<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Function allocation sinking works for wrong reasons"
   href="https://bugs.webkit.org/show_bug.cgi?id=144176">144176</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Function allocation sinking works for wrong reasons
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>basile_clement&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>It is by design that we don't support sinking of function allocation through any related operations.
Object allocation, however, does sink through field assignment (PutByOffset etc.), so we have a check that is supposed to prevent function allocations from sinking through these.

However that check is misguided and (a) do not prevent function allocation sinking through field assignment and (b) ensures that if a function allocation ever sinks through a PutByOffset, very bad things happen instead.
Fortunately, PutByOffset (and their relatives) require first allocating a custom structure for the JSFunction object, thus the PutByOffset will always be preceded by an AllocatePropertyStorage through which no allocation can sink, and materialization would always be triggered before the PutByOffset - so this works by chance.

Anyway, this should be done the proper way, and I will submit a patch soon to prevent properly have checks preventing function allocation sinking through PutByOffset et al.</pre>
        </div>
      </p>
      <hr>
      <span>You are receiving this mail because:</span>
      
      <ul>
          <li>You are the assignee for the bug.</li>
      </ul>
    </body>
</html>