Bug 112738

Summary: Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Mark Hahnenberg
Reported 2013-03-19 12:45:28 PDT
Reproducible crash on ToT when the linux emulator tries to boot Steps: 1) Load web site 2) Wait for emulator to start booting linux 3) Crash after a couple seconds
Attachments
Patch (1.39 KB, patch)
2013-03-19 12:50 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (26.48 KB, patch)
2013-03-19 13:59 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-03-19 12:45:46 PDT
<rdar://problem/13452599>
Mark Hahnenberg
Comment 2 2013-03-19 12:46:15 PDT
The issue is that we're killing the ValueToInt32 node in fixIntEdge in DFGFixupPhase.cpp, which is not safe.
Mark Hahnenberg
Comment 3 2013-03-19 12:50:35 PDT
Created attachment 193900 [details] Patch
Filip Pizlo
Comment 4 2013-03-19 12:52:04 PDT
I can has LayoutTest?
Mark Hahnenberg
Comment 5 2013-03-19 13:59:58 PDT
Created attachment 193915 [details] Patch
WebKit Review Bot
Comment 6 2013-03-19 14:51:56 PDT
Comment on attachment 193915 [details] Patch Clearing flags on attachment: 193915 Committed r146263: <http://trac.webkit.org/changeset/146263>
WebKit Review Bot
Comment 7 2013-03-19 14:51:59 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.