Bug 149467

Summary: the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it.
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch none

Saam Barati
Reported 2015-09-22 10:29:19 PDT
The callOperation won't store a code origin on the call frame. Therefore, if this is the first callOperation in the current compilation, and we emit an exception check inside a try block, we will hit an assertion claiming that we must have some codeOrigins.size() be > 0 to ask for the last call site.
Attachments
patch (3.78 KB, patch)
2015-09-22 10:54 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2015-09-22 10:54:59 PDT
Created attachment 261750 [details] patch
Saam Barati
Comment 2 2015-09-22 10:55:29 PDT
Comment on attachment 261750 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=261750&action=review > Source/JavaScriptCore/dfg/DFGCommonData.cpp:62 > + RELEASE_ASSERT(codeOrigins.size()); I think moving this to a RELEASE_ASSERT should help us find any remaining callOperation call sites that also run into this problem.
Mark Lam
Comment 3 2015-09-22 10:56:20 PDT
Comment on attachment 261750 [details] patch r=me
WebKit Commit Bot
Comment 4 2015-09-22 12:33:29 PDT
Comment on attachment 261750 [details] patch Clearing flags on attachment: 261750 Committed r190128: <http://trac.webkit.org/changeset/190128>
WebKit Commit Bot
Comment 5 2015-09-22 12:33:34 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.