[Webkit-unassigned] [Bug 140097] New: CreateArguments should take a LexicalEnvironment as a parameter
bugzilla-daemon at webkit.org
Mon Jan 5 14:03:22 PST 2015
https://bugs.webkit.org/show_bug.cgi?id=140097
Bug ID: 140097
Summary: CreateArguments should take a LexicalEnvironment as a
parameter
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
After https://bugs.webkit.org/show_bug.cgi?id=139827, a few tests will start failing. One of them is arguments.js, which can be run this way:
$ jsc --useFTLJIT=false --enableFunctionDotArguments=true --enableConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --thresholdForJITAfterWarmUp=10 --thresholdForJITSoon=10 --thresholdForOptimizeAfterWarmUp=20 --thresholdForOptimizeAfterLongWarmUp=20 --thresholdForOptimizeSoon=20 --thresholdForFTLOptimizeAfterWarmUp=20 --thresholdForFTLOptimizeSoon=20 resources/standalone-pre.js arguments.js resources/standalone-post.js
The relevant code is as follows:
    function tear_off_live_2(a, b, c)
    {
        var args = arguments;      // arguments object outlives this frame (tear-off)
        return function()
        {
            args[1] = 2;           // mapped arguments: must write through to the captured b
            return b;
        };
    }
In the generated DFG IR, the fact that CreateArguments relies on the result of CreateActivation is not explicitly spelled out. CreateArguments relies on the created activation (aka LexicalEnvironment) having been stored in the designated lexicalEnvironment local previously. However, without knowing that CreateArguments relies on that local value, CFA declares the store of that local unnecessary and dead code elimination removes it. As a result, the Arguments factory crashes when it uses the lexicalEnvironment local but discovers that it is uninitialized.
The fix is to pass the result of CreateActivation to CreateArguments as an argument instead of having it implicitly load the lexicalEnvironment from its designated local.