145062 – DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic

Bug 145062 - DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic

Summary: DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Basile Clement

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-05-15 11:28 PDT by Basile Clement
Modified:	2015-05-15 12:31 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (3.74 KB, patch) 2015-05-15 12:14 PDT, Basile Clement	fpizlo: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Basile Clement 2015-05-15 11:28:27 PDT

This can be hit by running e.g. sunspider/access-nsieve with

DYLD_FRAMEWORK_PATH=WebKitBuild/Debug WebKitBuild/Debug/jsc --forceEagerCompilation=true --useFTLJIT=true --dumpGraphAtEachPhase=true

In this case, a Phi node is converted into a JSConstant by the DFGConstantFoldingPhase, and doesn't have a NodeOrigin.
Then it gets LICM'd, which unconditionally sets the NodeOrigin's forExit, and now we have a NodeOrigin with a set forExit and unset semantic, which we assert against in various places.

Comment 1 Basile Clement 2015-05-15 12:14:05 PDT

Created attachment 253213 [details]
Patch

Comment 2 Basile Clement 2015-05-15 12:31:42 PDT

Committed r184405: <http://trac.webkit.org/changeset/184405>