Local CSE wrongly CSEs array accesses with different result types.
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 19:04:47 +0000 (19:04 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 25 Apr 2017 19:04:47 +0000 (19:04 +0000)
commitd7ea8343e94e3b1809f15bbd04176e2857fc0af9
treeab2ea47292d092ad4057fdba420187f81f11a572
parent0c4143108d76831b9b2ac68b7b4b4d929e85f615
Local CSE wrongly CSEs array accesses with different result types.
https://bugs.webkit.org/show_bug.cgi?id=170990
<rdar://problem/31705945>

Reviewed by Saam Barati.

JSTests:

* stress/regress-170990.js: Added.

Source/JavaScriptCore:

The fix is to use different LocationKind enums for the different type of array
result types.  This makes the HeapLocation values different based on the result
types, and allows CSE to discern between them.

* dfg/DFGCSEPhase.cpp:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGHeapLocation.cpp:
(WTF::printInternal):
* dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocForResultType):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@215748 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-170990.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
Source/JavaScriptCore/dfg/DFGClobberize.h
Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
Source/JavaScriptCore/dfg/DFGHeapLocation.h