fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=75516
<rdar://problem/10640266>

Source/JavaScriptCore:

Reviewed by Gavin Barraclough.

Removed the offending assertion, since it was wrong. Also hardened the code to make this case less likely by first having the propagator fixpoint converge, and then doing double voting combined with a second fixpoint. This is neutral on benchmarks and fixes the assertion in a fairly low-risk way (i.e. we won't vote a variable double until we've converged to the conclusion that it really is double).

* dfg/DFGPropagator.cpp:
(JSC::DFG::Propagator::propagatePredictions):
* dfg/DFGVariableAccessData.h:
(JSC::DFG::VariableAccessData::tallyVotesForShouldUseDoubleFormat):

LayoutTests:

Reviewed by Andy Estes.

Created a fuzzer that produces sufficiently awkward data flow that includes variables that become either double, or integer, or mix of double and integer only after multiple iterations of a fixpoint. This crashes the compiler prior to this patch, but works with this patch.

* fast/js/dfg-double-vote-fuzz-expected.txt: Added.
* fast/js/dfg-double-vote-fuzz.html: Added.
* fast/js/script-tests/dfg-double-vote-fuzz.js: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104016 268f45cc-cd09-0410-ab3c-d52691b4dbfc
e793f71d