RESOLVED FIXED 143974
PhantomNewObject should be marked NodeMustGenerate 
https://bugs.webkit.org/show_bug.cgi?id=143974
Summary PhantomNewObject should be marked NodeMustGenerate
Basile Clement
Reported 2015-04-20 18:08:30 PDT
The allocation sinking optimization pass creates PhantomNewObject nodes to keep track of the old NewObject nodes, which must be kept as they are used to restore the state of allocations on OSR exit, and thus should be marked NodeMustGenerate. They are currently prevented from being removed by the PutHint for the object's structure, but that is a rather implicit safety net.
Attachments
The patch (1.18 KB, patch)
2015-04-20 18:13 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Fix convertToPhantomNewObject (1.16 KB, patch)
2015-04-21 14:21 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Basile Clement
Comment 1 2015-04-20 18:13:24 PDT
Created attachment 251208 [details] The patch
WebKit Commit Bot
Comment 2 2015-04-20 19:38:47 PDT
Comment on attachment 251208 [details] The patch Clearing flags on attachment: 251208 Committed r183040: <http://trac.webkit.org/changeset/183040>
WebKit Commit Bot
Comment 3 2015-04-20 19:38:51 PDT
All reviewed patches have been landed. Closing bug.
Basile Clement
Comment 4 2015-04-21 13:19:41 PDT
convertToPhantomNewObject() do not properly set the NodeMustGenerate flag.
Basile Clement
Comment 5 2015-04-21 14:21:23 PDT
Created attachment 251262 [details] Fix convertToPhantomNewObject
WebKit Commit Bot
Comment 6 2015-04-21 15:30:24 PDT
Comment on attachment 251262 [details] Fix convertToPhantomNewObject Clearing flags on attachment: 251262 Committed r183078: <http://trac.webkit.org/changeset/183078>
WebKit Commit Bot
Comment 7 2015-04-21 15:30:28 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.