RESOLVED FIXED 189757
AI rule for MultiPutByOffset executes its effects in the wrong order 
https://bugs.webkit.org/show_bug.cgi?id=189757
Summary AI rule for MultiPutByOffset executes its effects in the wrong order
Saam Barati
Reported 2018-09-19 11:24:12 PDT
Look at this code: ``` observeTransitions(clobberLimit, transitions); if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction) m_state.setIsValid(false); setForNode(node->child2(), resultingValue); if (!!originalValue && !resultingValue) m_state.setIsValid(false); ``` However, we first need to execute the last three lines before the first three lines. This is because that's how the execution of the node happens at runtime. This can lead to bad results when resultingValue is the same as the base, e.g: ``` o.f = o; ```
Attachments
patch (3.92 KB, patch)
2018-09-19 12:02 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2018-09-19 11:25:04 PDT
<rdar://problem/43535257>
Saam Barati
Comment 2 2018-09-19 12:02:10 PDT
Created attachment 350139 [details] patch
Michael Saboff
Comment 3 2018-09-19 12:06:29 PDT
Comment on attachment 350139 [details] patch r=me
WebKit Commit Bot
Comment 4 2018-09-19 14:00:15 PDT
Comment on attachment 350139 [details] patch Clearing flags on attachment: 350139 Committed r236223: <https://trac.webkit.org/changeset/236223>
WebKit Commit Bot
Comment 5 2018-09-19 14:00:16 PDT
All reviewed patches have been landed. Closing bug.
Mark Lam
Comment 6 2018-10-03 16:28:21 PDT
*** Bug 188694 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.