[Webkit-unassigned] [Bug 127902] Fix the remaining regression caused by the jsCStack branch merge on Linux platforms
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Sun Mar 2 08:31:32 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=127902
--- Comment #18 from Zan Dobersek <zandobersek at gmail.com> 2014-03-02 08:28:35 PST ---
Disabling the canOptimize branch at build-time in JIT::compileLoadVarargs() avoids the problem, but is obviously not the solution.
I believe the generated JIT code for 'function g() { return f.apply(null, arguments); }' is missing the create_arguments opcode in the optimized path. Modifying the source to 'function g() { arguments; return f.apply(null, arguments); }' (as is the case with the h() function in the function-apply-many-args.js file) includes that opcode through BytecodeGenerator::local()[1] (via BytecodeGenerator::createArgumentsIfNecessary()) [2].
Calling BytecodeGenerator::createArgumentsIfNecessary() from BytecodeGenerator::emitCallVarargs()[3] fixes this, generating create_arguments which enables the canOptimize branch to function properly, and removing the crashes. Does that make sense?
[1] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1168
[2] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1613
[3] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1789
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list