 100644 (file)
@@ -256,7 +256,8 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         JSValue child = forNode(node->child1()).value();
         if (child && child.isNumber()) {
             ASSERT(child.isInt32());
-            setConstant(node, JSValue(child.asUInt32()));
+            uint32_t value = child.asInt32();
+            setConstant(node, jsNumber(value));
             break;
         }
         if (!node->canSpeculateInt32())