fpizlo@apple.com authored
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
https://bugs.webkit.org/show_bug.cgi?id=122418

Reviewed by Oliver Hunt.

Source/JavaScriptCore:

This is pretty awesome. With stack compression, Arguments created in the DFG will point their m_registers pointers into a different slab of stack than they would have in byte code. Hence OSR exit must repoint any Arguments objects' m_registers pointers. It previously neglected to do so. This patch fixes that.

Fixing this unveiled another bug: the stack reversal broke the reification of inlined phantom arguments.

* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* runtime/Arguments.h:
(JSC::Arguments::offsetOfNumArguments):
(JSC::Arguments::offsetOfRegisters):
(JSC::Arguments::offsetOfSlowArgumentData):
(JSC::Arguments::offsetOfOverrodeLength):

LayoutTests:

* js/script-tests/dfg-arguments-osr-exit-multiple-blocks-before-exit.js:
* js/script-tests/dfg-arguments-osr-exit-multiple-blocks.js:
* js/script-tests/dfg-arguments-osr-exit.js:
* js/script-tests/dfg-inline-arguments-capture-throw-exception.js:

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@157035 268f45cc-cd09-0410-ab3c-d52691b4dbfc
0e97f125