[Webkit-unassigned] [Bug 147250] DFG::safeToExecute() is wrong for MultiGetByOffset, doesn't consider the structures of the prototypes that get loaded from
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jul 23 19:56:58 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=147250
--- Comment #2 from Filip Pizlo <fpizlo at apple.com> ---
It just occurred to me that there's a tremendously simple solution: don't use MultiGetByOffset for prototype loads if the field in the prototype isn't constant-inferred. That means we don't have to do any kind of checks on the prototype to guarantee the safety of MultiGetByOffset's execution.
Another solution is to prevent hoisting of MutliGetByOffset's whose prototype properties are not constant-inferred.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150724/ee95483b/attachment.html>
More information about the webkit-unassigned
mailing list