Title: [200169] tags/Safari-602.1.30/Source/JavaScriptCore
Revision: 200169
Author: [email protected]
Date: 2016-04-27 21:55:46 -0700 (Wed, 27 Apr 2016)

Log Message

Merged r200147.  rdar://problem/25963453

Modified Paths

Diff

Modified: tags/Safari-602.1.30/Source/_javascript_Core/ChangeLog (200168 => 200169)


--- tags/Safari-602.1.30/Source/_javascript_Core/ChangeLog	2016-04-28 03:33:45 UTC (rev 200168)
+++ tags/Safari-602.1.30/Source/_javascript_Core/ChangeLog	2016-04-28 04:55:46 UTC (rev 200169)
@@ -1,3 +1,20 @@
+2016-04-27  Babak Shafiei  <[email protected]>
+
+        Merge r200147.
+
+    2016-04-27  Michael Saboff  <[email protected]>
+
+            REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
+            https://bugs.webkit.org/show_bug.cgi?id=157099
+
+            Reviewed by Saam Barati.
+
+            Given that the DFGFixupPhase could mark the edge of child2 as StringUse,
+            we need to lower that edge appropriately.
+
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
+
 2016-04-26  Michael Saboff  <[email protected]>
 
         [ES] Implement RegExp.prototype.@@replace and use it for String.prototype.replace
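
Review bot: the merged entry for "REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()" lists only `* ftl/FTLLowerDFGToB3.cpp:` under changed files, so no regression test accompanies the crash fix in this revision. A test that drives String.prototype.replace through the FTL tier with a string search argument would keep the StringUse edge on child2 covered. The entry would also be easier to audit if it named the condition under which DFGFixupPhase marks child2 as StringUse.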

Modified: tags/Safari-602.1.30/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (200168 => 200169)


--- tags/Safari-602.1.30/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-04-28 03:33:45 UTC (rev 200168)
+++ tags/Safari-602.1.30/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2016-04-28 04:55:46 UTC (rev 200169)
@@ -6938,10 +6938,16 @@
             setJSValue(result);
             return;
         }
-        
+
+        LValue search;
+        if (m_node->child2().useKind() == StringUse)
+            search = lowString(m_node->child2());
+        else
+            search = lowJSValue(m_node->child2());
+
         LValue result = vmCall(
             Int64, m_out.operation(operationStringProtoFuncReplaceGeneric), m_callFrame,
-            lowJSValue(m_node->child1()), lowJSValue(m_node->child2()),
+            lowJSValue(m_node->child1()), search,
             lowJSValue(m_node->child3()));
 
         setJSValue(result);
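
Review bot: the else branch at `search = lowJSValue(m_node->child2());` accepts every use kind other than StringUse without checking it, and the vmCall still lowers child1 and child3 unconditionally with `lowJSValue(m_node->child1())` and `lowJSValue(m_node->child3())`. If DFGFixupPhase can assign a speculated use kind to those edges as well, the same lowering mismatch would recur there. Consider asserting the expected use kind in the else branch and on child1 and child3, or adding a comment that states child2 is the only edge fixup can retype on this path.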