[Webkit-unassigned] [Bug 147250] DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from

bugzilla-daemon at webkit.org
Thu Jul 23 19:51:15 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=147250

--- Comment #1 from Filip Pizlo <fpizlo at apple.com> ---
Oh man, this is super hard to test.  We end up not hoisting MultiGetByOffset in LICM in any of the situations where safeToExecute() would have been wrong - if the loop is responsible for adding or removing the property that is being loaded, then it will appear to clobber JSCell_structure or the property.  This means that if MultiGetByOffset relies on some CheckStructure to prove the presence of a property in a prototype, then that CheckStructure will be hoisted anytime that MultiGetByOffset is hoisted.
