Bug 145062

Summary: DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
Product: WebKit
Reporter: Basile Clement <basile_clement>
Component: JavaScriptCore
Assignee: Basile Clement <basile_clement>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, mark.lam, msaboff
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: fpizlo: review+)

Description Basile Clement 2015-05-15 11:28:27 PDT
This can be hit by running e.g. sunspider/access-nsieve with

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --forceEagerCompilation=true --useFTLJIT=true --dumpGraphAtEachPhase=true

In this case, a Phi node is converted into a JSConstant by the DFGConstantFoldingPhase, and doesn't have a NodeOrigin.
Then it gets LICM'd, which unconditionally sets the NodeOrigin's forExit, and now we have a NodeOrigin with a set forExit and unset semantic, which we assert against in various places.
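The sequence the report describes, replayed on a toy model (added example, not JSC code; the struct and function names other than NodeOrigin, forExit, semantic, Phi and JSConstant are assumed, and the invariant-preserving hoist is an illustrative remedy, not the change landed in r184405):

```cpp
#include <cassert>

// Toy model: a CodeOrigin is set or unset, and a NodeOrigin pairs the origin used for
// semantics with the origin used for OSR exit. Types are assumed; field names follow the report.
struct CodeOrigin {
    bool set;
    unsigned bytecodeIndex;
    bool isSet() const { return set; }
};

struct NodeOrigin {
    CodeOrigin semantic;
    CodeOrigin forExit;
    // The invariant the report says is asserted in various places: both set or both unset.
    bool isConsistent() const { return semantic.isSet() == forExit.isSet(); }
};

enum class Op { Phi, JSConstant };
struct Node { Op op; NodeOrigin origin; };

// Constant folding as described: the Phi becomes a JSConstant with no NodeOrigin at all.
void foldPhiToConstant(Node& node) {
    assert(node.op == Op::Phi);
    node.op = Op::JSConstant;
    node.origin = NodeOrigin{};  // value-initialised: both parts unset
}

// The hoist as described: forExit is overwritten unconditionally, so a node whose
// origin is entirely unset ends up with forExit set and semantic unset.
void hoistUnconditional(Node& node, const NodeOrigin& preHeaderTerminalOrigin) {
    node.origin.forExit = preHeaderTerminalOrigin.forExit;
}

// Assumed remedy for illustration only: a node with no origin takes the pre-header
// terminal's origin whole, so the two parts can never disagree about being set.
void hoistPreservingInvariant(Node& node, const NodeOrigin& preHeaderTerminalOrigin) {
    if (!node.origin.semantic.isSet())
        node.origin = preHeaderTerminalOrigin;
    else
        node.origin.forExit = preHeaderTerminalOrigin.forExit;
}

// Drives the report's scenario (constructed bytecode indices) and returns whether the invariant survives.
bool scenarioHolds(bool useFix) {
    Node phi{Op::Phi, NodeOrigin{CodeOrigin{true, 7}, CodeOrigin{true, 7}}};
    NodeOrigin preHeaderTerminal{CodeOrigin{true, 3}, CodeOrigin{true, 3}};
    foldPhiToConstant(phi);
    if (useFix) hoistPreservingInvariant(phi, preHeaderTerminal);
    else hoistUnconditional(phi, preHeaderTerminal);
    return phi.origin.isConsistent();
}
```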
Comment 1 Basile Clement 2015-05-15 12:14:05 PDT
Created attachment 253213
Patch
Comment 2 Basile Clement 2015-05-15 12:31:42 PDT
Committed r184405: <http://trac.webkit.org/changeset/184405>