[Webkit-unassigned] [Bug 144945] New: The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness
bugzilla-daemon at webkit.org
Tue May 12 21:57:30 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=144945
Bug ID: 144945
Summary: The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fpizlo at apple.com
This fails every time, because in the continuation after the ternary expression in foo(), we have materialized the activation if p was true but we haven't done so if p was false. We think that we don't need to place a materialization point on the false path (or to avoid sinking entirely) because we don't realize that the activation is still live after the ternary. We don't know that it's live because we're using DFG liveness instead of both DFG and bytecode liveness.
function foo(p) {
    var result = 0;
    var o = {valueOf: function() { result = 1; }};
    var q = {f: p ? o : 42};
    var tmp = q.f + 1;
    return result;
}
noInline(foo);

for (var i = 0; i < 10000; ++i) {
    var result = foo(false);
    if (result !== 0)
        throw "Error: bad result: " + result;
}

var result = foo(true);
if (result !== 1)
    throw "Error: bad result at end: " + result;