Bug 149467

Summary: the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it.
Product: WebKit
Component: JavaScriptCore
Reporter: Saam Barati <saam>
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, keith_miller, mark.lam, msaboff, oliver, sukolsak, ysuzuki
Attachments:
  patch (flags: none)

Description Saam Barati 2015-09-22 10:29:19 PDT
The callOperation won't store a code origin on the call frame. Therefore, if this is the first callOperation in the current compilation, and we emit an exception check inside a try block, we will hit an assertion claiming that we must have some codeOrigins.size() be > 0 to ask for the last call site.
Comment 1 Saam Barati 2015-09-22 10:54:59 PDT
Created attachment 261750 [details]
patch
Comment 2 Saam Barati 2015-09-22 10:55:29 PDT
Comment on attachment 261750 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=261750&action=review

> Source/JavaScriptCore/dfg/DFGCommonData.cpp:62
> +    RELEASE_ASSERT(codeOrigins.size());
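Review bot: RELEASE_ASSERT is compiled into release builds, so after this change any remaining callOperation site that emits an exception check inside a try block before a code origin has been recorded will terminate shipping builds rather than only debug ones; since the stated goal is to surface those remaining sites, that trade-off is reasonable, but it belongs in the ChangeLog entry so the resulting crash signature is recognisable when it shows up in crash reports.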

I think moving this to a RELEASE_ASSERT should help us find any remaining callOperation call sites that also run into this problem.
Comment 3 Mark Lam 2015-09-22 10:56:20 PDT
Comment on attachment 261750 [details]
patch

r=me
Comment 4 WebKit Commit Bot 2015-09-22 12:33:29 PDT
Comment on attachment 261750 [details]
patch

Clearing flags on attachment: 261750

Committed r190128: <http://trac.webkit.org/changeset/190128>
Comment 5 WebKit Commit Bot 2015-09-22 12:33:34 PDT
All reviewed patches have been landed. Closing bug.