RESOLVED FIXED 106398
DFG shouldn't treat the 'this' argument as being captured if a code block uses arguments
https://bugs.webkit.org/show_bug.cgi?id=106398
Filip Pizlo
Reported 2013-01-08 16:38:17 PST
Doing so results in two outcomes: 1) We're overly pessimistic about how we compile code that uses 'this' in inlined function calls that use arguments. 2) We try to flush the this argument when we assign to it in create_this. Except that the this argument wouldn't have been assigned. This results in strange IR corruption, including causing the OSR entry code to try to test the values in the locals associated with the 'this' argument of inlined code - except that the 'this' argument to an inline construct is a temporary, and would not have been initialized at OSR entrypoints. This can lead to strange crashes in OSR entry.
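For readers unfamiliar with the pattern the report refers to, here is the shape of JavaScript it is talking about: a constructor that reads 'this' and also touches 'arguments', invoked through 'new' in a hot loop so that an optimizing tier would consider inlining it. This is an added illustration written for this page, not the bug's own test case and not code from the WebKit patch; the function names and loop counts are arbitrary choices.

```javascript
// Added illustration (not from the WebKit bug or its patch): a constructor that
// both assigns to 'this' and uses 'arguments', called via 'new' repeatedly.
// The 'new' call is what creates 'this' for the callee (create_this in the bytecode),
// and the 'arguments' use is what made the DFG treat the callee's arguments as captured.
function Point(x, y) {
  // Using 'arguments' forces the engine to materialize the arguments object.
  this.argc = arguments.length;
  this.x = x;
  this.y = y;
}

// Construct many Points in a loop; in an engine with tiered compilation this is
// the kind of loop that gets optimized, and Point is a candidate for inlining.
function buildPoints(n) {
  const pts = [];
  for (let i = 0; i < n; i++) {
    pts.push(new Point(i, i * 2));
  }
  return pts;
}

// Consistency check: every object must have received its own, fully initialized 'this'.
// Returns true when all constructed objects hold the values they were built from.
function checkPoints(n) {
  const pts = buildPoints(n);
  return pts.length === n &&
    pts.every((p, i) => p.argc === 2 && p.x === i && p.y === 2 * i);
}

console.log(checkPoints(10000) ? "all points consistent" : "inconsistent 'this' state");
```

The check at the end is what a regression test for a bug like this looks like from the outside: run the pattern long enough to cross the optimization threshold and confirm that every constructed object still carries the state its constructor assigned.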
Attachments
the patch (11.95 KB, patch)
2013-01-08 16:42 PST, Filip Pizlo
mhahnenberg: review+
Filip Pizlo
Comment 1 2013-01-08 16:42:11 PST
Filip Pizlo
Comment 2 2013-01-08 16:42:30 PST
Created attachment 181800 [details] the patch
Mark Hahnenberg
Comment 3 2013-01-08 17:04:46 PST
Comment on attachment 181800 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=181800&action=review

r=me

> Source/JavaScriptCore/dfg/DFGValidate.cpp:80
> + // Validate that all local variable phis at the head of the root block are dead.

No "phis".

> Source/JavaScriptCore/dfg/DFGValidate.cpp:297
> + void reportValidationContext()

Remove.
Filip Pizlo
Comment 4 2013-01-08 17:13:39 PST