Bug 230364

Summary: Fix CellTag being set 32 bits even if the base is not a cell
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Mikhail R. Gadelha
Reported 2021-09-16 11:28:06 PDT
Fix CellTag being set 32 bits even if the base is not a cell
Attachments
Patch (4.50 KB, patch)
2021-09-16 11:33 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Patch (6.19 KB, patch)
2021-09-16 14:36 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Patch (4.54 KB, patch)
2021-09-17 11:58 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mikhail R. Gadelha
Comment 1 2021-09-16 11:33:25 PDT
Created attachment 438375 [details] Patch
Mikhail R. Gadelha
Comment 2 2021-09-16 14:36:15 PDT
Created attachment 438404 [details] Patch
Yusuke Suzuki
Comment 3 2021-09-17 11:09:11 PDT
Comment on attachment 438404 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438404&action=review Commented. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13711 > + JSValueRegs baseRegs; > + if (isCell(baseEdge.useKind())) { > + SpeculateCellOperand base(this, baseEdge); > + baseRegs = JSValueRegs::payloadOnly(base.gpr()); > + } else { > + JSValueOperand base(this, baseEdge); > + baseRegs = base.regs(); > + } This is not correct. When SpeculateCellOperand / JSValueOperand are destroyed, its tied register is unlocked.
Mikhail R. Gadelha
Comment 4 2021-09-17 11:58:28 PDT
Created attachment 438498 [details] Patch
Yusuke Suzuki
Comment 5 2021-09-17 23:44:30 PDT
Comment on attachment 438498 [details] Patch r=me
EWS
Comment 6 2021-09-17 23:51:13 PDT
Committed r282722 (241859@main): <https://commits.webkit.org/241859@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438498 [details].
Radar WebKit Bug Importer
Comment 7 2021-09-17 23:52:16 PDT
<rdar://problem/83267081>
Note You need to log in before you can comment on or make changes to this bug.