Changeset 184781 in webkit for trunk/Source/JavaScriptCore/tests

Timestamp:

May 22, 2015, 11:48:03 AM (10 years ago)

Author:

[email protected]

Message:

Arguments elimination phase mishandles arity check failure in its reduction of LoadVarargs to GetStack/PutStacks
​https://bugs.webkit.org/show_bug.cgi?id=145298

Reviewed by Geoffrey Garen.

• dfg/DFGArgumentsEliminationPhase.cpp: Fix the bug. I restructured the loop to make it more obvious that we're initializing everything that we're supposed to initialize.
• dfg/DFGNode.h: Add a comment to clarify something I was confused about while writing this code.
• dfg/DFGPutStackSinkingPhase.cpp: Hacking on PutStacks made me think deep thoughts, and I added some FIXMEs.
• tests/stress/fold-load-varargs-arity-check-fail-barely.js: Added. This test crashes or fails before this patch.
• tests/stress/fold-load-varargs-arity-check-fail.js: Added. This is even more sure to crash or fail.
• tests/stress/simplify-varargs-mandatory-minimum-smaller-than-limit.js: Added. Not sure if we had coverage for this case before.

Location:

trunk/Source/JavaScriptCore/tests/stress

Files:

• fold-load-varargs-arity-check-fail-barely.js (added)
• fold-load-varargs-arity-check-fail.js (added)
• simplify-varargs-mandatory-minimum-smaller-than-limit.js (added)