RESOLVED FIXED 146029
Inlining in the DFG trashes ByteCodeParser::m_currentInstruction for the calling function
https://bugs.webkit.org/show_bug.cgi?id=146029
Michael Saboff
Reported 2015-06-16 15:16:04 PDT
When we inline a function call in the DFG, we essentially recurse in ByteCodeParser::attemptToInlineCall() when we call inlineCall(). In the process we overwrite m_currentInstruction. When we return, m_currentInstruction no longer points at the call instruction. The fix is to save and restore m_currentInstruction around the call to inlineCall(). <rdar://problem/20841734>
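The clobbering the report describes, as an added C++ illustration that is not the WebKit patch: TinyParser, Instruction and the three opcodes are simplified stand-ins for ByteCodeParser and its bytecode, and the constructor flag switches the save/restore fix on and off.

```cpp
#include <vector>

// Constructed stand-in for a bytecode stream; only three opcodes are needed.
enum Opcode { OpAdd, OpCall, OpRet };
struct Instruction {
    Opcode opcode;
    const std::vector<Instruction>* callee; // body to inline for OpCall, else nullptr
};

// Hypothetical, heavily simplified parser shaped like the bug report: parseBlock() walks one
// body through m_currentInstruction and recurses into inlineCall() for OpCall, which reuses
// the same member and returns with it still pointing into the callee.
class TinyParser {
public:
    explicit TinyParser(bool saveAndRestore) : m_saveAndRestore(saveAndRestore) {}

    // Returns the opcodes handled in *this* frame; the inlined callee's opcodes are not included.
    std::vector<Opcode> parseBlock(const std::vector<Instruction>& code) {
        std::vector<Opcode> handled;
        m_currentInstruction = code.data();
        for (;;) {
            Opcode op = m_currentInstruction->opcode;
            handled.push_back(op);
            if (op == OpCall) {
                const Instruction* callInstruction = m_currentInstruction;
                inlineCall(*m_currentInstruction->callee);
                // The fix from the report: restore the caller's instruction after inlining.
                if (m_saveAndRestore)
                    m_currentInstruction = callInstruction;
            }
            // The parser re-reads the instruction it believes it just handled. Without the
            // restore this is the callee's final OpRet, so the caller's block ends early.
            if (m_currentInstruction->opcode == OpRet)
                return handled;
            ++m_currentInstruction;
        }
    }

private:
    void inlineCall(const std::vector<Instruction>& callee) { parseBlock(callee); }
    bool m_saveAndRestore;
    const Instruction* m_currentInstruction = nullptr;
};

// Constructed input: caller = add, call, add, add, ret; callee = add, ret.
std::vector<Opcode> parseCallerWith(bool saveAndRestore) {
    static const std::vector<Instruction> callee = {{OpAdd, nullptr}, {OpRet, nullptr}};
    static const std::vector<Instruction> caller = {
        {OpAdd, nullptr}, {OpCall, &callee}, {OpAdd, nullptr}, {OpAdd, nullptr}, {OpRet, nullptr}};
    return TinyParser(saveAndRestore).parseBlock(caller);
}
```

With the flag off, parseCallerWith returns only the add and the call: the caller's two trailing adds and its own ret are never parsed because the loop sees the callee's ret instead.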
Attachments
Patch (4.76 KB, patch)
2015-06-16 16:22 PDT, Michael Saboff
benjamin: review+
Michael Saboff
Comment 1 2015-06-16 16:22:03 PDT
Benjamin Poulain
Comment 2 2015-06-16 16:43:09 PDT
Comment on attachment 254975 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=254975&action=review

> Source/JavaScriptCore/ChangeLog:7
> +

IMHO, you should explain the bug here. How/where m_currentInstruction is trashed, and what were the side effects.
Mark Lam
Comment 3 2015-06-16 16:44:41 PDT
Comment on attachment 254975 [details]
Patch

r=me too
Michael Saboff
Comment 4 2015-06-16 16:50:45 PDT
(In reply to comment #2)
> Comment on attachment 254975 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=254975&action=review
>
> > Source/JavaScriptCore/ChangeLog:7
> > +
>
> IMHO, you should explain the bug here. How/where m_currentInstruction is
> trashed, and what were the side effects.

I'll add comments explaining how this happens.
Michael Saboff
Comment 5 2015-06-16 17:06:51 PDT