When we inline a function call in the DFG, we essentially recurse in ByteCodeParser::attemptToInlineCall() when we call inlineCall(). In the process we overwrite m_currentInstruction. When we return, m_currentInstruction no longer points at the call instruction. The fix is to save and restore m_currentInstruction around the call to inlineCall(). <rdar://problem/20841734>
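A constructed toy model of the bug described above, added here as an illustration (this is not WebKit's ByteCodeParser): a recursive inliner shares one cursor, m_currentInstruction, between the outer function and the inlined callee, so the caller reads the callee's last instruction unless the cursor is saved before the recursion and restored after it. The ToyParser, Instruction and opcode values are all made up for the example.

```cpp
#include <vector>

// Constructed model, not WebKit code: one "current instruction" cursor per parser.
struct Instruction { int opcode; bool isCall; };

struct ToyParser {
    const Instruction* m_currentInstruction = nullptr;
    bool m_saveRestore;  // true = apply the save/restore fix from the report

    explicit ToyParser(bool saveRestore) : m_saveRestore(saveRestore) {}

    // Parses one bytecode sequence, inlining calls by recursing into the callee.
    // Returns the opcode the parser believes it is on right after the last
    // call instruction has been inlined (-1 if there was no call).
    int parse(const std::vector<Instruction>& code,
              const std::vector<Instruction>& callee) {
        int opcodeAfterInline = -1;
        for (const Instruction& insn : code) {
            m_currentInstruction = &insn;
            if (insn.isCall) {
                inlineCall(callee);
                // Caller-side bookkeeping that assumes the cursor still points
                // at the call instruction (result register, next offset, ...).
                opcodeAfterInline = m_currentInstruction->opcode;
            }
        }
        return opcodeAfterInline;
    }

    void inlineCall(const std::vector<Instruction>& callee) {
        const Instruction* saved = m_currentInstruction;  // the fix: save ...
        parse(callee, {});  // recursion overwrites m_currentInstruction
        if (m_saveRestore)
            m_currentInstruction = saved;                 // ... and restore
    }
};

// Constructed sample: a call (opcode 10) inlining a callee whose last
// instruction has opcode 99. Without the fix the caller observes 99.
int observedOpcode(bool saveRestore) {
    std::vector<Instruction> caller = {{1, false}, {10, true}, {2, false}};
    std::vector<Instruction> callee = {{50, false}, {99, false}};
    return ToyParser(saveRestore).parse(caller, callee);
}
```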
Created attachment 254975: Patch
Comment on attachment 254975: Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=254975&action=review

> Source/JavaScriptCore/ChangeLog:7
> +

IMHO, you should explain the bug here. How/where m_currentInstruction is trashed, and what were the side effects.
Comment on attachment 254975: Patch

r=me too
(In reply to comment #2)
> Comment on attachment 254975: Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=254975&action=review
>
> > Source/JavaScriptCore/ChangeLog:7
> > +
>
> IMHO, you should explain the bug here. How/where m_currentInstruction is trashed, and what were the side effects.

I'll add comments explaining how this happens.
Committed r185627: <http://trac.webkit.org/changeset/185627>