Bug 148367

Summary: DFG::InsertionSet should be tolerant of occasional out-of-order insertions
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, basile_clement, benjamin, ggaren, mark.lam, mhahnenb, msaboff, nrotem, oliver, saam, sam
Priority: P2    
Version: Other   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 145204    
Attachments:
Description Flags
the patch ggaren: review+

Description Filip Pizlo 2015-08-22 19:40:44 PDT 
Patch forthcoming.
Comment 1 Filip Pizlo 2015-08-22 19:45:47 PDT 
Created attachment 259730 [details]
the patch
Comment 2 Geoffrey Garen 2015-08-24 10:45:03 PDT 
Comment on attachment 259730 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259730&action=review

r=me

> Source/JavaScriptCore/ChangeLog:19
> +        It seems like it would be best to just lift this restrictions.

restriction
Comment 3 Saam Barati 2015-08-24 10:46:03 PDT 
Comment on attachment 259730 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259730&action=review

r=me

> Source/JavaScriptCore/dfg/DFGInsertionSet.cpp:35
> +    for (size_t index = m_insertions.size() - 1; index--;) {

Even though this is checked at the call site for this function, it might be nice for documentation's sake to assert that the last element's index is larger than what we're inserting.
Comment 4 Filip Pizlo 2015-08-24 13:59:29 PDT 
(In reply to comment #2)
> Comment on attachment 259730 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=259730&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/ChangeLog:19
> > +        It seems like it would be best to just lift this restrictions.
> 
> restriction

Fixed.
Comment 5 Filip Pizlo 2015-08-24 13:59:37 PDT 
(In reply to comment #3)
> Comment on attachment 259730 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=259730&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/dfg/DFGInsertionSet.cpp:35
> > +    for (size_t index = m_insertions.size() - 1; index--;) {
> 
> Even though this is checked at the call site for this function, it might be
> nice for documentation's sake to assert that the last element's index is
> larger than what we're inserting.

Done.
Comment 6 Filip Pizlo 2015-08-24 14:11:48 PDT 
Landed in http://trac.webkit.org/changeset/188879