From 51227441abbaefcac30dcc0750badd305ea1a8f3 Mon Sep 17 00:00:00 2001
From: "fpizlo@apple.com"
Date: Tue, 3 Jul 2012 00:10:08 +0000
Subject: [PATCH] DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate() https://bugs.webkit.org/show_bug.cgi?id=90407
Reviewed by Mark Hahnenberg.
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@121712 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 10 +++++++++
 .../dfg/DFGArgumentsSimplificationPhase.cpp | 25 +++++++++++++++++++---
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 26f9f3f..40b4b7e 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,13 @@
+2012-07-02 Filip Pizlo
+
+ DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
+ https://bugs.webkit.org/show_bug.cgi?id=90407
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+
 2012-07-02 Gavin Barraclough
 Array.prototype.pop should throw if property is not configurable
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index 28e686a..82c081b 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -627,8 +627,9 @@ public:
 continue;
 // If this is a CreateArguments for an InlineCallFrame* that does
 // not create arguments, then replace it with a PhantomArguments.
- // PhantomArguments is a constant that represents JSValue() (the
- // empty value) in DFG and arguments creation for OSR exit.
+ // PhantomArguments is a non-executing node that just indicates
+ // that the node should be reified as an arguments object on OSR
+ // exit.
 if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
 continue;
 if (node.shouldGenerate()) {
@@ -641,12 +642,30 @@ public:
 }
 node.setOpAndDefaultFlags(PhantomArguments);
 node.children.reset();
+ changed = true;
 }
 insertionSet.execute(*block);
 }
- if (changed)
+ if (changed) {
 m_graph.collectGarbage();
+
+ // Verify that PhantomArguments nodes are not shouldGenerate().
+#if !ASSERT_DISABLED
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ NodeIndex nodeIndex = block->at(indexInBlock);
+ Node& node = m_graph[nodeIndex];
+ if (node.op() != PhantomArguments)
+ continue;
+ ASSERT(!node.shouldGenerate());
+ }
+ }
+#endif
+ }
 return changed;
 }
-- 
1.8.3.1
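Review bot: The `changed = true;` added after `node.children.reset();` alters behaviour in every build, not only assertion builds: collectGarbage() now runs and run() returns true even when this rewrite to PhantomArguments is the only one made, yet the ChangeLog entry describes only the new assertion. A comment on that line would record the intent, for example `// The node lost its children, so make sure collectGarbage() runs.` (the reason is inferred from this hunk and should be confirmed). The verification loop sits under `#if !ASSERT_DISABLED`, so assertion-disabled builds never check that a PhantomArguments node is not shouldGenerate(); the comment above it could say what would go wrong at OSR exit if the invariant were violated, so a reader can judge whether a debug-only check is enough. run() begins before this hunk, so the declaration and earlier uses of `changed` are not visible here.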