Changeset 168480 in webkit for trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

Timestamp:

May 8, 2014, 12:07:45 PM (11 years ago)

Author:

[email protected]

Message:

SSA conversion should delete PhantomLocals for captured variables
​https://bugs.webkit.org/show_bug.cgi?id=132693

Reviewed by Mark Hahnenberg.

• dfg/DFGCommon.cpp:

(JSC::DFG::startCrashing): Parallel JIT and a JIT bug means that we man dump IR in parallel. This is the workaround. This patch uses it in all of the places where we dump IR and crash.

• dfg/DFGCommon.h:
• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::injectTypeConversionsForEdge): Use the workaround.

• dfg/DFGLivenessAnalysisPhase.cpp:

(JSC::DFG::LivenessAnalysisPhase::run): Use the workaround.

• dfg/DFGSSAConversionPhase.cpp:

(JSC::DFG::SSAConversionPhase::run): Fix the bug - it's true that PhantomLocal for captured variables doesn't need anything done to it, but it's wrong that we didn't delete it outright.

• dfg/DFGValidate.cpp: Use the workaround.
• tests/stress/phantom-local-captured-but-not-flushed-to-ssa.js: Added.

(foo):
(bar):

File:

• trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

@@ -46 +46 @@
     #define VALIDATE(context, assertion) do { \
         if (!(assertion)) { \
+            startCrashing(); \
             dataLogF("\n\n\nAt "); \
             reportValidationContext context; \
@@ -57 +58 @@
     #define V_EQUAL(context, left, right) do { \
         if (left != right) { \
+            startCrashing(); \
             dataLogF("\n\n\nAt "); \
             reportValidationContext context; \