REGRESSION(120121): inspector tests crash in DFG
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jun 2012 01:29:07 +0000 (01:29 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 13 Jun 2012 01:29:07 +0000 (01:29 +0000)
commit4eebb842c1faf926465f125ec54ec3377fbe7dbd
tree83bcd7a2da03000b9d651be61f9c3d4b95872e0c
parentcdb64a87af1a2d576b7236e39cbc5f8719a11a80
REGRESSION(120121): inspector tests crash in DFG
https://bugs.webkit.org/show_bug.cgi?id=88941

Reviewed by Geoffrey Garen.

The CFG simplifier has two different ways of fixing up GetLocal, Phantom, and Flush. If we've
already fixed up the node one way, we shouldn't try the other way. The reason why we shouldn't
is that the second way depends on the node referring to other nodes in the to-be-jettisoned
block. After fixup they potentially will refer to nodes in the block being merged to.

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::fixPossibleGetLocal):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@120148 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp