| Summary: | Re-investiage using PhantomLocal as the liveness preservation mechanism for variables live in a "catch" block in the DFG | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> |
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | benjamin, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, oliver, ticaiolima, ysuzuki |
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
|
Description
Saam Barati
2015-11-02 16:48:13 PST
Ok, so I was looking at other code, but realized maybe why there was a bug in the first place w/ GetById. DFGSpeculativeJIT64.cpp calls SpeculateCellOperand::use() on the base before compiling the IC. This might effect OSR exit data if the GetById is the last use of the base. I suspect this is why PhantomLocal was broken in that program. This also means that we should probably look at other use() calls to make sure they're sound w.r.t exceptions. It looks like there is a strength reduction rule that may rewrite Flush to PhantomLocal, and it has no concept of exception handling. So there is a chance there is some program that breaks because of the use() call and a Flush being rewritten as PhantomLocal. |