...
<rdar://problem/27328836>
Created attachment 290393 [details] patch
Comment on attachment 290393 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=290393&action=review Ouch. R=me. > Source/JavaScriptCore/dfg/DFGClobberize.h:267 > + if (mode.type() == Array::ForceExit) { > + write(SideState); > + return; > + } > + Why didn't you put this in the switch statement, below?
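Review bot: the early return for `mode.type() == Array::ForceExit` at DFGClobberize.h:267 has no comment explaining why a ForceExit array mode is modelled as `write(SideState)` and nothing else. A one-line comment stating that reasoning would help. As the review question above asks, if the switch below dispatches on `mode.type()`, a `case Array::ForceExit:` there would keep all array-mode handling in one place instead of a separate pre-check. No regression test accompanies the hunk, so the comment should also record the condition that triggers this path.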
Created attachment 290397 [details] patch for landing
I'm going to try to find a repro test before landing, but it might be tricky
(In reply to comment #5)
> I'm going to try to find a repro test before landing, but it might be tricky

This is difficult to do.
(In reply to comment #6)
> (In reply to comment #5)
> > I'm going to try to find a repro test before landing, but it might be tricky
>
> This is difficult to do.

Basically, we need to profile something as contiguousInbounds, and then somehow not have a prediction for either the base or the index.
Ok, I'm going to give up on trying to get this to reproduce on ToT. It's pretty clear what the bug is, but it's probably quite difficult to write a program that exhibits the bug. Anyways, I'm going to commit this change for now and then if I find a way to write a test that exhibits the bug, I'll check in the test later.
Comment on attachment 290397 [details] patch for landing
Clearing flags on attachment: 290397
Committed r206955: <http://trac.webkit.org/changeset/206955>
All reviewed patches have been landed. Closing bug.