Changeset 120137 in webkit for trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

Timestamp:

Jun 12, 2012, 4:16:51 PM (13 years ago)

Author:

[email protected]

Message:

DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
until after CFG simplification
​https://bugs.webkit.org/show_bug.cgi?id=88927
<rdar://problem/11513971>

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Speculation fixup needs to run if simplification did things, because simplification can change
predictions - particularly if you had a control flow path that stored weird things into a
variable, but that path got axed by the simplifier.

Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.

• dfg/DFGDriver.cpp:

(JSC::DFG::compile):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

LayoutTests:

Reviewed by Geoffrey Garen.

• fast/js/dfg-double-use-of-post-simplification-double-prediction-expected.txt: Added.
• fast/js/dfg-double-use-of-post-simplification-double-prediction.html: Added.
• fast/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js: Added.

(foo):

File:

• trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -87 +87 @@
             break;
         dfg.resetExitStates();
+        performFixup(dfg);
     }
     performCSE(dfg, FixpointConverged);