Changeset 141536 in webkit


Timestamp:
Jan 31, 2013 9:54:04 PM (11 years ago)
Author:
ggaren@apple.com
Message:

REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
https://bugs.webkit.org/show_bug.cgi?id=108576

Reviewed by Filip Pizlo.

This was a long-standing bug. The DFG would destructively reuse a register
in op_convert_this, but:

  • The bug only presented during speculation failure for type Other
  • The bug presented by removing the low bits of a pointer, which used to be harmless, since all objects were so aligned anyway.

• dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
our scratch register. The whole point of our scratch register is to
avoid destructively modifying our this register. I'm pretty sure this
was a copy-paste error.

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r141521 r141536  
     12013-01-31  Geoffrey Garen  <ggaren@apple.com>
     2
     3        REGRESSION (r141192): Crash beneath cti_op_get_by_id_generic @ discussions.apple.com
     4        https://bugs.webkit.org/show_bug.cgi?id=108576
     5
     6        Reviewed by Filip Pizlo.
     7
     8        This was a long-standing bug. The DFG would destructively reuse a register
     9        in op_convert_this, but:
     10
     11            * The bug only presented during speculation failure for type Other
     12
     13            * The bug presented by removing the low bits of a pointer, which
     14            used to be harmless, since all objects were so aligned anyway.
     15
     16        * dfg/DFGSpeculativeJIT64.cpp:
     17        (JSC::DFG::SpeculativeJIT::compile): Don't reuse our this register as
     18        our scratch register. The whole point of our scratch register is to
     19        avoid destructively modifying our this register. I'm pretty sure this
     20        was a copy-paste error.
     21
    1222013-01-31  Roger Fong  <roger_fong@apple.com>
    223
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r141179 r141536  
    38063806        if (isOtherSpeculation(node->child1()->prediction())) {
    38073807            JSValueOperand thisValue(this, node->child1());
    3808             GPRTemporary scratch(this, thisValue);
     3808            GPRTemporary scratch(this);
    38093809            GPRReg thisValueGPR = thisValue.gpr();
    38103810            GPRReg scratchGPR = scratch.gpr();
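Review bot: the two-argument form `GPRTemporary scratch(this, thisValue)` on the removed line 3808 allows the temporary to reuse thisValue's register, so any destructive write through scratchGPR (the ChangeLog describes stripping the low bits of a pointer) also corrupts thisValueGPR; the replacement `GPRTemporary scratch(this)` allocates a distinct register, which is the correct fix. Consider adding `ASSERT(scratchGPR != thisValueGPR);` after line 3810 so the aliasing cannot silently return in a later refactor, and since this changeset touches only the ChangeLog and this file, a regression test exercising the type-Other speculation-failure path in op_convert_this would pin the crash described in the message.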