<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><span class="vcard"><a class="email" href="mailto:sbarati&#64;apple.com" title="Saam Barati &lt;sbarati&#64;apple.com&gt;"> <span class="fn">Saam Barati</span></a>
</span> changed
              <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h"
   href="https://bugs.webkit.org/show_bug.cgi?id=160870">bug 160870</a>
        <br>
             <table border="1" cellspacing="0" cellpadding="8">
          <tr>
            <th>What</th>
            <th>Removed</th>
            <th>Added</th>
          </tr>

         <tr>
           <td style="text-align:right;">Attachment #286310 Flags</td>
           <td>review?
           </td>
           <td>review-
           </td>
         </tr></table>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h"
   href="https://bugs.webkit.org/show_bug.cgi?id=160870#c16">Comment # 16</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - Member call on NULL pointer in JavaScriptCore/dfg/DFGAbstractInterpretterInlines.h"
   href="https://bugs.webkit.org/show_bug.cgi?id=160870">bug 160870</a>
              from <span class="vcard"><a class="email" href="mailto:sbarati&#64;apple.com" title="Saam Barati &lt;sbarati&#64;apple.com&gt;"> <span class="fn">Saam Barati</span></a>
</span></b>
        <pre>Comment on <span class=""><a href="attachment.cgi?id=286310&amp;action=diff" name="attach_286310" title="Patch">attachment 286310</a> <a href="attachment.cgi?id=286310&amp;action=edit" title="Patch">[details]</a></span>
Patch

View in context: <a href="https://bugs.webkit.org/attachment.cgi?id=286310&amp;action=review">https://bugs.webkit.org/attachment.cgi?id=286310&amp;action=review</a>

<span class="quote">&gt; Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2003
&gt; +        if (m_phiChildren) {
&gt; +            m_phiChildren-&gt;forAllTransitiveIncomingValues(
&gt; +                m_graph.varArgChild(node, 0).node(),
&gt; +                [&amp;] (Node* incoming) {
&gt; +                    set.add(incoming-&gt;castConstant&lt;Structure*&gt;());
&gt; +                });
&gt; +        }</span >
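
Review bot: the if (m_phiChildren) guard at the top of this hunk has no else branch, so when
m_phiChildren is null nothing is added to set on that path. Please handle the null case explicitly,
either with a conservative fallback or with a comment saying why leaving set untouched is correct there.
Inside the lambda, the result of castConstant&lt;Structure*&gt;() goes straight into set.add() with no
check on what came back; if an incoming value can fail to be a Structure constant, that needs a guard too.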

Filip recently added code that will add MaterializeNewObject into the IR even when we're not in SSA.
This is when we do RegExp constant folding on various RegExp operations, like RegExp.prototype.exec.
That said, I don't think this code is correct when we're not in SSA form. For example, I think you're saying
that the result of this node is the emptySet of structures when we're not in SSA. That's not what we want.
If anything, if we can't give a specific result filled with structure sets, we probably want to widen our result
type to just arbitrary Object or something similar to that. However, maybe there are other methods in which
we can attain the Structure(s) that this produces in non-SSA form.

Filip, what do you think?</pre>
        </div>
      </p>
    </body>
</html>