Timestamp:
Apr 24, 2015, 10:19:07 PM (10 years ago)
Author:
[email protected]
Message:

CRASH in operationCreateDirectArgumentsDuringExit()
https://bugs.webkit.org/show_bug.cgi?id=143962

Reviewed by Geoffrey Garen.

We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
recoverable so long as they are live. Therefore, OSR exit should track liveness of
constants instead of assuming that they are always live.

  • dfg/DFGGenerationInfo.h:

(JSC::DFG::GenerationInfo::noticeOSRBirth):
(JSC::DFG::GenerationInfo::appendBirth):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCurrentBlock):

  • dfg/DFGVariableEvent.cpp:

(JSC::DFG::VariableEvent::dump):

  • dfg/DFGVariableEvent.h:

(JSC::DFG::VariableEvent::birth):
(JSC::DFG::VariableEvent::id):
(JSC::DFG::VariableEvent::dataFormat):

  • dfg/DFGVariableEventStream.cpp:

(JSC::DFG::VariableEventStream::reconstruct):

  • tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.

(foo):
(bar):

  • tests/stress/phantom-direct-arguments-clobber-callee.js: Added.

(foo):
(bar):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGGenerationInfo.h

    r182919 r183307  
    154154    void noticeOSRBirth(VariableEventStream& stream, Node* node, VirtualRegister virtualRegister)
    155155    {
    156         if (m_isConstant)
    157             return;
    158156        if (m_node != node)
    159157            return;
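Review bot: with the early `if (m_isConstant) return;` removed, a constant GenerationInfo now falls through to the `m_node != node` comparison and on to the `m_bornForOSR = true` assignment, so the function silently depends on m_node being populated for constants; a one-line comment at the top of noticeOSRBirth stating that constants are now tracked for OSR liveness like any other value (the commit message's point that a constant is only recoverable while live) would make that dependency explicit for the next reader.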
     
    165163        m_bornForOSR = true;
    166164       
    167         if (m_registerFormat != DataFormatNone)
     165        if (m_isConstant)
     166            appendBirth(stream);
     167        else if (m_registerFormat != DataFormatNone)
    168168            appendFill(BirthToFill, stream);
    169169        else if (m_spillFormat != DataFormatNone)
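Review bot: the new `if (m_isConstant) appendBirth(stream);` branch emits a Birth event with no accompanying fill or spill, so the stream consumer has to treat a lone Birth for a constant as "recover from the constant" rather than as a missing fill; a short comment on the branch saying that constants never have a register or spill format, and that the Birth-only case is handled on the VariableEventStream::reconstruct side (listed as changed in the commit message but not shown here), would keep a later reader from "fixing" it into the appendFill path.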
     
    380380
    381381private:
     382    void appendBirth(VariableEventStream& stream)
     383    {
     384        stream.appendAndLog(VariableEvent::birth(MinifiedID(m_node)));
     385    }
     386   
    382387    void appendFill(VariableEventKind kind, VariableEventStream& stream)
    383388    {
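Review bot: appendBirth builds `MinifiedID(m_node)` without any precondition check, and its only visible caller is the m_isConstant branch of noticeOSRBirth; since a Birth with no fill is only meaningful for a constant, consider `ASSERT(m_isConstant)` and `ASSERT(m_node)` at the top of appendBirth so a future caller on a non-constant fails loudly in debug builds instead of producing an event stream that reconstruct() cannot recover from.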