Timestamp:
Mar 16, 2017, 6:24:46 AM (8 years ago)
Author:
Yusuke Suzuki
Message:

Unreviewed, fix numParameter() - 1 OSRExit materialization
https://bugs.webkit.org/show_bug.cgi?id=164582

When materializing rest parameters, we rely on numParameters() - 1 being equal to
the numberOfArgumentsToSkip. But this assumption is broken in r214029.

  • bytecode/CodeBlock.cpp:
  (JSC::CodeBlock::finishCreation):
  • bytecode/CodeBlock.h:
  (JSC::CodeBlock::numberOfArgumentsToSkip):
  • ftl/FTLOperations.cpp:
  (JSC::FTL::operationMaterializeObjectInOSR):
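The quantity this patch reads from CodeBlock is the number of actual arguments that must be dropped before the rest array starts. The following is an added example, not code from this WebKit changeset or from JavaScriptCore: a JavaScript reference model of what a rest array must contain, checked against real callees across many call shapes, including the case of fewer actual arguments than named parameters, and a hot loop with changing argument counts and types. The function names (`materializeRest`, `checkRest`, `stress`, `runAll`) are this example's own, and whether any given engine actually tiers the callees up or exits back to baseline during the loop is an assumption; the checks are valid either way. It also shows that `Function.length` is not the skip count, since `length` stops at the first default parameter.

```javascript
// Added example (not part of this WebKit changeset): a reference model of what
// a rest-parameter array must contain, used to check a function's actual rest
// array across many call shapes. numberOfArgumentsToSkip here is the count of
// named parameters before `...rest`; this script only observes engine behaviour
// from JavaScript and has no access to CodeBlock itself.

// Reference semantics: the rest array holds the actual arguments after the first
// numberOfArgumentsToSkip of them. Fewer actuals than named parameters must give
// an empty array, never a slice with a negative start.
function materializeRest(actualArgs, numberOfArgumentsToSkip) {
  if (actualArgs.length <= numberOfArgumentsToSkip) return [];
  return Array.prototype.slice.call(actualArgs, numberOfArgumentsToSkip);
}

// Callees with the same rest position but different declared shapes. Note that
// withDefault.length is 1 (length stops at the first default), while the number
// of arguments to skip is still 2: Function.length is not the skip count.
function twoNamed(a, b, ...rest) { return rest; }
function withDefault(a, b = 0, ...rest) { return rest; }
const arrowTwoNamed = (a, b, ...rest) => rest;

function sameElements(x, y) {
  return x.length === y.length && x.every((v, i) => v === y[i]);
}

// Call fn with args and compare its rest array against the reference model.
// Returns false when the callee's rest array disagrees with the model.
function checkRest(fn, numberOfArgumentsToSkip, ...args) {
  return sameElements(fn(...args), materializeRest(args, numberOfArgumentsToSkip));
}

// Stress loop: run the callee hot so an optimizing tier may compile it, while
// cycling argument counts and types so a compiled copy that baked in a wrong
// skip count gets exercised on the way back to baseline code. Whether a given
// engine tiers up or exits here is an assumption; the check holds regardless.
function stress(fn, numberOfArgumentsToSkip, iterations) {
  const shapes = [                      // constructed call shapes
    [], [1], [1, 2], [1, 2, 3], [1, 2, 3, 4, 5],
    ["a", {}, 3.5, null, undefined, 7], // mixed types on purpose
  ];
  for (let i = 0; i < iterations; i++) {
    if (!checkRest(fn, numberOfArgumentsToSkip, ...shapes[i % shapes.length])) return false;
  }
  return true;
}

// True when every callee's rest array matches the model on every iteration
// and the Function.length values are as documented above.
function runAll() {
  return stress(twoNamed, 2, 20000)
    && stress(withDefault, 2, 20000)
    && stress(arrowTwoNamed, 2, 20000)
    && twoNamed.length === 2
    && withDefault.length === 1;
}
```

Running `runAll()` in a shell such as `jsc` is the cheap way to check a build for rest-array miscounting; a negative result from `checkRest` pinpoints the callee shape and argument count that disagree with the model.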

File:
1 edited

  • trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

    r212177 r214040  
    265265                    materialization->origin(), exec->codeBlock());
    266266
    267                 unsigned numberOfArgumentsToSkip = codeBlock->numParameters() - 1;
     267                unsigned numberOfArgumentsToSkip = codeBlock->numberOfArgumentsToSkip();
    268268                JSGlobalObject* globalObject = codeBlock->globalObject();
    269269                Structure* structure = globalObject->restParameterStructure();
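Review bot: the new call at line 267, `codeBlock->numberOfArgumentsToSkip()`, depends on an accessor this changeset view does not contain: the message lists bytecode/CodeBlock.h (JSC::CodeBlock::numberOfArgumentsToSkip) and bytecode/CodeBlock.cpp (finishCreation), yet the page reports only ftl/FTLOperations.cpp as edited. Confirm those declarations are in the tree before this lands, and add a short comment at this site saying where the value is computed, since the old `numParameters() - 1` was self-describing and the replacement is not. This count, together with `restParameterStructure()` two lines down, decides which actual arguments end up in the rest array built at OSR exit, so a mismatch is a correctness bug that deserves a regression test rather than an unreviewed fix.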
     
    359359        }
    360360        case PhantomCreateRest: {
    361             unsigned numberOfArgumentsToSkip = codeBlock->numParameters() - 1;
     361            unsigned numberOfArgumentsToSkip = codeBlock->numberOfArgumentsToSkip();
    362362            JSGlobalObject* globalObject = codeBlock->globalObject();
    363363            Structure* structure = globalObject->restParameterStructure();
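Review bot: line 361 is the second copy of the same three-line prologue (skip count, `globalObject`, `restParameterStructure()`) in this file, so the two `PhantomCreateRest` materialization sites must now be kept in sync by hand; factor the prologue into a small helper, or at least land a test that exercises rest-parameter materialization when `numParameters() - 1` differs from `numberOfArgumentsToSkip()`, the exact condition the message says r214029 introduced. The changeset lists no test and is marked Unreviewed.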