111783 – DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way

Bug 111783 - DFG should not get corrupted IR in the case of code that is dead, unreachable, and contains a chain of nodes that use each other in an untyped way

Summary: DFG should not get corrupted IR in the case of code that is dead, unreachable...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2013-03-07 15:31 PST by Filip Pizlo
Modified:	2013-03-07 15:47 PST (History)
CC List:	7 users (show)

See Also:

Attachments
the patch (30.92 KB, patch) 2013-03-07 15:35 PST, Filip Pizlo	mhahnenberg: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2013-03-07 15:31:47 PST

Patch forthcoming.

<rdar://problem/13372094>

Comment 1 Filip Pizlo 2013-03-07 15:35:20 PST

Created attachment 192097 [details]
the patch

Comment 2 Mark Hahnenberg 2013-03-07 15:41:59 PST

Comment on attachment 192097 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=192097&action=review

r=me

> Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:162
> +            if (edge.needsCheck() && edge.useKind() != UntypedUse)

Make this clearer like we discussed.

Comment 3 Filip Pizlo 2013-03-07 15:47:38 PST

Landed in http://trac.webkit.org/changeset/145145