Crash beneath operationCreateInlinedArguments running fast/js/dfg-cre…

…ate-inlined-arguments-in-closure-inline.html (32-bit only)

https://bugs.webkit.org/show_bug.cgi?id=112067

Reviewed by Geoffrey Garen.

We weren't setting the tag in SetCallee.  Therefore set it to CellTag.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):


Canonical link: https://commits.webkit.org/130369@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145417 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,15 @@
+2013-03-11  Michael Saboff  <msaboff@apple.com>
+
+        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
+        https://bugs.webkit.org/show_bug.cgi?id=112067
+
+        Reviewed by Geoffrey Garen.
+
+        We weren't setting the tag in SetCallee.  Therefore set it to CellTag.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2013-03-11  Oliver Hunt  <oliver@apple.com>
 
         Make SegmentedVector Noncopyable

Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -3745,6 +3745,7 @@ void SpeculativeJIT::compile(Node* node)
     case SetCallee: {
         SpeculateCellOperand callee(this, node->child1());
         m_jit.storePtr(callee.gpr(), JITCompiler::payloadFor(static_cast<VirtualRegister>(node->codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
+        m_jit.store32(MacroAssembler::TrustedImm32(JSValue::CellTag), JITCompiler::tagFor(static_cast<VirtualRegister>(node->codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
         noResult(node);
         break;
     }

Source/WTF/wtf/DataLog.cpp

@@ -40,7 +40,7 @@
 #endif
 #endif
 
-#define DATA_LOG_TO_FILE 0
+#define DATA_LOG_TO_FILE 1
 
 // Uncomment to force logging to the given file regardless of what the environment variable says. Note that
 // we will append ".<pid>.txt" where <pid> is the PID.