Title: [233716] trunk
- Revision: 233716
- Author: msab...@apple.com
- Date: 2018-07-10 17:35:02 -0700 (Tue, 10 Jul 2018)
Log Message
DFG JIT: compileMathIC produces incorrect machine code
https://bugs.webkit.org/show_bug.cgi?id=187537
Reviewed by Saam Barati.
JSTests:
Added new test case.
* stress/arith-mul-with-constants.js:
(testArithMulWithTypeConfusedConstant.testMult):
(testArithMulWithTypeConfusedConstant):
Source/JavaScriptCore:
Added checks for constant multipliers in JITMulGenerator::generateInline(). If we have a constant multiplier,
fall back to the fast path generator which handles such cases.
* jit/JITMulGenerator.cpp:
(JSC::JITMulGenerator::generateInline):
Diff
Modified: trunk/JSTests/ChangeLog (233715 => 233716)
--- trunk/JSTests/ChangeLog 2018-07-11 00:27:18 UTC (rev 233715)
+++ trunk/JSTests/ChangeLog 2018-07-11 00:35:02 UTC (rev 233716)
@@ -1,5 +1,18 @@
2018-07-10 Michael Saboff <msab...@apple.com>
+ DFG JIT: compileMathIC produces incorrect machine code
+ https://bugs.webkit.org/show_bug.cgi?id=187537
+
+ Reviewed by Saam Barati.
+
+ Added new test case.
+
+ * stress/arith-mul-with-constants.js:
+ (testArithMulWithTypeConfusedConstant.testMult):
+ (testArithMulWithTypeConfusedConstant):
+
+2018-07-10 Michael Saboff <msab...@apple.com>
+
YARR: . doesn't match non-BMP Unicode characters in some cases
https://bugs.webkit.org/show_bug.cgi?id=187248
Modified: trunk/JSTests/stress/arith-mul-with-constants.js (233715 => 233716)
--- trunk/JSTests/stress/arith-mul-with-constants.js 2018-07-11 00:27:18 UTC (rev 233715)
+++ trunk/JSTests/stress/arith-mul-with-constants.js 2018-07-11 00:35:02 UTC (rev 233716)
@@ -219,4 +219,23 @@
}
}
}
-testArithMul42WrittenAsDouble();
\ No newline at end of file
+testArithMul42WrittenAsDouble();
+
+function testArithMulWithTypeConfusedConstant() {
+ let v1 = 1.0;
+
+ function testMult(v2) {
+ let v3 = [];
+ if (v3) {
+ v3 = v1 + 1;
+ }
+ return v2 * v3;
+ }
+
+ for (let i = 13.37; i < 10000; i++) {
+ let result = testMult(i);
+ if ((result / 2 - i) > 0.1E-20)
+ throw "testArithMulWithTypeConfusedConstant(i) = " + result + ", expected " + (i * 2);
+ }
+}
+testArithMulWithTypeConfusedConstant();
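Review bot: The failure check in the loop, "if ((result / 2 - i) > 0.1E-20)", is one-sided, so a result that is too small, negative, or NaN passes silently (every comparison against NaN is false). Since v3 always ends up as v1 + 1, which is 2, and doubling a double is exact, the test can compare directly with "if (result !== i * 2)", or at minimum wrap the difference in Math.abs(). The throw message also prints the literal text "(i)" instead of the value of i, so a failure does not say which iteration went wrong.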
Modified: trunk/Source/_javascript_Core/ChangeLog (233715 => 233716)
--- trunk/Source/_javascript_Core/ChangeLog 2018-07-11 00:27:18 UTC (rev 233715)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-07-11 00:35:02 UTC (rev 233716)
@@ -1,3 +1,16 @@
+2018-07-10 Michael Saboff <msab...@apple.com>
+
+ DFG JIT: compileMathIC produces incorrect machine code
+ https://bugs.webkit.org/show_bug.cgi?id=187537
+
+ Reviewed by Saam Barati.
+
+ Added checks for constant multipliers in JITMulGenerator::generateInline(). If we have a constant multiplier,
+ fall back to the fast path generator which handles such cases.
+
+ * jit/JITMulGenerator.cpp:
+ (JSC::JITMulGenerator::generateInline):
+
2018-07-10 Filip Pizlo <fpi...@apple.com>
Change the reoptimization backoff base to 1.3 from 2
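Review bot: This entry records what was added but not what went wrong: it does not say why generateInline() emits incorrect code when a multiplier is constant, and the title names compileMathIC while the only function listed is JSC::JITMulGenerator::generateInline. One sentence on what the inline path assumed about its operands would help anyone checking whether similar inline generators need the same guard.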
Modified: trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp (233715 => 233716)
--- trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp 2018-07-11 00:27:18 UTC (rev 233715)
+++ trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp 2018-07-11 00:35:02 UTC (rev 233716)
@@ -46,10 +46,12 @@
if (lhs.isOnlyNonNumber() && rhs.isOnlyNonNumber())
return JITMathICInlineResult::DontGenerate;
- if (lhs.isOnlyNumber() && rhs.isOnlyNumber()) {
+ if (lhs.isOnlyNumber() && rhs.isOnlyNumber() && !m_leftOperand.isConst() && !m_rightOperand.isConst()) {
if (!jit.supportsFloatingPoint())
return JITMathICInlineResult::DontGenerate;
+ ASSERT(m_left);
+ ASSERT(m_right);
if (!m_leftOperand.definitelyIsNumber())
state.slowPathJumps.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
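Review bot: The added "!m_leftOperand.isConst() && !m_rightOperand.isConst()" terms on the isOnlyNumber() condition carry the whole fix but have no comment explaining why a constant operand must not take this branch; a one-line comment above the condition would keep a later cleanup from dropping them. ASSERT(m_left) and ASSERT(m_right) document that both operands are expected to be in valid registers before branchIfNotNumber() uses them, but ASSERT is compiled out of release builds, so the condition is the only guard there. If this invariant is security-relevant, RELEASE_ASSERT would be worth considering.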