Bug 199527
| Summary: | Fix DFGArgumentEliminationPhase's NewArrayBuffer check | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Michael Catanzaro <mcatanzaro> |
| Component: | JavaScriptCore | Assignee: | Yusuke Suzuki <ysuzuki> |
| Status: | NEW | ||
| Severity: | Normal | CC: | mcatanzaro, saam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Bug Depends on: | |||
| Bug Blocks: | 104114 | ||
Michael Catanzaro
Coverity has flagged this code from r226033 "[FTL] NewArrayBuffer should be sinked if it is only used for spreading" in ArgumentsEliminationPhase::eliminateCandidatesThatEscape as a likely copy/paste error:
case LoadVarargs:
if (node->loadVarargsData()->offset && (node->child1()->op() == NewArrayWithSpread || node->child1()->op() == Spread || node->child1()->op() == NewArrayBuffer))
escape(node->child1(), node);
break;
case CallVarargs:
case ConstructVarargs:
case TailCallVarargs:
case TailCallVarargsInlinedCaller:
escape(node->child1(), node);
escape(node->child2(), node);
if (node->callVarargsData()->firstVarArgOffset && (node->child3()->op() == NewArrayWithSpread || node->child3()->op() == Spread || node->child1()->op() == NewArrayBuffer)) // <-- likely error here
escape(node->child3(), node);
break;
It looks like this was probably supposed to be node->child3()->op() == NewArrayBuffer, but I don't pretend to understand anything under Source/JavaScriptCore. Yusuke should look at it.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Saam Barati
Yeah I think coverity is right!
Radar WebKit Bug Importer
<rdar://problem/55507104>