[Webkit-unassigned] [Bug 140097] New: CreateArguments should take a LexicalEnvironment as a parameter

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 5 14:03:22 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=140097

            Bug ID: 140097
           Summary: CreateArguments should take a LexicalEnvironment as a
                    parameter
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

After https://bugs.webkit.org/show_bug.cgi?id=139827, a few tests will start failing. One of them is arguments.js, which can be run this way:

$ jsc --useFTLJIT=false --enableFunctionDotArguments=true --enableConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --thresholdForJITAfterWarmUp=10 --thresholdForJITSoon=10 --thresholdForOptimizeAfterWarmUp=20 --thresholdForOptimizeAfterLongWarmUp=20 --thresholdForOptimizeSoon=20 --thresholdForFTLOptimizeAfterWarmUp=20 --thresholdForFTLOptimizeSoon=20 resources/standalone-pre.js arguments.js resources/standalone-post.js

The relevant code is as follows:

    function tear_off_live_2(a, b, c)
    {
        var args = arguments;
        return function()
        {
            args[1] = 2;
            return b;
        };
    }

In the generated DFG IR, the fact that CreateArguments relies on the result of CreateActivation is not explicitly spelled out. CreateArguments relies on the created activation (aka LexicalEnvironment) having been stored in the designated lexicalEnvironment local previously. However, without knowing that CreateArguments relies on that local value, CFA declares the store of that local unnecessary and dead code elimination removes it. As a result, the Arguments factory crashes when it uses the lexicalEnvironment local but discovers that it is uninitialized.

The fix is to pass the result of CreateActivation to CreateArguments as an argument instead of having it implicitly load the lexicalEnvironment from its designated local.
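To make the dependency problem concrete, here is a toy model of the "DCE removes the store, then the consumer crashes" sequence described above. It is an added example written for this page, not JavaScriptCore code: the op names mirror the DFG nodes named in the report, but the graph, the DCE pass and the tiny interpreter are constructed stand-ins with no relation to the real DFG implementation.

```javascript
// Constructed toy IR (not JSC's DFG): each node lists its explicit operands;
// with explicitDependency=false, CreateArguments reads a local implicitly (the bug).
function buildGraph(explicitDependency) {
  return [
    { id: 'act', op: 'CreateActivation', operands: [] },
    { id: 'store', op: 'SetLocal', operands: ['act'], local: 'lexicalEnvironment' },
    { id: 'args', op: 'CreateArguments', operands: explicitDependency ? ['act'] : [],
      implicitRead: explicitDependency ? null : 'lexicalEnvironment' },
    { id: 'ret', op: 'Return', operands: ['args'] },
  ];
}

// Dead-code elimination that only follows explicit operands back from Return.
// It cannot see the implicit read, so SetLocal and CreateActivation look unused.
function eliminateDeadCode(nodes) {
  const byId = new Map(nodes.map(n => [n.id, n]));
  const live = new Set();
  const work = nodes.filter(n => n.op === 'Return').map(n => n.id);
  while (work.length) {
    const id = work.pop();
    if (live.has(id)) continue;
    live.add(id);
    work.push(...byId.get(id).operands);
  }
  return nodes.filter(n => live.has(n.id));
}

// Executes the surviving nodes; reading an uninitialized local stands in for the crash.
function run(nodes) {
  const locals = {}, values = {};
  for (const n of nodes) {
    switch (n.op) {
      case 'CreateActivation': values[n.id] = { kind: 'LexicalEnvironment' }; break;
      case 'SetLocal': locals[n.local] = values[n.operands[0]]; break;
      case 'CreateArguments': {
        const env = n.implicitRead ? locals[n.implicitRead] : values[n.operands[0]];
        if (env === undefined) throw new Error('uninitialized lexicalEnvironment');
        values[n.id] = { kind: 'Arguments', env };
        break;
      }
      case 'Return': return values[n.operands[0]];
    }
  }
}

// Reports which ops survived DCE and either the result or the failure.
function compileAndRun(explicitDependency) {
  const optimized = eliminateDeadCode(buildGraph(explicitDependency));
  const kept = optimized.map(n => n.op);
  try { return { kept, result: run(optimized) }; }
  catch (e) { return { kept, error: e.message }; }
}
```

Running `compileAndRun(false)` drops the SetLocal and fails in CreateArguments, while `compileAndRun(true)` keeps CreateActivation alive through the explicit operand and succeeds.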
