RESOLVED FIXED 95024
Don't allocate space for arguments and call frame if arguments aren't captured 
https://bugs.webkit.org/show_bug.cgi?id=95024
Summary Don't allocate space for arguments and call frame if arguments aren't captured
Geoffrey Garen
Reported 2012-08-26 00:01:27 PDT
Don't allocate space for arguments and call frame if arguments aren't captured
Attachments
Patch (1.95 KB, patch)
2012-08-26 00:04 PDT, Geoffrey Garen 		ggaren: review+
DetailsFormatted DiffDiff
test case (24.65 KB, patch)
2012-08-26 00:30 PDT, Filip Pizlo 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2012-08-26 00:04:45 PDT
Created attachment 160592 [details] Patch
Filip Pizlo
Comment 2 2012-08-26 00:25:15 PDT
Comment on attachment 160592 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=160592&action=review > Source/JavaScriptCore/runtime/JSActivation.h:160 > - // CallFrame > - registers[RegisterFile::ScopeChain].set(globalData, this, m_registers[RegisterFile::ScopeChain].get()); > - registers[RegisterFile::Callee].set(globalData, this, m_registers[RegisterFile::Callee].get()); > - > // vars Are you sure? I seem to recall arguments tear-off using them for something weird. :-/
Filip Pizlo
Comment 3 2012-08-26 00:30:03 PDT
Created attachment 160595 [details] test case I initially thought your patch failed to handle this, but now I'm pretty sure it's fine. Anyway, I figure that this test case should be handy.
Filip Pizlo
Comment 4 2012-08-26 00:30:31 PDT
Comment on attachment 160595 [details] test case I will land it myself once reviewed.
Geoffrey Garen
Comment 5 2012-08-26 09:38:57 PDT
> Are you sure? I seem to recall arguments tear-off using them for something weird. :-/ I, too, had this gut reaction -- and obviously the code was there for some reason at some point -- but I searched around and couldn't find a reason anymore. The arguments object holds a direct reference to "callee" now. Perhaps that's why we used to need callee, and don't need it anymore. As for the scope chain, I have no idea why we ever needed to preserve that. Pretty much any case you have an activation, it's owned by a function that also owns the scope chain. Also, by deduction: since we know we can merge scope chain and activation, it's hard to conceive of a case when one would be alive and one wouldn't. Famous last words.
Geoffrey Garen
Comment 6 2012-08-26 09:39:53 PDT
Comment on attachment 160595 [details] test case r=me on the test
Geoffrey Garen
Comment 7 2012-08-26 09:48:18 PDT
Aha! Here's the bug that we missed: https://bugs.webkit.org/show_bug.cgi?id=82947. I'll need to rethink what to do for the "argumentsGetter" case, and add a test for it.
Geoffrey Garen
Comment 8 2012-08-26 09:54:33 PDT
The bug arises if you call the argumentsGetter after the activation has torn off. That's impossible in user code, but the web inspector gets special direct access to activation objects, and can make it happen.
Geoffrey Garen
Comment 9 2012-08-26 11:03:16 PDT
Looks like I can fix the crash in a better way: https://bugs.webkit.org/show_bug.cgi?id=95033.
Filip Pizlo
Comment 10 2012-08-26 11:23:51 PDT
Test landed in http://trac.webkit.org/changeset/126708
Geoffrey Garen
Comment 11 2012-08-26 12:42:48 PDT
Comment on attachment 160592 [details] Patch Setting back to r+ based on Phil's earlier review, and the fix for the edge case we were worried about. (Side note: I was not able to reproduce the edge case even without its fix, but it's nice to be safe.)
Geoffrey Garen
Comment 12 2012-08-26 21:11:38 PDT
Committed r126722: <http://trac.webkit.org/changeset/126722>
Note You need to log in before you can comment on or make changes to this bug.