164239 – GetByOffset rule is has incorrect assumptions inside arguments elimination phase

Bug 164239 - GetByOffset rule is has incorrect assumptions inside arguments elimination phase

Summary: GetByOffset rule is has incorrect assumptions inside arguments elimination phase

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Saam Barati

URL:
Keywords:	InRadar

Depends on:
Blocks:	163925
	Show dependency tree / graph

Reported:	2016-10-31 14:03 PDT by Saam Barati
Modified:	2016-10-31 15:54 PDT (History)
CC List:	13 users (show)

See Also:

Attachments
patch (2.01 KB, patch) 2016-10-31 14:11 PDT, Saam Barati	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Saam Barati 2016-10-31 14:03:26 PDT

It assumes that a child will always be transformed before it does by assuming it will already be a phantom allocation. This probably happens to be true because of how we generate byte code for arguments allocation and how traversal of the graph works using blocksInNaturalOrder. However, there is no guarantee that blocksInNaturalOrder must first traverse a block's dominator before the block being dominated.

Comment 1 Saam Barati 2016-10-31 14:04:47 PDT

<rdar://problem/29032041>

Comment 2 Saam Barati 2016-10-31 14:11:43 PDT

Created attachment 293464 [details]
patch

Comment 3 Keith Miller 2016-10-31 14:36:33 PDT

Comment on attachment 293464 [details]
patch

r=me.

Comment 4 WebKit Commit Bot 2016-10-31 15:54:32 PDT

Comment on attachment 293464 [details]
patch

Clearing flags on attachment: 293464

Committed r208185: <http://trac.webkit.org/changeset/208185>

Comment 5 WebKit Commit Bot 2016-10-31 15:54:36 PDT

All reviewed patches have been landed.  Closing bug.