[Webkit-unassigned] [Bug 203603] New: codeBlock->expressionRangeForBytecodeIndex() returns wrong range for op_get_from_scope

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 30 02:46:13 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=203603

            Bug ID: 203603
           Summary: codeBlock->expressionRangeForBytecodeIndex() returns
                    wrong range for op_get_from_scope
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tuomas.webkit at apple.com

Created attachment 382291

  --> https://bugs.webkit.org/attachment.cgi?id=382291&action=review

repro case

for the JavaScript:

> for (var i = 0; i < 10; ++i) {}

the bytecode is:

> <global>#DECxqq:[0x1139a0000->0x1139a8000, NoneGlobal, 95]: 21 instructions (0 16-bit instructions, 0 32-bit instructions, 9 instructions with metadata); 203 bytes (108 metadata bytes); 1 parameter(s); 10 callee register(s); 6 variable(s); scope at loc4
> [   0] enter
> [   1] get_scope          loc4
> [   3] mov                loc5, loc4
> [   6] check_traps
> [   7] mov                loc6, Undefined(const0)
> [  10] mov                loc6, Undefined(const0)
> [  13] resolve_scope      loc7, loc4, 0, GlobalProperty, 0
> [  20] put_to_scope       loc7, 0, Int32: 0(const1), 1048576<DoNotThrowIfNotFound|GlobalProperty|Initialization>, 0, 0
> [  28] resolve_scope      loc7, loc4, 0, GlobalProperty, 0
> [  35] get_from_scope     loc8, loc7, 0, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
> [  43] jnless             loc8, Int32: 10(const2), 50(->93)
> [  47] loop_hint
> [  48] check_traps
> [  49] resolve_scope      loc7, loc4, 0, GlobalProperty, 0
> [  56] get_from_scope     loc8, loc7, 0, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
> [  64] inc                loc8
> [  66] put_to_scope       loc7, 0, loc8, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
> [  74] resolve_scope      loc7, loc4, 0, GlobalProperty, 0
> [  81] get_from_scope     loc8, loc7, 0, 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 0, 0
> [  89] jless              loc8, Int32: 10(const2), -42(->47)
> [  93] end                loc6
> 
> Identifiers:
>   id0 = i
> 
> Constants:
>    k0 = Undefined
>    k1 = Int32: 0: in source as integer
>    k2 = Int32: 10: in source as integer

output of codeBlock->unlinkedCodeBlock()->dumpExpressionRangeInfo() is:

> UnlinkedCodeBlock 0x107aa4000 expressionRangeInfo[6] {
>   [0] pc 20 @ line 0 col 12 : op_put_to_scope
>   [1] pc 28 @ line 0 col 17 : op_resolve_scope
>   [2] pc 43 @ line 0 col 16 : op_jnless
>   [3] pc 49 @ line 0 col 27 : op_resolve_scope
>   [4] pc 74 @ line 0 col 17 : op_resolve_scope
>   [5] pc 89 @ line 0 col 16 : op_jless
> }

for the op_get_from_scope at #56, codeBlock->expressionRangeForBytecodeIndex returns:

divot: 27, startOffset: 3, endOffset: 0, source: '++i'

afaik, the correct source would be just 'i'

for

> for (var i = 0; i < 10; i++) {}

there is an op_get_from_scope for 'i++' with the divot at the 'i'

for

> for (var i = 0; i < 10; i+=1) {}

the source is just 'i'

the bytecode for the ++i and i++ is identical, and the only difference in the i+=1 case is that the 'inc' is replaced with an 'add'

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191030/13d0da10/attachment.htm>

More information about the webkit-unassigned mailing list