Bug 86918

Summary:

DFG CFG simplification crashes if it's trying to remove an unreachable block that has an already-killed-off unreachable successor

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

84553

Bug Blocks:

Attachments:

Description	Flags
the patch	oliver: review+

Filip Pizlo

Reported 2012-05-18 16:01:22 PDT

We kill off unreachable blocks in arbitrary order. Therefore if there is a network of unreachable blocks, we may try to do unreachable-successor fix-up when the successor has already been deleted. Then we crash. This is hit by: inspector/styles/styles-computed-trace.html inspector/console/console-big-array.html

Attachments
the patch (1.71 KB, patch) 2012-05-18 16:03 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2012-05-18 16:03:34 PDT

Created attachment 142810 [details] the patch

Filip Pizlo

Comment 2 2012-05-18 16:20:12 PDT

Landed in http://trac.webkit.org/changeset/117654

Note You need to log in before you can comment on or make changes to this bug.