GetByVal to GetById conversion in the DFG is incorrect for getters with control flow
https://bugs.webkit.org/show_bug.cgi?id=163629
Reviewed by Yusuke Suzuki.
JSTests:
* stress/get-by-val-to-id-with-getter.js: Added.
(foo):
(o.get hello):
Source/JavaScriptCore:
This patch fixes a bug in the DFG when attempting to convert a
GetByVal into a GetById. While converting the GetByVal, during
handleGetById in the Bytecode parser, we would mistakenly use the
opcode length of op_get_by_id rather than op_get_by_val. This causes
the new basic block we create to point to the wrong offset. In the
added test this will cause us to infinite loop.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetById):
(JSC::DFG::ByteCodeParser::parseBlock):
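An added reconstruction of the test shape the ChangeLog describes: a getter whose body has its own control flow, reached through a computed access whose key is always the same constant string, so the DFG will try the GetByVal-to-GetById conversion once the callee is hot. This is example code, not the contents of stress/get-by-val-to-id-with-getter.js; the names `foo` and `hello` follow the function list above, while the getter body, the iteration count and the `run` helper are assumptions. Before the fix, the mis-sized block offset made a program of this shape loop forever in the DFG; with the fix (or in any other engine) it returns normally.

```javascript
// Constructed reproducer; not the project's own test file.
// `o.get hello` and `foo` are the names listed in the ChangeLog, the bodies are assumed.

// Getter with control flow: the loop and the branch give the getter
// several basic blocks, which is the case the wrong opcode length mishandled.
const o = {
    get hello() {
        let sum = 0;
        for (let i = 0; i < 3; i++) {
            if (i & 1)
                sum += i;   // i = 1
            else
                sum -= 1;   // i = 0, 2
        }
        return sum;         // -1 + 1 - 1 = -1
    }
};

// The key arrives through a parameter, so the bytecode generator emits
// op_get_by_val; the DFG's handleGetById path then sees a constant string
// key on every execution and converts the access to a GetById.
function foo(obj, key) {
    return obj[key];
}

// jsc stress tests use noInline() to keep foo a separate compilation unit;
// it does not exist in other engines, so only call it when present (assumption).
if (typeof noInline === "function")
    noInline(foo);

// Enough iterations for the DFG tier to kick in under jsc; the accumulated
// sum lets the caller check that the getter ran, and ran to completion, each time.
function run(iterations) {
    let acc = 0;
    for (let i = 0; i < iterations; i++)
        acc += foo(o, "hello");
    return acc;
}
```

Under jsc the interesting part is not the return value but that `run(100000)` terminates; the sum is only there so a harness can assert the getter produced the same result on every tier.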
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@207500 268f45cc-cd09-0410-ab3c-d52691b4dbfc
4 files changed