From 757760b17c63858e7d9f027876a4cb4abd1cd88c Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 11 Mar 2013 22:36:28 +0000
Subject: [PATCH] Crash beneath operationCreateInlinedArguments running
 fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
 https://bugs.webkit.org/show_bug.cgi?id=112067

Reviewed by Geoffrey Garen.

We weren't setting the tag in SetCallee.  Therefore set it to CellTag.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):


Canonical link: https://commits.webkit.org/130369@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@145417 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog                      | 12 ++++++++++++
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp |  1 +
 Source/WTF/wtf/DataLog.cpp                           |  2 +-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index b661405e5ddf..22884a24e769 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,15 @@
+2013-03-11  Michael Saboff  <msaboff@apple.com>
+
+        Crash beneath operationCreateInlinedArguments running fast/js/dfg-create-inlined-arguments-in-closure-inline.html (32-bit only)
+        https://bugs.webkit.org/show_bug.cgi?id=112067
+
+        Reviewed by Geoffrey Garen.
+
+        We weren't setting the tag in SetCallee.  Therefore set it to CellTag.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2013-03-11  Oliver Hunt  <oliver@apple.com>
 
         Make SegmentedVector Noncopyable
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 4ffa53a6a023..36dbe0cbe0c4 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -3745,6 +3745,7 @@ void SpeculativeJIT::compile(Node* node)
     case SetCallee: {
         SpeculateCellOperand callee(this, node->child1());
         m_jit.storePtr(callee.gpr(), JITCompiler::payloadFor(static_cast<VirtualRegister>(node->codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
+        m_jit.store32(MacroAssembler::TrustedImm32(JSValue::CellTag), JITCompiler::tagFor(static_cast<VirtualRegister>(node->codeOrigin.stackOffset() + static_cast<int>(JSStack::Callee))));
         noResult(node);
         break;
     }
diff --git a/Source/WTF/wtf/DataLog.cpp b/Source/WTF/wtf/DataLog.cpp
index d0d5a5741f02..c35901202eb0 100644
--- a/Source/WTF/wtf/DataLog.cpp
+++ b/Source/WTF/wtf/DataLog.cpp
@@ -40,7 +40,7 @@
 #endif
 #endif
 
-#define DATA_LOG_TO_FILE 0
+#define DATA_LOG_TO_FILE 1
 
 // Uncomment to force logging to the given file regardless of what the environment variable says. Note that
 // we will append ".<pid>.txt" where <pid> is the PID.