Crash in DFGFrozenValue
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Feb 2015 18:03:49 +0000 (18:03 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 23 Feb 2015 18:03:49 +0000 (18:03 +0000)
commit e02899ee66319b1d289f8306e2841823eab0afc8
tree 05d3ed6d389e8c9acedd5648f12bd3a4209fb61c
parent 5ab26f388d0f4bd3d75f1385b8dda8fd736fa83c
Crash in DFGFrozenValue
https://bugs.webkit.org/show_bug.cgi?id=141883

Reviewed by Benjamin Poulain.

If a value might be a cell, then we have to have Graph freeze it rather than trying to
create the FrozenValue directly. Creating it directly is just an optimization for when you
know for sure that it cannot be a cell.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/regress-141883.js: Added. Hacked the original test to be faster while still crashing before this fix.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@180505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/tests/stress/regress-141883.js [new file with mode: 0644]