Currently, switching to this crashes on stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js

    ValueProfile* CodeBlock::valueProfileForBytecodeOffset(int bytecodeOffset)
    {
        OpcodeID opcodeID = Interpreter::getOpcodeID(instructions()[bytecodeOffset]);
        unsigned length = opcodeLength(opcodeID);
        ValueProfile* result = instructions()[bytecodeOffset + length - 1].u.profile;
    #if !ASSERT_DISABLED
        bool found = false;
        for (unsigned i = 0; i < numberOfValueProfiles(); ++i) {
            ValueProfile* profile = valueProfile(i);
            if (profile->m_bytecodeOffset == bytecodeOffset) {
                ASSERT(profile == result);
                found = true;
                break;
            }
        }
        ASSERT(found);
    #endif
        return result;
    }

I'll fix and land this change.
I'm moving to two functions:

    ValueProfile& valueProfileForBytecodeOffset(int);
    ValueProfile* tryGetValueProfileForBytecodeOffset(int);
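The split described in the comment above, shown as an added stand-alone model rather than WebKit's own code: a toy instruction stream whose ops end with a profile slot, a `tryGet...` accessor that may return null (used where an op, like the inlined tail call in the test, has no profile), and a reference-returning accessor that asserts the profile exists. `CodeBlockModel`, `Instruction`, the `OpcodeID` values, their lengths and `buildSampleCodeBlock` are all constructed for this example and are not JavaScriptCore types.

```cpp
#include <cassert>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <vector>

// Hypothetical, simplified stand-in for a value profile (not WebKit's type).
struct ValueProfile {
    int m_bytecodeOffset;
};

// Toy opcodes; each op occupies opcodeLength() slots and its LAST slot is
// reserved for a ValueProfile* (or null when the op is not profiled).
enum OpcodeID { op_get, op_put, op_call };

static unsigned opcodeLength(OpcodeID id)
{
    switch (id) {
    case op_get:  return 3;
    case op_put:  return 3;
    case op_call: return 4;
    }
    return 0;
}

struct Instruction {
    OpcodeID opcode = op_get;        // meaningful in the first slot of an op
    ValueProfile* profile = nullptr; // meaningful in the last slot of an op
};

class CodeBlockModel {
public:
    // Append one op at the end of the stream. When `profiled` is false the
    // op's last slot stays null, which is the situation the bug hit.
    int appendOp(OpcodeID id, bool profiled)
    {
        int offset = static_cast<int>(m_instructions.size());
        unsigned length = opcodeLength(id);
        m_instructions.resize(m_instructions.size() + length);
        m_instructions[offset].opcode = id;
        if (profiled) {
            m_profiles.push_back(std::make_unique<ValueProfile>(ValueProfile{offset}));
            m_instructions[offset + length - 1].profile = m_profiles.back().get();
        }
        return offset;
    }

    // May return null: use this where the caller cannot prove the op is profiled.
    ValueProfile* tryGetValueProfileForBytecodeOffset(int bytecodeOffset) const
    {
        OpcodeID id = m_instructions[bytecodeOffset].opcode;
        unsigned length = opcodeLength(id);
        ValueProfile* result = m_instructions[bytecodeOffset + length - 1].profile;
#ifndef NDEBUG
        // Cross-check against the side table only when an entry exists; a
        // missing entry is a legitimate outcome here, not an assertion failure.
        for (const auto& profile : m_profiles) {
            if (profile->m_bytecodeOffset == bytecodeOffset)
                assert(profile.get() == result);
        }
#endif
        return result;
    }

    // Never returns null: the caller guarantees a profile exists for this op.
    ValueProfile& valueProfileForBytecodeOffset(int bytecodeOffset) const
    {
        ValueProfile* result = tryGetValueProfileForBytecodeOffset(bytecodeOffset);
        assert(result);
        return *result;
    }

private:
    std::vector<Instruction> m_instructions;
    std::vector<std::unique_ptr<ValueProfile>> m_profiles; // stable addresses
};

// Constructed sample: a profiled op, an unprofiled op (like the inlined tail
// call in the test case), then another profiled op.
CodeBlockModel buildSampleCodeBlock()
{
    CodeBlockModel block;
    block.appendOp(op_get, true);   // offset 0
    block.appendOp(op_call, false); // offset 3
    block.appendOp(op_put, true);   // offset 7
    return block;
}

bool hasProfileAt(const CodeBlockModel& block, int bytecodeOffset)
{
    return block.tryGetValueProfileForBytecodeOffset(bytecodeOffset) != nullptr;
}

int main()
{
    CodeBlockModel block = buildSampleCodeBlock();
    for (int offset : {0, 3, 7})
        std::printf("offset %d: %s\n", offset, hasProfileAt(block, offset) ? "profiled" : "no profile");
    return 0;
}
```

Callers that handle offsets which might belong to an unprofiled op go through the pointer-returning accessor and check for null; callers that know a profile must be present use the reference-returning one, so a null there is caught by the assertion instead of surfacing as a dereference of a null pointer later.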
Created attachment 318740 [details] patch
Comment on attachment 318740 [details] patch

View in context: https://bugs.webkit.org/attachment.cgi?id=318740&action=review

r=me with the suggested build fix.

> Source/JavaScriptCore/jit/JITInlines.h:974
> ASSERT(valueProfile);

Looks like this line needs to be removed to fix the Debug build.
Landed in: https://trac.webkit.org/changeset/221018/webkit
<rdar://problem/34014145>