Bug 146029

Summary:

Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Patch	benjamin: review+

Description Michael Saboff 2015-06-16 15:16:04 PDT

When we inline a function call in the DFG, we essential recurse in ByteCodeParser::attemptToInlineCall() when we call inlineCall().  In the process we overwrite m_currentInstruction.  When we return, m_currentInstruction no longer points at the call instruction.  The fix is to save and restore m_currentInstruction around the call to inlineCall().

<rdar://problem/20841734>

Comment 1 Michael Saboff 2015-06-16 16:22:03 PDT

Created attachment 254975 [details]
Patch

Comment 2 Benjamin Poulain 2015-06-16 16:43:09 PDT

Comment on attachment 254975 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=254975&action=review

> Source/JavaScriptCore/ChangeLog:7
> +

IMHO, you should explain the bug here. How/where m_currentInstruction is trashed, and what were the side effects.

Comment 3 Mark Lam 2015-06-16 16:44:41 PDT

Comment on attachment 254975 [details]
Patch

r=me too

Comment 4 Michael Saboff 2015-06-16 16:50:45 PDT

(In reply to comment #2)
> Comment on attachment 254975 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=254975&action=review
> 
> > Source/JavaScriptCore/ChangeLog:7
> > +
> 
> IMHO, you should explain the bug here. How/where m_currentInstruction is
> trashed, and what were the side effects.

I'll add comments explaining how this happens.

Comment 5 Michael Saboff 2015-06-16 17:06:51 PDT

Committed r185627: <http://trac.webkit.org/changeset/185627>