RESOLVED FIXED 122332
FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index 
https://bugs.webkit.org/show_bug.cgi?id=122332
Summary FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as a...
Michael Saboff
Reported 2013-10-04 11:18:30 PDT
There are several instances in OSRExit::convertToForward() where we are using the offset() method on a virtual register as an array index. The should be toLocal() calls instead.
Attachments
Patch (2.12 KB, patch)
2013-10-04 11:33 PDT, Michael Saboff 		fpizlo: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Nadav Rotem
Comment 1 2013-10-04 11:32:49 PDT
Looks Good To Me (LGTM).
Michael Saboff
Comment 2 2013-10-04 11:33:56 PDT
Created attachment 213381 [details] Patch
Michael Saboff
Comment 3 2013-10-04 11:36:55 PDT
Committed r156900: <http://trac.webkit.org/changeset/156900>
Filip Pizlo
Comment 4 2013-10-04 11:44:33 PDT
Comment on attachment 213381 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=213381&action=review > Source/JavaScriptCore/ftl/FTLOSRExit.cpp:90 > - if (m_values[overriddenOperand.offset()].isArgument()) { > - ExitArgument exitArgument = m_values[overriddenOperand.offset()].exitArgument(); > + if (m_values[overriddenOperand.toLocal()].isArgument()) { > + ExitArgument exitArgument = m_values[overriddenOperand.toLocal()].exitArgument(); > arguments[exitArgument.argument()] = value.value(); > - m_values[overriddenOperand.offset()] = ExitValue::exitArgument( > + m_values[overriddenOperand.toLocal()] = ExitValue::exitArgument( I think that this is still wrong. m_values is an Operands<>, which can be indexed in two ways: Operands<>::operator[]: this is only meant for iterating over all of the entries, and the index is meaningless. it is neither the offset nor the local - it's nothing. Hence this code was totally wrong to begin with for using m_values[...], and only worked by accident. Operands<>::operand(): this takes a VirtualRegister. There are other indexing modes like Operands<>::local() and Operands<>::argument(), but those are less useful since usually in the DFG and FTL we don't know if something is a local or an argument and we don't really care. In this code, overriddenOperand could be an argument, maybe if you did something like: function foo(x) { x = x | 0 } I don't know if you'll actually get a MovHint into the argument here, but that would be valid IR for this byte code so we should be able to handle it. So, the correct thing to do here is to say: if (m_values.operand(overriddenOperand).isArgument()) { ... And: m_values.operand(overriddenOperand) = ExitValue::exitArgument( ... That way, it'll handle both locals and arguments and there will be no confusion over what to use as indices.
Michael Saboff
Comment 5 2013-10-04 11:46:27 PDT
I'll make the changes that Phil suggests and submit a new patch.
Filip Pizlo
Comment 6 2013-10-04 11:47:35 PDT
(In reply to comment #5) > I'll make the changes that Phil suggests and submit a new patch. Can you fix it in: https://bugs.webkit.org/show_bug.cgi?id=122336
Filip Pizlo
Comment 7 2013-10-04 11:47:50 PDT
(In reply to comment #6) > (In reply to comment #5) > > I'll make the changes that Phil suggests and submit a new patch. > > Can you fix it in: https://bugs.webkit.org/show_bug.cgi?id=122336 (or dup appropriately if you already created your own bug.)
Michael Saboff
Comment 8 2013-10-04 11:51:25 PDT
(In reply to comment #7) > (In reply to comment #6) > > (In reply to comment #5) > > > I'll make the changes that Phil suggests and submit a new patch. > > > > Can you fix it in: https://bugs.webkit.org/show_bug.cgi?id=122336 > > (or dup appropriately if you already created your own bug.) I'll fix it in 122336. Testing now.
Note You need to log in before you can comment on or make changes to this bug.