Bug 153287

Summary: [JSC] The register allocator can use a dangling pointer when selecting a spill candidate
Product: WebKit Reporter: Benjamin Poulain <benjamin>
Component: New BugsAssignee: Benjamin Poulain <benjamin>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, keith_miller, mark.lam, msaboff, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing
none
Patch for landing none

Description Benjamin Poulain 2016-01-20 14:25:12 PST 
[JSC] The register allocator can use a dangling pointer when selecting a spill candidate
Comment 1 Benjamin Poulain 2016-01-20 14:34:04 PST 
Created attachment 269386 [details]
Patch
Comment 2 WebKit Commit Bot 2016-01-20 14:36:24 PST 
Attachment 269386 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:28:  Need whitespace between colon and description  [changelog/filechangedescriptionwhitespace] [5]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Mark Lam 2016-01-20 14:39:28 PST 
Comment on attachment 269386 [details]
Patch

r=me
Comment 4 Benjamin Poulain 2016-01-20 14:46:52 PST 
Created attachment 269388 [details]
Patch for landing
Comment 5 Mark Lam 2016-01-20 14:47:43 PST 
Comment on attachment 269388 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=269388&action=review

> Source/JavaScriptCore/dfg/DFGCommon.h:42
> -#define FTL_USES_B3 0
> +#define FTL_USES_B3 1
>  

Please undo this.
Comment 6 Benjamin Poulain 2016-01-20 14:57:49 PST 
Created attachment 269390 [details]
Patch for landing
Comment 7 WebKit Commit Bot 2016-01-20 15:11:44 PST 
Comment on attachment 269390 [details]
Patch for landing

Clearing flags on attachment: 269390

Committed r195387: <http://trac.webkit.org/changeset/195387>
Comment 8 WebKit Commit Bot 2016-01-20 15:11:47 PST 
All reviewed patches have been landed.  Closing bug.
Comment 9 Filip Pizlo 2016-01-20 17:45:24 PST 
I encountered the same thing.  I think I'll keep my version of UseCounts from https://bugs.webkit.org/show_bug.cgi?id=153200, which returns a pointer that may be null, since it feels perfectly ordinary for a phase to add tmps and still query UseCounts.

I'm not sure whether to keep your version or my version of the fix in IRC.  The benefit of my fix is that querying unspillableTmps before adding to spillWorklist is probably better than querying unspillableTmps for every member of spillWorklist every time selectSpill() is called.