Bug 111777

Summary:

Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article

Product:

WebKit

Reporter:

Michael Saboff <msaboff>

Component:

JavaScriptCore

Assignee:

Michael Saboff <msaboff>

Status:

RESOLVED FIXED

Severity:

Normal

Keywords:

InRadar

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

URL:

http://www.tuaw.com/2012/12/29/5-things-i-want-to-see-from-apple-in-2013/

Bug Depends on:

Bug Blocks:

112380

Attachments:

Description	Flags
Patch	fpizlo: review+

Michael Saboff

Reported 2013-03-07 14:28:59 PST

Investigating this, I've determined that the issue is due to a register allocation in the middle of generating control flow and we are under register pressure causing us to spill on one path in the control flow but not the other two. This is in SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull() in dfg/DFGSpeculativeJit32_64.cpp. Inspection shows that the problem also exists in dfg/DFGSpeculativeJit64.cpp. Patch forth coming. From <rdar://problem/13185728>.

Attachments
Patch (11.08 KB, patch) 2013-03-07 16:07 PST, Michael Saboff	fpizlo: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2013-03-07 16:07:51 PST

Created attachment 192101 [details] Patch

Michael Saboff

Comment 2 2013-03-07 16:21:42 PST

Committed r145150: <http://trac.webkit.org/changeset/145150>

Note You need to log in before you can comment on or make changes to this bug.