153897 – REGRESSION(192409): Cannot rely on add32() to zero-extend

Bug 153897 - REGRESSION(192409): Cannot rely on add32() to zero-extend

Summary: REGRESSION(192409): Cannot rely on add32() to zero-extend

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-02-04 15:05 PST by Filip Pizlo
Modified:	2016-02-04 15:23 PST (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2016-02-04 15:05:07 PST

Callers of add32() and other 32-bit arithmetic ops rely on the fact that the destination register is zero-extended.  The optimizations in r192409 broke this feature, and this causes crashes on some obscure code.

Comment 1 Filip Pizlo 2016-02-04 15:16:34 PST

rdar://problem/24289839

Comment 2 Filip Pizlo 2016-02-04 15:20:26 PST

I tried writing a test, but actually hitting this issue is sooooper hard.

Comment 3 Filip Pizlo 2016-02-04 15:23:58 PST

Landed in http://trac.webkit.org/changeset/196152