RESOLVED FIXED 164239
GetByOffset rule is has incorrect assumptions inside arguments elimination phase 
https://bugs.webkit.org/show_bug.cgi?id=164239
Summary GetByOffset rule is has incorrect assumptions inside arguments elimination phase
Saam Barati
Reported 2016-10-31 14:03:26 PDT
It assumes that a child will always be transformed before it does by assuming it will already be a phantom allocation. This probably happens to be true because of how we generate byte code for arguments allocation and how traversal of the graph works using blocksInNaturalOrder. However, there is no guarantee that blocksInNaturalOrder must first traverse a block's dominator before the block being dominated.
Attachments
patch (2.01 KB, patch)
2016-10-31 14:11 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2016-10-31 14:04:47 PDT
<rdar://problem/29032041>
Saam Barati
Comment 2 2016-10-31 14:11:43 PDT
Created attachment 293464 [details] patch
Keith Miller
Comment 3 2016-10-31 14:36:33 PDT
Comment on attachment 293464 [details] patch r=me.
WebKit Commit Bot
Comment 4 2016-10-31 15:54:32 PDT
Comment on attachment 293464 [details] patch Clearing flags on attachment: 293464 Committed r208185: <http://trac.webkit.org/changeset/208185>
WebKit Commit Bot
Comment 5 2016-10-31 15:54:36 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.