Asking for a value profile prediction should be defensive against not finding a value...
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 3 Nov 2016 14:39:47 +0000 (14:39 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 3 Nov 2016 14:39:47 +0000 (14:39 +0000)
commit    5348b2b94580bbefdfb2fb0e881d779208c6910f
tree      70ddc3d994aa87cd44d93fee493ebe8367ebaa9a
parent    c73aa54eed85e959c566069c28fc54857d786cb4
Asking for a value profile prediction should be defensive against not finding a value profile
https://bugs.webkit.org/show_bug.cgi?id=164306

Reviewed by Mark Lam.

JSTests:

* stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js: Added.
(let.o.set foo):
(bar):

Source/JavaScriptCore:

Currently, the code that calls CodeBlock::valueProfilePredictionForBytecodeOffset
in the DFG assumes it will always be at a value producing node. However, this isn't
true if we tail call from an inlined setter. When we're at a tail call, we try
to find the first caller that isn't a tail call to see what value the
tail_call produces. If we inline a setter, however, we will end up finding
the put_by_id as our first non-tail-called "caller", and that won't have a
value profile associated with it since it's not a value producing node.
CodeBlock::valueProfilePredictionForBytecodeOffset should be defensive
against finding a null value profile.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@208326 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
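The code shape the commit message describes, written out as an added illustration (this is not the WebKit regression test listed above, whose contents are not on this page): an object setter whose body ends in a tail call, reached through a plain property assignment (a put_by_id site), inside a hot function so that a tiering JIT such as the DFG would inline the setter and then walk up from the tail call looking for the first non-tail-call "caller". The names `record`, `bar` and `runHot` and the constructed loop are assumptions of this example; in a plain interpreter or in Node it simply runs and returns the expected values, which is the behaviour the fix restores for JavaScriptCore.

```javascript
"use strict";

// Constructed side table so the tail-called function has an observable effect.
const sideTable = [];

// The function the setter tail-calls; its return value is what a value
// profile lookup at the tail call would be asking about.
function record(v) {
    sideTable.push(v);
    return v;
}

const o = {
    // A setter is not a value-producing node at its call site (put_by_id),
    // so there is no value profile to find when the JIT walks up from the
    // tail call inside it; the fix makes that lookup tolerate a null profile.
    set foo(v) {
        return record(v); // tail call from an inlined setter
    }
};

// put_by_id -> inlined setter -> tail call to record()
function bar(i) {
    o.foo = i;
    return i;
}

// Run the site hot enough that a tiering JIT would inline bar's setter.
function runHot(iterations) {
    let last = -1;
    for (let i = 0; i < iterations; i++) {
        last = bar(i);
    }
    return last;
}

// Number of values the tail-called function actually observed.
function recordedCount() {
    return sideTable.length;
}

runHot(10000);
```

The only thing worth asserting here is that the program completes and that every assignment reached the tail-called function; before the fix, JavaScriptCore would crash in the DFG on this shape rather than return a wrong value.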