[Webkit-unassigned] [Bug 199527] New: Coverity flagged likely copy/paste error in DFGArgumentEliminationPhase
bugzilla-daemon at webkit.org
Fri Jul 5 12:49:55 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=199527
Bug ID: 199527
Summary: Coverity flagged likely copy/paste error in
DFGArgumentEliminationPhase
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mcatanzaro at igalia.com
CC: ysuzuki at apple.com
Coverity has flagged this code from r226033 "[FTL] NewArrayBuffer should be sinked if it is only used for spreading" in ArgumentsEliminationPhase::eliminateCandidatesThatEscape as a likely copy/paste error:

    case LoadVarargs:
        if (node->loadVarargsData()->offset && (node->child1()->op() == NewArrayWithSpread || node->child1()->op() == Spread || node->child1()->op() == NewArrayBuffer))
            escape(node->child1(), node);
        break;

    case CallVarargs:
    case ConstructVarargs:
    case TailCallVarargs:
    case TailCallVarargsInlinedCaller:
        escape(node->child1(), node);
        escape(node->child2(), node);
        if (node->callVarargsData()->firstVarArgOffset && (node->child3()->op() == NewArrayWithSpread || node->child3()->op() == Spread || node->child1()->op() == NewArrayBuffer)) // <-- likely error here
            escape(node->child3(), node);
        break;

It looks like this was probably supposed to be node->child3()->op() == NewArrayBuffer, but I don't pretend to understand anything under Source/JavaScriptCore. Yusuke should look at it.
--
You are receiving this mail because:
You are the assignee for the bug.
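
Added example, not part of the original report and not WebKit code: a toy C++ model that enumerates the operand combinations on which the condition quoted in the report and the condition the reporter suggests disagree. The `Op` enum, the `Other` value and all function names are assumptions made for illustration, and the two operands are treated as independent values.

```cpp
// Added illustration: toy model, not JavaScriptCore code. All names are assumptions.
#include <cstdio>
#include <vector>

enum Op { NewArrayWithSpread, Spread, NewArrayBuffer, Other }; // Other: any other node type

struct Operands { Op child1; Op child3; };

// One predicate over one operand: the operand is named once, so it cannot be mixed up.
static bool isSpreadSource(Op op)
{
    return op == NewArrayWithSpread || op == Spread || op == NewArrayBuffer;
}

// Condition as quoted in the report: the last comparison reads child1.
static bool flaggedCondition(bool firstVarArgOffset, Op child1, Op child3)
{
    return firstVarArgOffset && (child3 == NewArrayWithSpread || child3 == Spread || child1 == NewArrayBuffer);
}

// Condition as the reporter suggests: every comparison reads child3.
static bool suggestedCondition(bool firstVarArgOffset, Op child3)
{
    return firstVarArgOffset && isSpreadSource(child3);
}

// Try every (child1, child3) pair with a nonzero offset and keep the disagreements.
static std::vector<Operands> disagreements()
{
    std::vector<Operands> out;
    const Op all[] = { NewArrayWithSpread, Spread, NewArrayBuffer, Other };
    for (Op c1 : all)
        for (Op c3 : all)
            if (flaggedCondition(true, c1, c3) != suggestedCondition(true, c3))
                out.push_back({ c1, c3 });
    return out;
}

int main()
{
    for (const Operands& d : disagreements())
        std::printf("child1=%d child3=%d flagged=%d suggested=%d\n", d.child1, d.child3,
            flaggedCondition(true, d.child1, d.child3), suggestedCondition(true, d.child3));
}
```

In this model the two conditions differ in both directions: the flagged form skips the `escape` call when only `child3` is `NewArrayBuffer`, and makes it when only `child1` is.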