Bug 110519

Summary: Object allocation profiling will refuse to create objects with more than JSFinalObject::maxInlineCapacity() inline slots, but JSFunction::allocationProfile() asserts that the number of inline slots is always what it asked for
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Reporter: Filip Pizlo <fpizlo>
Assignee: Filip Pizlo <fpizlo>
CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Attachments:
Description Flags
tbhe patch ggaren: review+

Filip Pizlo
Reported 2013-02-21 15:09:44 PST
Basically, JSFunction is asserting that the object allocation profiling doesn't have the max-out feature. But it does have that feature, for good reason.
Attachments
tbhe patch (1.42 KB, patch)
2013-02-21 15:10 PST, Filip Pizlo
ggaren: review+
Filip Pizlo
Comment 1 2013-02-21 15:10:55 PST
Created attachment 189608: tbhe patch
Geoffrey Garen
Comment 2 2013-02-21 15:13:12 PST
Comment on attachment 189608: tbhe patch

r=me

Would be nice to rename the argument to inferredInlineCapacity, too. The convention is that "inlineCapacity" means the real number, and not the guess.
Filip Pizlo
Comment 3 2013-02-21 15:43:36 PST
(In reply to comment #2)
> (From update of attachment 189608)
> r=me
>
> Would be nice to rename the argument to inferredInlineCapacity, too. The convention is that "inlineCapacity" means the real number, and not the guess.

I'll leave that for later. Also, there's no good test for this. The key thing is that the JSFunction must survive but the CodeBlock must be blown away. Otherwise we never take that path in JSFunction::allocationProfile().
Filip Pizlo
Comment 4 2013-02-21 16:57:48 PST