64330 2011-07-11 17:09:12 -0700 DFG speculative JIT does not guard itself against floating point speculation failures on non-floating-point constants 2011-07-11 18:10:23 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 0 fpizlo webkit-unassigned webkit.review.bot oldest_to_newest 435321 0 fpizlo 2011-07-11 17:09:12 -0700 The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant. Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action. Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register. 435324 1 100386 fpizlo 2011-07-11 17:15:22 -0700 Created attachment 100386 the patch 435362 2 100386 webkit.review.bot 2011-07-11 18:10:20 -0700 Comment on attachment 100386 the patch Clearing flags on attachment: 100386 Committed r90799: <http://trac.webkit.org/changeset/90799> 435363 3 webkit.review.bot 2011-07-11 18:10:23 -0700 All reviewed patches have been landed. Closing bug. 100386 2011-07-11 17:15:22 -0700 2011-07-11 18:10:19 -0700 the patch fixspecdouble_patch_1.diff text/plain 1886 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTA3OTUpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTggQEAK KzIwMTEtMDctMTEgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE Rkcgc3BlY3VsYXRpdmUgSklUIGRvZXMgbm90IGd1YXJkIGl0c2VsZiBhZ2FpbnN0IGZsb2F0aW5n IHBvaW50IHNwZWN1bGF0aW9uCisgICAgICAgIGZhaWx1cmVzIG9uIG5vbi1mbG9hdGluZy1wb2lu dCBjb25zdGFudHMuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD02NDMzMAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorICAgICAg ICAKKyAgICAgICAgTWFkZSBmaWxsU3BlY3VsYXRlRG91YmxlIGltbWVkaWF0ZSBpbnZva2UgdGVy bWluYXRlU3BlY3VsYXRpdmVFeGVjdXRpb24oKSBhcworICAgICAgICBzb29uIGFzIGl0IG5vdGlj ZXMgdGhhdCBpdCdzIHNwZWN1bGF0aW5nIG9uIHNvbWV0aGluZyB0aGF0IGlzIGEgbm9uLW51bWVy aWMKKyAgICAgICAgSlNDb25zdGFudC4KKworICAgICAgICAqIGRmZy9ERkdTcGVjdWxhdGl2ZUpJ VC5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3BlY3VsYXRpdmVKSVQ6OmZpbGxTcGVjdWxhdGVE b3VibGUpOgorCiAyMDExLTA3LTExICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CiAK ICAgICAgICAgREZHIFNwZWN1bGF0aXZlIEpJVCBkb2VzIG5vdCBhbHdheXMgaW5zZXJ0IHNwZWN1 bGF0aW9uIGNoZWNrcyB3aGVuIHNwZWN1bGF0aW5nCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENv cmUvZGZnL0RGR1NwZWN1bGF0aXZlSklULmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNj cmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklULmNwcAkocmV2aXNpb24gOTA3OTUpCisrKyBT b3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklULmNwcAkod29ya2luZyBj b3B5KQpAQCAtMjA2LDEyICsyMDYsOCBAQCBGUFJSZWcgU3BlY3VsYXRpdmVKSVQ6OmZpbGxTcGVj dWxhdGVEb3ViCiAgICAgICAgICAgICAgICAgaW5mby5maWxsRG91YmxlKGZwcik7CiAgICAgICAg ICAgICAgICAgcmV0dXJuIGZwcjsKICAgICAgICAgICAgIH0KLSAgICAgICAgICAgIEFTU0VSVChp c0pTQ29uc3RhbnQobm9kZUluZGV4KSk7Ci0gICAgICAgICAgICBKU1ZhbHVlIGpzVmFsdWUgPSB2 YWx1ZU9mSlNDb25zdGFudChub2RlSW5kZXgpOwotICAgICAgICAgICAgbV9qaXQubW92ZShNYWNy b0Fzc2VtYmxlcjo6SW1tUHRyKEpTVmFsdWU6OmVuY29kZShqc1ZhbHVlKSksIGdwcik7Ci0gICAg ICAgICAgICBtX2dwcnMucmV0YWluKGdwciwgdmlydHVhbFJlZ2lzdGVyLCBTcGlsbE9yZGVyQ29u c3RhbnQpOwotICAgICAgICAgICAgaW5mby5maWxsSlNWYWx1ZShncHIsIERhdGFGb3JtYXRKUyk7 Ci0gICAgICAgICAgICB1bmxvY2soZ3ByKTsKKyAgICAgICAgICAgIHRlcm1pbmF0ZVNwZWN1bGF0 aXZlRXhlY3V0aW9uKCk7CisgICAgICAgICAgICByZXR1cm4gZnByQWxsb2NhdGUoKTsKICAgICAg ICAgfSBlbHNlIHsKICAgICAgICAgICAgIERhdGFGb3JtYXQgc3BpbGxGb3JtYXQgPSBpbmZvLnNw aWxsRm9ybWF0KCk7CiAgICAgICAgICAgICBBU1NFUlQoc3BpbGxGb3JtYXQgJiBEYXRhRm9ybWF0 SlMpOwo=