Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Apr 2017 00:09:08 +0000 (00:09 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Apr 2017 00:09:08 +0000 (00:09 +0000)
commit 7e2229ccd3491360b6b90fd55394e3400ff8086f
tree 86f609a3afbafe1999291afd7c04166b57e4dbab
parent 247939a2e924c120ea18c14258793f22e6956111
Should use flushDirect() when flushing the scopeRegister due to needsScopeRegister().
https://bugs.webkit.org/show_bug.cgi?id=170661
<rdar://problem/31579046>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-170661.js: Added.

Source/JavaScriptCore:

Previously, we were using flush() to flush the outermost frame's scopeRegister.
This is incorrect because flush() expects the VirtualRegister value passed to
it to be that of the top most inlined frame.  In the event that we reach a
terminal condition while inside an inlined frame, flush() will end up flushing
the wrong register.  The fix is simply to use flushDirect() instead.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::flush):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215351 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-170661.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
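The commit message describes a register-remapping mistake: flush() treats its operand as relative to the top-most inlined frame, so handing it the outermost frame's scope register from inside an inlinee flushes a different register, while flushDirect() takes the register as-is. The following is an added, simplified model of that distinction written for this page; it is not JavaScriptCore code. The Frame and Parser classes, the register layout (outermost frame at offset 0, an inlinee window at offset 10, scope register at index 3) and the flush()/flush_direct() names are constructed for the example.

```python
"""Simplified model of register remapping across inlined frames.

Added illustration, not JavaScriptCore code. Frame, Parser, make_parser and
the register layout below are constructed assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    name: str
    base: int            # offset of this frame's register window inside the
                         # outermost frame (0 for the outermost frame itself)
    scope_register: int  # frame-relative index of this frame's scope register


@dataclass
class Parser:
    outermost: Frame
    inline_stack: list = field(default_factory=list)  # inlinees, innermost last
    flushed: set = field(default_factory=set)         # absolute register indices

    @property
    def top(self) -> Frame:
        """The top-most inlined frame, or the outermost frame if none."""
        return self.inline_stack[-1] if self.inline_stack else self.outermost

    def remap(self, operand: int) -> int:
        """Translate an operand relative to the top-most inlined frame into an
        absolute register index in the outermost frame."""
        return self.top.base + operand

    def flush(self, operand: int) -> None:
        """Contract: 'operand' is relative to the top-most inlined frame."""
        self.flush_direct(self.remap(operand))

    def flush_direct(self, absolute: int) -> None:
        """No remapping: 'absolute' is already an outermost-frame index."""
        self.flushed.add(absolute)


def make_parser(inlined: bool = True) -> Parser:
    """Constructed layout: outermost registers 0..9 with the scope register at
    index 3; when 'inlined' is set, parsing is inside a callee whose register
    window starts at absolute index 10."""
    outer = Frame("outer", base=0, scope_register=3)
    p = Parser(outer)
    if inlined:
        p.inline_stack.append(Frame("inlinee", base=10, scope_register=2))
    return p


def outer_scope_absolute(p: Parser) -> int:
    """The outermost frame has base 0, so its scope register is already
    an absolute index."""
    return p.outermost.base + p.outermost.scope_register


def flush_scope_with_flush(p: Parser) -> list:
    """Pre-fix behaviour: the outermost scope register is passed to flush(),
    which remaps it by the current inlinee's offset."""
    p.flush(p.outermost.scope_register)
    return sorted(p.flushed)


def flush_scope_with_flush_direct(p: Parser) -> list:
    """Post-fix behaviour: flush_direct() uses the register index as given."""
    p.flush_direct(p.outermost.scope_register)
    return sorted(p.flushed)


if __name__ == "__main__":
    buggy = make_parser()
    print("flush() inside inlinee flushed:", flush_scope_with_flush(buggy),
          "wanted:", outer_scope_absolute(buggy))
    fixed = make_parser()
    print("flush_direct() inside inlinee flushed:",
          flush_scope_with_flush_direct(fixed), "wanted:",
          outer_scope_absolute(fixed))
```

Outside any inlined frame the two paths agree, which is why the mistake only surfaces when a terminal condition is hit while parsing an inlinee; the model reproduces exactly that asymmetry.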