[JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister...
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Aug 2019 08:13:15 +0000 (08:13 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Aug 2019 08:13:15 +0000 (08:13 +0000)
commitb622e41dec5d4356676f57a00c4dc4e8ea1edac8
tree95f6e5578541a2bf8ff07335bacc1fafe01e7039
parent86ca5822c39d6a1b2d5deee217e3c2ac373d5a0c
[JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid
https://bugs.webkit.org/show_bug.cgi?id=201332

Reviewed by Mark Lam.

JSTests:

This test is very flaky, it is hard to reproduce.

* stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js: Added.
(code):

Source/JavaScriptCore:

When inlining setter calls in DFG, result VirtualRegister becomes invalid one. While other call-related DFG code correctly assumes
that `result` may be invalid, only CheckBadCell slow path missed this case. Since this is OSR exit path and VirtualRegister result
does not exist, set BottomValue only when "result" is valid as the other DFG code is doing.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleInlining):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249317 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/setter-inlining-resulting-bad-cell-result-virtual-register-should-be-invalid.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp