[Webkit-unassigned] [Bug 160870] Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h
bugzilla-daemon at webkit.org
Sun Aug 21 11:19:52 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=160870
Saam Barati <sbarati at apple.com> changed:
What                     |Removed |Added
----------------------------------------------------------------------------
Attachment #286310 Flags |review? |review-
--- Comment #16 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 286310
--> https://bugs.webkit.org/attachment.cgi?id=286310
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=286310&action=review
> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2003
> + if (m_phiChildren) {
> + m_phiChildren->forAllTransitiveIncomingValues(
> + m_graph.varArgChild(node, 0).node(),
> + [&] (Node* incoming) {
> + set.add(incoming->castConstant<Structure*>());
> + });
> + }
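Review bot: The if (m_phiChildren) guard that opens this hunk has no else branch, so when m_phiChildren is null the forAllTransitiveIncomingValues callback never runs and set gets nothing added by these lines. The guard stops the null member call, but the null case should be handled explicitly, for example with an else branch that produces a conservative result rather than whatever set already held, plus a short comment stating when m_phiChildren can be null at this point.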
Filip recently added code that will add MaterializeNewObject into the IR even when we're not in SSA.
This is when we do RegExp constant folding on various RegExp operations, like RegExp.prototype.exec.
That said, I don't think this code is correct when we're not in SSA form. For example, I think you're saying
that the result of this node is the emptySet of structures when we're not in SSA. That's not what we want.
If anything, if we can't give a specific result filled with structure sets, we probably want to widen our result
type to just arbitrary Object or something similar to that. However, maybe there are other methods in which
we can attain the Structure(s) that this produces in non-SSA form.
Filip, what do you think?