[Webkit-unassigned] [Bug 211881] JavascriptCore crashed cause of Inappropriate optimization

bugzilla-daemon at webkit.org
Fri May 15 02:08:50 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=211881

--- Comment #5 from szwgg <5n1p3r0010 at gmail.com> ---
I wonder if this could help? (I'm not familiar with the IR in JSC.)

Use env JSC_dumpDFGDisassembly=true

B3 after eliminateDeadCode, before generation:
b3  BB#0: ; frequency = 1.000000
b3      Int64 b@13 = FramePointer()
b3      Int64 b@19 = Const64(140736183682176)
b3      Void b@20 = Store($140736183682176(b@19), b@13, offset = 16, ControlDependent|Writes:125)
b3      Void b@21 = Patchpoint(b@13:SomeRegister, generator = 0x7ffff2961930, earlyClobbered = [%r11], lateClobbered = [%r11], usedRegisters = [], resultConstraints = WarmAny, numGPScratchRegisters = 1, ExitsSideways|ControlDependent|WritesPinned|ReadsPinned|Fence|Writes:Top|Reads:Top)
b3      Int64 b@30 = Const64(140737263468600, D@1)
b3      Int64 b@29 = Load($140737263468600(b@30), offset = -16, ControlDependent|Reads:129, D@4)
b3      Int64 b@31 = Load($140737263468600(b@30), ControlDependent|Reads:130, D@1)
b3      Int64 b@15 = Const64(-562949953421312)
b3      Int32 b@32 = Below(b@31, $-562949953421312(b@15), D@5)
b3      Void b@33 = Check(b@32:WarmAny, b@31:ColdAny, b@29:ColdAny, b@31:ColdAny, generator = 0x7fffafbff240, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@5)
b3      Int32 b@34 = Trunc(b@31, D@5)
b3      Int32 b@35 = Const32(1337, D@18)
b3      Int32 b@36 = LessThan(b@34, $1337(b@35), D@13)
b3      Void b@37 = Patchpoint(b@29:ColdAny, b@34:ColdAny, generator = 0x7ffff29443c0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraints = WarmAny, ExitsSideways|WritesPinned|ReadsPinned|Fence|Reads:Top, D@23)
b3      Void b@18 = Branch(b@36, Terminal, D@12)
b3    Successors: Then:#1, Else:#3
b3  BB#1: ; frequency = 10.000000
b3    Predecessors: #0, #1
b3      Void b@41 = Patchpoint(b@29:ColdAny, b@34:ColdAny, generator = 0x7ffff29443c0, earlyClobbered = [], lateClobbered = [], usedRegisters = [], resultConstraints = WarmAny, ExitsSideways|WritesPinned|ReadsPinned|Fence|Reads:Top, D@23)
b3      Void b@17 = Branch(b@36, Terminal, D@12)
b3    Successors: Then:#1, Else:#3
b3  BB#3: ; frequency = 1.000000
b3    Predecessors: #0, #1
b3      Int64 b@24 = Const64(10, D@11)
b3      Void b@42 = Return($10(b@24), Terminal, D@10)
b3  Has Quirks: True
b3  Stack slots:
b3      stack0: byteSize = 40, offsetFromFP = 0


Here:
b3      Void b@33 = Check(b@32:WarmAny, b@31:ColdAny, b@29:ColdAny, b@31:ColdAny, generator = 0x7fffafbff240, earlyClobbered = [], lateClobbered = [], usedRegisters = [], ExitsSideways|Reads:Top, D@5)
I'm not quite sure which local symbol is the function test(), but I think maybe we should check 3 symbols' side effects here, including function test(), but actually we only check 2. So are we missing a check for function test()?
