<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[238436] trunk</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/238436">238436</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2018-11-21 19:39:54 -0800 (Wed, 21 Nov 2018)</dd>
</dl>

<h3>Log Message</h3>
<pre>Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
https://bugs.webkit.org/show_bug.cgi?id=191895
<rdar://problem/46167406>

Reviewed by Mark Lam.

JSTests:

* stress/known-cell-use-needs-type-check-assertion.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

We were asserting that the input edge should have type SpecCell but it should
really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.

This patch cleans up that assertion code by joining a bunch of cases into a
single function call which grabs the type filter for the edge UseKind and
asserts that the incoming edge meets the type filter criteria.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculate):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::speculate):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkJSTestsChangeLog">trunk/JSTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkJSTestsstressknowncelluseneedstypecheckassertionjs">trunk/JSTests/stress/known-cell-use-needs-type-check-assertion.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkJSTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/JSTests/ChangeLog (238435 => 238436)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/ChangeLog  2018-11-22 02:57:14 UTC (rev 238435)
+++ trunk/JSTests/ChangeLog     2018-11-22 03:39:54 UTC (rev 238436)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2018-11-21  Saam barati  <sbarati@apple.com>
+
+        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
+        https://bugs.webkit.org/show_bug.cgi?id=191895
+        <rdar://problem/46167406>
+
+        Reviewed by Mark Lam.
+
+        * stress/known-cell-use-needs-type-check-assertion.js: Added.
+        (foo):
+        (bar):
+
</ins><span class="cx"> 2018-11-21  Mark Lam  <mark.lam@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Creating a wasm memory that is bigger than the ArrayBuffer limit but smaller than the spec limit should throw OOME not RangeError.
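Review bot: the author line of the new entry reads "Saam barati" with a lowercase surname, while the neighbouring entries in this file ("Mark Lam") capitalize both names; fix the capitalization before landing so the ChangeLog attribution matches the other entries.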
</span></span></pre></div>
<a id="trunkJSTestsstressknowncelluseneedstypecheckassertionjs"></a>
<div class="addfile"><h4>Added: trunk/JSTests/stress/known-cell-use-needs-type-check-assertion.js (0 => 238436)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/JSTests/stress/known-cell-use-needs-type-check-assertion.js                                (rev 0)
+++ trunk/JSTests/stress/known-cell-use-needs-type-check-assertion.js   2018-11-22 03:39:54 UTC (rev 238436)
</span><span class="lines">@@ -0,0 +1,14 @@
</span><ins>+//@ runDefault("--useTypeProfiler=1")
+
+function foo(z) {
+    bar(z);
+}
+function bar(o) {
+    o.x = 0;
+}
+let p = 0;
+let k = {};
+for (var i = 0; i < 100000; ++i) {
+    bar(p);
+    foo(k);
+}
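Review bot: the new stress test carries no comment explaining what it exercises and asserts nothing itself, so it only fails on a debug build where the ASSERT in speculate() fires. A one-line comment above foo() stating that bar() is first warmed up with a number (p) and then reached through foo() with an object (k), so that the DFG sees a KnownCellUse edge whose filter is SpecCellCheck rather than SpecCell (per the log message), would tell a future reader why the mixed-type loop and the --useTypeProfiler=1 option matter.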
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (238435 => 238436)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2018-11-22 02:57:14 UTC (rev 238435)
+++ trunk/Source/JavaScriptCore/ChangeLog       2018-11-22 03:39:54 UTC (rev 238436)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2018-11-21  Saam barati  <sbarati@apple.com>
+
+        Fix assertion in KnownCellUse inside SpeculativeJIT::speculate
+        https://bugs.webkit.org/show_bug.cgi?id=191895
+        <rdar://problem/46167406>
+
+        Reviewed by Mark Lam.
+
+        We were asserting that the input edge should have type SpecCell but it should
+        really be SpecCellCheck since the type filter for KnownCellUse is SpecCellCheck.
+        
+        This patch cleans up that assertion code by joining a bunch of cases into a
+        single function call which grabs the type filter for the edge UseKind and
+        asserts that the incoming edge meets the type filter criteria.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::speculate):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::speculate):
+
</ins><span class="cx"> 2018-11-21  Yusuke Suzuki  <yusukesuzuki@slowstart.org>
</span><span class="cx"> 
</span><span class="cx">         [JSC] Use ProtoCallFrame::numberOfRegisters instead of raw number `4`
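Review bot: the blank line separating the two paragraphs of the new entry (the line after "...is SpecCellCheck.") carries trailing whitespace; ChangeLog entries keep blank lines empty, so strip it before landing.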
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (238435 => 238436)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp    2018-11-22 02:57:14 UTC (rev 238435)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp       2018-11-22 03:39:54 UTC (rev 238436)
</span><span class="lines">@@ -10286,23 +10286,15 @@
</span><span class="cx">     switch (edge.useKind()) {
</span><span class="cx">     case UntypedUse:
</span><span class="cx">         break;
</span><del>-    case KnownInt32Use:
-        ASSERT(!needsTypeCheck(edge, SpecInt32Only));
-        break;
</del><span class="cx">     case DoubleRepUse:
</span><del>-        ASSERT(!needsTypeCheck(edge, SpecFullDouble));
-        break;
</del><span class="cx">     case Int52RepUse:
</span><del>-        ASSERT(!needsTypeCheck(edge, SpecAnyInt));
-        break;
</del><ins>+    case KnownInt32Use:
</ins><span class="cx">     case KnownCellUse:
</span><del>-        ASSERT(!needsTypeCheck(edge, SpecCell));
-        break;
</del><span class="cx">     case KnownStringUse:
</span><del>-        ASSERT(!needsTypeCheck(edge, SpecString));
-        break;
</del><span class="cx">     case KnownPrimitiveUse:
</span><del>-        ASSERT(!needsTypeCheck(edge, SpecHeapTop & ~SpecObject));
</del><ins>+    case KnownOtherUse:
+    case KnownBooleanUse:
+        ASSERT(!m_interpreter.needsTypeCheck(edge));
</ins><span class="cx">         break;
</span><span class="cx">     case Int32Use:
</span><span class="cx">         speculateInt32(edge);
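Review bot: the merged cases now assert !m_interpreter.needsTypeCheck(edge), which takes the filter from the edge's UseKind instead of the hard-coded masks this hunk removes (SpecInt32Only, SpecFullDouble, SpecAnyInt, SpecCell, SpecString, SpecHeapTop minus SpecObject). That is the intended correction for KnownCellUse, but it also silently changes which mask is checked for every other case folded into the group, and nothing in the hunk documents that. A short comment above the ASSERT noting that the UseKind's type filter is used and that it agrees with the old per-case masks except for the SpecCell to SpecCellCheck fix would make the consolidation auditable; in review, please confirm the filters for DoubleRepUse, Int52RepUse and KnownPrimitiveUse match the removed literals.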
</span><span class="lines">@@ -10327,9 +10319,6 @@
</span><span class="cx">     case BooleanUse:
</span><span class="cx">         speculateBoolean(edge);
</span><span class="cx">         break;
</span><del>-    case KnownBooleanUse:
-        ASSERT(!needsTypeCheck(edge, SpecBoolean));
-        break;
</del><span class="cx">     case CellUse:
</span><span class="cx">         speculateCell(edge);
</span><span class="cx">         break;
</span><span class="lines">@@ -10405,9 +10394,6 @@
</span><span class="cx">     case NotCellUse:
</span><span class="cx">         speculateNotCell(edge);
</span><span class="cx">         break;
</span><del>-    case KnownOtherUse:
-        ASSERT(!needsTypeCheck(edge, SpecOther));
-        break;
</del><span class="cx">     case OtherUse:
</span><span class="cx">         speculateOther(edge);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (238435 => 238436)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp      2018-11-22 02:57:14 UTC (rev 238435)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2018-11-22 03:39:54 UTC (rev 238436)
</span><span class="lines">@@ -15339,6 +15339,8 @@
</span><span class="cx">         case KnownOtherUse:
</span><span class="cx">         case DoubleRepUse:
</span><span class="cx">         case Int52RepUse:
</span><ins>+        case KnownCellUse:
+        case KnownBooleanUse:
</ins><span class="cx">             ASSERT(!m_interpreter.needsTypeCheck(edge));
</span><span class="cx">             break;
</span><span class="cx">         case Int32Use:
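Review bot: KnownBooleanUse is added to the assert-only group here, but the patch removes no existing "case KnownBooleanUse:" from this FTL switch (only the KnownCellUse case below is moved), so KnownBooleanUse edges previously fell through to whatever the switch's default does. If the FTL lowering does not otherwise handle KnownBooleanUse edges, this line turns an unexpected-use-kind failure into a silent pass; the log message describes only the KnownCellUse fix, so either document the FTL behaviour change there or drop the KnownBooleanUse line from this hunk.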
</span><span class="lines">@@ -15350,9 +15352,6 @@
</span><span class="cx">         case CellOrOtherUse:
</span><span class="cx">             speculateCellOrOther(edge);
</span><span class="cx">             break;
</span><del>-        case KnownCellUse:
-            ASSERT(!m_interpreter.needsTypeCheck(edge));
-            break;
</del><span class="cx">         case AnyIntUse:
</span><span class="cx">             speculateAnyInt(edge);
</span><span class="cx">             break;
</span></span></pre>
</div>
</div>

</body>
</html>