Bug 147511 - We shouldn't leave holes on the stack when performing an OSR exit in presence of inlined tail calls
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Basile Clement
Depends on:
Reported: 2015-07-31 15:08 PDT by Basile Clement
Modified: 2015-07-31 15:08 PDT
Description Basile Clement 2015-07-31 15:08:11 PDT
In the following test case, each time we do an OSR exit, we currently leave a couple of frames on the stack, which shouldn't be the case. This is a super rare bug that requires an infinite number of functions because otherwise we would stop using a DFG-compiled version of the function if it keeps exiting. Still, we should probably restore the stack correctly in this case, if only to avoid leaving useless pointers to the heap on the stack.

var source = "pathological = function (n) { " +
"    'use strict';" +
"    if (n > 100000) {" +
"        (function () { })();" + // This will trigger an OSR exit and leave inlined frames on the stack
"        return build_and_run();" +
"    } else {" +
"        return pathological(n + 1);" +
"    }" +
"}";

var pathological;

function build_and_run() {
    'use strict';
    // Reconstructed from here on (the attachment is cut off in the report): evaluating the
    // source on every run builds a fresh function each time, so the DFG never gives up on it.
    eval(source);
    return pathological(0);
}

build_and_run();