RESOLVED FIXED 202014
[JSC] DFG op_call_varargs should not assume that one-previous-local of freeReg is usable 
https://bugs.webkit.org/show_bug.cgi?id=202014
Summary [JSC] DFG op_call_varargs should not assume that one-previous-local of freeRe...
Yusuke Suzuki
Reported 2019-09-19 16:43:22 PDT
This is not correct.
Attachments
Patch (19.66 KB, patch)
2019-09-19 18:06 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-09-19 16:43:45 PDT
<rdar://problem/54574453>
Yusuke Suzuki
Comment 2 2019-09-19 18:06:02 PDT
Created attachment 379183 [details] Patch
Yusuke Suzuki
Comment 3 2019-09-19 18:06:56 PDT
Comment on attachment 379183 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=379183&action=review > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1861 > + int registerOffset = firstFreeReg; This is the fix.
Mark Lam
Comment 4 2019-09-19 18:23:33 PDT
Comment on attachment 379183 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=379183&action=review r=me too. > Source/JavaScriptCore/ChangeLog:51 > + represent that this includes |this| count. By "this includes |this| count", you mean "the argument count includes |this|", yes? Can you rephrase as that please. The first "this" is a bit ambiguous.
Yusuke Suzuki
Comment 5 2019-09-19 19:17:31 PDT
Comment on attachment 379183 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=379183&action=review >> Source/JavaScriptCore/ChangeLog:51 >> + represent that this includes |this| count. > > By "this includes |this| count", you mean "the argument count includes |this|", yes? Can you rephrase as that please. The first "this" is a bit ambiguous. Fixed.
Yusuke Suzuki
Comment 6 2019-09-19 19:31:50 PDT
Committed r250116: <https://trac.webkit.org/changeset/250116>
Note You need to log in before you can comment on or make changes to this bug.