[Webkit-unassigned] [Bug 127902] Fix the remaining regression caused by the jsCStack branch merge on Linux platforms

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 3 10:58:03 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=127902

--- Comment #19 from Oliver Hunt <oliver at apple.com>  2014-03-03 10:55:05 PST ---
(In reply to comment #18)
> Disabling the canOptimize branch at build-time in JIT::compileLoadVarargs() avoids the problem, but is obviously not the solution.
> 
> I believe the generated JIT code for 'function g() { return f.apply(null, arguments); }' is missing the create_arguments opcode in the optimized path. Modifying the source to 'function g() { arguments; return f.apply(null, arguments); }' (as is the case with the h() function in the function-apply-many-args.js file) includes that opcode through BytecodeGenerator::local()[1] (via BytecodeGenerator::createArgumentsIfNecessary()) [2]. 
> 
> Calling BytecodeGenerator::createArgumentsIfNecessary() from BytecodeGenerator::emitCallVarargs()[3] fixes this, generating create_arguments which enables the canOptimize branch to function properly, and removing the crashes. Does that make sense?
> 
> [1] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1168
> [2] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1613
> [3] http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp#L1789

f.apply(thing, arguments) should not instantiate the arguments object -- it should essentially just be doing a move
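The two function shapes discussed above, as an added regression-style harness that is not part of the bug report or of WebKit's own test suite. It follows the shape of a function-apply-many-args.js style test (call `f.apply(null, arguments)` with and without an explicit `arguments;` statement, repeatedly and with many argument counts, so a tiering JIT gets to compile the varargs path) and only checks observable behaviour: every argument must reach the callee regardless of whether the engine materializes the arguments object. It cannot show whether `create_arguments` was emitted; that needs the engine's bytecode dump. The names `f`, `g`, `h`, `makeArgs`, `checkForwarding` and `firstFailingArgCount` are chosen here.

```javascript
'use strict';
// Added example (not code from the bug report): exercise f.apply(null, arguments)
// forwarding, in the form that touches `arguments` and the form that does not.

// f: the callee. It records how many arguments arrived and sums them, so a
// dropped or garbled forwarded argument changes the returned value.
function f() {
  var sum = 0;
  for (var i = 0; i < arguments.length; i++) sum += arguments[i];
  return { count: arguments.length, sum: sum };
}

// g: the form from comment #18. `arguments` is only passed to apply, so an
// engine may legitimately skip creating the arguments object and just move
// the argument registers through.
function g() { return f.apply(null, arguments); }

// h: same call, but `arguments;` is referenced first (as in the h() function
// mentioned in the thread), which forces the arguments object to be created.
function h() { arguments; return f.apply(null, arguments); }

// Constructed sample input: an array of the integers 1..n.
function makeArgs(n) {
  var a = [];
  for (var i = 1; i <= n; i++) a.push(i);
  return a;
}

// Call g and h with n arguments `iterations` times (default 10000, enough for
// a tiering JIT to compile the hot path) and report whether every call
// forwarded all n arguments intact.
function checkForwarding(n, iterations) {
  var args = makeArgs(n);
  var expectedSum = n * (n + 1) / 2;
  var rounds = iterations || 10000;
  var ok = true;
  for (var iter = 0; iter < rounds; iter++) {
    var rg = g.apply(null, args);
    var rh = h.apply(null, args);
    if (rg.count !== n || rg.sum !== expectedSum) ok = false;
    if (rh.count !== n || rh.sum !== expectedSum) ok = false;
  }
  return ok;
}

// Sweep argument counts 0..maxArgs, including counts well beyond a typical
// inline register budget; returns the first failing count, or -1 if all pass.
function firstFailingArgCount(maxArgs) {
  for (var n = 0; n <= maxArgs; n++) {
    if (!checkForwarding(n, 2000)) return n;
  }
  return -1;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('first failing arg count: ' + firstFailingArgCount(64));
}
```

On a correct engine `firstFailingArgCount` returns -1 for both shapes; on a build with the regression described in the thread, the miscompiled varargs path shows up either as a wrong count/sum from `g` or as a crash, while `h` (which forces the arguments object) keeps working.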
