Bug 201332

Summary:

[JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be invalid

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	mark.lam: review+

Description Yusuke Suzuki 2019-08-30 00:10:54 PDT

...

Comment 1 Yusuke Suzuki 2019-08-30 00:13:36 PDT

<rdar://problem/54245190>

Comment 2 Yusuke Suzuki 2019-08-30 00:18:50 PDT

Created attachment 377684 [details]
Patch

Comment 3 Mark Lam 2019-08-30 00:55:08 PDT

Comment on attachment 377684 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377684&action=review

r=me

> Source/JavaScriptCore/ChangeLog:3
> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid

/inValid/invalid/.

> JSTests/ChangeLog:3
> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid

Ditto.

Comment 4 Yusuke Suzuki 2019-08-30 01:03:17 PDT

Comment on attachment 377684 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377684&action=review

Thanks!

>> Source/JavaScriptCore/ChangeLog:3
>> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid
> 
> /inValid/invalid/.

Fixed.

>> JSTests/ChangeLog:3
>> +        [JSC] DFG inlining CheckBadCell slow path does not assume result VirtualRegister can be inValid
> 
> Ditto.

Fixed.

Comment 5 Yusuke Suzuki 2019-08-30 01:13:20 PDT

Committed r249317: <https://trac.webkit.org/changeset/249317>