StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable...

https://bugs.webkit.org/show_bug.cgi?id=141721
rdar://problem/17198633

Reviewed by Michael Saboff.

I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
we use it everywhere else.

No test because I could never reproduce the crash.

* dfg/DFGGraph.h:
(JSC::DFG::Graph::usesArguments):
* dfg/DFGStackLayoutPhase.cpp:
(JSC::DFG::StackLayoutPhase::run):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@180237 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 341e157..22f507a 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,21 @@
+2015-02-17  Filip Pizlo  <fpizlo@apple.com>
+
+        StackLayoutPhase should use CodeBlock::usesArguments rather than FunctionExecutable::usesArguments
+        https://bugs.webkit.org/show_bug.cgi?id=141721
+        rdar://problem/17198633
+
+        Reviewed by Michael Saboff.
+        
+        I've seen cases where the two are out of sync.  We know we can trust the CodeBlock::usesArguments because
+        we use it everywhere else.
+        
+        No test because I could never reproduce the crash.
+
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::usesArguments):
+        * dfg/DFGStackLayoutPhase.cpp:
+        (JSC::DFG::StackLayoutPhase::run):
+
 2015-02-16  Joseph Pecoraro  <pecoraro@apple.com>
 
         Web Inspector: Improved Console Support for Bound Functions

diff --git a/Source/JavaScriptCore/dfg/DFGGraph.h b/Source/JavaScriptCore/dfg/DFGGraph.h
index c19829b..5898b80 100644 (file)
--- a/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -406,6 +406,14 @@ public:
         return hasExitSite(node->origin.semantic, exitKind);
     }
     
+    bool usesArguments(InlineCallFrame* inlineCallFrame)
+    {
+        if (!inlineCallFrame)
+            return m_profiledBlock->usesArguments();
+        
+        return baselineCodeBlockForInlineCallFrame(inlineCallFrame)->usesArguments();
+    }
+    
     VirtualRegister argumentsRegisterFor(InlineCallFrame* inlineCallFrame)
     {
         if (!inlineCallFrame)

diff --git a/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp b/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp
index ceb2632..f86e08d 100644 (file)
--- a/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGStackLayoutPhase.cpp
@@ -106,7 +106,7 @@ public:
             usedLocals.set(codeBlock()->activationRegister().toLocal());
         for (InlineCallFrameSet::iterator iter = m_graph.m_plan.inlineCallFrames->begin(); !!iter; ++iter) {
             InlineCallFrame* inlineCallFrame = *iter;
-            if (!inlineCallFrame->executable->usesArguments())
+            if (!m_graph.usesArguments(inlineCallFrame))
                 continue;
             
             VirtualRegister argumentsRegister = m_graph.argumentsRegisterFor(inlineCallFrame);
@@ -175,7 +175,7 @@ public:
             InlineVariableData data = m_graph.m_inlineVariableData[i];
             InlineCallFrame* inlineCallFrame = data.inlineCallFrame;
             
-            if (inlineCallFrame->executable->usesArguments()) {
+            if (m_graph.usesArguments(inlineCallFrame)) {
                 inlineCallFrame->argumentsRegister = virtualRegisterForLocal(
                     allocation[m_graph.argumentsRegisterFor(inlineCallFrame).toLocal()]);