<rdar://problem/54245190>

Created attachment 377684 [details]
Patch

Comment on attachment 377684 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377684&action=review

r=me

> Source/JavaScriptCore/ChangeLog:3
> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid

/inValid/invalid/.

> JSTests/ChangeLog:3
> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid

Ditto.

Comment on attachment 377684 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377684&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:3
>> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid
> 
> /inValid/invalid/.

Fixed.

>> JSTests/ChangeLog:3
>> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid
> 
> Ditto.

Fixed.

Committed r249317: <https://trac.webkit.org/changeset/249317>