fpizlo@apple.com authored
DFG inlining machinery should be robust against the inline callee varying while the executable stays the same
https://bugs.webkit.org/show_bug.cgi?id=105953

Reviewed by Mark Hahnenberg.

This institutes the policy that if InlineCallFrame::callee is null, then the callee and scope have already been stored into the true call frame (i.e. the place where the call frame of the inlined call would have been) and so any attempt to access the callee or scope should do a load instead of assuming that the value is constant.

This wires the changes through the bytecode parser, the stack scanning logic, and the compiler optimization phases and backends.

* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::dump):
* bytecode/CodeOrigin.h:
(CodeOrigin):
(InlineCallFrame):
(JSC::InlineCallFrame::isClosureCall):
(JSC::CodeOrigin::stackOffset):
(JSC):
* dfg/DFGAssemblyHelpers.h:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::get):
(InlineStackEntry):
(JSC::DFG::ByteCodeParser::getScope):
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCSEPhase.cpp:
(CSEPhase):
(JSC::DFG::CSEPhase::genericPureCSE):
(JSC::DFG::CSEPhase::pureCSE):
(JSC::DFG::CSEPhase::pureCSERequiringSameInlineCallFrame):
(JSC::DFG::CSEPhase::getMyScopeLoadElimination):
(JSC::DFG::CSEPhase::performNodeCSE):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* interpreter/CallFrame.cpp:
(JSC::CallFrame::trueCallFrame):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138669 268f45cc-cd09-0410-ab3c-d52691b4dbfc
439e9e55