64017 2011-07-06 12:55:33 -0700 DFG speculative JIT may crash when speculating int on a non-int JSConstant 2011-07-06 13:40:37 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 0 fpizlo webkit-unassigned webkit.review.bot oldest_to_newest 432943 0 fpizlo 2011-07-06 12:55:33 -0700 The DFG speculative JIT may sometimes perform speculations that are statically wrong. This is inevitable in the current design and is supposed to be both performance neutral in the average and correct, because the JIT will recover once it detects that the speculation was wrong. However, the JIT fails to perform the recovery in the case that a JSConstant node that references a non-int (for example a JSCell*) is speculated to be an Int32. This causes crashes if the GPR that would have contained the Int32 is ever spilled and filled. The spilling code skips spilling under the assumption that the Int32 can be rematerialized, and the filling code crashes because it's not possible to rematerialize something that is not actually an Int32 constant. 432945 1 99863 fpizlo 2011-07-06 12:58:17 -0700 Created attachment 99863 the patch 432953 2 99863 barraclough 2011-07-06 13:00:52 -0700 Comment on attachment 99863 the patch At some point we should remove that resolved FIXME you found, too. 432963 3 fpizlo 2011-07-06 13:08:24 -0700 (In reply to comment #2) > (From update of attachment 99863 [details]) > At some point we should remove that resolved FIXME you found, too. Yup, see https://bugs.webkit.org/show_bug.cgi?id=64022 432993 4 99863 webkit.review.bot 2011-07-06 13:40:34 -0700 Comment on attachment 99863 the patch Clearing flags on attachment: 99863 Committed r90487: <http://trac.webkit.org/changeset/90487> 432994 5 webkit.review.bot 2011-07-06 13:40:37 -0700 All reviewed patches have been landed. Closing bug. 99863 2011-07-06 12:58:17 -0700 2011-07-06 13:40:33 -0700 the patch specrecoverint_patch_1.diff text/plain 1728 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTA0ODMpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAK KzIwMTEtMDctMDYgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE Rkcgc3BlY3VsYXRpdmUgSklUIG1heSBjcmFzaCB3aGVuIHNwZWN1bGF0aW5nIGludCBvbiBhIG5v bi1pbnQgSlNDb25zdGFudC4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTY0MDE3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgKiBkZmcvREZHU3BlY3VsYXRpdmVKSVQuY3BwOgorICAgICAgICAoSlNDOjpERkc6 OlNwZWN1bGF0aXZlSklUOjpmaWxsU3BlY3VsYXRlSW50SW50ZXJuYWwpOgorICAgICAgICAoSlND OjpERkc6OlNwZWN1bGF0aXZlSklUOjpjb21waWxlKToKKwogMjAxMS0wNy0wNiAgRG1pdHJpeSBW eXVrb3YgIDxkdnl1a292QGdvb2dsZS5jb20+CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgRGF2aWQg TGV2aW4uCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklU LmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0 aXZlSklULmNwcAkocmV2aXNpb24gOTA0NzcpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZn L0RGR1NwZWN1bGF0aXZlSklULmNwcAkod29ya2luZyBjb3B5KQpAQCAtNDksNyArNDksOSBAQCBH UFJSZWcgU3BlY3VsYXRpdmVKSVQ6OmZpbGxTcGVjdWxhdGVJbnRJCiAgICAgICAgICAgICAgICAg cmV0dXJuRm9ybWF0ID0gRGF0YUZvcm1hdEludGVnZXI7CiAgICAgICAgICAgICAgICAgcmV0dXJu IGdwcjsKICAgICAgICAgICAgIH0KLSAgICAgICAgICAgIG1faml0Lm1vdmUodmFsdWVPZkpTQ29u c3RhbnRBc0ltbVB0cihub2RlSW5kZXgpLCBncHIpOworICAgICAgICAgICAgdGVybWluYXRlU3Bl Y3VsYXRpdmVFeGVjdXRpb24oKTsKKyAgICAgICAgICAgIHJldHVybkZvcm1hdCA9IERhdGFGb3Jt YXRJbnRlZ2VyOworICAgICAgICAgICAgcmV0dXJuIGFsbG9jYXRlKCk7CiAgICAgICAgIH0gZWxz ZSB7CiAgICAgICAgICAgICBEYXRhRm9ybWF0IHNwaWxsRm9ybWF0ID0gaW5mby5zcGlsbEZvcm1h dCgpOwogICAgICAgICAgICAgQVNTRVJUKHNwaWxsRm9ybWF0ICYgRGF0YUZvcm1hdEpTKTsKQEAg LTg2Miw2ICs4NjQsOSBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpjb21waWxlKE5vZGUmIG5vZGUp CiAgICAgICAgIEdQUlJlZyBwcm9wZXJ0eVJlZyA9IHByb3BlcnR5LmdwcigpOwogICAgICAgICBH UFJSZWcgdmFsdWVSZWcgPSB2YWx1ZS5ncHIoKTsKICAgICAgICAgR1BSUmVnIHNjcmF0Y2hSZWcg PSBzY3JhdGNoLmdwcigpOworICAgICAgICAKKyAgICAgICAgaWYgKCFtX2NvbXBpbGVPa2F5KQor ICAgICAgICAgICAgcmV0dXJuOwogCiAgICAgICAgIHdyaXRlQmFycmllcihtX2ppdCwgYmFzZVJl Zywgc2NyYXRjaFJlZyk7CiAK