Bug 84638

Summary: DFG must keep alive values that it will perform speculations on
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ggaren
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Description: the patch; Flags: oliver: review+

Filip Pizlo
Reported 2012-04-23 14:49:43 PDT
Consider the following code:

    x = o.f;
    y = x + 1;

Where there are no further uses of x or y. If x was an object, then x + 1 would result in a call to x.valueOf(), which could have side effects. Currently if the DFG speculates that x is a number, then it will dead-code-eliminate x + 1 along with the check that x is a number - so a future execution of this code where o.f results in an object with a valueOf() method will result in the valueOf() method not being called, which is wrong.

<rdar://problem/11258183>
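The behaviour described in the report can be checked with a small script run in a JavaScript shell. This is an added example, not part of the original report and not the regression test mentioned in the comments or WebKit's own code; the names `foo` and `runCheck` and the warm-up count are assumptions, and the number of iterations needed to reach an optimizing tier varies by engine.

```javascript
// Added example (constructed): checks that valueOf() is still called on a
// value whose arithmetic result is unused, after the function has been
// warmed up with numbers so that an optimizing JIT speculates "number".

function foo(o) {
    var x = o.f;
    var y = x + 1;   // y is never used; only the ToPrimitive side effect is observable
}

function runCheck(warmupIterations) {
    // Phase 1: train the function on numeric input only.
    for (var i = 0; i < warmupIterations; ++i)
        foo({ f: i });

    // Phase 2: pass an object whose valueOf() has a visible side effect.
    var calls = 0;
    var tricky = {
        f: { valueOf: function () { calls++; return 42; } }
    };

    var rounds = 10;
    for (var j = 0; j < rounds; ++j)
        foo(tricky);

    // A correct engine keeps the number check alive, falls back to the
    // generic path when it fails, and calls valueOf() once per round.
    return { calls: calls, expected: rounds };
}

var result = runCheck(100000);
console.log(result.calls === result.expected
    ? "PASS: valueOf() called " + result.calls + " times"
    : "FAIL: valueOf() called " + result.calls + " times, expected " + result.expected);
```
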
Attachments
the patch (2.14 KB, patch)
2012-04-23 14:52 PDT, Filip Pizlo
oliver: review+
Filip Pizlo
Comment 1 2012-04-23 14:52:06 PDT
Created attachment 138430
the patch
Geoffrey Garen
Comment 2 2012-04-23 15:32:06 PDT
Regression test?
Filip Pizlo
Comment 3 2012-04-23 15:32:34 PDT
(In reply to comment #2)
> Regression test?

Already got one with Oliver's rs.
Filip Pizlo
Comment 4 2012-04-23 15:44:06 PDT