Timestamp:
Mar 19, 2013, 3:22:06 PM (12 years ago)
Author:
[email protected]
Message:

Crash when loading http://www.jqchart.com/jquery/gauges/RadialGauge/LiveData
https://bugs.webkit.org/show_bug.cgi?id=112694

Reviewed by Filip Pizlo.

We were trying to convert a NewArray to a Phantom, but convertToPhantom doesn't handle
nodes with variable arguments. Added code to insert a Phantom node in front of all the
live children of a var args node. Added ASSERT not var args for convertToPhantom to
catch any other similar cases. Added a new convertToPhantomUnchecked() for converting
var arg nodes.

  • dfg/DFGDCEPhase.cpp:

(JSC::DFG::DCEPhase::run):

  • dfg/DFGNode.h:

(Node):
(JSC::DFG::Node::setOpAndDefaultNonExitFlags): Added ASSERT(!(m_flags & NodeHasVarArgs))
(JSC::DFG::Node::setOpAndDefaultNonExitFlagsUnchecked):
(JSC::DFG::Node::convertToPhantomUnchecked):

File:
1 edited

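--- a/trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp
@@ -31,5 +31,6 @@
 #include "DFGBasicBlockInlines.h"
 #include "DFGGraph.h"
+#include "DFGInsertionSet.h"
 #include "DFGPhase.h"
 #include "Operations.h"
@@ -85,4 +86,7 @@
             if (!block)
                 continue;
+
+            InsertionSet insertionSet(m_graph);
+
             for (unsigned indexInBlock = block->size(); indexInBlock--;) {
                 Node* node = block->at(indexInBlock);
@@ -117,6 +121,22 @@
                     break;
                 }
-                    
+
                 default: {
+                    if (node->flags() & NodeHasVarArgs) {
+                        for (unsigned childIdx = node->firstChild(); childIdx < node->firstChild() + node->numChildren(); childIdx++) {
+                            Edge edge = m_graph.m_varArgChildren[childIdx];
+
+                            if (!edge || edge.isProved() || edge.useKind() == UntypedUse)
+                                continue;
+
+                            insertionSet.insertNode(indexInBlock, SpecNone, Phantom, node->codeOrigin, edge);
+                        }
+
+                        node->convertToPhantomUnchecked();
+                        node->children.reset();
+                        node->setRefCount(1);
+                        break;
+                    }
+
                     node->convertToPhantom();
                     eliminateIrrelevantPhantomChildren(node);
@@ -125,4 +145,6 @@
                 } }
             }
+
+            insertionSet.execute(block);
         }
        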
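Review bot: The edge filter on the new line `if (!edge || edge.isProved() || edge.useKind() == UntypedUse) continue;` in the var-args branch restates, by hand, the "which children still carry a speculation check" decision that the non-var-args path two lines below delegates to eliminateIrrelevantPhantomChildren(node); if the two criteria ever drift apart, var-args nodes would keep or drop type checks differently from every other dead node, which is exactly the class of mismatch this crash came from. Consider moving the predicate into one shared helper (e.g. a file-local `static bool isIrrelevantPhantomChild(const Edge&)`) that both paths call, and hoisting the loop bound into `const unsigned end = node->firstChild() + node->numChildren();` instead of recomputing it every iteration. The branch also deserves a why-comment, since the ordering is load-bearing: `// convertToPhantom() cannot carry var-args children, so first emit a Phantom per checked child (before this node, so its speculation checks still run), then turn this node into a childless Phantom.` The enclosing DCEPhase::run() begins and ends outside the hunk, so whether the non-var-args path also ends with a refcount of 1 cannot be confirmed from here.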