Bug 153897

Summary: REGRESSION(192409): Cannot rely on add32() to zero-extend
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: WebKit Nightly Build   
Hardware: All   
OS: All   

Filip Pizlo
Reported 2016-02-04 15:05:07 PST
Callers of add32() and other 32-bit arithmetic ops rely on the fact that the destination register is zero-extended. The optimizations in r192409 broke this feature, and this causes crashes on some obscure code.
Attachments
Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2016-02-04 15:16:34 PST
rdar://problem/24289839
Filip Pizlo
Comment 2 2016-02-04 15:20:26 PST
I tried writing a test, but actually hitting this issue is sooooper hard.
Filip Pizlo
Comment 3 2016-02-04 15:23:58 PST
Landed in http://trac.webkit.org/changeset/196152
Note You need to log in before you can comment on or make changes to this bug.