Bug 150532

Summary: r190735 Caused us to maybe trample the base's tag-GPR on 32-bit inline cache when the cache allocates a scratch register and then jumps to the slow path
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, dewei_zhu, ggaren
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
ggaren: review+
patch for landing none

Saam Barati
Reported 2015-10-24 12:21:27 PDT
This register used to show up in the used register set because of how the DFG kept track of used register. I changed this in my work on online caching because we don't want to spill these registers when we have a GetByIdFlush/PutByIdFlush and we use the used register set as the metric of how to spill. That said, these registers should be locked and not used as scratch registers by the scratch register allocator. The reason is that our inline cache may fail and jump to the slow path. The slow path then uses the base's tag register. If the inline cache used the base's tag register as a scratch and it fails and jumps to the slow path, we have a problem. The most obvious solution is to just make StructureStubInfo aware of the base's tag register so that it can lock it when allocating a scratch. Note that this doesn't mean that we can trample this register when making a call. We can totally trample this as long as the inline cache succeeds. The problem is only when we trample it and then jump to the slow path
Attachments
patch (4.94 KB, patch)
2015-10-25 15:47 PDT, Saam Barati 		ggaren: review+
DetailsFormatted DiffDiff
patch for landing (6.43 KB, patch)
2015-10-26 12:46 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2015-10-25 15:47:02 PDT
Created attachment 264026 [details] patch
Geoffrey Garen
Comment 2 2015-10-25 18:06:50 PDT
Comment on attachment 264026 [details] patch r=me
Geoffrey Garen
Comment 3 2015-10-25 18:15:10 PDT
...Can has regression test?
Saam Barati
Comment 4 2015-10-25 22:16:12 PDT
(In reply to comment #3) > ...Can has regression test? Yeah. I was thinking I should create one. I'll write one tomorrow before landing.
Saam Barati
Comment 5 2015-10-26 12:46:18 PDT
Created attachment 264064 [details] patch for landing
Saam Barati
Comment 6 2015-10-26 12:49:37 PDT
landed in: http://trac.webkit.org/changeset/191594
Note You need to log in before you can comment on or make changes to this bug.