RESOLVED FIXED 150532
r190735 Caused us to maybe trample the base's tag-GPR on 32-bit inline cache when the cache allocates a scratch register and then jumps to the slow path
https://bugs.webkit.org/show_bug.cgi?id=150532
Saam Barati
Reported 2015-10-24 12:21:27 PDT
This register used to show up in the used register set because of how the DFG kept track of used registers. I changed this in my work on online caching because we don't want to spill these registers when we have a GetByIdFlush/PutByIdFlush and we use the used register set as the metric of how to spill. That said, these registers should be locked and not used as scratch registers by the scratch register allocator. The reason is that our inline cache may fail and jump to the slow path. The slow path then uses the base's tag register. If the inline cache used the base's tag register as a scratch and it fails and jumps to the slow path, we have a problem. The most obvious solution is to just make StructureStubInfo aware of the base's tag register so that it can lock it when allocating a scratch. Note that this doesn't mean that we can trample this register when making a call. We can totally trample this as long as the inline cache succeeds. The problem is only when we trample it and then jump to the slow path.
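A hypothetical model of the hazard described in the report, added here as an illustration; it is not JavaScriptCore code, and the register numbering, the tag value and the allocator are constructed assumptions. It shows why a scratch allocator that only respects the DFG's used-register set can hand out the base's tag GPR, and why locking that GPR keeps the slow path correct.

```cpp
#include <cstdint>
#include <optional>
#include <set>

// Constructed register model: registers are numbered 0..7, the base's payload
// lives in register 0 and its tag in register 1 (32-bit JSValue split).
using GPR = int;
constexpr GPR basePayloadGPR = 0;
constexpr GPR baseTagGPR = 1;
constexpr int64_t CellTag = -1;  // constructed tag value, not JSC's real encoding

struct ScratchRegisterAllocator {
    std::set<GPR> locked;  // registers the allocator must never hand out
    void lock(GPR r) { locked.insert(r); }
    // Hand out the lowest-numbered unlocked register, or nothing if all are locked.
    std::optional<GPR> allocateScratch() const {
        for (GPR r = 0; r < 8; ++r)
            if (!locked.count(r)) return r;
        return std::nullopt;
    }
};

struct Machine { int64_t regs[8] = {}; };

// Emulates one 32-bit inline cache execution. Only the payload GPR is in the
// used-register set (as after r190735); lockTag additionally locks the tag GPR,
// which is the fix the report proposes. Returns the tag value the slow path
// observes, or CellTag when the fast path succeeds and the slow path never runs.
int64_t runInlineCache(bool lockTag, bool icFails) {
    Machine m;
    m.regs[basePayloadGPR] = 0x1000;  // constructed cell pointer
    m.regs[baseTagGPR] = CellTag;

    ScratchRegisterAllocator allocator;
    allocator.lock(basePayloadGPR);  // still reported as used by the DFG
    if (lockTag) allocator.lock(baseTagGPR);

    GPR scratch = allocator.allocateScratch().value();
    m.regs[scratch] = 0x2000;  // stub code clobbers the scratch (e.g. a Structure load)

    if (!icFails) return CellTag;  // fast path: the clobber is harmless
    // Slow path: reconstructs the base JSValue from payload + tag registers.
    return m.regs[baseTagGPR];
}

bool slowPathSeesCorrectTag(bool lockTag) {
    return runInlineCache(lockTag, /*icFails=*/true) == CellTag;
}
```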
Attachments
- patch (4.94 KB, patch), 2015-10-25 15:47 PDT, Saam Barati; flags: ggaren: review+
- patch for landing (6.43 KB, patch), 2015-10-26 12:46 PDT, Saam Barati; no flags
Saam Barati
Comment 1 2015-10-25 15:47:02 PDT
Geoffrey Garen
Comment 2 2015-10-25 18:06:50 PDT
Comment on attachment 264026 [details] patch
r=me
Geoffrey Garen
Comment 3 2015-10-25 18:15:10 PDT
...Can has regression test?
Saam Barati
Comment 4 2015-10-25 22:16:12 PDT
(In reply to comment #3)
> ...Can has regression test?
Yeah. I was thinking I should create one. I'll write one tomorrow before landing.
Saam Barati
Comment 5 2015-10-26 12:46:18 PDT
Created attachment 264064 [details] patch for landing
Saam Barati
Comment 6 2015-10-26 12:49:37 PDT