Bug 64903

Summary: DFG speculative JIT sometimes claims to use compare operands twice, leading to use count corruption
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, fpizlo, webkit.review.bot
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments:
the patch (Flags: none)

Description Filip Pizlo 2011-07-20 16:40:54 PDT
The DFG speculative JIT's compare() helper method may call the JITCodeGenerator's non-speculative compare helper, which calls use() on the operands.  But then SpeculativeJIT::compare() also calls use() on the operands.  The SpeculativeJIT::compare() method should not call use() on the operands if the JITCodeGenerator has already done so.
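The double use() the description points at, modelled as a stand-alone C++ example added here (not WebKit's code): a use tracker whose use() reports underflow, a stand-in for the non-speculative compare helper that consumes its own operands, and the buggy versus corrected shape of the speculative compare. UseTracker, buggyCompare, fixedCompare and scenario are hypothetical names, and the "helper returns whether it handled the compare" shape is an assumption, not the landed fix.

```cpp
#include <map>

// Hypothetical model of DFG use counting. Each node records how many
// times its value will still be consumed; use() decrements that count,
// and reaching zero signals that the value's register may be recycled.
struct UseTracker {
    std::map<int, int> remainingUses; // node index -> uses left

    void setUses(int node, int uses) { remainingUses[node] = uses; }

    // Consume one use. Underflow means some caller used the operand twice,
    // which is the use-count corruption the bug report describes.
    bool use(int node) {
        int& count = remainingUses[node];
        if (count <= 0)
            return false; // corruption detected
        --count;
        return true;
    }
};

// Stand-in for the JITCodeGenerator's non-speculative compare: it emits
// the compare and calls use() on both operands itself.
bool nonSpeculativeCompare(UseTracker& t, int lhs, int rhs) {
    return t.use(lhs) && t.use(rhs);
}

// Buggy shape: delegate to the helper, then use() the operands again.
bool buggyCompare(UseTracker& t, int lhs, int rhs, bool takeSlowPath) {
    bool ok = true;
    if (takeSlowPath)
        ok = nonSpeculativeCompare(t, lhs, rhs);
    ok = t.use(lhs) && ok; // second use() on already-consumed operands
    ok = t.use(rhs) && ok;
    return ok;
}

// Fixed shape: whoever emitted the compare is the only one to use() operands.
bool fixedCompare(UseTracker& t, int lhs, int rhs, bool takeSlowPath) {
    if (takeSlowPath)
        return nonSpeculativeCompare(t, lhs, rhs);
    return t.use(lhs) && t.use(rhs);
}

// Run one scenario on fresh operands that each have exactly one use left.
bool scenario(bool useBuggyPath, bool takeSlowPath) {
    UseTracker t;
    t.setUses(1, 1);
    t.setUses(2, 1);
    return useBuggyPath ? buggyCompare(t, 1, 2, takeSlowPath)
                        : fixedCompare(t, 1, 2, takeSlowPath);
}
```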
Comment 1 Filip Pizlo 2011-07-20 16:45:11 PDT
Created attachment 101526 [details]
the patch
Comment 2 WebKit Review Bot 2011-07-20 17:24:13 PDT
Comment on attachment 101526 [details]
the patch

Clearing flags on attachment: 101526

Committed r91428: <http://trac.webkit.org/changeset/91428>
Comment 3 WebKit Review Bot 2011-07-20 17:24:17 PDT
All reviewed patches have been landed.  Closing bug.