Bug 119349

Summary: DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ggaren: review+

Description Mark Hahnenberg 2013-07-31 12:50:09 PDT 
The baseline JIT is currently responsible for resizing the ctiOffsets Vector for SimpleJumpTables to be equal to the size of the branchOffsets Vector. If the DFG chooses to inline a function that has never been compiled by the baseline JIT then this resizing never happens and we crash at link time in the DFG.

We can fix this by doing the resize in the DFG as well to catch this case.
Comment 1 Mark Hahnenberg 2013-07-31 12:52:58 PDT 
Created attachment 207873 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2013-07-31 12:53:45 PDT 
<rdar://problem/14608744>
Comment 3 Geoffrey Garen 2013-07-31 13:12:13 PDT 
Comment on attachment 207873 [details]
Patch

r=me
Comment 4 Mark Hahnenberg 2013-07-31 13:23:10 PDT 
Committed r153540: <http://trac.webkit.org/changeset/153540>
Comment 5 Brent Fulgham 2022-02-12 20:01:32 PST 
*** Bug 119224 has been marked as a duplicate of this bug. ***