Bug 112738 - Crash in SpeculativeJIT::fillSpeculateIntInternal<false> on http://bellard.org/jslinux
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Hahnenberg
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-19 12:45 PDT by Mark Hahnenberg
Modified: 2013-03-19 14:51 PDT
CC: 2 users

See Also:


Attachments
Patch (1.39 KB, patch) - 2013-03-19 12:50 PDT, Mark Hahnenberg
Patch (26.48 KB, patch) - 2013-03-19 13:59 PDT, Mark Hahnenberg

Description Mark Hahnenberg 2013-03-19 12:45:28 PDT
Reproducible crash on ToT when the Linux emulator tries to boot.

Steps:
1) Load the web site
2) Wait for the emulator to start booting Linux
3) Crash after a couple of seconds
Comment 1 Mark Hahnenberg 2013-03-19 12:45:46 PDT
<rdar://problem/13452599>
Comment 2 Mark Hahnenberg 2013-03-19 12:46:15 PDT
The issue is that we're killing the ValueToInt32 node in fixIntEdge in DFGFixupPhase.cpp, which is not safe.
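The patch itself lives in the DFG fixup phase and is not reproduced on this page. As an added example that is not part of the bug report or the WebKit patch, the JavaScript below spells out what the ValueToInt32 node named in the comment is responsible for (the ECMAScript ToInt32 operation that `x | 0` performs), runs a hot loop of mixed-type operands through it so a tiering engine would compile the site, and states the one condition under which bypassing the conversion is safe: the operand is already a canonical int32. The input list, the function names and the iteration count are constructed here for illustration and are assumptions, not anything from the bug or the engine.

```javascript
// Added example, not from the WebKit bug or its patch. Reference ToInt32
// (ECMA-262): NaN/Infinity -> 0, truncate toward zero, reduce modulo 2^32,
// then map into the signed 32-bit range. Number() applies ToNumber, so an
// object's valueOf()/toString() runs exactly as it does for `x | 0`.
function toInt32(value) {
  const n = Number(value);
  if (!Number.isFinite(n) || n === 0) return 0;
  let m = Math.trunc(n) % 4294967296;       // 2^32
  if (m < 0) m += 4294967296;
  if (m === 0) return 0;                    // normalise -0 to +0
  return m >= 2147483648 ? m - 4294967296 : m;
}

// Constructed inputs (assumption): the cases a "value is already an int32"
// shortcut silently mishandles: fractions, out-of-range doubles, NaN and
// Infinity, strings, booleans, null/undefined, and an object whose
// valueOf() has to run.
const SAMPLE_INPUTS = [
  42, -1, 3.99, -3.99, 2147483648, 4294967296 + 5, -2147483649,
  NaN, Infinity, -Infinity, "12", "0x10", "abc", true, null, undefined,
  { valueOf() { return 2 ** 32 + 7; } },
];

// Run the conversion many times so a tiered engine (JSC's DFG, for one)
// would compile the loop, and confirm that `x | 0`, which the DFG lowers
// through ValueToInt32, agrees with the reference on every iteration.
// Returns a Map of input index -> [got, expected] for any disagreement.
function checkValueToInt32(inputs, iterations = 20000) {
  const mismatches = new Map();
  for (let i = 0; i < iterations; i++) {
    for (let k = 0; k < inputs.length; k++) {
      const got = inputs[k] | 0;            // the engine's own ValueToInt32
      const expected = toInt32(inputs[k]);
      if (got !== expected && !mismatches.has(k)) mismatches.set(k, [got, expected]);
    }
  }
  return mismatches;
}

// The only operands for which the conversion is an identity, and so the
// only ones for which a fixup pass may route an int edge around it.
// Note -0 is excluded: `-0 | 0` is +0, so even -0 needs the conversion.
function canBypassConversion(v) {
  return typeof v === "number" && Number.isInteger(v) && !Object.is(v, -0)
    && v >= -2147483648 && v <= 2147483647;
}

// Which of the sample inputs still need the ValueToInt32 node kept alive.
function inputsNeedingConversion(inputs) {
  return inputs.filter((v) => !canBypassConversion(v));
}

console.log("mismatches:", checkValueToInt32(SAMPLE_INPUTS).size);
console.log("need conversion:", inputsNeedingConversion(SAMPLE_INPUTS).length, "of", SAMPLE_INPUTS.length);
```

Run it under `node`; `checkValueToInt32` should report no mismatches on a correct engine, and `inputsNeedingConversion` shows that only two of the seventeen sample operands are safe to pass straight through. That is the gap a fixup pass has to respect: it may drop the node only for operands it can prove are already int32, which is what the comment means by "not safe".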
Comment 3 Mark Hahnenberg 2013-03-19 12:50:35 PDT
Created attachment 193900
Patch
Comment 4 Filip Pizlo 2013-03-19 12:52:04 PDT
I can has LayoutTest?
Comment 5 Mark Hahnenberg 2013-03-19 13:59:58 PDT
Created attachment 193915
Patch
Comment 6 WebKit Review Bot 2013-03-19 14:51:56 PDT
Comment on attachment 193915
Patch

Clearing flags on attachment: 193915

Committed r146263: <http://trac.webkit.org/changeset/146263>
Comment 7 WebKit Review Bot 2013-03-19 14:51:59 PDT
All reviewed patches have been landed.  Closing bug.