Title: [205446] releases/WebKitGTK/webkit-2.12
Revision
205446
Author
carlo...@webkit.org
Date
2016-09-05 02:53:17 -0700 (Mon, 05 Sep 2016)

Log Message

Merge r204699 - [DFG] Should not fixup AnyIntUse in 32_64
https://bugs.webkit.org/show_bug.cgi?id=161029

Reviewed by Saam Barati.

JSTests:

* typeProfiler/int52-dfg.js: Added.
(test):

Source/_javascript_Core:

The DFG fixup phase uses AnyIntUse even in the 32-bit DFG. This patch removes this incorrect filtering.
If the 32-bit DFG sees TypeAnyInt, it should fall back to the NumberUse case.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

Modified Paths

Added Paths

Diff

Added: releases/WebKitGTK/webkit-2.12/JSTests/typeProfiler/int52-dfg.js (0 => 205446)


--- releases/WebKitGTK/webkit-2.12/JSTests/typeProfiler/int52-dfg.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/JSTests/typeProfiler/int52-dfg.js	2016-09-05 09:53:17 UTC (rev 205446)
@@ -0,0 +1,17 @@
+load("./driver/driver.js");
+
+function test()
+{
+    var ok = 0;
+    for (var i = 0; i < 1e4; ++i) {
+        // Int52. ProfileType should not use AnyIntUse edge in 32bit environment.
+        // If 32bit uses AnyIntUse, it leads crashing.
+        ok += 0xfffffffff;
+    }
+    return ok;
+}
+test();
+
+var types = findTypeForExpression(test, "ok += 0x");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 1, "Primitive type names should one candidate.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
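Review bot: Nothing in this file forces test() into the DFG tier; the regression path is only exercised if the 1e4-iteration loop happens to reach DFG under the runner's default thresholds, and the crash the comment describes only applies on a 32-bit build. A short comment stating both assumptions would help, for example `// Relies on 1e4 iterations to reach the DFG; only meaningful as a crash test on 32-bit (no Int52) builds.` Separately, the first assertion message is missing a verb and would read better as `"Primitive type names should have one candidate."`. The comment in the loop could also say `// If 32bit uses AnyIntUse, it crashes.`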

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (205445 => 205446)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-09-05 09:35:33 UTC (rev 205445)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-09-05 09:53:17 UTC (rev 205446)
@@ -1,3 +1,16 @@
+2016-08-21  Yusuke Suzuki  <utatane....@gmail.com>
+
+        [DFG] Should not fixup AnyIntUse in 32_64
+        https://bugs.webkit.org/show_bug.cgi?id=161029
+
+        Reviewed by Saam Barati.
+
+        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
+        If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2016-05-03  Michael Saboff  <msab...@apple.com>
 
         Crash: Array.prototype.slice() and .splice() can call fastSlice() after an array is truncated

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (205445 => 205446)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-09-05 09:35:33 UTC (rev 205445)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-09-05 09:53:17 UTC (rev 205446)
@@ -1369,12 +1369,22 @@
             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
             RuntimeTypeMask seenTypes = typeSet->seenTypes();
             if (typeSet->doesTypeConformTo(TypeMachineInt)) {
-                if (node->child1()->shouldSpeculateInt32())
+                if (node->child1()->shouldSpeculateInt32()) {
                     fixEdge<Int32Use>(node->child1());
-                else
+                    node->remove();
+                    break;
+                }
+
+                if (enableInt52()) {
                     fixEdge<MachineIntUse>(node->child1());
-                node->remove();
-            } else if (typeSet->doesTypeConformTo(TypeNumber | TypeMachineInt)) {
+                    node->remove();
+                    break;
+                }
+
+                // Must not perform fixEdge<NumberUse> here since the type set only includes TypeMachineInt. Double values should be logged.
+            }
+
+            if (typeSet->doesTypeConformTo(TypeNumber | TypeMachineInt)) {
                 fixEdge<NumberUse>(node->child1());
                 node->remove();
             } else if (typeSet->doesTypeConformTo(TypeString)) {
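Review bot: The comment closing the TypeMachineInt branch says `fixEdge<NumberUse>` must not be performed for a set that only contains TypeMachineInt, but control then falls straight into `if (typeSet->doesTypeConformTo(TypeNumber | TypeMachineInt))`, which does exactly that and removes the node. If doesTypeConformTo is a subset test (its definition is not visible here), a MachineInt-only set satisfies that condition whenever enableInt52() is false, so the node is removed and a later double would pass the NumberUse check without being logged. The log message says the NumberUse fallback is the intended behaviour, so the comment should state it, for example `// Int52 is unavailable (e.g. 32_64): fall through to the NumberUse case below.` If logging doubles really is required, the fall-through path needs to keep the node instead. The enclosing case in fixupNode starts and ends outside the hunk, so what the new `break` statements exit cannot be confirmed from here.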