119349 – DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT

Bug 119349 - DFG doesn't account for inlining of functions with switch statements that haven't been executed by the baseline JIT

Summary: DFG doesn't account for inlining of functions with switch statements that hav...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:	InRadar

Duplicates (1):	119224 (view as bug list)
Depends on:
Blocks:

Reported:	2013-07-31 12:50 PDT by Mark Hahnenberg
Modified:	2022-02-12 20:01 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (4.43 KB, patch) 2013-07-31 12:52 PDT, Mark Hahnenberg	ggaren: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2013-07-31 12:50:09 PDT

The baseline JIT is currently responsible for resizing the ctiOffsets Vector for SimpleJumpTables to be equal to the size of the branchOffsets Vector. If the DFG chooses to inline a function that has never been compiled by the baseline JIT then this resizing never happens and we crash at link time in the DFG.

We can fix this by doing the resize in the DFG as well to catch this case.

Comment 1 Mark Hahnenberg 2013-07-31 12:52:58 PDT

Created attachment 207873 [details]
Patch

Comment 2 Radar WebKit Bug Importer 2013-07-31 12:53:45 PDT

<rdar://problem/14608744>

Comment 3 Geoffrey Garen 2013-07-31 13:12:13 PDT

Comment on attachment 207873 [details]
Patch

r=me

Comment 4 Mark Hahnenberg 2013-07-31 13:23:10 PDT

Committed r153540: <http://trac.webkit.org/changeset/153540>

Comment 5 Brent Fulgham 2022-02-12 20:01:32 PST

*** Bug 119224 has been marked as a duplicate of this bug. ***