WebKit Bugzilla
RESOLVED FIXED
153287
[JSC] The register allocator can use a dangling pointer when selecting a spill candidate
https://bugs.webkit.org/show_bug.cgi?id=153287
Reported by Benjamin Poulain, 2016-01-20 14:25:12 PST
[JSC] The register allocator can use a dangling pointer when selecting a spill candidate
Attachments
Patch (3.23 KB, patch), 2016-01-20 14:34 PST, Benjamin Poulain, no flags
Patch for landing (3.83 KB, patch), 2016-01-20 14:46 PST, Benjamin Poulain, no flags
Patch for landing (3.25 KB, patch), 2016-01-20 14:57 PST, Benjamin Poulain, no flags
Benjamin Poulain
Comment 1
2016-01-20 14:34:04 PST
Created attachment 269386: Patch
WebKit Commit Bot
Comment 2
2016-01-20 14:36:24 PST
Attachment 269386 did not pass style-queue:
ERROR: Source/JavaScriptCore/ChangeLog:28: Need whitespace between colon and description [changelog/filechangedescriptionwhitespace] [5]
Total errors found: 1 in 3 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Lam
Comment 3
2016-01-20 14:39:28 PST
Comment on attachment 269386: Patch
r=me
Benjamin Poulain
Comment 4
2016-01-20 14:46:52 PST
Created attachment 269388: Patch for landing
Mark Lam
Comment 5
2016-01-20 14:47:43 PST
Comment on attachment 269388: Patch for landing
View in context: https://bugs.webkit.org/attachment.cgi?id=269388&action=review
> Source/JavaScriptCore/dfg/DFGCommon.h:42 > -#define FTL_USES_B3 0 > +#define FTL_USES_B3 1 >
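Review bot: the flip of `FTL_USES_B3` from 0 to 1 at Source/JavaScriptCore/dfg/DFGCommon.h:42 is a build-configuration change unrelated to the spill-candidate fix this bug tracks. Drop it from the landing patch so the commit carries only the register allocator change.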
Please undo this.
Benjamin Poulain
Comment 6
2016-01-20 14:57:49 PST
Created attachment 269390: Patch for landing
WebKit Commit Bot
Comment 7
2016-01-20 15:11:44 PST
Comment on attachment 269390: Patch for landing
Clearing flags on attachment: 269390
Committed r195387: <http://trac.webkit.org/changeset/195387>
WebKit Commit Bot
Comment 8
2016-01-20 15:11:47 PST
All reviewed patches have been landed. Closing bug.
Filip Pizlo
Comment 9
2016-01-20 17:45:24 PST
I encountered the same thing. I think I'll keep my version of UseCounts from https://bugs.webkit.org/show_bug.cgi?id=153200, which returns a pointer that may be null, since it feels perfectly ordinary for a phase to add tmps and still query UseCounts. I'm not sure whether to keep your version or my version of the fix in IRC. The benefit of my fix is that querying unspillableTmps before adding to spillWorklist is probably better than querying unspillableTmps for every member of spillWorklist every time selectSpill() is called.
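The two ideas raised in Comment 9, a use-count lookup that may return null and the choice of where to filter unspillable tmps, shown in a simplified model. This is an added example, not code from WebKit or from any commenter on this bug. Every type and function name, the fewest-uses selection heuristic, and the sample tmps are assumptions made for illustration.

```cpp
// Simplified model, added for illustration; not JavaScriptCore code. Names are hypothetical.
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Use counts are computed once; tmps created afterwards have no entry in the table.
struct UseCountsModel {
    std::vector<unsigned> counts;
    // May return null: a late-added tmp gets nullptr, not an address past the table.
    const unsigned* forTmp(std::size_t tmp) const {
        return tmp < counts.size() ? &counts[tmp] : nullptr;
    }
};

struct AllocatorModel {
    UseCountsModel useCounts;
    std::set<std::size_t> unspillableTmps;
    std::vector<std::size_t> spillWorklist;
    std::size_t queries = 0; // lookups in unspillableTmps, to compare placements
    bool isUnspillable(std::size_t tmp) { ++queries; return unspillableTmps.count(tmp) != 0; }
    // Placement 1: query unspillableTmps once, before adding to spillWorklist.
    void addFiltered(std::size_t tmp) { if (!isUnspillable(tmp)) spillWorklist.push_back(tmp); }
    // Placement 2 (filterHere): query every member on every call. Returns the tmp
    // with the fewest uses (assumed heuristic), or -1 if nothing is eligible.
    long selectSpill(bool filterHere) {
        long best = -1;
        unsigned bestUses = 0;
        for (std::size_t tmp : spillWorklist) {
            if (filterHere && isUnspillable(tmp)) continue;
            const unsigned* uses = useCounts.forTmp(tmp);
            if (!uses) continue; // no data for this tmp: skip, never dereference
            if (best < 0 || *uses < bestUses) { best = static_cast<long>(tmp); bestUses = *uses; }
        }
        return best;
    }
};

struct Result { long pick; std::size_t queries; };
// Constructed scenario: tmps 0..2 analysed; 3 (unspillable) and 4 were added later.
Result run(bool filterOnAdd, int rounds) {
    AllocatorModel a;
    a.useCounts.counts = {5, 2, 9};
    a.unspillableTmps = {3};
    for (std::size_t tmp = 0; tmp < 5; ++tmp) {
        if (filterOnAdd) a.addFiltered(tmp); else a.spillWorklist.push_back(tmp);
    }
    long pick = -1;
    for (int i = 0; i < rounds; ++i) pick = a.selectSpill(!filterOnAdd);
    return {pick, a.queries};
}
```

In this model both placements select the same candidate; the difference is the number of unspillableTmps lookups, which grows with every selectSpill() call only when the filter sits inside the selection loop.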