Closed
Bug 676322
Opened 13 years ago
Closed 13 years ago
IonMonkey: Don't process unreachable code in else() blocks
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: sstangl, Assigned: sstangl)
Details
Attachments
(2 files, 1 obsolete file)
179 bytes,
application/javascript
|
Details | |
580 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
The attached testcase, which is equivalent to a while(1) loop, is constructed into a CFG with no loops. When the IonBuilder encounters the first break, processIfElseFalseEnd() terminates the else() block. But it then assumes that the next instruction belongs to the parent control structure -- but the next instruction is the next break. So IonBuilder terminates the loop itself.
Assignee | ||
Comment 1•13 years ago
|
||
Proposed fix: when we terminate the false block, instead of assuming that the current instruction is the end of the false block, forcibly update pc to the known end.
Attachment #550445 -
Flags: review?(dvander)
Assignee | ||
Comment 2•13 years ago
|
||
v2: we can always safely set pc, and always safely return ControlStatus_Joined.
Attachment #550445 -
Attachment is obsolete: true
Attachment #550445 -
Flags: review?(dvander)
Attachment #550459 -
Flags: review?(dvander)
Comment on attachment 550459 [details] [diff] [review] patch v2 Might want to make sure that this work as well: if (...) { break; break; }
Attachment #550459 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 4•13 years ago
|
||
The true case is fine; we always update pc. http://hg.mozilla.org/projects/ionmonkey/rev/fb72d669b653
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•