Title: [200147] trunk/Source/JavaScriptCore
Revision: 200147
Author: [email protected]
Date: 2016-04-27 13:37:49 -0700 (Wed, 27 Apr 2016)

Log Message

REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
https://bugs.webkit.org/show_bug.cgi?id=157099

Reviewed by Saam Barati.

Given that the DFGFixupPhase could mark the edge of child2 as StringUse,
we need to lower that edge appropriately.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (200146 => 200147)


--- trunk/Source/_javascript_Core/ChangeLog	2016-04-27 20:11:48 UTC (rev 200146)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-04-27 20:37:49 UTC (rev 200147)
@@ -1,3 +1,16 @@
+2016-04-27  Michael Saboff  <[email protected]>
+
+        REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
+        https://bugs.webkit.org/show_bug.cgi?id=157099
+
+        Reviewed by Saam Barati.
+
+        Given that the DFGFixupPhase could mark the edge of child2 as StringUse,
+        we need to lower that edge appropriately.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
+
 2016-04-27  Mark Lam  <[email protected]>
 
         Address feedback from https://bugs.webkit.org/show_bug.cgi?id=157048#c5.
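
Review bot: No regression test accompanies this crash fix: the new ChangeLog entry lists only ftl/FTLLowerDFGToB3.cpp under its modified files. A stress test that reaches compileStringReplace in the FTL with child2 marked StringUse would stop the crash from returning unnoticed. The entry could also say in one line which condition in DFGFixupPhase produces the StringUse edge, since "could mark" leaves the reader to go and find it.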

Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (200146 => 200147)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-04-27 20:11:48 UTC (rev 200146)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-04-27 20:37:49 UTC (rev 200147)
@@ -6938,10 +6938,16 @@
             setJSValue(result);
             return;
         }
-        
+
+        LValue search;
+        if (m_node->child2().useKind() == StringUse)
+            search = lowString(m_node->child2());
+        else
+            search = lowJSValue(m_node->child2());
+
         LValue result = vmCall(
             Int64, m_out.operation(operationStringProtoFuncReplaceGeneric), m_callFrame,
-            lowJSValue(m_node->child1()), lowJSValue(m_node->child2()),
+            lowJSValue(m_node->child1()), search,
             lowJSValue(m_node->child3()));
 
         setJSValue(result);
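
Review bot: The new useKind() branch covers child2 only, and its else arm sends every use kind other than StringUse to lowJSValue without checking which kinds are expected there. The vmCall arguments below still lower child1 and child3 with lowJSValue unconditionally, so if the fixup phase can assign a typed use kind to either of those edges, the same mismatch between the edge's use kind and its lowering would come back on this path. Consider asserting the expected use kind in the else arm (and for child1 and child3) so that a later fixup change fails at a clear assertion rather than in the lowering, and add a short comment above the branch naming the fixup case that yields StringUse.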