Fairly simple failure:

    function f() { for (;;)`${1}` }
    f();

The issue is that we appear to be issuing a str_concat with a single child, which the DFG thinks is invalid. The obvious solutions are to either:
* don't emit str_concat from a single child template literal
* Have the DFG acknowledge this can happen

I think the former is the better option.
<rdar://problem/26775638>
Created attachment 281211 [details] Patch
Comment on attachment 281211 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=281211&action=review

r=me

> Source/JavaScriptCore/tests/stress/template-literal.js:209
> +function testSingleNode() {

Can you also add other tests for valueOf, etc
Comment on attachment 281211 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=281211&action=review

>> Source/JavaScriptCore/tests/stress/template-literal.js:209
>> +function testSingleNode() {
>
> Can you also add other tests for valueOf, etc

Unrelated to this bug you mean? This bug is specifically because template literals would always plant a strcat, even if there was only a single node.
Committed r202015: <http://trac.webkit.org/changeset/202015>
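
The single-node case from the report, together with the valueOf coverage the reviewer asked about, as an added example that is not part of the original thread or the committed patch: a stress-style check that a template literal with exactly one substitution still performs ToString when run in a hot loop. The function names and the iteration count are assumptions made for this example.

```javascript
// Added example, not from the WebKit patch or its test file.
// A template literal with one substitution and no literal text must still
// behave as ToString(value), whichever JIT tier ends up running it.
const ITERATIONS = 1e4; // assumption: enough calls for an optimizing tier to kick in

function single(value) {
    return `${value}`; // the single-node shape from the bug report
}

function checkSingleNode() {
    const results = { typeOk: 0, toStringFirst: 0, valueOfFallback: 0, symbolThrows: 0 };

    // ToString uses hint "string", so toString() wins over valueOf().
    const prefersToString = {
        toString() { return "from toString"; },
        valueOf() { return "from valueOf"; },
    };

    // With no toString at all, ToPrimitive falls back to valueOf().
    const onlyValueOf = Object.create(null);
    onlyValueOf.valueOf = () => 42;

    for (let i = 0; i < ITERATIONS; i++) {
        const s = single(i);
        // The result must be a string, not the number passed through.
        if (typeof s === "string" && s === String(i)) results.typeOk++;
        if (single(prefersToString) === "from toString") results.toStringFirst++;
        if (single(onlyValueOf) === "42") results.valueOfFallback++;
        try {
            single(Symbol("s")); // ToString on a Symbol must throw
        } catch (e) {
            if (e instanceof TypeError) results.symbolThrows++;
        }
    }
    return results;
}

console.log(checkSingleNode());
```
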