Bug 115188

Summary: 32 Bit: Crash due to RegExpTest nodes not setting result type to Boolean
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCoreAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch ggaren: review+

Michael Saboff
Reported 2013-04-25 10:53:42 PDT
When a RegExp.test() call is made and the result is spilled prior to a consuming Branch, the Branch will fill the the tag and payload, but the spill only stored the payload. Therefore we end up with garbage in the tag register.
Attachments
Patch (1.32 KB, patch)
2013-04-25 11:08 PDT, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2013-04-25 11:08:17 PDT
Created attachment 199690 [details] Patch Working on test, but can't seem to reduce down to a test that crashes without the fix. Test will be in subsequent patch.
Geoffrey Garen
Comment 2 2013-04-25 11:15:31 PDT
Comment on attachment 199690 [details] Patch r=me
Geoffrey Garen
Comment 3 2013-04-25 11:22:25 PDT
Comment on attachment 199690 [details] Patch I think we could test this just by assigning the result of regexp.test() to a local variable, and then asking if the variable is === true, or === false, depending on the regexp. In theory, the CFA will cause garbage to be stored into the tag of the local variable, causing non-boolean-ness with very high probability.
Michael Saboff
Comment 4 2013-04-25 11:34:04 PDT
Committed r149128: <http://trac.webkit.org/changeset/149128>
Michael Saboff
Comment 5 2013-04-25 15:09:20 PDT
<rdar://problem/13716112>
Note You need to log in before you can comment on or make changes to this bug.