Bug 117280

Summary: JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: bjhomer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
Patch (5.84 KB, patch), 2013-06-05 22:01 PDT, Michael Saboff, Flags: fpizlo: review+

Michael Saboff
Reported 2013-06-05 21:41:05 PDT
We are crashing because an argument variable is being speculated to be an Int32, but there isn't a corresponding speculation check on entry to the function. When it is called with a non-int value and we OSR exit for some other reason, we crash in the baseline JIT because the tag is bogus.
Michael Saboff
Comment 1 2013-06-05 21:41:22 PDT
Michael Saboff
Comment 2 2013-06-05 22:01:33 PDT
Created attachment 203903 [details]
Patch

This fixes the problem by merging the various attributes of a VariableAccessData with the root node of the unified set of VariableAccessData nodes. Before, we were merging with a leaf node and therefore the merge didn't propagate to the code generation phase. This is performance neutral on SunSpider and V8.
Michael Saboff
Comment 3 2013-06-06 08:37:24 PDT
Alexey Proskuryakov
Comment 4 2013-06-06 15:51:31 PDT
*** Bug 116052 has been marked as a duplicate of this bug. ***