Changeset 156003 in webkit for trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

Timestamp:

Sep 17, 2013, 2:57:25 PM (12 years ago)

Author:

[email protected]

Message:

DFG doesn't properly keep scope alive for op_put_to_scope
​https://bugs.webkit.org/show_bug.cgi?id=121519

Reviewed by Michael Saboff.

This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow
path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but
which were necessary for gen GC).

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

File:

• trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -3113 +3113 @@
                 Node* base = cellConstantWithStructureCheck(globalObject, status.oldStructure());
                 handlePutByOffset(base, identifierNumber, static_cast<PropertyOffset>(operand), get(value));
+                // Keep scope alive until after put.
+                addToGraph(Phantom, get(scope));
                 break;
             }
@@ -3120 +3122 @@
                 ASSERT(!entry.couldBeWatched() || !m_graph.watchpoints().isStillValid(entry.watchpointSet()));
                 addToGraph(PutGlobalVar, OpInfo(operand), get(value));
+                // Keep scope alive until after put.
+                addToGraph(Phantom, get(scope));
                 break;
             }