Title: [250536] trunk
Revision: 250536
Author: ysuz...@apple.com
Date: 2019-09-30 17:00:06 -0700 (Mon, 30 Sep 2019)
Log Message
[JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
https://bugs.webkit.org/show_bug.cgi?id=202382
<rdar://problem/52669112>
Reviewed by Saam Barati.
JSTests:
* stress/compare-eq-bool-number-folding.js: Added.
(test):
Source/JavaScriptCore:
If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
we fold it to constant False. But this is wrong since `false == 0` is true in JS.
This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
if one of them is seen.
* bytecode/SpeculatedType.cpp:
(JSC::leastUpperBoundOfEquivalentSpeculations):
(JSC::valuesCouldBeEqual):
Diff
Modified: trunk/JSTests/ChangeLog (250535 => 250536)
--- trunk/JSTests/ChangeLog 2019-09-30 23:56:46 UTC (rev 250535)
+++ trunk/JSTests/ChangeLog 2019-10-01 00:00:06 UTC (rev 250536)
@@ -1,3 +1,14 @@
+2019-09-30 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
+ https://bugs.webkit.org/show_bug.cgi?id=202382
+ <rdar://problem/52669112>
+
+ Reviewed by Saam Barati.
+
+ * stress/compare-eq-bool-number-folding.js: Added.
+ (test):
+
2019-09-27 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Keep JSString::value(ExecState*)'s result as String instead of `const String&`
Added: trunk/JSTests/stress/compare-eq-bool-number-folding.js (0 => 250536)
--- trunk/JSTests/stress/compare-eq-bool-number-folding.js (rev 0)
+++ trunk/JSTests/stress/compare-eq-bool-number-folding.js 2019-10-01 00:00:06 UTC (rev 250536)
@@ -0,0 +1,11 @@
+//@ runDefault("--useConcurrentJIT=0", "--jitPolicyScale=0.1")
+
+function test() {
+ var [w, y] = [false, 0, null];
+ if (w != y)
+ throw 0;
+}
+noInline(test);
+
+for (var i = 0; i < 2000; ++i)
+ test();
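Review bot: the body of test() only covers `false` against `0` through `w != y`, while the SpeculatedType.cpp change in this revision also puts SpecBigInt into the merged set, so the BigInt half of the fix has no regression coverage. I would add sibling functions that compare a BigInt with a Number and a BigInt with a Boolean, and at least one that uses `==` directly so both polarities of the folded branch are checked. The third element in `[false, 0, null]` is never bound; if it is needed to get the proven Boolean and Number types into CompareEq(Untyped, Untyped), a one-line comment saying so would stop someone from "simplifying" the test into one that no longer reproduces the bug.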
Modified: trunk/Source/_javascript_Core/ChangeLog (250535 => 250536)
--- trunk/Source/_javascript_Core/ChangeLog 2019-09-30 23:56:46 UTC (rev 250535)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-10-01 00:00:06 UTC (rev 250536)
@@ -1,3 +1,20 @@
+2019-09-30 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] AI folds CompareEq wrongly when it sees proven Boolean and Number
+ https://bugs.webkit.org/show_bug.cgi?id=202382
+ <rdar://problem/52669112>
+
+ Reviewed by Saam Barati.
+
+ If CompareEq(Untyped, Untyped) finds that it gets proven Boolean and Number types on its arguments,
+ we fold it to constant False. But this is wrong since `false == 0` is true in JS.
+ This patch adds leastUpperBoundOfEquivalentSpeculations, which merges Number, BigInt, and Boolean types
+ if one of them are seen.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::leastUpperBoundOfEquivalentSpeculations):
+ (JSC::valuesCouldBeEqual):
+
2019-09-28 Adrian Perez de Castro <ape...@igalia.com>
[GTK][WPE] Fix non-unified build issue caused by r250440
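Review bot: the entry title and first paragraph talk only about Boolean and Number, but the last sentence says the new helper also merges BigInt, with no reason given. One more sentence stating why BigInt belongs in the same set for non-strict equality, and that the effect is to make the fold more conservative rather than to change runtime semantics, would make this entry self-explanatory for anyone auditing the abstract interpreter's folding rules later.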
Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp (250535 => 250536)
--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2019-09-30 23:56:46 UTC (rev 250535)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2019-10-01 00:00:06 UTC (rev 250536)
@@ -624,10 +624,21 @@
return type;
}
+static inline SpeculatedType leastUpperBoundOfEquivalentSpeculations(SpeculatedType type)
+{
+ type = leastUpperBoundOfStrictlyEquivalentSpeculations(type);
+
+ // Boolean or BigInt can be converted to Number when performing non-strict equal.
+ if (type & (SpecIntAnyFormat | SpecNonIntAsDouble | SpecBoolean | SpecBigInt))
+ type |= (SpecIntAnyFormat | SpecNonIntAsDouble | SpecBoolean | SpecBigInt);
+
+ return type;
+}
+
bool valuesCouldBeEqual(SpeculatedType a, SpeculatedType b)
{
- a = leastUpperBoundOfStrictlyEquivalentSpeculations(a);
- b = leastUpperBoundOfStrictlyEquivalentSpeculations(b);
+ a = leastUpperBoundOfEquivalentSpeculations(a);
+ b = leastUpperBoundOfEquivalentSpeculations(b);
// Anything could be equal to a string.
if (a & SpecString)
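Review bot: in leastUpperBoundOfEquivalentSpeculations the mask `(SpecIntAnyFormat | SpecNonIntAsDouble | SpecBoolean | SpecBigInt)` is spelled out twice, once in the `if` and once in the `|=`, so a later edit can easily update one and not the other and silently reintroduce an unsound fold. Please hoist it into a single named constant and use it in both places. Separately, valuesCouldBeEqual now applies the non-strict widening to every caller; the hunk does not show who calls it, so it is worth confirming whether any strict-equality fold goes through this function, since those callers would lose precision (which is safe, but should be a deliberate choice and noted in the comment above the function). The comment `// Boolean or BigInt can be converted to Number when performing non-strict equal.` could also say that the function must over-approximate, so that the direction of the invariant is clear to the next reader.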