CRASH in operationCreateDirectArgumentsDuringExit()
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 25 Apr 2015 05:19:07 +0000 (05:19 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 25 Apr 2015 05:19:07 +0000 (05:19 +0000)
commit c5286e8611e9ca76c4b298d0d4e90c958cf890e1
tree 54d43510679aa210bde059ec6b38b8a119659d44
parent 3db6a0b34ab498fab369b02a990bffec1bca37bb
CRASH in operationCreateDirectArgumentsDuringExit()
https://bugs.webkit.org/show_bug.cgi?id=143962

Reviewed by Geoffrey Garen.

We shouldn't assume that constant-like OSR exit values are always recoverable. They are only
recoverable so long as they are live. Therefore, OSR exit should track liveness of
constants instead of assuming that they are always live.

* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::noticeOSRBirth):
(JSC::DFG::GenerationInfo::appendBirth):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* dfg/DFGVariableEvent.cpp:
(JSC::DFG::VariableEvent::dump):
* dfg/DFGVariableEvent.h:
(JSC::DFG::VariableEvent::birth):
(JSC::DFG::VariableEvent::id):
(JSC::DFG::VariableEvent::dataFormat):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):
* tests/stress/phantom-direct-arguments-clobber-argument-count.js: Added.
(foo):
(bar):
* tests/stress/phantom-direct-arguments-clobber-callee.js: Added.
(foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@183307 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGGenerationInfo.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGVariableEvent.cpp
Source/JavaScriptCore/dfg/DFGVariableEvent.h
Source/JavaScriptCore/dfg/DFGVariableEventStream.cpp
Source/JavaScriptCore/tests/stress/phantom-direct-arguments-clobber-argument-count.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/phantom-direct-arguments-clobber-callee.js [new file with mode: 0644]