Bug 164239

Summary:

GetByOffset rule is has incorrect assumptions inside arguments elimination phase

Product:

WebKit

Reporter:

Saam Barati <saam>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, oliver, ticaiolima, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

163925

Attachments:

Description	Flags
patch	none

Saam Barati

Reported 2016-10-31 14:03:26 PDT

It assumes that a child will always be transformed before it does by assuming it will already be a phantom allocation. This probably happens to be true because of how we generate byte code for arguments allocation and how traversal of the graph works using blocksInNaturalOrder. However, there is no guarantee that blocksInNaturalOrder must first traverse a block's dominator before the block being dominated.

Attachments
patch (2.01 KB, patch) 2016-10-31 14:11 PDT, Saam Barati	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2016-10-31 14:04:47 PDT

<rdar://problem/29032041>

Saam Barati

Comment 2 2016-10-31 14:11:43 PDT

Created attachment 293464 [details] patch

Keith Miller

Comment 3 2016-10-31 14:36:33 PDT

Comment on attachment 293464 [details] patch r=me.

WebKit Commit Bot

Comment 4 2016-10-31 15:54:32 PDT

Comment on attachment 293464 [details] patch Clearing flags on attachment: 293464 Committed r208185: <http://trac.webkit.org/changeset/208185>

WebKit Commit Bot

Comment 5 2016-10-31 15:54:36 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.