[webkit-changes] [153442] branches/safari-537-branch/Source/JavaScriptCore

[lforschler]

Title: [153442] branches/safari-537-branch/Source/_javascript_Core

Revision

153442

Author

lforsch...@apple.com

Date

2013-07-29 14:55:52 -0700 (Mon, 29 Jul 2013)

Log Message

Merge patch from <rdar://problem/14579343>

Modified Paths

• branches/safari-537-branch/Source/_javascript_Core/ChangeLog
• branches/safari-537-branch/Source/_javascript_Core/dfg/DFGAbstractState.cpp
• branches/safari-537-branch/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp

Diff

Modified: branches/safari-537-branch/Source/_javascript_Core/ChangeLog (153441 => 153442)

--- branches/safari-537-branch/Source/_javascript_Core/ChangeLog	2013-07-29 21:25:33 UTC (rev 153441)
+++ branches/safari-537-branch/Source/_javascript_Core/ChangeLog	2013-07-29 21:55:52 UTC (rev 153442)
@@ -1,3 +1,23 @@
+2013-07-29  Lucas Forschler  <lforsch...@apple.com>
+
+        Merge r153410
+
+    2013-07-28  Oliver Hunt  <oli...@apple.com>
+
+        REGRESSION: Crash when opening Facebook.com
+        https://bugs.webkit.org/show_bug.cgi?id=119155
+
+        Reviewed by Andreas Kling.
+
+        Scope nodes are always objects, so we should be using SpecObjectOther
+        rather than SpecCellOther.  Marking Scopes as CellOther leads to a
+        contradiction in the CFA, resulting in bogus codegen.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::executeEffects):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+
 2013-07-24  Lucas Forschler  <lforsch...@apple.com>
 
         Merge r153075

Modified: branches/safari-537-branch/Source/_javascript_Core/dfg/DFGAbstractState.cpp (153441 => 153442)

--- branches/safari-537-branch/Source/_javascript_Core/dfg/DFGAbstractState.cpp	2013-07-29 21:25:33 UTC (rev 153441)
+++ branches/safari-537-branch/Source/_javascript_Core/dfg/DFGAbstractState.cpp	2013-07-29 21:55:52 UTC (rev 153442)
@@ -1255,7 +1255,7 @@
     case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202
     case GetMyScope:
     case SkipTopScope:
-        forNode(node).set(SpecCellOther);
+        forNode(node).set(SpecObjectOther);
         break;
 
     case SkipScope: {
@@ -1264,7 +1264,7 @@
             m_foundConstants = true;
             break;
         }
-        forNode(node).set(SpecCellOther);
+        forNode(node).set(SpecObjectOther);
         break;
     }
 

Modified: branches/safari-537-branch/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (153441 => 153442)

--- branches/safari-537-branch/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2013-07-29 21:25:33 UTC (rev 153441)
+++ branches/safari-537-branch/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2013-07-29 21:55:52 UTC (rev 153442)
@@ -396,7 +396,7 @@
         case GetMyScope:
         case SkipTopScope:
         case SkipScope: {
-            changed |= setPrediction(SpecCellOther);
+            changed |= setPrediction(SpecObjectOther);
             break;
         }
             
@@ -497,7 +497,7 @@
             break;
 
         case GetScope:
-            changed |= setPrediction(SpecCellOther);
+            changed |= setPrediction(SpecObjectOther);
             break;
 
         case Identity:

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes