Changeset 145145 in webkit for trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp

Timestamp:

Mar 7, 2013, 3:45:27 PM (12 years ago)

Author:

[email protected]

Message:

DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way
​https://bugs.webkit.org/show_bug.cgi?id=111783

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Unreachable code is not touched by CFA and so thinks that even untyped uses are checked.
But dead untyped uses don't need checks and hence don't need to be Phantom'd. The DCE knew
this in findTypeCheckRoot() but not in eliminateIrrelevantPhantomChildren(), leading to a
Phantom node that had another Phantom node as one of its kids.

• dfg/DFGDCEPhase.cpp:

(JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):

LayoutTests:

Reviewed by Mark Hahnenberg.

• fast/js/dfg-dead-unreachable-code-with-chain-of-dead-unchecked-nodes-expected.txt: Added.
• fast/js/dfg-dead-unreachable-code-with-chain-of-dead-unchecked-nodes.html: Added.
• fast/js/jsc-test-list:
• fast/js/script-tests/dfg-dead-unreachable-code-with-chain-of-dead-unchecked-nodes.js: Added.

(foo.bar):
(foo):

File:

• trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp

@@ -160 +160 @@
             if (!edge)
                 continue;
-            if (edge.needsCheck())
-                continue;
-            node->children.removeEdgeFromBag(i--);
+            if (edge.isProved() || edge.useKind() == UntypedUse)
+                node->children.removeEdgeFromBag(i--);
         }
     }