174781 – [JSC] ArrayProfile and ValueProfile indice should be stored in unsignedValue in Instruction

NEW 174781

[JSC] ArrayProfile and ValueProfile indice should be stored in unsignedValue in Instruction

https://bugs.webkit.org/show_bug.cgi?id=174781

Summary [JSC] ArrayProfile and ValueProfile indice should be stored in unsignedValue ...

Yusuke Suzuki

Reported 2017-07-24 03:24:12 PDT

In UnlinkedCodeBlock, their value should be placed in unsignedValue field.

Attachments
Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2017-07-24 03:26:21 PDT

The problem is that StructureForInContext already uses `unsignedValue` field to store array profile and value profile. However, when using these numbers in CodeBlock, we use `operand` field. That causes undefined behavior. (accessing inactive union member).

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Yusuke Suzuki

Reported

2017-07-24 03:24 PDT

Modified

2017-07-24 03:26 PDT History

CC List

3 users Show

URL

Keywords

Depends on

Blocks