Fix handleRecursiveTailCall for osr exit at op_tail_call
https://bugs.webkit.org/show_bug.cgi?id=254574
rdar://107598022

Reviewed by Yusuke Suzuki.

Previously, we introduced a patch https://commits.webkit.org/260787@main which merges op_enter, op_get_scope, and op_check_traps into op_enter for less prologue overhead. However, the patch crashes in a tail recursion when OSR exiting from FTL to Baseline at op_tail_call. This is because we exit to offset(op_enter) + 1, which would miss the execution of op_get_scope that was merged into op_enter in the previous patch. In that case, the program would crash when trying to dereference an undefined scope after OSR exit.

To fix this issue we should just update the exit to offset(op_enter) instead of offset(op_enter) + 1.

JavaScript tail recursion foo:

    function foo(n) {
        ...
        return foo(n);
    }

Bytecode for foo with scope at loc4:

    [   0] enter
    [   1] ...
    ...
    [  11] resolve_scope    dst:loc10, scope:loc4
    ...
    [  38] tail_call        ...
    [ ...] ret              ...

DFG for foo:

    ...
    --> foo // inlined recursive tail call
    ...
    @node(..., bc#38, exit: bc#38 --> bc#1, ...)
    ...
    <-- foo

DFG for foo:

    ...
    --> foo // inlined recursive tail call
    ...
    @node(..., bc#38, exit: bc#38 --> bc#0, ...)
    ...
    <-- foo

* JSTests/stress/osr-exit-at-tail-call-in-tail-recursion.js: Added.
(foo):
(bar):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

Canonical link: https://commits.webkit.org/263183@main
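The shape of a regression test for this fix, as an added example that is not the repository's own JSTests file: a strict-mode function that captures a variable from an enclosing scope (so it needs the scope register op_enter now materialises) and tail-calls itself, warmed up with integers and then handed a double so a speculating JIT must OSR exit mid-recursion. Only JSC's FTL with tail calls exercises the fixed path; elsewhere this runs as ordinary recursion, and the recursion depth (200) and iteration count (1e4) are assumptions chosen to stay within engines without tail-call elimination.

```javascript
"use strict"; // JSC only performs proper tail calls in strict mode

// Constructed reproduction shape (not the repository's test):
// foo reads `limit` from the enclosing scope, so its body depends on the
// scope that op_enter sets up; the recursive call is in tail position,
// which the DFG may inline as a recursive tail call.
function makeFoo(limit) {
  function foo(n, acc) {
    if (n >= limit) return acc;     // reads the captured `limit`
    return foo(n + 1, acc + n);     // tail call back into foo
  }
  return foo;
}

// Warm foo with integer arguments, then call it with a double accumulator.
// The type change invalidates the integer speculation, forcing an OSR exit
// in the middle of the inlined tail recursion; a correct exit target lands
// on op_enter and the scope is valid, an incorrect one would crash here.
function runWarmThenExit() {
  const foo = makeFoo(200);
  let last = 0;
  for (let i = 0; i < 1e4; i++) last = foo(0, 0);   // integers only
  const withDouble = foo(0, 0.5);                    // double accumulator
  return { last, withDouble };
}
```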