...
This is pretty awesome. With stack compression, Arguments created in the DFG will point their m_registers pointers into a different slab of stack than they would have in byte code. Hence OSR exit must repoint any Arguments objects' m_registers pointers. It neglects to do so.
Created attachment 213524: the patch
Comment on attachment 213524: the patch

If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame, and tearing off the arguments object incorrectly?
(In reply to comment #3)
> (From update of attachment 213524)
> If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame, and tearing off the arguments object incorrectly?

The code in Interpreter.cpp handles this directly and this has nothing to do with this bug. See unwindCallFrame(). It calls StackVisitor::existingArguments(). This gets the right Arguments object. It then tears off the Arguments correctly depending on the kind of Arguments that we have.

Note that there is no such thing as non-DFG function B doing unwinding any differently than it would have if function B were a DFG function. Everyone calls into the same unwinding machinery, and that machinery decides what to do on a per-call-frame basis and takes into account inlining. Also, it just so happens that for non-inlined code, DFG Arguments look the same as non-DFG Arguments. That could change, and if it did, we would edit the code in unwindCallFrame().
Created attachment 213526: more correcter patch
Created attachment 213551: the patch

Fixed some more bugs - this needs re-review.
Created attachment 213552: the patch

Fix changelog.
*** Bug 122436 has been marked as a duplicate of this bug. ***
Created attachment 213559: the patch

Rebased. Now unskipping more tests than ever!
Landed in http://trac.webkit.org/changeset/157035