[Webkit-unassigned] [Bug 144945] The liveness pruning done by ObjectAllocationSinkingPhase ignores the possibility of an object's bytecode liveness being longer than its DFG liveness
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed May 13 11:01:35 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=144945
--- Comment #3 from Filip Pizlo <fpizlo at apple.com> ---
Another test:
var global = null;
function foo(p, q) {
var o = {f:42};
if (p)
global = o;
var tmp = q + 1;
return o.f + tmp;
}
noInline(foo);
var lastObject = null;
function validateEscape(when) {
if (global === lastObject)
throw "Error: bad value in global " + when + ", identical to lastObject.";
if (global === null || !(typeof global == "object"))
throw "Error: bad value in global " + when + ": it's not an object.";
if (global.f != 42)
throw "Error: bad value in global " + when + ": f isn't 42, it's: " + global.f;
lastObject = global;
global = null;
}
for (var i = 0; i < 10000; ++i) {
var escape = !!(i & 1);
var result = foo(escape, 42);
if (result != 42 + 42 + 1)
throw "Error: bad result: " + result;
if (escape)
validateEscape("in loop");
else if (global !== null)
throw "Error: bad value in global: " + global;
}
var result = foo(true, 2147483647);
if (result != 42 + 2147483647 + 1)
throw "Error: bad result at end: " + result;
validateEscape("at end");
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150513/8cac2c0f/attachment.html>
More information about the webkit-unassigned
mailing list