[webkit-reviews] review granted: [Bug 209035] DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray : [Attachment 393446] Patch
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Mar 12 19:59:51 PDT 2020
Saam Barati <sbarati at apple.com> has granted Keith Miller
<keith_miller at apple.com>'s request for review:
Bug 209035: DFG nodes that take a TypedArray's storage need to keepAlive the
TypedArray
https://bugs.webkit.org/show_bug.cgi?id=209035
Attachment 393446: Patch
https://bugs.webkit.org/attachment.cgi?id=393446&action=review
--- Comment #2 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 393446
--> https://bugs.webkit.org/attachment.cgi?id=393446
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=393446&action=review
r=me
> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:3843
> + keepAlive(lowJSValue(baseEdge));
seems like this would crash in validation failure if we're speculating on base
edge? Maybe pass ManualOperandSpeculation? (I don't remember if we actually
speculate on base, but I presume we do)
More information about the webkit-reviews
mailing list