111777 – Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article

RESOLVED FIXED 111777

Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article

https://bugs.webkit.org/show_bug.cgi?id=111777

Summary Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com ...

Michael Saboff

Reported 2013-03-07 14:28:59 PST

Investigating this, I've determined that the issue is due to a register allocation in the middle of generating control flow and we are under register pressure causing us to spill on one path in the control flow but not the other two. This is in SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull() in dfg/DFGSpeculativeJit32_64.cpp. Inspection shows that the problem also exists in dfg/DFGSpeculativeJit64.cpp. Patch forth coming. From <rdar://problem/13185728>.

Attachments
Patch (11.08 KB, patch) 2013-03-07 16:07 PST, Michael Saboff	fpizlo: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2013-03-07 16:07:51 PST

Created attachment 192101 [details] Patch

Michael Saboff

Comment 2 2013-03-07 16:21:42 PST

Committed r145150: <http://trac.webkit.org/changeset/145150>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Michael Saboff

Reported

2013-03-07 14:28 PST

Modified

2013-03-14 14:23 PDT History

CC List

0 users

URL

http://www.tuaw.com/2012/12/29/5-things-i-want-to-see-from-apple-in-2013/

Keywords InRadar

Depends on

Blocks

112380

Dependencies

tree graph