[Webkit-unassigned] [Bug 143960] REGRESSION (r182899): icloud.com crashes
bugzilla-daemon at webkit.org
Mon Apr 20 14:55:36 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=143960
--- Comment #3 from Basile Clement <basile_clement at apple.com> ---
(In reply to comment #2)
> Comment on attachment 251185 [details]
> Possible patch, regression test forthcoming
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=251185&action=review
>
> > Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp:113
> > + case AllocationProfileWatchpoint: {
> > + InlineWatchpointSet* watchpointSet = m_node->castOperand<JSFunction*>()->allocationProfileWatchpointSet();
> > + if (watchpointSet)
> > + addLazily(*watchpointSet);
> > break;
> > + }
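Review bot: the `if (watchpointSet)` guard before `addLazily(*watchpointSet)` turns a violated invariant into silently unprotected compiled code: when the set is null the DFG proceeds without the watchpoint that would invalidate the code once the allocation profile changes, so the compiled function keeps running with stale assumptions. Since the reply below states that a node with `AllocationProfileWatchpoint` only exists when the function has rare data (and therefore a non-null set), replace the check with an assertion, e.g. `ASSERT(watchpointSet);` followed by `addLazily(*watchpointSet);`, so a null set fails loudly in debug builds instead of producing wrong code, and address the root cause (the overly aggressive profile clearing when `.prototype` is overwritten) in a separate change with a regression test.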
>
> If watchpointSet is null, the compiler will fail to add a necessary
> watchpoint, which means that we'll end up with incorrect code if the
> watchpoint fires.
>
> Can we ASSERT that watchpointSet is not null instead of checking?
>
> What guarantees that it will not be null?
If the watchpointSet is null, it means there is no rare data and thus there shouldn't be an AllocationProfileWatchpoint for this node.
At least that was the case before I made the allocation profile clearing too aggressive when the .prototype is overwritten.
This can only appear in the case of a singleton constructor whose prototype is overwritten after having been already constructed in the DFG, then constructed again, so no wonder the test cases did not catch this.
I am writing a proper fix now.