[Webkit-unassigned] [Bug 121710] REGRESSION(r153215): New iCloud site crashes
bugzilla-daemon at webkit.org
Fri Sep 20 15:10:37 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=121710
--- Comment #7 from Filip Pizlo <fpizlo at apple.com> 2013-09-20 15:09:42 PST ---
Lololololo. That's hilarious. We have:
12: CreateArguments(...)
// bunch of code that stores properties into the arguments, resulting in @12 having structure S
32: CreateArguments(@12)
// stuff
66: CheckStructure(@32, structure S)
The CFA for CreateArguments claims that it always returns an object with the arguments structure. That's totally wrong, if we have this CreateArguments(CreateArguments) - in that case it will return an object that has whatever structure the previous CreateArguments had.
The correct solution is to make:
case CreateArguments:
    forNode(node).set(
        m_graph, m_codeBlock->globalObjectFor(node->codeOrigin)->argumentsStructure());
    m_state.setHaveStructures(true);
    break;
instead be:
case CreateArguments:
    forNode(node).setType(SpecArguments);
    break;
That's somewhat pessimistic but it'll fix the bug. It's unlikely to hurt performance, but I would test first.
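The following is an added toy model of the analysis mistake described in the comment, not code from WebKit or from the comment's author. It replays the @12 / @32 / @66 IR under the buggy rule (CreateArguments always yields the arguments structure) and under the proposed fix (only the type is known), and compares both against the concrete behaviour, where CreateArguments(@12) hands back the already-created object. Assumptions: the property stores are collapsed into one "PutStructure" node, and a CheckStructure that the analysis believes can never pass is treated as making the rest of the block unreachable.

```python
# Added toy model of the CFA bug in the comment; not JSC code.
ARGUMENTS_STRUCTURE = "ArgumentsStructure"  # structure of a fresh arguments object
S = "S"                                     # structure after the property stores (from the comment)

# Constructed IR mirroring the comment; node 13 stands in for the property stores.
IR = [
    (12, "CreateArguments", ()),
    (13, "PutStructure", (12, S)),
    (32, "CreateArguments", (12,)),
    (66, "CheckStructure", (32, S)),
]

def run_cfa(ir, fixed):
    """Forward abstract interpretation over the IR.

    Abstract values are (type, structures); structures None means "unknown".
    Returns (values, reachable): reachable is False once the analysis decides
    a CheckStructure can never pass (assumed here to make the rest of the block dead).
    """
    values = {}
    for node_id, op, operands in ir:
        if op == "CreateArguments":
            # Buggy rule claims the arguments structure no matter what the operand
            # is; the fixed rule records only the type and leaves structure unknown.
            values[node_id] = ("SpecArguments", None if fixed else {ARGUMENTS_STRUCTURE})
        elif op == "PutStructure":
            target, struct = operands
            values[target] = (values[target][0], {struct})
        elif op == "CheckStructure":
            target, struct = operands
            typ, structs = values[target]
            if structs is None:
                values[target] = (typ, {struct})   # the check refines the value
            elif struct not in structs:
                return values, False              # check "proven" to always fail
    return values, True

def execute(ir):
    """Concrete semantics: CreateArguments(@x) hands back x's existing object."""
    objs = {}
    for node_id, op, operands in ir:
        if op == "CreateArguments":
            objs[node_id] = objs[operands[0]] if operands else {"structure": ARGUMENTS_STRUCTURE}
        elif op == "PutStructure":
            objs[operands[0]]["structure"] = operands[1]
        elif op == "CheckStructure":
            if objs[operands[0]]["structure"] != operands[1]:
                return False   # the real CheckStructure would bail out here
    return True
```

Under the buggy rule the analysis declares @66 unreachable even though the concrete run passes the check, which is exactly the kind of unsound conclusion that lets later code be treated as dead; the fixed rule keeps @66 live with @32 refined to structure S.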