When inserting Unreachable in byte code parser we need to flush all the right things
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 23:21:18 +0000 (23:21 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 23:21:18 +0000 (23:21 +0000)
commitaf4e7d626852492458fdac69a133a843101de247
treebeaf1936c0d58140c596e9b86bd814c5ee269164
parent91312a26fd4f842003860081d97a41af41e69372
When inserting Unreachable in byte code parser we need to flush all the right things
https://bugs.webkit.org/show_bug.cgi?id=181509
<rdar://problem/36423110>

Reviewed by Mark Lam.

JSTests:

* stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js: Added.

Source/JavaScriptCore:

I added code in r226655 that had its own mechanism for preserving liveness when
inserting Unreachable nodes after ForceOSRExit. There are two ways to preserve
liveness: PhantomLocal and Flush. Certain values *must* be flushed to the stack.
I got some of these values wrong, which was leading to a crash when recovering the
callee value from an inlined frame. Instead of making the same mistake and repeating
similar code again, this patch refactors this logic to be shared with the other
liveness preservation code in the DFG bytecode parser. This is what I should have
done in my initial patch.

* bytecode/InlineCallFrame.h:
(JSC::remapOperand):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::flushImpl):
(JSC::DFG::flushForTerminalImpl):
(JSC::DFG::ByteCodeParser::flush):
(JSC::DFG::ByteCodeParser::flushForTerminal):
(JSC::DFG::ByteCodeParser::parse):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226811 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/proper-flushing-when-we-insert-unreachable-after-force-exit-in-bytecode-parser.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/InlineCallFrame.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp