JIT bug - fails when inspector closed, works when open
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 21:26:08 +0000 (21:26 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 21:26:08 +0000 (21:26 +0000)
commitd102f4d86fbab9103f5ffbe1495f89e022bb291b
tree9ad6e8ab7f9e610c4bd40d6502513350e1bca675
parent5beedbbb8b2681588b3ec9b85cbbc5293c8ec44b
JIT bug - fails when inspector closed, works when open
https://bugs.webkit.org/show_bug.cgi?id=145243

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

We need to provide the Arguments object as the base when creating the HeapLocation for
GetFromArguments and PutToArguments.  Otherwise we endup creating a HeapLocation for
any arguments object, not the one we need.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

LayoutTests:

New regression test.

* js/regress-145243-expected.txt: Added.
* js/regress-145243.html: Added.
* js/script-tests/regress-145243.js: Added.
(bar):
(foo):
(test):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185566 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/js/regress-145243-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-145243.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-145243.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGClobberize.h