Title: [121712] trunk/Source/_javascript_Core
- Revision
- 121712
- Author
- [email protected]
- Date
- 2012-07-02 17:10:08 -0700 (Mon, 02 Jul 2012)
Log Message
DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
https://bugs.webkit.org/show_bug.cgi?id=90407
Reviewed by Mark Hahnenberg.
* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):
Modified: trunk/Source/_javascript_Core/ChangeLog (121711 => 121712)
--- trunk/Source/_javascript_Core/ChangeLog 2012-07-02 23:44:06 UTC (rev 121711)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-07-03 00:10:08 UTC (rev 121712)
@@ -1,3 +1,13 @@
+2012-07-02 Filip Pizlo <[email protected]>
+
+ DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
+ https://bugs.webkit.org/show_bug.cgi?id=90407
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGArgumentsSimplificationPhase.cpp:
+ (JSC::DFG::ArgumentsSimplificationPhase::run):
+
2012-07-02 Gavin Barraclough <[email protected]>
Array.prototype.pop should throw if property is not configurable
Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp (121711 => 121712)
--- trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp 2012-07-02 23:44:06 UTC (rev 121711)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsSimplificationPhase.cpp 2012-07-03 00:10:08 UTC (rev 121712)
@@ -627,8 +627,9 @@
continue;
// If this is a CreateArguments for an InlineCallFrame* that does
// not create arguments, then replace it with a PhantomArguments.
- // PhantomArguments is a constant that represents JSValue() (the
- // empty value) in DFG and arguments creation for OSR exit.
+ // PhantomArguments is a non-executing node that just indicates
+ // that the node should be reified as an arguments object on OSR
+ // exit.
if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
continue;
if (node.shouldGenerate()) {
@@ -641,12 +642,30 @@
}
node.setOpAndDefaultFlags(PhantomArguments);
node.children.reset();
+ changed = true;
}
insertionSet.execute(*block);
}
- if (changed)
+ if (changed) {
m_graph.collectGarbage();
+
+ // Verify that PhantomArguments nodes are not shouldGenerate().
+#if !ASSERT_DISABLED
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+ BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+ if (!block)
+ continue;
+ for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+ NodeIndex nodeIndex = block->at(indexInBlock);
+ Node& node = m_graph[nodeIndex];
+ if (node.op() != PhantomArguments)
+ continue;
+ ASSERT(!node.shouldGenerate());
+ }
+ }
+#endif
+ }
return changed;
}
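Review bot: The new verification loop sits entirely inside `#if !ASSERT_DISABLED`, so builds with assertions disabled never check that a PhantomArguments node ends up with shouldGenerate() false after collectGarbage(). The comment above the loop should say this, for example `// Debug-only check: builds with ASSERT_DISABLED do not re-verify this invariant.`, and should also state why collectGarbage() is expected to leave these nodes unreferenced. That reason is not visible in this hunk. Separately, the added `changed = true;` after `node.children.reset();` changes behaviour: converting a CreateArguments node now triggers collectGarbage() and makes run() return true. The ChangeLog entry mentions only the assertion, so a line describing this would help. The body of run() begins outside the hunk, so how `changed` is set elsewhere cannot be checked from here.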