Changeset 90487 in webkit

Timestamp:

Jul 6, 2011 1:40:21 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

2011-07-06 Filip Pizlo <​fpizlo@apple.com>

DFG speculative JIT may crash when speculating int on a non-int JSConstant.
​https://bugs.webkit.org/show_bug.cgi?id=64017

Reviewed by Gavin Barraclough.

• dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): (JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-06  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
+        https://bugs.webkit.org/show_bug.cgi?id=64017
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-07-06  Dmitriy Vyukov  <dvyukov@google.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -50 +50 @@
                 return gpr;
             }
-            m_jit.move(valueOfJSConstantAsImmPtr(nodeIndex), gpr);
+            terminateSpeculativeExecution();
+            returnFormat = DataFormatInteger;
+            return allocate();
         } else {
             DataFormat spillFormat = info.spillFormat();
@@ -863 +865 @@
         GPRReg valueReg = value.gpr();
         GPRReg scratchReg = scratch.gpr();
+        
+        if (!m_compileOkay)
+            return;
 
         writeBarrier(m_jit, baseReg, scratchReg);