Bug 143974

Summary: PhantomNewObject should be marked NodeMustGenerate
Product: WebKit
Reporter: Basile Clement <basile_clement>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, fpizlo, ggaren, mark.lam, msaboff
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (description, flags):
The patch, none
Fix convertToPhantomNewObject, none

Description Basile Clement 2015-04-20 18:08:30 PDT
The allocation sinking optimization pass creates PhantomNewObject nodes to keep track of the old NewObject nodes, which must be kept as they are used to restore the state of allocations on OSR exit, and thus should be marked NodeMustGenerate.

They are currently prevented from being removed by the PutHint for the object's structure, but that is a rather implicit safety net.
Comment 1 Basile Clement 2015-04-20 18:13:24 PDT
Created attachment 251208
The patch
Comment 2 WebKit Commit Bot 2015-04-20 19:38:47 PDT
Comment on attachment 251208
The patch

Clearing flags on attachment: 251208

Committed r183040: <http://trac.webkit.org/changeset/183040>
Comment 3 WebKit Commit Bot 2015-04-20 19:38:51 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Basile Clement 2015-04-21 13:19:41 PDT
convertToPhantomNewObject() does not properly set the NodeMustGenerate flag.
Comment 5 Basile Clement 2015-04-21 14:21:23 PDT
Created attachment 251262
Fix convertToPhantomNewObject
Comment 6 WebKit Commit Bot 2015-04-21 15:30:24 PDT
Comment on attachment 251262
Fix convertToPhantomNewObject

Clearing flags on attachment: 251262

Committed r183078: <http://trac.webkit.org/changeset/183078>
Comment 7 WebKit Commit Bot 2015-04-21 15:30:28 PDT
All reviewed patches have been landed.  Closing bug.
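
The "implicit safety net" from the description and the missing flag from Comment 4, shown in an added toy model that is not JavaScriptCore code and not part of the original report. The IR, `convertToPhantom`, `markLive` and `phantomSurvives` are hypothetical names, and treating PutHint and Return as must-generate roots is an assumption of the model.

```cpp
#include <cstdint>
#include <vector>

// Toy IR for illustration only; this is not JavaScriptCore code.
enum class Op { NewObject, PhantomNewObject, PutHint, Return };
constexpr uint32_t MustGenerate = 1u << 0; // stand-in for NodeMustGenerate

struct Node {
    Op op;
    uint32_t flags;
    std::vector<int> children; // indices of earlier nodes this node uses
    bool live;
};

// Hypothetical conversion helper; setFlag=false models a conversion that
// leaves the node without the must-generate bit.
void convertToPhantom(Node& n, bool setFlag) {
    n.op = Op::PhantomNewObject;
    if (setFlag) n.flags |= MustGenerate;
}

// Minimal dead-code elimination: must-generate nodes are roots, and
// liveness flows from users to their children. Nodes are stored in
// definition order, so one reverse sweep reaches everything.
void markLive(std::vector<Node>& g) {
    for (Node& n : g) n.live = (n.flags & MustGenerate) != 0;
    for (int i = static_cast<int>(g.size()) - 1; i >= 0; --i)
        if (g[i].live)
            for (int c : g[i].children) g[c].live = true;
}

// Builds 0 = NewObject, optionally 1 = PutHint(0), then Return; sinks
// node 0 and reports whether the phantom node survives elimination.
bool phantomSurvives(bool setFlag, bool hintPresent) {
    std::vector<Node> g;
    g.push_back({Op::NewObject, 0, {}, false});
    if (hintPresent) g.push_back({Op::PutHint, MustGenerate, {0}, false});
    g.push_back({Op::Return, MustGenerate, {}, false});
    convertToPhantom(g[0], setFlag);
    markLive(g);
    return g[0].live && g[0].op == Op::PhantomNewObject;
}
```

In this model the unflagged phantom node survives only while a PutHint still references it; with the flag set it survives regardless of which hints exist.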