commit 74aef1f4bfd5e99b56334842e5663407fd92f6ce
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Feb 01 15:30:41 2014 +0000
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Feb 01 15:30:41 2014 +0000
tree 68de398e4f519decf17facc08542a75348ea0cfb
parent ff8951f3665f8273961651bdf0cc496d148d82bb

REGRESSION (r163027?): CrashTracer: [USER] com.apple.WebKit.WebContent.Development at com.apple.JavaScriptCore: JSC::ArrayProfile::computeUpdatedPrediction + 4
https://bugs.webkit.org/show_bug.cgi?id=128037

Reviewed by Mark Lam.

op_call_varargs ops now needs an ArrayProfile since DFG inlines these since
change set r162739.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitCallVarargs):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@163241 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/bytecode/CodeBlock.cpp

diff --git a/Source/JavaScriptCore/bytecode/CodeBlock.cpp b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
index ad1f6bf..1c953c1 100644
--- a/Source/JavaScriptCore/bytecode/CodeBlock.cpp
+++ b/Source/JavaScriptCore/bytecode/CodeBlock.cpp
@@ -1689,6 +1689,7 @@
             instructions[i + j].u.operand = pc[j].u.operand;
         }
         switch (pc[0].u.opcode) {
+        case op_call_varargs:
         case op_get_by_val:
         case op_get_argument_by_val: {
             int arrayProfileIndex = pc[opLength - 2].u.operand;
@@ -1697,8 +1698,7 @@
             instructions[i + opLength - 2] = &m_arrayProfiles[arrayProfileIndex];
             FALLTHROUGH;
         }
-        case op_get_by_id:
-        case op_call_varargs: {
+        case op_get_by_id: {
             ValueProfile* profile = &m_valueProfiles[pc[opLength - 1].u.operand];
             ASSERT(profile->m_bytecodeOffset == -1);
             profile->m_bytecodeOffset = i;