[webkit-changes] [220020] branches/safari-604-branch/Source/JavaScriptCore

[jmarcell]

Title: [220020] branches/safari-604-branch/Source/_javascript_Core

Revision

220020

Author

jmarc...@apple.com

Date

2017-07-28 15:19:40 -0700 (Fri, 28 Jul 2017)

Log Message

Cherry-pick r219895. rdar://problem/33595450

Modified Paths

branches/safari-604-branch/Source/_javascript_Core/ChangeLog
branches/safari-604-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp

Diff

Modified: branches/safari-604-branch/Source/_javascript_Core/ChangeLog (220019 => 220020)

--- branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-07-28 22:19:38 UTC (rev 220019)
+++ branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-07-28 22:19:40 UTC (rev 220020)
@@ -1,3 +1,39 @@
+2017-07-28  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r219895. rdar://problem/33595450
+
+    2017-07-25  Keith Miller  <keith_mil...@apple.com>
+
+            Remove Broken CompareEq constant folding phase.
+            https://bugs.webkit.org/show_bug.cgi?id=174846
+            <rdar://problem/32978808>
+
+            Reviewed by Saam Barati.
+
+            This bug happened when we would get code like the following:
+
+            a: JSConst(Undefined)
+            b: GetLocal(SomeObjectOrUndefined)
+            ...
+            c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
+
+            constant folding will turn this into:
+
+            a: JSConst(Undefined)
+            b: GetLocal(SomeObjectOrUndefined)
+            ...
+            c: CompareEq(Check:ObjectOrOther:b, Other:a)
+
+            But the SpeculativeJIT/FTL lowering will fail to check b
+            properly which leads to an assertion failure in the AI.
+
+            I'll follow up with a more robust fix later. For now, I'll remove the
+            case that generates the code. Removing the code appears to be perf
+            neutral.
+
+            * dfg/DFGConstantFoldingPhase.cpp:
+            (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
 2017-07-22  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r219633. rdar://problem/33465535

Modified: branches/safari-604-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (220019 => 220020)

--- branches/safari-604-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2017-07-28 22:19:38 UTC (rev 220019)
+++ branches/safari-604-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2017-07-28 22:19:40 UTC (rev 220020)
@@ -135,10 +135,8 @@
             }
 
             case CompareEq: {
-                if (!m_interpreter.needsTypeCheck(node->child1(), SpecOther))
-                    node->child1().setUseKind(OtherUse);
-                if (!m_interpreter.needsTypeCheck(node->child2(), SpecOther))
-                    node->child2().setUseKind(OtherUse);
+                // FIXME: We should add back the broken folding phase here for comparisions where we prove at least one side has type SpecOther.
+                // See: https://bugs.webkit.org/show_bug.cgi?id=174844
                 break;
             }
                 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes