commit aedde2e14e21e37996ceeae61260828c1c0ed85a
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Jul 03 00:10:08 2012 +0000
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue Jul 03 00:10:08 2012 +0000
tree a44c9a67844cec40ce8a9de77741fdc3d4437e05
parent e4f762d07c8c0fb8eb376c1e01d517d61badc59a

DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
https://bugs.webkit.org/show_bug.cgi?id=90407

Reviewed by Mark Hahnenberg.

* dfg/DFGArgumentsSimplificationPhase.cpp:
(JSC::DFG::ArgumentsSimplificationPhase::run):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@121712 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 26f9f3f..40b4b7e 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,13 @@
+2012-07-02  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG::ArgumentsSimplificationPhase should assert that the PhantomArguments nodes it creates are not shouldGenerate()
+        https://bugs.webkit.org/show_bug.cgi?id=90407
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGArgumentsSimplificationPhase.cpp:
+        (JSC::DFG::ArgumentsSimplificationPhase::run):
+
 2012-07-02  Gavin Barraclough  <barraclough@apple.com>
 
         Array.prototype.pop should throw if property is not configurable

Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp

diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index 28e686a..82c081b 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -627,8 +627,9 @@
                     continue;
                 // If this is a CreateArguments for an InlineCallFrame* that does
                 // not create arguments, then replace it with a PhantomArguments.
-                // PhantomArguments is a constant that represents JSValue() (the
-                // empty value) in DFG and arguments creation for OSR exit.
+                // PhantomArguments is a non-executing node that just indicates
+                // that the node should be reified as an arguments object on OSR
+                // exit.
                 if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
                     continue;
                 if (node.shouldGenerate()) {
@@ -641,12 +642,30 @@
                 }
                 node.setOpAndDefaultFlags(PhantomArguments);
                 node.children.reset();
+                changed = true;
             }
             insertionSet.execute(*block);
         }
         
-        if (changed)
+        if (changed) {
             m_graph.collectGarbage();
+            
+            // Verify that PhantomArguments nodes are not shouldGenerate().
+#if !ASSERT_DISABLED
+            for (BlockIndex blockIndex = 0; blockIndex < m_graph.m_blocks.size(); ++blockIndex) {
+                BasicBlock* block = m_graph.m_blocks[blockIndex].get();
+                if (!block)
+                    continue;
+                for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
+                    NodeIndex nodeIndex = block->at(indexInBlock);
+                    Node& node = m_graph[nodeIndex];
+                    if (node.op() != PhantomArguments)
+                        continue;
+                    ASSERT(!node.shouldGenerate());
+                }
+            }
+#endif
+        }
         
         return changed;
     }