[Webkit-unassigned] [Bug 153422] [b3] REGRESSION(r195395): testComplex(64, 128) asserts on Linux with GCC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 28 14:45:27 PST 2016


https://bugs.webkit.org/show_bug.cgi?id=153422

--- Comment #10 from Yusuke Suzuki <utatane.tea at gmail.com> ---
(In reply to comment #9)
> (In reply to comment #8)
> > I found an interesting thing here. This bug isn't valid if I build 
> > JSC with Clang (3.6). But the crash happens with GCC 4.9 and 5.2 too.
> > 
> > It might be a compiler bug, or maybe the new code introduced
> > in r195395 relies on some non-standard Clang behaviour.
> > 
> > By the way, it's not "good" that we try to get the 164th element
> > from a null-sized vector. The question is why is it null-sized.
> 
> Fascinating.  We'll need to get a bot to run testb3 and testair so that we
> can catch these things.  It would be great to have such a bot on Linux,
> compiling with GCC.
> 
> I'm really curious what causes this bug.

I've found the issue.
See B3FixSSA.cpp's `for (Value* value : values.values(proc.values())) {`

proc.values() returns a ValuesCollection (not a reference!). But values.values takes a const ValueCollection&. And later it produces an IndexSet<Value>::Iterable<Procedure::ValuesCollection>, which holds the const ValueCollection& as its member.

But the IndexSet<Value>::Iterable<Procedure::ValuesCollection> is just an instance. So after creating it, the lifetime of the object behind that const ValueCollection& has already ended!

Easy example:

#include <string>

class A {
public:
    A(const std::string& value) : m_string(value) { }
    const std::string& m_string;  // reference member: does not extend the referent's lifetime
};

A a(std::string("Value"));
// Here, the temporary std::string has been destroyed at the end of the
// full-expression, so a.m_string is already a dangling reference.

So I think the behavior of GCC is correct.
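As an added illustration (not code from the bug report or from WebKit), the following reproduces the lifetime problem described above with a constructed Collection type and contrasts the by-reference wrapper with two safe alternatives. It observes the destruction of the temporary through a live-instance counter instead of reading through the dangling reference; the names IterableByRef, IterableByValue and Collection are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <utility>

// Constructed helper: counts live instances so the outcome can be observed
// without ever dereferencing a dangling reference (which would be UB).
struct Collection {
    static int liveCount;
    std::string payload;
    explicit Collection(std::string p) : payload(std::move(p)) { ++liveCount; }
    Collection(const Collection& o) : payload(o.payload) { ++liveCount; }
    Collection(Collection&& o) noexcept : payload(std::move(o.payload)) { ++liveCount; }
    ~Collection() { --liveCount; }
};
int Collection::liveCount = 0;

// Mirrors the Iterable in the message: binds a const& and keeps it as a member.
// Binding a temporary to this parameter does NOT extend the temporary's life.
struct IterableByRef {
    explicit IterableByRef(const Collection& c) : m_collection(c) { }
    const Collection& m_collection;
};

// Hardened form: the wrapper owns its collection, so the referent lives as
// long as the wrapper does.
struct IterableByValue {
    explicit IterableByValue(Collection c) : m_collection(std::move(c)) { }
    Collection m_collection;
};

// Live Collections right after the temporary is bound into a by-reference
// wrapper: 0 means m_collection already dangles at this point.
int liveAfterBindingByRef() {
    IterableByRef it(Collection("values")); // temporary dies at the end of this statement
    (void)it;                               // never read it.m_collection: it is dangling
    return Collection::liveCount;           // 0
}

// Same binding with the owning wrapper: the collection is still alive.
int liveAfterBindingByValue() {
    IterableByValue it(Collection("values"));
    return Collection::liveCount;           // 1
}

// Alternative fix when a reference member is wanted: name the collection so
// its lifetime spans every use of the wrapper (the B3 loop's `proc.values()`
// result would be stored in a local before iterating).
std::size_t iterateWithNamedLocal() {
    Collection values("values");
    IterableByRef it(values);
    return it.m_collection.payload.size();  // 6, no dangling reference
}
```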
