[Webkit-unassigned] [Bug 139327] New: CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays

bugzilla-daemon at webkit.org
Fri Dec 5 17:07:55 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=139327

            Bug ID: 139327
           Summary: CFA wrongly assumes that a speculation for
                    SlowPutArrayStorageShape disallows ArrayStorageShape
                    arrays
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

The code generator speculation checks for SlowPutArrayStorageShape explicitly allow ArrayStorageShape arrays.  The runtime slow paths that handle SlowPutArrayStorageShape are also capable of handling ArrayStorageShape arrays.  As a result, the CFA may declare some basic blocks as unreachable though the code generator expects otherwise.
