REGRESSION: Crash when opening Facebook.com

https://bugs.webkit.org/show_bug.cgi?id=119155

Reviewed by Andreas Kling.

Scope nodes are always objects, so we should be using SpecObjectOther
rather than SpecCellOther.  Marking Scopes as CellOther leads to a
contradiction in the CFA, resulting in bogus codegen.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):

Change-Id: Ic083c04b9351c904ea4b5ee41bcc98c7d66d757d
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153410 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index ab2a5af98..19bad5c09 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -1255,7 +1255,7 @@ bool AbstractState::executeEffects(unsigned indexInBlock, Node* node)
     case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202
     case GetMyScope:
     case SkipTopScope:
-        forNode(node).set(SpecCellOther);
+        forNode(node).set(SpecObjectOther);
         break;
 
     case SkipScope: {
@@ -1264,7 +1264,7 @@ bool AbstractState::executeEffects(unsigned indexInBlock, Node* node)
             m_foundConstants = true;
             break;
         }
-        forNode(node).set(SpecCellOther);
+        forNode(node).set(SpecObjectOther);
         break;
     }