[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
Created attachment 334951 [details] Patch
Created attachment 334958 [details] Patch
Created attachment 334959 [details] Patch
Created attachment 335422 [details] Patch
Created attachment 335435 [details] Patch
Ping review?
Comment on attachment 335435 [details] Patch Thank you!
Comment on attachment 335435 [details] Patch Clearing flags on attachment: 335435 Committed r229520: <https://trac.webkit.org/changeset/229520>
All reviewed patches have been landed. Closing bug.
https://arewefastyet.com/#machine=29&view=single&suite=octane&subtest=RayTrace 10.1% win in Octane/Raytrace.
It looks like this change caused assertion failures on the debug bot: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == CallObjectConstructor stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash stress/dfg-rare-data.js.default: 2 0x10c276ad5 JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 3 0x10c273b47 JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) stress/dfg-rare-data.js.default: 4 0x10c270c1a JSC::DFG::ConstantFoldingPhase::run() stress/dfg-rare-data.js.default: 5 0x10c270a0e bool JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::ConstantFoldingPhase&) stress/dfg-rare-data.js.default: 6 0x10c26817e bool JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 7 0x10c268145 JSC::DFG::performConstantFolding(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 8 0x10c3b629d JSC::DFG::Plan::compileInThreadImpl() stress/dfg-rare-data.js.default: 9 0x10c3b47c2 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) stress/dfg-rare-data.js.default: 10 0x10c68f16c JSC::DFG::Worklist::ThreadBody::work() stress/dfg-rare-data.js.default: 11 0x10d165667 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void ()>::operator()() const stress/dfg-rare-data.js.default: 14 0x10d1e356f WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 WTF::wtfThreadEntryPoint(void*) stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true dfg-rare-data.js ) stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139
<rdar://problem/38397885>
(In reply to Ryan Haddad from comment #11) > It looks like this change caused assertion failures on the debug bot: > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 > > stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == > CallObjectConstructor > stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash > stress/dfg-rare-data.js.default: 2 0x10c276ad5 > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 3 0x10c273b47 > JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) > stress/dfg-rare-data.js.default: 4 0x10c270c1a > JSC::DFG::ConstantFoldingPhase::run() > stress/dfg-rare-data.js.default: 5 0x10c270a0e bool > JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG:: > ConstantFoldingPhase&) > stress/dfg-rare-data.js.default: 6 0x10c26817e bool > JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 7 0x10c268145 > JSC::DFG::performConstantFolding(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 8 0x10c3b629d > JSC::DFG::Plan::compileInThreadImpl() > stress/dfg-rare-data.js.default: 9 0x10c3b47c2 > JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) > stress/dfg-rare-data.js.default: 10 0x10c68f16c > JSC::DFG::Worklist::ThreadBody::work() > stress/dfg-rare-data.js.default: 11 0x10d165667 > WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() > const > stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void > ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker > const&)::$_0>::call() > stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void > ()>::operator()() const > stress/dfg-rare-data.js.default: 14 0x10d1e356f > WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) > stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 > WTF::wtfThreadEntryPoint(void*) > stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body > stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body > stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start > stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 > Segmentation fault: 11 ( "$@" > ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false > --useFunctionDotArguments\=true --validateExceptionChecks\=true > --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true > dfg-rare-data.js ) > stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139 Thanks, this is simply ASSERT becomes obsolete. I'll fix it soon
Committed r229570: <https://trac.webkit.org/changeset/229570>