Bug 84638

Summary:

DFG must keep alive values that it will perform speculations on

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ggaren

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	oliver: review+

Filip Pizlo

Reported 2012-04-23 14:49:43 PDT

Consider the following code: x = o.f; y = x + 1; Where there are no further uses of x or y. If x was an object, then x + 1 would result in a call to x.valueOf(), which could have side effects. Currently if the DFG speculates that x is a number, then it will dead-code-eliminate x + 1 along with the check that x is a number - so a future execution of this code where o.f results in an object with a valueOf() method will result in the valueOf() method not being called, which is wrong. <rdar://problem/11258183>

Attachments
the patch (2.14 KB, patch) 2012-04-23 14:52 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2012-04-23 14:52:06 PDT

Created attachment 138430 [details] the patch

Geoffrey Garen

Comment 2 2012-04-23 15:32:06 PDT

Regression test?

Filip Pizlo

Comment 3 2012-04-23 15:32:34 PDT

(In reply to comment #2) > Regression test? Already got one with Oliver's rs.

Filip Pizlo

Comment 4 2012-04-23 15:44:06 PDT

Landed in http://trac.webkit.org/changeset/114956

Note You need to log in before you can comment on or make changes to this bug.