[webkit-changes] [WebKit/WebKit] 5c92de: [JSC] Inlined in_by_val does not have ValueProfile...

[Yusuke Suzuki]

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5c92de6a61ab777048959db43a409771875825a3
      https://github.com/WebKit/WebKit/commit/5c92de6a61ab777048959db43a409771875825a3
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-08-28 (Wed, 28 Aug 2024)

  Changed paths:
    A JSTests/stress/in-by-val-profile.js
    M Source/JavaScriptCore/dfg/DFGGraph.cpp

  Log Message:
  -----------
  [JSC] Inlined in_by_val does not have ValueProfile thus we should check that condition before using ValueProfile from OSR exit
https://bugs.webkit.org/show_bug.cgi?id=278810
rdar://132478663

Reviewed by Yijia Huang.

280973 at main allows DFG / FTL to inline InByVal's Proxy calls. As a result, we may encounter that ValueProfile update request
for in_by_val because it can be converted to sequence of calling. But because in_by_val's result is always boolean, we do not have ValueProfile.
But current code is not assuming that case and expecting that there is always ValueProfile for the DFG Node which has heapPrediction (but it is not for in_by_val).
This patch checks ValueProfile existence before using.

* JSTests/stress/in-by-val-profile.js: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):

Canonical link: https://commits.webkit.org/282866@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications