Title: [117654] trunk/Source/_javascript_Core
Revision
117654
Author
[email protected]
Date
2012-05-18 16:20:42 -0700 (Fri, 18 May 2012)

Log Message

DFG CFG simplification crashes if it's trying to remove an unreachable block
that has an already-killed-off unreachable successor
https://bugs.webkit.org/show_bug.cgi?id=86918

Reviewed by Oliver Hunt.
        
This fixes crashes in:
inspector/styles/styles-computed-trace.html
inspector/console/console-big-array.html

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::fixPhis):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (117653 => 117654)


--- trunk/Source/_javascript_Core/ChangeLog	2012-05-18 23:12:48 UTC (rev 117653)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-05-18 23:20:42 UTC (rev 117654)
@@ -1,5 +1,20 @@
 2012-05-18  Filip Pizlo  <[email protected]>
 
+        DFG CFG simplification crashes if it's trying to remove an unreachable block
+        that has an already-killed-off unreachable successor
+        https://bugs.webkit.org/show_bug.cgi?id=86918
+
+        Reviewed by Oliver Hunt.
+        
+        This fixes crashes in:
+        inspector/styles/styles-computed-trace.html
+        inspector/console/console-big-array.html
+
+        * dfg/DFGCFGSimplificationPhase.cpp:
+        (JSC::DFG::CFGSimplificationPhase::fixPhis):
+
+2012-05-18  Filip Pizlo  <[email protected]>
+
         DFG should have control flow graph simplification
         https://bugs.webkit.org/show_bug.cgi?id=84553
 
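Review bot: The ChangeLog entry names `(JSC::DFG::CFGSimplificationPhase::fixPhis):` but gives no description of the change under it; a line such as "Bail out early when the destination block has already been removed" would let readers find the fix without opening the source diff. Also, the blank line after "Reviewed by Oliver Hunt." is added as `+        ` with trailing whitespace only; it should be an empty `+` line.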

Modified: trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp (117653 => 117654)


--- trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp	2012-05-18 23:12:48 UTC (rev 117653)
+++ trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp	2012-05-18 23:20:42 UTC (rev 117654)
@@ -323,6 +323,11 @@
     {
         BasicBlock* sourceBlock = m_graph.m_blocks[sourceBlockIndex].get();
         BasicBlock* destinationBlock = m_graph.m_blocks[destinationBlockIndex].get();
+        if (!destinationBlock) {
+            // If we're trying to kill off the source block and the destination block is already
+            // dead, then we're done!
+            return;
+        }
         for (size_t i = 0; i < destinationBlock->phis.size(); ++i) {
             NodeIndex phiNodeIndex = destinationBlock->phis[i];
             Node& phiNode = m_graph[phiNodeIndex];
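Review bot: The new comment states "If we're trying to kill off the source block" but nothing in the hunk checks that this is the situation; the early return fires whenever `m_graph.m_blocks[destinationBlockIndex]` is null, regardless of why. If the only legitimate way to reach here with a null destination is while removing an unreachable source block, it is worth asserting that condition (or at least asserting `sourceBlock` is non-null, since it is fetched the same way one line earlier and is not checked) so that a null destination arising from any other path fails loudly rather than being silently skipped. Rewording the comment to "The destination block has already been removed, so there are no Phis to fix" would match what the code actually verifies.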