Bug 149467 - the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn't emit an exceptionCheck after it.
Summary: the toInt32 operation inside DFGSpeculativeJIT.cpp can't throw so we shouldn'...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-22 10:29 PDT by Saam Barati
Modified: 2015-09-22 12:33 PDT (History)
11 users (show)

See Also:


Attachments
patch (3.78 KB, patch)
2015-09-22 10:54 PDT, Saam Barati
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2015-09-22 10:29:19 PDT
The callOperation won't store a code origin on the call frame.
Therefore, if this is the first callOperation in the current 
compilation, and we emit an exception check inside a try
block, we will hit an assertion claiming that we must
have some codeOrigins.size() be > 0 to ask for the last call site.
Comment 1 Saam Barati 2015-09-22 10:54:59 PDT
Created attachment 261750 [details]
patch
Comment 2 Saam Barati 2015-09-22 10:55:29 PDT
Comment on attachment 261750 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=261750&action=review

> Source/JavaScriptCore/dfg/DFGCommonData.cpp:62
> +    RELEASE_ASSERT(codeOrigins.size());

I think moving this to a RELEASE_ASSERT should help us find any remaining callOperation call sites that also run into this problem.
Comment 3 Mark Lam 2015-09-22 10:56:20 PDT
Comment on attachment 261750 [details]
patch

r=me
Comment 4 WebKit Commit Bot 2015-09-22 12:33:29 PDT
Comment on attachment 261750 [details]
patch

Clearing flags on attachment: 261750

Committed r190128: <http://trac.webkit.org/changeset/190128>
Comment 5 WebKit Commit Bot 2015-09-22 12:33:34 PDT
All reviewed patches have been landed.  Closing bug.