Timestamp:
Nov 3, 2016, 7:39:47 AM (9 years ago)
Author:
[email protected]
Message:

Asking for a value profile prediction should be defensive against not finding a value profile
https://bugs.webkit.org/show_bug.cgi?id=164306

Reviewed by Mark Lam.

JSTests:

  • stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js: Added.

(let.o.set foo):
(bar):

Source/JavaScriptCore:

Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
in the DFG assumes it will always be at a value producing node. However, this isn't
true if we tail call from an inlined setter. When we're at a tail call, we try
to find the first caller that isn't a tail call to see what value the
tail_call produces. If we inline a setter, however, we will end up finding
the put_by_id as our first non-tail-called "caller", and that won't have a
value profile associated with it since it's not a value producing node.
CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
against finding a null value profile.

  • bytecode/CodeBlock.h:

(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

    r208309 r208326  
    415415    SpeculatedType valueProfilePredictionForBytecodeOffset(const ConcurrentJITLocker& locker, int bytecodeOffset)
    416416    {
    417         return valueProfileForBytecodeOffset(bytecodeOffset)->computeUpdatedPrediction(locker);
     417        if (ValueProfile* valueProfile = valueProfileForBytecodeOffset(bytecodeOffset))
     418            return valueProfile->computeUpdatedPrediction(locker);
     419        return SpecNone;
    418420    }
    419421
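Review bot: Returning SpecNone from the new null-check branch in valueProfilePredictionForBytecodeOffset makes "no value profile at this offset" indistinguishable from "a profile exists but has recorded no samples", since computeUpdatedPrediction on an empty profile can also yield SpecNone; a one-line comment above `return SpecNone;` stating that callers such as getPredictionWithoutOSRExit treat it as "no prediction available" would document the contract. Also, the ChangeLog lists dfg/DFGByteCodeParser.cpp and the new JSTests file, but the changeset viewer reports only 1 file edited (CodeBlock.h), so it is worth confirming the test and the DFG caller change actually landed in this commit.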