Bug 128556

Summary: 32-bit LLInt writeBarrierOnGlobalObject is wrong
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, cmarcelo, commit-queue
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Description Mark Hahnenberg 2014-02-10 15:31:40 PST 
It checks if the value is a cell is a really wrong way.
Comment 1 Mark Hahnenberg 2014-02-10 15:41:47 PST 
Created attachment 223755 [details]
Patch
Comment 2 Geoffrey Garen 2014-02-10 15:44:53 PST 
Comment on attachment 223755 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=223755&action=review

r=me

> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:413
> +        loadConstantOrVariableCell(t1, t0, .writeBarrierDone)
>          btpz t0, .writeBarrierDone

Why does this code check for a null t0? Is a null cell ever allowed?
Comment 3 Mark Hahnenberg 2014-02-10 15:50:44 PST 
(In reply to comment #2)
> (From update of attachment 223755 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=223755&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:413
> > +        loadConstantOrVariableCell(t1, t0, .writeBarrierDone)
> >          btpz t0, .writeBarrierDone
> 
> Why does this code check for a null t0? Is a null cell ever allowed?

I think init_global_const potentially does this...it's been a while since I added that however.
Comment 4 Mark Hahnenberg 2014-02-11 09:34:22 PST 
(In reply to comment #3)
> (In reply to comment #2)
> > (From update of attachment 223755 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=223755&action=review
> > 
> > r=me
> > 
> > > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:413
> > > +        loadConstantOrVariableCell(t1, t0, .writeBarrierDone)
> > >          btpz t0, .writeBarrierDone
> > 
> > Why does this code check for a null t0? Is a null cell ever allowed?
> 
> I think init_global_const potentially does this...it's been a while since I added that however.

I filed bug 128608 to track getting rid of the null check.
Comment 5 WebKit Commit Bot 2014-02-11 10:04:34 PST 
Comment on attachment 223755 [details]
Patch

Clearing flags on attachment: 223755

Committed r163887: <http://trac.webkit.org/changeset/163887>
Comment 6 WebKit Commit Bot 2014-02-11 10:04:37 PST 
All reviewed patches have been landed.  Closing bug.