Changeset 254996 in webkit
- Timestamp:
- Jan 23, 2020 12:11:33 PM (4 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r254975 r254996 1 2020-01-23 Saam Barati <sbarati@apple.com> 2 3 OptimizeAssociativeExpressionTrees should reset value owners before running 4 https://bugs.webkit.org/show_bug.cgi?id=206670 5 <rdar://problem/58535628> 6 7 Reviewed by Robin Morisset. 8 9 We have a crash inside OptimizeAssociativeExpressionTrees and we don't know 10 how to reproduce it. Also, based on Mark's auditing of the crash site's 11 assembly, Mark thinks we're crashing on a "currupt" basic block. 12 13 After I audited the code, I saw that we rely on value owners in this phase. 14 However, we don't actually reset them before running the phase. This patch 15 adds that as a speculative fix for the crash we're seeing. 16 17 * b3/B3OptimizeAssociativeExpressionTrees.cpp: 18 (JSC::B3::OptimizeAssociativeExpressionTrees::run): 19 1 20 2020-01-23 Yusuke Suzuki <ysuzuki@apple.com> 2 21 -
trunk/Source/JavaScriptCore/b3/B3OptimizeAssociativeExpressionTrees.cpp
r244088 r254996 250 250 // We need the use counts to avoid duplicating code. 251 251 252 m_proc.resetValueOwners(); 253 252 254 Vector<unsigned> useCounts(m_proc.values().size(), 0); // Mapping from Value::m_index to use counts. 253 255 HashSet<Value*> expressionTreeRoots;
Note: See TracChangeset
for help on using the changeset viewer.