We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Sep 2018 22:21:32 +0000 (22:21 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 17 Sep 2018 22:21:32 +0000 (22:21 +0000)
commit 1ff3f0d5ce73c5fcf22e17e6ad96874d4f19b232
tree db7212c34ef5c51c58a1599c6e48348adc46919b
parent c782d60881a675afa8845c31af202faac63bec2e
We must convert ProfileType to CheckStructureOrEmpty instead of CheckStructure
https://bugs.webkit.org/show_bug.cgi?id=189676
<rdar://problem/39682897>

Reviewed by Michael Saboff.

JSTests:

* typeProfiler/check-structure-or-empty-in-fixup.js: Added.
(A):
(K):
(i.catch):

Source/JavaScriptCore:

Because the incoming value may be TDZ, CheckStructure may end up crashing.
Since the Type Profile does not currently record TDZ values in any of its
data structures, this is not a semantic change in how it will show you data.
It just fixes crashes when we emit a CheckStructure and the incoming value
is TDZ.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToCheckStructureOrEmpty):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/typeProfiler/check-structure-or-empty-in-fixup.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGNode.h