114774 – Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com

Bug 114774 - Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com

Summary: Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-04-17 16:45 PDT by Mark Hahnenberg
Modified:	2013-04-18 15:50 PDT (History)
CC List:	0 users

See Also:

Attachments
Patch (1.54 KB, patch) 2013-04-18 12:17 PDT, Mark Hahnenberg	no flags	Details \| Formatted Diff \| Diff
Patch (4.36 KB, patch) 2013-04-18 15:42 PDT, Mark Hahnenberg	ggaren: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2013-04-17 16:45:19 PDT

Looks like we're not linking up all of the slow cases in the baseline JIT. put_to_base is the culprit due to some weird mismatch in the switch statement logic of the normal case and the slow case.

Comment 1 Mark Hahnenberg 2013-04-17 16:45:29 PDT

<rdar://problem/13445011>

Comment 2 Mark Hahnenberg 2013-04-18 12:17:28 PDT

Created attachment 198752 [details]
Patch

Comment 3 Geoffrey Garen 2013-04-18 12:23:56 PDT

Comment on attachment 198752 [details]
Patch

Patch looks good, but it needs a regression test.

Comment 4 Mark Hahnenberg 2013-04-18 15:42:24 PDT

Created attachment 198776 [details]
Patch

Comment 5 Geoffrey Garen 2013-04-18 15:43:52 PDT

Comment on attachment 198776 [details]
Patch

r=me

Comment 6 Mark Hahnenberg 2013-04-18 15:50:57 PDT

Committed r148711: <http://trac.webkit.org/changeset/148711>