DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Jan 2013 01:11:32 +0000 (01:11 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Jan 2013 01:11:32 +0000 (01:11 +0000)
commit 72cd03509bb6cbc183c788bd96a220833e59c6b5
tree 6e36e92c341288dfe8006b72b3ad96d9144a5e29
parent 9e85a9b183886c9e92552dda7cf40ab372ac67e8
DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
https://bugs.webkit.org/show_bug.cgi?id=106398
<rdar://problem/12439776>

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

This is a possible optimization for inlined calls, and fixes crashes for inlined constructors, in the case
that the inlined code used arguments. The problem was that assuming that 'this' was captured implies the
assumption that it was initialized by the caller, which is wrong for constructors and this.

Also added a pretty essential DFG IR validation rule: we shouldn't have any live locals at the top of the
root block. This helps to catch this bug: our assumption that 'this' was captured in an inlined constructor
that used arguments led to liveness for the temporary that would have held 'this' in the caller being
propagated all the way up to the entrypoint of the function.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::isCaptured):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::reportValidationContext):
(Validate):
(JSC::DFG::Validate::dumpGraphIfAppropriate):

LayoutTests:

Reviewed by Mark Hahnenberg.

* fast/js/dfg-inline-constructor-that-uses-arguments-expected.txt: Added.
* fast/js/dfg-inline-constructor-that-uses-arguments.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-inline-constructor-that-uses-arguments.js: Added.
(Foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@139136 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-inline-constructor-that-uses-arguments-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-inline-constructor-that-uses-arguments.html [new file with mode: 0644]
LayoutTests/fast/js/jsc-test-list
LayoutTests/fast/js/script-tests/dfg-inline-constructor-that-uses-arguments.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/dfg/DFGValidate.cpp
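The scenario the commit message describes, as an added illustration that is not the WebKit test file listed above: a constructor whose code block uses `arguments`, invoked from a hot caller so that a tiered JIT such as the DFG would inline the `new` call. The function names `Foo` and `bar` mirror the changelog entry, but their bodies and the `runHot` driver are constructed here; the checks are what any correct engine must preserve.

```javascript
// Constructed example, not from the WebKit repository.
// Foo reads its parameters through `arguments`, which marks its code block
// as "uses arguments". Under the bug fixed by this commit, the DFG then
// treated the inlined constructor's `this` as captured, and therefore as
// initialized by the caller, which is wrong: `new` allocates `this` fresh.
function Foo(a, b) {
  this.sum = arguments[0] + arguments[1];
  this.count = arguments.length;
}

// The call site a JIT would inline. `this` inside Foo must be the newly
// allocated object, not any temporary living in bar's frame.
function bar(a, b) {
  var o = new Foo(a, b);
  return o.sum + o.count;
}

// Run enough iterations that a tiered engine compiles and inlines bar/Foo,
// then return a checksum of the results so a regression is observable.
function runHot(iterations) {
  var acc = 0;
  for (var i = 0; i < iterations; ++i) {
    acc += bar(i, 1); // each call contributes (i + 1) + 2
  }
  return acc;
}
```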