Title: [119526] trunk/Source/JavaScriptCore
- Revision: 119526
- Author: [email protected]
- Date: 2012-06-05 14:32:18 -0700 (Tue, 05 Jun 2012)
Log Message
DFG CFG simplification should not attempt to deref nodes inside of an unreachable subgraph
https://bugs.webkit.org/show_bug.cgi?id=88362
Reviewed by Gavin Barraclough.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::fixPhis):
(JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (119525 => 119526)
--- trunk/Source/_javascript_Core/ChangeLog 2012-06-05 21:31:40 UTC (rev 119525)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-06-05 21:32:18 UTC (rev 119526)
@@ -1,3 +1,14 @@
+2012-06-05 Filip Pizlo <[email protected]>
+
+ DFG CFG simplification should not attempt to deref nodes inside of an unreachable subgraph
+ https://bugs.webkit.org/show_bug.cgi?id=88362
+
+ Reviewed by Gavin Barraclough.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::fixPhis):
+ (JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):
+
2012-06-05 Mark Hahnenberg <[email protected]>
Entry into JSC should CRASH() if the Heap is busy
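Review bot: The new ChangeLog entry gives only the title and the two function names, with nothing after `(JSC::DFG::CFGSimplificationPhase::fixPhis):` or `(JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference):` saying what changed in each or why a deref inside an unreachable subgraph is a problem. Please add a sentence per function (fixPhis now passes the source block's reachability; removePotentiallyDeadPhiReference skips the deref when it is false) and state what goes wrong without the fix. The entry also lists no test file; if a regression test exists or cannot be written for this case, say so here.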
Modified: trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp (119525 => 119526)
--- trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp 2012-06-05 21:31:40 UTC (rev 119525)
+++ trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp 2012-06-05 21:32:18 UTC (rev 119526)
@@ -389,7 +389,7 @@
if (myNode.op() == GetLocal)
myNodeIndex = myNode.child1().index();
for (unsigned j = 0; j < AdjacencyList::Size; ++j)
- removePotentiallyDeadPhiReference(myNodeIndex, phiNode, j);
+ removePotentiallyDeadPhiReference(myNodeIndex, phiNode, j, sourceBlock->isReachable);
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
dataLog("\n");
#endif
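Review bot: At the changed call inside the `for (unsigned j = 0; j < AdjacencyList::Size; ++j)` loop, `sourceBlock->isReachable` is passed as a bare bool, so a reader of the call site cannot tell what the fourth argument controls, and nothing in the visible lines shows that `sourceBlock` is non-null at this point. Consider hoisting the value into a named local before the loop (it does not change across iterations) and adding an ASSERT on `sourceBlock` if that is not already guaranteed above this hunk.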
@@ -414,14 +414,14 @@
fixPhis(blockIndex, jettisonedBlockIndex);
}
- void removePotentiallyDeadPhiReference(NodeIndex myNodeIndex, Node& phiNode, unsigned edgeIndex)
+ void removePotentiallyDeadPhiReference(NodeIndex myNodeIndex, Node& phiNode, unsigned edgeIndex, bool changeRef)
{
if (phiNode.children.child(edgeIndex).indexUnchecked() != myNodeIndex)
return;
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
dataLog(" Removing reference at child %u.", edgeIndex);
#endif
- if (phiNode.shouldGenerate())
+ if (changeRef && phiNode.shouldGenerate())
m_graph.deref(myNodeIndex);
phiNode.children.removeEdgeFromBag(edgeIndex);
}
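Review bot: In removePotentiallyDeadPhiReference, the new parameter name `changeRef` does not say that it carries the reachability of the source block, and the guarded `if (changeRef && phiNode.shouldGenerate())` has no comment explaining why skipping `m_graph.deref(myNodeIndex)` is correct while `phiNode.children.removeEdgeFromBag(edgeIndex)` still runs. Ref-count asymmetries like this are easy to break in a later edit, so please add a short comment stating the invariant (why nodes in an unreachable subgraph must not be dereffed here) and consider a more descriptive name or a two-value enum instead of a bool. The verbose dataLog line also still prints "Removing reference" on the path where no deref happens; it could report which case was taken.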