| Summary: | We shouldn't leave holes on the stack when performing an OSR exit in presence of inlined tail calls | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Basile Clement <basile_clement> |
| Component: | JavaScriptCore | Assignee: | Basile Clement <basile_clement> |
| Status: | NEW --- | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
In the following test case, each time we do an OSR exit, we currently leave a couple of frames on the stack, which shouldn't be the case. This is a super rare bug that requires an infinite number of functions because otherwise we would stop using a DFG-compiled version of the function if it keeps exiting. Still, we should probably restore the stack correctly in this case, if only to avoid leaving useless pointers to the heap on the stack. ```` var source = "pathological = function (n) { " + " 'use strict';" + " if (n > 100000) {" + " (function () { })();" + // This will trigger an OSR exit and leave inlined frames on the stack " return build_and_run();" + " } else {" + " return pathological(n + 1);" + " }" + "}"; var pathological; function build_and_run() { 'use strict'; eval(source); return pathological(0); } build_and_run(); ````