Bug 64254

Summary: DFG Speculative JIT does not always insert speculation checks when speculating arrays
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments: the patch (Flags: none)

Description Filip Pizlo 2011-07-11 01:37:36 PDT
The DFG Speculative JIT attempts to guess the type of variables.  Sometimes, it guesses that a variable is an array.  The JIT should insert checking code that validates that variables that are speculate-array are actually arrays.  However, the JIT does not insert these checks at PutLocal instructions, even though subsequent code assumes that speculate-array variables that are retrieved via GetLocal are already validated.
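The check-placement problem the description raises, as an added toy model constructed for this page. It is not JavaScriptCore code: the node names (PutLocal, GetLocal, GetByVal) mirror the DFG's, but the execution model, the `check_at_put_local` switch and the sample program are assumptions made for the illustration.

```python
"""Toy model of speculation-check placement (constructed; not JSC code)."""


class SpeculationFailure(Exception):
    """A check failed: a real JIT would bail out to the baseline path (safe)."""


class UnsafeFastPath(Exception):
    """The array fast path ran on a non-array: the situation the bug describes."""


def speculate_array(value):
    """Emit-time check: fail the speculation if the value is not an array."""
    if not isinstance(value, list):
        raise SpeculationFailure(f"expected array, got {type(value).__name__}")
    return value


def execute(nodes, check_at_put_local):
    """Run straight-line nodes. locals_ maps name -> (value, predicted_array).

    GetLocal trusts the prediction bit, so it is only sound if every PutLocal
    that defines a speculate-array variable actually ran the check.
    """
    locals_, results = {}, []
    for node in nodes:
        if node[0] == "PutLocal":
            _, name, value, predict_array = node
            if predict_array and check_at_put_local:
                speculate_array(value)          # the fix: validate at the definition
            locals_[name] = (value, predict_array)  # bit recorded as if validated
        elif node[0] == "GetByVal":
            _, name, index = node
            value, validated = locals_[name]    # GetLocal: trusts the bit
            if not validated:
                speculate_array(value)
            if not isinstance(value, list):     # fast path assumes array storage
                raise UnsafeFastPath(f"{name} holds {value!r}, not an array")
            results.append(value[index])
    return results


def outcome(nodes, check_at_put_local):
    """Summarise a run as 'ok', 'bailout' (safe) or 'unsafe' (the bug)."""
    try:
        execute(nodes, check_at_put_local)
        return "ok"
    except SpeculationFailure:
        return "bailout"
    except UnsafeFastPath:
        return "unsafe"


# Constructed program: variable a is speculated as an array, then redefined as a string.
PROGRAM = [("PutLocal", "a", [10, 20], True), ("GetByVal", "a", 1),
           ("PutLocal", "a", "oops", True), ("GetByVal", "a", 0)]
```

With the check missing at PutLocal the second GetByVal reaches the array fast path on a string; with it present the run bails out safely at the redefinition.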
Comment 1 Filip Pizlo 2011-07-11 01:49:16 PDT
Created attachment 100254 [details]
the patch
Comment 2 Alexey Proskuryakov 2011-07-11 10:21:24 PDT
Is there a reason why this doesn't have a regression test?
Comment 3 WebKit Review Bot 2011-07-11 11:39:29 PDT
Comment on attachment 100254 [details]
the patch

Clearing flags on attachment: 100254

Committed r90768: <http://trac.webkit.org/changeset/90768>
Comment 4 WebKit Review Bot 2011-07-11 11:39:33 PDT
All reviewed patches have been landed.  Closing bug.