Bug 68606

Summary: 32-bit call code clobbers the function cell tag
Product: WebKit    Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal    CC: barraclough, fpizlo, ossy
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 68557
Attachments: the patch (no flags)

Filip Pizlo
Reported 2011-09-22 03:22:15 PDT
The change to use emitJumpIfNotType results in problems, because this function is often called (in 32-bit mode) with the tag register as the scratch register. If the jump is taken, the slow path code then expects the tag register to be intact, and passes the no-longer-valid tag to a stub function. This results in failures when attempting to make InternalFunction calls.
Attachments
the patch (2.02 KB, patch)
2011-09-22 03:24 PDT, Filip Pizlo
no flags
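The defect described above is a register-aliasing hazard: a helper that writes to a caller-supplied scratch register is handed the tag register as that scratch, and the slow path that runs after the taken jump still reads the tag register. The following toy model, added here and not part of the bug report or of JavaScriptCore, reproduces that pattern in C. Register numbers, the tag constant, the type codes, the heap table and the function names (emit_jump_if_not_type, slow_path_call, emit_call, scratch_is_safe) are all assumptions constructed for this illustration, not WebKit's real encoding or API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit JIT call sequence: a JSValue occupies two
 * registers, a tag and a payload. All constants below are assumptions. */
enum { REG_PAYLOAD = 0, REG_TAG = 1, REG_SCRATCH = 2, NUM_REGS = 3 };
#define TAG_CELL 0xFFFFFFFBu                  /* constructed "this is a cell" tag */
enum { TYPE_JSFUNCTION = 1, TYPE_INTERNALFUNCTION = 2 };

typedef struct { uint32_t type; } Cell;       /* first word of a heap cell: its type */
typedef struct { uint32_t regs[NUM_REGS]; } Machine;

/* Constructed heap: the payload register holds an index into this table. */
static const Cell heap[] = { { TYPE_JSFUNCTION }, { TYPE_INTERNALFUNCTION } };

/* Stand-in for emitJumpIfNotType: loads the callee's type through
 * scratch_reg and "jumps" (returns true) when it is not the expected type.
 * The store into scratch_reg is the side effect the bug is about. */
static bool emit_jump_if_not_type(Machine *m, int payload_reg, int scratch_reg,
                                  uint32_t expected) {
    const Cell *cell = &heap[m->regs[payload_reg]];
    m->regs[scratch_reg] = cell->type;        /* clobbers whatever was in scratch_reg */
    return m->regs[scratch_reg] != expected;
}

/* Stand-in for the slow-path stub: it rebuilds the JSValue from the tag and
 * payload it is handed and can only proceed if the tag still says "cell". */
static bool slow_path_call(uint32_t tag, uint32_t payload) {
    if (tag != TAG_CELL)
        return false;                         /* stale tag: the call fails */
    return heap[payload].type == TYPE_INTERNALFUNCTION;
}

/* Fast-path call of heap[callee_index] using scratch_reg as the scratch
 * register. Returns true when the call (fast or slow path) succeeds. */
static bool emit_call(uint32_t callee_index, int scratch_reg) {
    Machine m = { { callee_index, TAG_CELL, 0 } };
    if (emit_jump_if_not_type(&m, REG_PAYLOAD, scratch_reg, TYPE_JSFUNCTION)) {
        /* Slow path assumes REG_TAG still holds the callee's tag. */
        return slow_path_call(m.regs[REG_TAG], m.regs[REG_PAYLOAD]);
    }
    return true;                              /* ordinary JSFunction call */
}

/* Defensive check an emitter can assert before using a scratch register:
 * it must not alias any register the slow path later reads. */
static bool scratch_is_safe(int scratch_reg) {
    return scratch_reg != REG_TAG && scratch_reg != REG_PAYLOAD;
}

int main(void) {
    /* InternalFunction callee, tag register misused as scratch: slow path fails. */
    printf("scratch = tag register:  %s\n", emit_call(1, REG_TAG) ? "ok" : "FAILED");
    /* Same callee with a dedicated scratch register: slow path succeeds. */
    printf("scratch = dedicated reg: %s\n", emit_call(1, REG_SCRATCH) ? "ok" : "FAILED");
    return 0;
}
```

The failing case only appears when the type check is not satisfied (here, an InternalFunction rather than a JSFunction), which is why the report ties the symptom to InternalFunction calls: on the fast path the clobbered tag is never read again, so the bug stays hidden.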
Filip Pizlo
Comment 1 2011-09-22 03:24:22 PDT
Created attachment 108305 [details] the patch
Csaba Osztrogonác
Comment 2 2011-09-22 04:02:36 PDT
Comment on attachment 108305 [details] the patch
r+ to go ahead. I tested it on a 32-bit Qt environment and it works for me.
Csaba Osztrogonác
Comment 3 2011-09-22 04:04:45 PDT
Comment on attachment 108305 [details] the patch
Clearing flags on attachment: 108305
Committed r95707: <http://trac.webkit.org/changeset/95707>
Csaba Osztrogonác
Comment 4 2011-09-22 04:04:52 PDT
All reviewed patches have been landed. Closing bug.