Merge r224349 - AI does not correctly model the clobber case of Arith…

…Clz32 https://bugs.webkit.org/show_bug.cgi?id=179188 Reviewed by Michael Saboff. JSTests: * stress/arith-clz32-effects.js: Added. (foo): (valueOf): Source/JavaScriptCore: The non-Int32 case clobbers the world because it may call valueOf. * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
WebKit · Jan 24, 2018 · bcdbd1f · bcdbd1f
1 parent 843521e
commit bcdbd1f
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 0 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,14 @@
+2017-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        AI does not correctly model the clobber case of ArithClz32
+        https://bugs.webkit.org/show_bug.cgi?id=179188
+
+        Reviewed by Michael Saboff.
+
+        * stress/arith-clz32-effects.js: Added.
+        (foo):
+        (valueOf):
+
 2017-11-01  Michael Saboff  <msaboff@apple.com>
 
         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.

diff --git a/JSTests/stress/arith-clz32-effects.js b/JSTests/stress/arith-clz32-effects.js
@@ -0,0 +1,30 @@
+function foo(o, v)
+{
+    var result = o.f;
+    Math.clz32(v);
+    return result + o.f;
+}
+
+noInline(foo);
+
+var o = {f: 42};
+o.g = 43; // Bust the transition watchpoint of {f}.
+
+for (var i = 0; i < 10000; ++i) {
+    var result = foo({f: 42}, "42");
+    if (result != 84)
+        throw "Error: bad result in loop: " + result;
+}
+
+var o = {f: 43};
+var result = foo(o, {
+    valueOf: function()
+    {
+        delete o.f;
+        o.__defineGetter__("f", function() { return 44; });
+    }
+});
+
+if (result != 87)
+    throw "Error: bad result at end: " + result;
+
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2017-11-02  Filip Pizlo  <fpizlo@apple.com>
+
+        AI does not correctly model the clobber case of ArithClz32
+        https://bugs.webkit.org/show_bug.cgi?id=179188
+
+        Reviewed by Michael Saboff.
+
+        The non-Int32 case clobbers the world because it may call valueOf.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2017-11-01  Michael Saboff  <msaboff@apple.com>
 
         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -563,6 +563,14 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
             setConstant(node, jsNumber(clz32(value)));
             break;
         }
+        switch (node->child1().useKind()) {
+        case Int32Use:
+        case KnownInt32Use:
+            break;
+        default:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        }
         forNode(node).setType(SpecInt32Only);
         break;
     }