| Summary: | We are using valueProfileForBytecodeOffset when there may not be a value profile | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | benjamin, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | Safari Technology Preview | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
I'm moving to two functions: ValueProfile& valueProfileForBytecodeOffset(int); ValueProfile* tryGetValueProfileForBytecodeOffset(int); Created attachment 318740 [details]
patch
Comment on attachment 318740 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=318740&action=review r=me with the suggested build fix. > Source/JavaScriptCore/jit/JITInlines.h:974 > ASSERT(valueProfile); Looks like this line needs to be removed to fix the Debug build. |
Currently, switching to this crashes on stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js ValueProfile* CodeBlock::valueProfileForBytecodeOffset(int bytecodeOffset) { OpcodeID opcodeID = Interpreter::getOpcodeID(instructions()[bytecodeOffset]); unsigned length = opcodeLength(opcodeID); ValueProfile* result = instructions()[bytecodeOffset + length - 1].u.profile; #if !ASSERT_DISABLED bool found = false; for (unsigned i = 0; i < numberOfValueProfiles(); ++i) { ValueProfile* profile = valueProfile(i); if (profile->m_bytecodeOffset == bytecodeOffset) { ASSERT(profile == result); found = true; break; } } ASSERT(found); #endif return result; } I'll fix and land this change