[Webkit-unassigned] [Bug 258552] New: iterator_next becomes undefined in baselineJIT after bailout from DFG
bugzilla-daemon at webkit.org
Tue Jun 27 02:28:02 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=258552
Bug ID: 258552
Summary: iterator_next becomes undefined in baselineJIT after bailout from DFG
Product: WebKit
Version: WebKit Nightly Build
Hardware: PC
OS: Linux
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ChristineWillice at gmail.com
I found a bug which may be related to bailout.
test.js:

```javascript
// Reproducer: the same loop is tiered up from the interpreter to the baseline
// JIT and then to the DFG; after a DFG bailout the destructuring
// `let [, v17] = v5` throws TypeError back in the baseline JIT.
for (let v0 = 0; v0 < 100; v0++) {
  try {
    const v5 = new Int8Array(v0);
    function f6(a7, a8) {}
    let v13 = 0;
    do {
      v13++;
    } while (v13 < 6);
    let [, v17] = v5;          // compiled to op_iterator_open / op_iterator_next
    const v18 = v5[v0];
    try {
      f6(Int8Array, Function, ...v5);
    } catch (e20) {}
    print(v0);                 // `print` is the jsc shell's output function
  } catch (e29) { print(e29); }
}
```
JSC commit id: 269f0e8b5e51910decd0f6d55a87bac7f5ec4eb8
Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0 --useFTLJIT=0
JSC should print 0-99, but in baselineJIT after bailout, JSC throws TypeError: undefined is not a function (near '...[, v17]...').
I debugged JSC and located it in JITCall.cpp `JIT::emit_op_iterator_next`.
`JIT::emit_op_iterator_next` invokes `compileOpCall<OpIteratorNext>(instruction, m_callLinkInfoIndex++)`, and in compileOpCall JSC gets `callee` from Stack(VirtualRegister -14). I found `callee` is 0xa (undefined) after bailout from DFG.
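Added example (not from the bug report or from WebKit): the iterator-protocol calls that `let [, v17] = v5` expands to, written out by hand. `makeTracedIterable` and `destructureSecond` are constructed names; the `next` function cached at iterator-open time is the callee that `op_iterator_next` later invokes, and it is that cached callee the report finds undefined after the DFG bailout.

```javascript
// Constructed helper: an iterable that records every protocol call it receives.
function makeTracedIterable(values, trace) {
  return {
    [Symbol.iterator]() {
      trace.push("iterator()");
      let i = 0;
      return {
        next() {
          trace.push(`next(${i})`);
          return i < values.length ? { value: values[i++], done: false }
                                   : { value: undefined, done: true };
        },
        return() {
          trace.push("return()");
          return { done: true };
        },
      };
    },
  };
}

// Explicit form of `let [, second] = iterable` (array pattern: elision, one target).
function destructureSecond(iterable) {
  // op_iterator_open: call @@iterator and fetch `next` once; every later
  // op_iterator_next calls this same cached function.
  const iterator = iterable[Symbol.iterator]();
  const next = iterator.next;
  if (typeof next !== "function") {
    // What the engine reports when the cached callee is not callable.
    throw new TypeError("undefined is not a function");
  }
  let result = next.call(iterator);        // step for the elided element
  let second;
  if (!result.done) {
    result = next.call(iterator);          // step for v17
    second = result.done ? undefined : result.value;
  }
  // Pattern exhausted before the iterator is: spec requires IteratorClose.
  if (!result.done && typeof iterator.return === "function") iterator.return();
  return second;
}
```

Works on a real typed array too: `destructureSecond(new Int8Array([7, 8, 9]))` yields 8.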