DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double
until after CFG simplification
https://bugs.webkit.org/show_bug.cgi?id=88927
<rdar://problem/11513971>

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Speculation fixup needs to run if simplification did things, because simplification can change
predictions - particularly if you had a control flow path that stored weird things into a
variable, but that path got axed by the simplifier.

Running fixup in the fixpoint requires making it idempotent, which it previously wasn't. Only
one place needed to be changed, namely the un-MustGenerate-ion of ValueToInt32.

* dfg/DFGDriver.cpp:
(JSC::DFG::compile):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

LayoutTests:

Reviewed by Geoffrey Garen.

* fast/js/dfg-double-use-of-post-simplification-double-prediction-expected.txt: Added.
* fast/js/dfg-double-use-of-post-simplification-double-prediction.html: Added.
* fast/js/script-tests/dfg-double-use-of-post-simplification-double-prediction.js: Added.
(foo):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120137 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index b256fac..f6e3c0a 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -150,7 +150,8 @@
}
case ValueToInt32: {
- if (m_graph[node.child1()].shouldSpeculateNumber()) {
+ if (m_graph[node.child1()].shouldSpeculateNumber()
+ && node.mustGenerate()) {
node.clearFlags(NodeMustGenerate);
m_graph.deref(m_compileIndex);
}
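Review bot: the new `&& node.mustGenerate()` guard in the ValueToInt32 case is the whole idempotence fix, and its purpose is not visible from the condition alone: without it a second pass of fixup (now that it runs inside the fixpoint) would re-enter the block after NodeMustGenerate was already cleared and call `m_graph.deref(m_compileIndex)` a second time, unbalancing the child's ref count. A one-line comment above the `if`, e.g. `// Fixup runs in the fixpoint; only clear the flag and deref the first time through.`, would stop a later cleanup from "simplifying" the condition back to `shouldSpeculateNumber()` alone. The companion DFGDriver.cpp change that moves fixup into the fixpoint is named in the commit message but not part of this hunk, so this guard should be reviewed together with that diff to confirm no other fixupNode case has the same clear-then-deref pattern.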