WebKit GIT trees - WebKit-https.git/commit

Safari WebKit crash when loading Google Spreadsheet.
https://bugs.webkit.org/show_bug.cgi?id=144020

Reviewed by Filip Pizlo.

The bug is that the object allocation sinking phase did not account for a case
where a property of a sunken object is only initialized on one path and not
another. As a result, on the path where the property is not initialized, we'll
encounter an Upsilon with a BottomValue (which is not allowed by definition).

The fix is to use a JSConstant(undefined) as the bottom value instead (of
BottomValue). If the property is uninitialized, it should still be accessible
and have the value undefined.

* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
* tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added.
(foo):
(foo2):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183564 268f45cc-cd09-0410-ab3c-d52691b4dbfc

author	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 29 Apr 2015 19:00:12 +0000 (19:00 +0000)
committer	mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
	Wed, 29 Apr 2015 19:00:12 +0000 (19:00 +0000)
commit	8cbcb24ef3bc0ad8d0bdbb5733a31365ce128a62
tree	9a7aac4336626fcd432d3d1ef7c012fb40abe90e	tree \| snapshot
parent	c0a27f594c714af56bc60f0303324dd3d0f75cc9	commit \| diff

Source/JavaScriptCore/ChangeLog		diff \| blob \| history
Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp		diff \| blob \| history
Source/JavaScriptCore/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js	[new file with mode: 0644]	blob