Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5c92de6a61ab777048959db43a409771875825a3
https://github.com/WebKit/WebKit/commit/5c92de6a61ab777048959db43a409771875825a3
Author: Yusuke Suzuki <[email protected]>
Date: 2024-08-28 (Wed, 28 Aug 2024)
Changed paths:
A JSTests/stress/in-by-val-profile.js
M Source/JavaScriptCore/dfg/DFGGraph.cpp
Log Message:
-----------
[JSC] Inlined in_by_val does not have ValueProfile thus we should check that
condition before using ValueProfile from OSR exit
https://bugs.webkit.org/show_bug.cgi?id=278810
rdar://132478663
Reviewed by Yijia Huang.
280973@main allows DFG / FTL to inline InByVal's Proxy calls. As a result, we
may encounter that ValueProfile update request
for in_by_val because it can be converted to sequence of calling. But because
in_by_val's result is always boolean, we do not have ValueProfile.
But current code is not assuming that case and expecting that there is always
ValueProfile for the DFG Node which has heapPrediction (but it is not for
in_by_val).
This patch checks ValueProfile existence before using.
* JSTests/stress/in-by-val-profile.js: Added.
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::methodOfGettingAValueProfileFor):
Canonical link: https://commits.webkit.org/282866@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
