Bug 263520
| Summary: | AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inlined | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | EntryHi <entryhii> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | mark.lam, webkit-bug-importer, ysuzuki |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | PC | | |
| OS: | Linux | | |
EntryHi
Hello, I found a bug related to the Abstract Interpreter in JSC.
test.js:

```js
function f0() {
  const v6 = arguments[-6];
  print(v6);
}
for (let v11 = 0; v11 < 99; v11++) {
  f0(1);
  for (let v13 = 0; v13 < 100; v13++) {
    for (let v14 = 0; v14 < 101; v14++) {}
  }
}
```

Run args: `./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0.1`

JSC should print "undefined" 99 times, but it actually prints "undefined" 2 times and "1" (arguments[0]) 97 times.
I found the problem is in DFGAbstractInterpreterInlines.h when AI handles the GetMyArgumentByVal node.
AI ignores the case where the index is negative when the callee is inlined and computes a wrong result for GetMyArgumentByVal.
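A self-checking variant of the reproducer, added here as an example and not part of the original report. Each probe reads `arguments` at a fixed out-of-range index inside a small callee that a hot loop inlines, and every result is compared with the ECMAScript semantics (`undefined` for any key outside `0..length-1`), so a tier that mis-folds GetMyArgumentByVal shows up as a non-empty mismatch list rather than a silently wrong value. The probe names and `expectedFor` are ours; it generalises the report's single negative index to past-the-end and fractional keys as well.

```javascript
// Probes: each reads `arguments` at a literal index, as the reproducer does.
const probes = {
  negative:   function () { return arguments[-6]; },  // the index from the report
  pastEnd:    function () { return arguments[1]; },   // >= arguments.length
  fractional: function () { return arguments[0.5]; }, // non-integer key
  inRange:    function () { return arguments[0]; },   // the only read that sees the value
};

// Reference semantics: only the in-range read may return the passed value.
function expectedFor(name, value) {
  return name === "inRange" ? value : undefined;
}

// Calls every probe `iterations` times, with the same nested busy loops the
// reproducer uses so the callees get inlined into the hot outer loop body.
// Returns every {iteration, probe, got} that disagrees with expectedFor.
function findMismatches(iterations) {
  const mismatches = [];
  for (let i = 0; i < iterations; i++) {
    for (const name of Object.keys(probes)) {
      const got = probes[name](1);
      if (got !== expectedFor(name, 1)) {
        mismatches.push({ iteration: i, probe: name, got });
      }
    }
    for (let j = 0; j < 100; j++) { for (let k = 0; k < 101; k++) {} }
  }
  return mismatches;
}

// Summary in the shape the report describes: how many reads were right vs. wrong.
function summarise(iterations) {
  const bad = findMismatches(iterations);
  const total = iterations * Object.keys(probes).length;
  return { total, correct: total - bad.length, wrong: bad.length, first: bad[0] };
}
```

On a correct engine `findMismatches(99)` is empty; under the report's `jsc` flags an affected build lists iterations where `negative` returned `1`.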
Radar WebKit Bug Importer
<rdar://problem/117682102>
Yusuke Suzuki
Hmm, maybe no longer reproducible?