| Summary: | AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inlined | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW --- | ||
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | PC | ||
| OS: | Linux | ||
Hello, I found a bug related to the Abstract Interpreter in JSC.

=================test.js================

```js
function f0() {
  const v6 = arguments[-6];
  print(v6);
}
for (let v11 = 0; v11 < 99; v11++) {
  f0(1);
  for (let v13 = 0; v13 < 100; v13++) {
    for (let v14 = 0; v14 < 101; v14++) {}
  }
}
```

=========================================

Run args:

```
./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0.1
```

JSC should print 99 "undefined", but it actually prints 2 "undefined" and 97 "1" (arguments[0]).

I found that the problem is in DFGAbstractInterpreterInlines.h when AI handles the GetMyArgumentByVal node. AI ignores the situation where the index is negative when the callee is inlined and computes a wrong result for GetMyArgumentByVal.