[Webkit-unassigned] [Bug 179835] New: The recursive tail call optimisation is wrong on closures

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=179835

            Bug ID: 179835
           Summary: The recursive tail call optimisation is wrong on
                    closures
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: rmorisset at apple.com

Created attachment 327215

  --> https://bugs.webkit.org/attachment.cgi?id=327215&action=review

testcase: merge-sort-cps.js

We speculate on the executable of the callee, instead of the callee itself. And two different instances of a closure share the same executable even when they have different captured variables.
This bug manifests as a non-deterministic infinite loop in merge-sort-cps.js (attached).
This happens when the only value that has been seen for cont in "cont(result)" is the "(right) => {..}" closure, because it is then turned into an infinite loop.

The problem is in the use of emitFunctionChecks: that function only checks the executable of the callee. If we checked for the callee itself in the case of closures, there would be no such problems.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20171117/e9e7bdd0/attachment.html>