119504 – DFG optimizes out strict mode arguments tear off

Bug 119504 - DFG optimizes out strict mode arguments tear off

Summary: DFG optimizes out strict mode arguments tear off

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2013-08-05 18:00 PDT by Oliver Hunt
Modified:	2013-08-16 22:37 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
the patch (5.76 KB, patch) 2013-08-16 16:19 PDT, Filip Pizlo	oliver: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Oliver Hunt 2013-08-05 18:00:53 PDT

If i have a strict mode function:

function f(a) {
    "use strict";
    a = 5;
    return arguments[0];
}

var x = 0;
for (var i = 0; i < N; i++)
     x = x + f(1);


The result should be N, but the DFG optimizes out the eager tear off of the Arguments object, leading to arguments[0] eventually being optimized to return 5, which is incorrect.

Comment 1 Filip Pizlo 2013-08-16 16:19:26 PDT

Created attachment 208962 [details]
the patch

Comment 2 Filip Pizlo 2013-08-16 22:36:06 PDT

<rdar://problem/14764160>

Comment 3 Filip Pizlo 2013-08-16 22:37:00 PDT

Landed in http://trac.webkit.org/changeset/154217