PutStructure AI rule needs to call didFoldClobberStructures when the incoming value...
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Jun 2018 03:06:25 +0000 (03:06 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Jun 2018 03:06:25 +0000 (03:06 +0000)
commit 22b3adb34d8795ebd712f15eec9025a089a59d56
tree 3092ba0daa8a6805696fb339e6b89aeadd011eab
parent a920315c20ad27227bca6d12fa7a12aac9365f34
PutStructure AI rule needs to call didFoldClobberStructures when the incoming value's structure set is clear
https://bugs.webkit.org/show_bug.cgi?id=186169

Reviewed by Mark Lam.

If we don't do this, the CFA validation rule about StructureID being
clobbered but AI not clobbering or folding a clobber will cause us
to crash. Simon was running into this yesterday on arstechnica.com.
I couldn't come up with a test case for this, but it's obvious
what the issue is by looking at the IR dump at the time of the crash.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232384 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h