Bug 147354

Summary:

DFG::safeToExecute() cases for GetByOffset/PutByOffset don't handle clobbered structure abstract values correctly

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, basile_clement, benjamin, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	msaboff: review+

Description Filip Pizlo 2015-07-27 22:31:28 PDT

This is a benign bug, but worth fixing.

Comment 1 Filip Pizlo 2015-07-27 22:38:43 PDT

Created attachment 257633 [details]
the patch

Comment 2 Filip Pizlo 2015-07-27 22:47:05 PDT

Comment on attachment 257633 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=257633&action=review

> Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h:129
> +    // neither clear nor top.

Meant to say: "neither top nor clobbered".  Fixed locally.

Comment 3 Michael Saboff 2015-07-28 09:45:00 PDT

Comment on attachment 257633 [details]
the patch

r=me

Comment 4 Filip Pizlo 2015-07-28 09:59:51 PDT

Landed in http://trac.webkit.org/changeset/187487