For example, we transform code like:

    a: DoubleConstant(1.0)
    b: ToString(Check:Int32:@a)
    c: Unreachable

to

    b: LazyJSConstant
    c: Unreachable

Where we no longer exit in the latter case, causing us to crash.
<rdar://problem/39455917>
Created attachment 339162
patch
Comment on attachment 339162
patch

Attachment 339162 did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/7517368

New failing tests:
microbenchmarks/string-replace.js.ftl-eager-no-cjit-b3o1
microbenchmarks/v8-regexp-search.js.ftl-no-cjit-no-put-stack-validate
stress/string-replace-constant-folding-replacer-not-string.js.ftl-no-cjit-no-put-stack-validate
v8-v6/v8-regexp.js.ftl-no-cjit-no-inline-validate
microbenchmarks/string-replace.js.ftl-no-cjit-no-put-stack-validate
microbenchmarks/v8-regexp-search.js.dfg-maximal-flush-validate-no-cjit
microbenchmarks/v8-regexp-search.js.ftl-no-cjit-no-inline-validate
microbenchmarks/string-replace-empty.js.dfg-maximal-flush-validate-no-cjit
v8-v6/v8-regexp.js.dfg-maximal-flush-validate-no-cjit
microbenchmarks/string-replace-empty.js.ftl-no-cjit-no-inline-validate
v8-v6/v8-regexp.js.no-cjit-validate-phases
microbenchmarks/v8-regexp-search.js.dfg-eager-no-cjit-validate
microbenchmarks/string-replace-empty.js.ftl-eager-no-cjit-b3o1
microbenchmarks/v8-regexp-search.js.ftl-eager-no-cjit-b3o1
microbenchmarks/string-replace-empty.js.dfg-eager-no-cjit-validate
stress/v8-regexp-strict.js.dfg-maximal-flush-validate-no-cjit
stress/v8-regexp-strict.js.ftl-no-cjit-no-put-stack-validate
stress/v8-regexp-strict.js.ftl-no-cjit-validate-sampling-profiler
v8-v6/v8-regexp.js.ftl-eager-no-cjit
microbenchmarks/string-replace-empty.js.ftl-eager-no-cjit
microbenchmarks/string-replace.js.dfg-maximal-flush-validate-no-cjit
stress/v8-regexp-strict.js.no-cjit-validate-phases
microbenchmarks/string-replace.js.no-cjit-validate-phases
v8-v6/v8-regexp.js.ftl-no-cjit-no-put-stack-validate
stress/v8-regexp-strict.js.ftl-no-cjit-no-inline-validate
stress/string-replace-constant-folding-replacer-not-string.js.no-cjit-validate-phases
microbenchmarks/string-replace.js.ftl-no-cjit-no-inline-validate
stress/string-replace-constant-folding-replacer-not-string.js.dfg-maximal-flush-validate-no-cjit
stress/v8-regexp-strict.js.dfg-eager-no-cjit-validate
microbenchmarks/v8-regexp-search.js.ftl-eager-no-cjit
microbenchmarks/string-replace-empty.js.no-cjit-validate-phases
microbenchmarks/string-replace.js.ftl-no-cjit-validate-sampling-profiler
stress/v8-regexp-strict.js.ftl-eager-no-cjit-b3o1
microbenchmarks/string-replace.js.ftl-eager-no-cjit
microbenchmarks/string-replace-empty.js.ftl-no-cjit-validate-sampling-profiler
stress/string-replace-constant-folding-replacer-not-string.js.ftl-no-cjit-no-inline-validate
stress/v8-regexp-strict.js.ftl-eager-no-cjit
microbenchmarks/string-replace-empty.js.ftl-no-cjit-no-put-stack-validate
microbenchmarks/string-replace.js.dfg-eager-no-cjit-validate
microbenchmarks/v8-regexp-search.js.ftl-no-cjit-validate-sampling-profiler
stress/string-replace-constant-folding-replacer-not-string.js.ftl-no-cjit-validate-sampling-profiler
v8-v6/v8-regexp.js.dfg-eager-no-cjit-validate
microbenchmarks/v8-regexp-search.js.no-cjit-validate-phases
v8-v6/v8-regexp.js.ftl-eager-no-cjit-b3o1
v8-v6/v8-regexp.js.ftl-no-cjit-validate-sampling-profiler
Created attachment 339182
patch for landing

It appears I made tests fail when I converted one of the callsites. I switched that back to the non-check emitting version. However, I saw conversion also didn't preserve checks, so I added for it to retain its checks.
Comment on attachment 339182
patch for landing

Clearing flags on attachment: 339182

Committed r231193: <https://trac.webkit.org/changeset/231193>
All reviewed patches have been landed. Closing bug.
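
The transformation in the report, and the effect of retaining a node's checks when it is converted to a constant, as a toy C++ model. This is an added example, not WebKit code or part of the thread; the node layout, the function names and the rule that an Int32 check on a DoubleConstant operand always exits are simplifying assumptions.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy IR; all names are hypothetical, not JavaScriptCore's.
enum class Op { DoubleConstant, ToString, LazyJSConstant, Check, Unreachable };
enum class Use { Untyped, Int32 };   // speculation check carried on an edge
enum class Outcome { Completed, Exited, ReachedUnreachable };

struct Node {
    Op op;
    int child;                       // index of the operand node, -1 if none
    Use use;                         // check applied to that operand
    Node(Op o, int c = -1, Use u = Use::Untyped) : op(o), child(c), use(u) {}
};

// The graph from the report: a, b, c.
std::vector<Node> sampleGraph() {
    return {{Op::DoubleConstant},            // a: DoubleConstant(1.0)
            {Op::ToString, 0, Use::Int32},   // b: ToString(Check:Int32:@a)
            {Op::Unreachable}};              // c: Unreachable
}

// Assumption: an Int32 check on a DoubleConstant operand always fails and exits.
Outcome run(const std::vector<Node>& g) {
    for (const Node& n : g) {
        if (n.op == Op::Unreachable) return Outcome::ReachedUnreachable;
        if (n.child >= 0 && n.use == Use::Int32 && g[n.child].op == Op::DoubleConstant)
            return Outcome::Exited;
    }
    return Outcome::Completed;
}

// Conversion that overwrites the node, losing the check on its edge.
void convertDroppingChecks(std::vector<Node>& g, std::size_t i) {
    g[i] = Node{Op::LazyJSConstant};
}

// Conversion that first moves the checked edge onto a standalone Check node.
void convertKeepingChecks(std::vector<Node>& g, std::size_t i) {
    Node check{Op::Check, g[i].child, g[i].use};
    g[i] = Node{Op::LazyJSConstant};
    if (check.use != Use::Untyped) g.insert(g.begin() + i, check);
}

Outcome foldThenRun(bool keepChecks) {
    std::vector<Node> g = sampleGraph();
    if (keepChecks) convertKeepingChecks(g, 1); else convertDroppingChecks(g, 1);
    return run(g);
}

int main() {
    std::printf("dropping checks: %d, keeping checks: %d\n",
                static_cast<int>(foldThenRun(false)), static_cast<int>(foldThenRun(true)));
}
```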