Bug 145062

Summary:

DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic

Product:

WebKit

Reporter:

Basile Clement <basile_clement>

Component:

JavaScriptCore

Assignee:

Basile Clement <basile_clement>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren, mark.lam, msaboff

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	fpizlo: review+

Basile Clement

Reported 2015-05-15 11:28:27 PDT

This can be hit by running e.g. sunspider/access-nsieve with DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --forceEagerCompilation=true --useFTLJIT=true --dumpGraphAtEachPhase=true In this case, a Phi node is converted into a JSConstant by the DFGConstantFoldingPhase, and doesn't have a NodeOrigin. Then it gets LICM'd, which unconditionally sets the NodeOrigin's forExit, and now we have a NodeOrigin with a set forExit and unset semantic, which we assert against in various places.

Attachments
Patch (3.74 KB, patch) 2015-05-15 12:14 PDT, Basile Clement	fpizlo: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Basile Clement

Comment 1 2015-05-15 12:14:05 PDT

Created attachment 253213 [details] Patch

Basile Clement

Comment 2 2015-05-15 12:31:42 PDT

Committed r184405: <http://trac.webkit.org/changeset/184405>

Note You need to log in before you can comment on or make changes to this bug.