| Field | Value |
|---|---|
| Summary | ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Filip Pizlo <fpizlo> |
| Assignee | Filip Pizlo <fpizlo> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| CC | commit-queue, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer |
| Keywords | InRadar |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| Bug Depends on | 143073 |
| Bug Blocks | 160125 |
Description

Filip Pizlo
2016-09-01 10:39:37 PDT

It looks like this is handled by m_materializationSiteToRecoveries. I wonder why the scope isn't in there.

100% repro:

```js
function bar() { }
noInline(bar);

function foo(p, x) {
    var value = 1;
    function inc() { return value + 1; }
    function dec() { return value - 1; }
    if (!p)
        return 0;
    bar(inc);
    x += 2000000000;
    value = 42;
    return dec();
}
noInline(foo);

function test(x) {
    var result = foo(true, x);
    if (result != 42 - 1)
        throw "Error: bad result: " + result;
}

for (var i = 0; i < 100000; ++i)
    test(0);
test(2000000000);
```

Wow this is an epic one-line fix!

Created attachment 287648 [details]
the patch

---

Comment #5

Comment on attachment 287648 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=287648&action=review

r=me

> Source/JavaScriptCore/ChangeLog:16
> + it's a special meta-data field initialed on construction. But just because it's immutable

/initialed/initialized/ ?

> Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:1942
> -
> +

Please remove.

---

(In reply to comment #5)
> Comment on attachment 287648 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=287648&action=review
>
> r=me
>
> > Source/JavaScriptCore/ChangeLog:16
> > + it's a special meta-data field initialed on construction. But just because it's immutable
>
> /initialed/initialized/ ?

Fixed.

> > Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:1942
> > -
> > +
>
> Please remove.

Fixed.

---

Landed in http://trac.webkit.org/changeset/205304