Google Git
Sign in
webkit / WebKit / cd3adcc561a982cd955f6d8757c94de75609187b^! / . / Source / JavaScriptCore / dfg / DFGAbstractState.cpp
commitcd3adcc561a982cd955f6d8757c94de75609187b[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Mar 08 09:02:48 2012 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Mar 08 09:02:48 2012 +0000
tree2dd40829b27d20446c3e0b0343986d333e0efd00
parent3298a6909224f18b276a07503545d40643919100 [diff] [blame]
Incorrect tracking of abstract values of variables forced double
https://bugs.webkit.org/show_bug.cgi?id=80566
<rdar://problem/11001442>

Reviewed by Gavin Barraclough.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::mergeStateAtTail):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@110153 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index afe0ec7..38af844 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -998,7 +998,7 @@
     if (nodeIndex == NoNode)
         return false;
         
-    AbstractValue* source;
+    AbstractValue source;
         
     Node& node = m_graph[nodeIndex];
     if (!node.refCount())
@@ -1013,7 +1013,7 @@
     case SetArgument:
     case Flush:
         // The block transfers the value from head to tail.
-        source = &inVariable;
+        source = inVariable;
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
         dataLog("          Transfering from head to tail.\n");
 #endif
@@ -1021,7 +1021,7 @@
             
     case GetLocal:
         // The block refines the value with additional speculations.
-        source = &forNode(nodeIndex);
+        source = forNode(nodeIndex);
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
         dataLog("          Refining.\n");
 #endif
@@ -1030,7 +1030,10 @@
     case SetLocal:
         // The block sets the variable, and potentially refines it, both
         // before and after setting it.
-        source = &forNode(node.child1());
+        if (node.variableAccessData()->shouldUseDoubleFormat())
+            source.set(PredictDouble);
+        else
+            source = forNode(node.child1());
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
         dataLog("          Setting.\n");
 #endif
@@ -1038,11 +1041,10 @@
         
     default:
         ASSERT_NOT_REACHED();
-        source = 0;
         break;
     }
     
-    if (destination == *source) {
+    if (destination == source) {
         // Abstract execution did not change the output value of the variable, for this
         // basic block, on this iteration.
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
@@ -1054,7 +1056,7 @@
     // Abstract execution reached a new conclusion about the speculations reached about
     // this variable after execution of this basic block. Update the state, and return
     // true to indicate that the fixpoint must go on!
-    destination = *source;
+    destination = source;
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
     dataLog("          Changed!\n");
 #endif