[Webkit-unassigned] [Bug 71071] New: If the bytecode generator emits code after the return in the first basic block, DFG's inliner crashes
bugzilla-daemon at webkit.org
Thu Oct 27 15:49:27 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=71071
Summary: If the bytecode generator emits code after the return
in the first basic block, DFG's inliner crashes
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The bytecode generator will emit some code after a return in the first basic block in some cases. One silly case is:
function foo(a) {
    {
        return a;
    }
}
The bytecode will be something like:
op_enter
op_ret arg1
op_ret undefined
The DFG bytecode parser will then crash when inlining this function because it thinks that an early return (i.e. a return prior to the end position in the bytecode stream) implies that multiple basic blocks have been created prior to reaching that return. This is clearly not the case here. The DFG bytecode parser should be smart enough to realize that an early return in the first basic block means that subsequent basic blocks are dead and should not be parsed.
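The following is an added illustration of the behaviour the report asks for; it is not JavaScriptCore's code and the opcodes, the `Instr`/`BasicBlock` types and the helper names are constructed for the example. Instead of inferring block structure from the position of a return, the parser walks the bytecode from the entry point and only queues successors that control flow can actually reach, so a `Ret` in the entry block leaves the trailing `Ret` unparsed (counted as dead) rather than tripping an assumption that several blocks must already exist. A second constructed input shows a genuine early return guarded by a branch, which really does produce several blocks.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Toy bytecode, constructed for this example; not JSC's real instruction set.
enum class Op { Enter, Ret, Jmp, JFalse, Add };

struct Instr {
    Op op;
    size_t target; // absolute jump target for Jmp/JFalse, unused otherwise
};

struct BasicBlock {
    size_t begin; // index of the block's first instruction
    size_t end;   // one past its last instruction
};

struct ParseResult {
    std::vector<BasicBlock> blocks; // reachable blocks, in parse order
    size_t deadInstructions = 0;    // instructions never reached from entry
};

// Reachability-driven block parser (hypothetical, not the DFG's): start at
// instruction 0, parse straight-line code until a terminator, and queue only
// the successors that exist. A Ret queues nothing, so whatever the generator
// emitted after an early return in the entry block is never parsed at all.
inline ParseResult parseBlocks(const std::vector<Instr>& code) {
    ParseResult result;
    if (code.empty()) return result;

    // Leaders: instruction 0 plus every jump target. A straight-line run stops
    // when it falls into another leader, so no instruction lands in two blocks.
    std::vector<bool> leader(code.size(), false);
    leader[0] = true;
    for (const Instr& ins : code)
        if ((ins.op == Op::Jmp || ins.op == Op::JFalse) && ins.target < code.size())
            leader[ins.target] = true;

    std::vector<bool> reached(code.size(), false);
    std::vector<bool> queued(code.size(), false);
    std::vector<size_t> worklist{0};
    queued[0] = true;

    auto enqueue = [&](size_t pc) {
        if (pc < code.size() && !queued[pc]) {
            queued[pc] = true;
            worklist.push_back(pc);
        }
    };

    while (!worklist.empty()) {
        size_t pc = worklist.back();
        worklist.pop_back();
        BasicBlock block{pc, pc};
        for (;;) {
            reached[pc] = true;
            const Instr& ins = code[pc];
            ++pc;
            block.end = pc;
            if (ins.op == Op::Ret) break;                           // no successors
            if (ins.op == Op::Jmp) { enqueue(ins.target); break; }
            if (ins.op == Op::JFalse) { enqueue(ins.target); enqueue(pc); break; }
            if (pc >= code.size()) break;                           // ran off the end
            if (leader[pc]) { enqueue(pc); break; }                 // fall through into another block
        }
        result.blocks.push_back(block);
    }
    for (bool r : reached)
        if (!r) ++result.deadInstructions;
    return result;
}

// Constructed bytecode for `function foo(a) { { return a; } }` as the report
// describes it: op_enter, op_ret arg1, then an unreachable op_ret undefined.
inline std::vector<Instr> earlyReturnInEntryBlock() {
    return {{Op::Enter, 0}, {Op::Ret, 0}, {Op::Ret, 0}};
}

// Constructed bytecode for a branch-guarded early return,
// roughly `if (c) return a; return a + 1;`, which spans several blocks.
inline std::vector<Instr> earlyReturnAfterBranch() {
    return {{Op::Enter, 0}, {Op::JFalse, 3}, {Op::Ret, 0}, {Op::Add, 0}, {Op::Ret, 0}};
}

int main() {
    for (const auto& code : {earlyReturnInEntryBlock(), earlyReturnAfterBranch()}) {
        ParseResult r = parseBlocks(code);
        std::cout << r.blocks.size() << " block(s), "
                  << r.deadInstructions << " dead instruction(s)\n";
    }
    return 0;
}
```

For the entry-block case the parser yields one block covering instructions 0..1 and reports one dead instruction; for the branch-guarded case it yields three blocks and no dead code. The point is that block structure comes from reachability, not from where a return happens to sit in the bytecode stream.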