133368 – DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays

Bug 133368 - DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays

Summary: DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious bas...

Attachments
Patch (4.83 KB, patch) 2014-05-28 18:37 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
Patch (4.82 KB, patch) 2014-05-28 18:43 PDT, Filip Pizlo	mark.lam: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2014-05-28 18:36:03 PDT

DFG::DCEPhase inserts into an insertion set in reverse, causing hilarious basic block corruption if you kill a lot of NewArrays

Comment 1 Filip Pizlo 2014-05-28 18:37:41 PDT

Created attachment 232226 [details]
Patch

Comment 2 Filip Pizlo 2014-05-28 18:43:37 PDT

Created attachment 232227 [details]
Patch

Comment 3 Mark Lam 2014-05-29 08:01:16 PDT

Comment on attachment 232227 [details]
Patch

r=me

Comment 4 Filip Pizlo 2014-05-29 09:10:55 PDT

Landed in http://trac.webkit.org/changeset/169447