[Webkit-unassigned] [Bug 127902] Fix the remaining regression caused by the jsCStack branch merge on Linux platforms

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 3 12:46:13 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=127902

--- Comment #20 from Zan Dobersek <zandobersek at gmail.com>  2014-03-03 12:43:16 PST ---
(In reply to comment #19)
> (In reply to comment #18)
> > Disabling the canOptimize branch at build-time in JIT::compileLoadVarargs() avoids the problem, but is obviously not the solution.
> > 
> > I believe the generated JIT code for 'function g() { return f.apply(null, arguments); }' is missing the create_arguments opcode in the optimized path. Modifying the source to 'function g() { arguments; return f.apply(null, arguments); }' (as is the case with the h() function in the function-apply-many-args.js file) includes that opcode through BytecodeGenerator::local()[1] (via BytecodeGenerator::createArgumentsIfNecessary()) [2]. 
> > 
> > Calling BytecodeGenerator::createArgumentsIfNecessary() from BytecodeGenerator::emitCallVarargs()[3] fixes this, generating create_arguments which enables the canOptimize branch to function properly, and removing the crashes. Does that make sense?
> > 
> > [1] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1168
> > [2] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1613
> > [3] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1789
> 
> f.apply(thing, arguments) should not instantiate the arguments object -- it should essentially just be doing a move

But is the canOptimize branch in JIT::compileLoadVarargs() expecting to operate on an existing arguments object or can it optimize without it? A move is obviously ideal, but there's nothing to move.
