Bug 231179

Summary: Fix wrong edge type from get-by-val in 32 bits
Product: WebKit Reporter: Mikhail R. Gadelha <mikhail>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, xan.lopez, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Description Mikhail R. Gadelha 2021-10-04 11:00:02 PDT 
Fix wrong edge type from get-by-val in 32 bits
Comment 1 Mikhail R. Gadelha 2021-10-04 11:09:11 PDT 
Created attachment 440079 [details]
Patch
Comment 2 Yusuke Suzuki 2021-10-05 10:57:51 PDT 
Comment on attachment 440079 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=440079&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4518
> +        JSValueOperand baseOperand(this, baseEdge);
> +        generate(baseOperand.gpr());

base is JSValue, but it only passes payload part of JSValue. In 32bit, there is tag part, which needs to be passed. If it is a JSValue, then we need to use JSValueRegs.
Comment 3 Mikhail R. Gadelha 2021-10-05 13:57:08 PDT 
Created attachment 440260 [details]
Patch
Comment 4 Yusuke Suzuki 2021-10-05 17:52:42 PDT 
Comment on attachment 440260 [details]
Patch

r=me
Comment 5 EWS 2021-10-06 00:15:45 PDT 
Committed r283603 (242555@main): <https://commits.webkit.org/242555@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 440260 [details].
Comment 6 Radar WebKit Bug Importer 2021-10-06 00:16:17 PDT 
<rdar://problem/83921689>