Bug 186818

Summary: DirectArguments::create needs to initialize to undefined instead of the empty value
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCore Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description    Flags
patch          none

Description Saam Barati 2018-06-19 13:59:52 PDT
We have code in OSR exit that sets up length, but not capacity. This means get_from_arguments may end up loading an empty value instead of undefined. We rely on DirectArguments having at least the slots up to the number of declared parameters set to undefined if there are no arguments to the actual function.
Comment 1 Saam Barati 2018-06-19 14:00:37 PDT
The test case (OSRExit() and noInline() are jsc shell intrinsics):
```
function foo(a, b) {
    let x = arguments; // keep a reference so the arguments object must be materialized
    OSRExit();         // force an OSR exit once the arguments object exists
    return a + b; // Will load JSValue() instead of jsUndefined() since we'll materialize a DirectArguments in OSRExit that only has slots filled with JSValue()
}

function bar() {
    foo(); // zero actual arguments, two declared parameters
}
noInline(bar);

for (let i = 0; i < 1000; ++i) {
    bar();
}
```
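The invariant the description relies on, as an added example that is not part of the bug report or WebKit's test suite: a sloppy-mode function with a simple parameter list gets a DirectArguments object in JavaScriptCore, and every parameter slot beyond the number of actual arguments must read as undefined (never the engine's internal empty JSValue), so `a + b` with no arguments must be NaN. The example runs under any engine; `OSRExit` and `noInline` are jsc shell intrinsics, and the fallback to no-ops when they are absent is an assumption of this example, not engine behaviour. Run it in the jsc shell to exercise the OSR exit path the bug describes, or in node as a plain semantic check.

```javascript
// Added example (not WebKit code). Portable regression-style check that declared
// parameters which received no actual argument always read as undefined, even after
// the arguments object has been materialized and (in jsc) an OSR exit has happened.
// Assumption: OSRExit/noInline exist only in the jsc shell; elsewhere they are no-ops.
var osrExit = typeof OSRExit === "function" ? OSRExit : function () {};
var markNoInline = typeof noInline === "function" ? noInline : function () {};

function foo(a, b) {
  var x = arguments;            // reference it so the engine must materialize arguments
  osrExit();                    // jsc only: force an OSR exit after materialization
  return {
    params: [a, b],             // what the declared parameters read as
    argc: x.length,             // what the arguments object reports
    has0: 0 in x,               // index 0 exists only if an actual argument was passed
    sum: a + b                  // undefined + undefined must be NaN, never garbage
  };
}

function callWithZeroArgs() { return foo(); }   // two declared, zero passed
function callWithOneArg() { return foo(1); }    // two declared, one passed
markNoInline(callWithZeroArgs);
markNoInline(callWithOneArg);

// Calls both shapes repeatedly (enough iterations to tier up in a JIT engine) and
// counts every observation that breaks the invariant. A correct engine returns 0.
function checkInvariant(iterations) {
  var violations = 0;
  for (var i = 0; i < iterations; i++) {
    var r0 = callWithZeroArgs();
    if (r0.argc !== 0 || r0.has0 ||
        r0.params[0] !== undefined || r0.params[1] !== undefined ||
        !Number.isNaN(r0.sum)) {
      violations++;
    }
    var r1 = callWithOneArg();
    if (r1.argc !== 1 || !r1.has0 ||
        r1.params[0] !== 1 || r1.params[1] !== undefined ||
        !Number.isNaN(r1.sum)) {
      violations++;
    }
  }
  return violations;
}

// Usage: prints 0 on a correct engine; any non-zero count means a parameter slot
// beyond arguments.length surfaced as something other than undefined.
console.log("violations:", checkInvariant(1000));
```

The check deliberately reads the parameters through three views at once (the declared parameters, `arguments.length`, and an `in` lookup on the arguments object) so that a slot the engine left empty cannot hide behind a coincidentally correct length.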
Comment 2 Saam Barati 2018-06-19 14:10:03 PDT
<rdar://problem/38415177>
Comment 3 Saam Barati 2018-06-19 15:54:44 PDT
Created attachment 343118 [details]
patch
Comment 4 WebKit Commit Bot 2018-06-19 18:11:51 PDT
Comment on attachment 343118 [details]
patch

Clearing flags on attachment: 343118

Committed r233000: <https://trac.webkit.org/changeset/233000>
Comment 5 WebKit Commit Bot 2018-06-19 18:11:53 PDT
All reviewed patches have been landed.  Closing bug.