• mstarzinger's avatar
    [turbofan] Move SimplifiedOperatorBuilder into JSGraph. · b7990793
    mstarzinger authored
    This fixes the lifetime of nodes created by JSGlobalSpecialization that
    contain a simplified operator. In the case where this reducer runs as
    part of the inliner, the SimplifiedOperatorBuilder was instantiated with
    the wrong zone. This led to use-after-free of simplified operators.
    
    To avoid such situations in the future, we decided to move this operator
    builder into the JSGraph and make the situation uniform with all other
    operator builders.
    
    R=bmeurer@chromium.org
    BUG=chromium:543528
    LOG=n
    
    Review URL: https://codereview.chromium.org/1409993002
    
    Cr-Commit-Position: refs/heads/master@{#31334}
    b7990793
test-loop-analysis.cc 28.4 KB