Bug 111777

Summary: Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://www.tuaw.com/2012/12/29/5-things-i-want-to-see-from-apple-in-2013/
Bug Depends on:    
Bug Blocks: 112380    
Attachments:
Description Flags
Patch fpizlo: review+

Description Michael Saboff 2013-03-07 14:28:59 PST
Investigating this, I've determined that the issue is due to a register allocation in the middle of generating control flow and we are under register pressure causing us to spill on one path in the control flow but not the other two.  This is in SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull() in dfg/DFGSpeculativeJit32_64.cpp.  Inspection shows that the problem also exists in dfg/DFGSpeculativeJit64.cpp.

Patch forthcoming.

From <rdar://problem/13185728>.
Comment 1 Michael Saboff 2013-03-07 16:07:51 PST
Created attachment 192101 [details]
Patch
Comment 2 Michael Saboff 2013-03-07 16:21:42 PST
Committed r145150: <http://trac.webkit.org/changeset/145150>