[MERGE #5930 @meg-gupta] OS#18874701: Clear valuetype of profiledInstr, when it transforms from LdElemI_A to Ld_A

Meghana Gupta · Meghana Gupta · commit 5210a369c2b1 · 2019-02-06T17:29:31.000-08:00
Merge pull request #5930 from meg-gupta:vtbug Otherwise we may end up reading the profiled value type stored in the union (instr->AsProfiledInstr()->u) incorrectly.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -13270,6 +13270,11 @@ GlobOpt::OptStackArgLenAndConst(IR::Instr* instr, Value** src1Val)
             {
                 instr->ClearBailOutInfo();
             }
+            if (instr->IsProfiledInstr())
+            {
+                Assert(opcode == Js::OpCode::Ld_A || opcode == Js::OpCode::Typeof);
+                instr->AsProfiledInstr()->u.FldInfo().valueType = ValueType::Uninitialized;
+            }
             *src1Val = this->OptSrc(instr->GetSrc1(), &instr);
             instr->m_func->hasArgLenAndConstOpt = true;
         };

Original file line number	Diff line number	Diff line change
`@@ -13270,6 +13270,11 @@ GlobOpt::OptStackArgLenAndConst(IR::Instr* instr, Value** src1Val)`
`13270`	`13270`	`{`
`13271`	`13271`	`instr->ClearBailOutInfo();`
`13272`	`13272`	`}`
	`13273`	`+ if (instr->IsProfiledInstr())`
	`13274`	`+ {`
	`13275`	`+ Assert(opcode == Js::OpCode::Ld_A \|\| opcode == Js::OpCode::Typeof);`
	`13276`	`+ instr->AsProfiledInstr()->u.FldInfo().valueType = ValueType::Uninitialized;`
	`13277`	`+ }`
`13273`	`13278`	`*src1Val = this->OptSrc(instr->GetSrc1(), &instr);`
`13274`	`13279`	`instr->m_func->hasArgLenAndConstOpt = true;`
`13275`	`13280`	`};`