Bug 119349

Summary:

DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT

Product:

WebKit

Reporter:

Mark Hahnenberg <mhahnenberg>

Component:

JavaScriptCore

Assignee:

Mark Hahnenberg <mhahnenberg>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

rniwa, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	ggaren: review+

Mark Hahnenberg

Reported 2013-07-31 12:50:09 PDT

The baseline JIT is currently responsible for resizing the ctiOffsets Vector for SimpleJumpTables to be equal to the size of the branchOffsets Vector. If the DFG chooses to inline a function that has never been compiled by the baseline JIT then this resizing never happens and we crash at link time in the DFG. We can fix this by doing the resize in the DFG as well to catch this case.

Attachments
Patch (4.43 KB, patch) 2013-07-31 12:52 PDT, Mark Hahnenberg	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Hahnenberg

Comment 1 2013-07-31 12:52:58 PDT

Created attachment 207873 [details] Patch

Radar WebKit Bug Importer

Comment 2 2013-07-31 12:53:45 PDT

<rdar://problem/14608744>

Geoffrey Garen

Comment 3 2013-07-31 13:12:13 PDT

Comment on attachment 207873 [details] Patch r=me

Mark Hahnenberg

Comment 4 2013-07-31 13:23:10 PDT

Committed r153540: <http://trac.webkit.org/changeset/153540>

Brent Fulgham

Comment 5 2022-02-12 20:01:32 PST

*** Bug 119224 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.