Bug 119504

Summary:

DFG optimizes out strict mode arguments tear off

Product:

WebKit

Reporter:

Oliver Hunt <oliver>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
the patch	oliver: review+

Oliver Hunt

Reported 2013-08-05 18:00:53 PDT

If i have a strict mode function: function f(a) { "use strict"; a = 5; return arguments[0]; } var x = 0; for (var i = 0; i < N; i++) x = x + f(1); The result should be N, but the DFG optimizes out the eager tear off of the Arguments object, leading to arguments[0] eventually being optimized to return 5, which is incorrect.

Attachments
the patch (5.76 KB, patch) 2013-08-16 16:19 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2013-08-16 16:19:26 PDT

Created attachment 208962 [details] the patch

Filip Pizlo

Comment 2 2013-08-16 22:36:06 PDT

<rdar://problem/14764160>

Filip Pizlo

Comment 3 2013-08-16 22:37:00 PDT

Landed in http://trac.webkit.org/changeset/154217

Note You need to log in before you can comment on or make changes to this bug.