111777 – Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article

Bug 111777 - Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com article

Summary: Crash when updating predictions below JSC::arrayProtoFuncForEach on tuaw.com ...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:	http://www.tuaw.com/2012/12/29/5-thin...
Keywords:	InRadar

Depends on:
Blocks:	112380
	Show dependency tree / graph

Reported:	2013-03-07 14:28 PST by Michael Saboff
Modified:	2013-03-14 14:23 PDT (History)
CC List:	0 users

See Also:

Attachments
Patch (11.08 KB, patch) 2013-03-07 16:07 PST, Michael Saboff	fpizlo: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2013-03-07 14:28:59 PST

Investigating this, I've determined that the issue is due to a register allocation in the middle of generating control flow and we are under register pressure causing us to spill on one path in the control flow but not the other two.  This is in SpeculativeJIT::nonSpeculativeNonPeepholeCompareNull() in dfg/DFGSpeculativeJit32_64.cpp.  Inspection shows that the problem also exists in dfg/DFGSpeculativeJit64.cpp.

Patch forth coming.

From <rdar://problem/13185728>.

Comment 1 Michael Saboff 2013-03-07 16:07:51 PST

Created attachment 192101 [details]
Patch

Comment 2 Michael Saboff 2013-03-07 16:21:42 PST

Committed r145150: <http://trac.webkit.org/changeset/145150>