[Webkit-unassigned] [Bug 143104] REGRESSION: js/regress/inline-arguments-local-escape.html is flaky

Mon Mar 30 08:51:44 PDT 2015

https://bugs.webkit.org/show_bug.cgi?id=143104

--- Comment #4 from Filip Pizlo <fpizlo at apple.com> ---
Turns out to be a pretty bad bug.  PreciseLocalClobberize's readTop() method is totally wrong for accesses to "escaped" arguments.  There are a handful of ways to fix this and I'll investigate.  Here's a version of the test that crashes every time:


function foo() {
    return arguments;
}

function bar(a, b, c, i) {
    var a = foo(b, c, 42);
    return a[i];
}

noInline(bar);

var expected = [2, 3, 42];
for (var i = 0; i < 10000; ++i) {
    var result = bar(1, 2, 3, i % 3);
    if (result != expected[i % 3])
        throw "Error: bad result: " + result;
}

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150330/025fe934/attachment-0002.html>