Bug 230364 - Fix CellTag being set 32 bits even if the base is not a cell
Summary: Fix CellTag being set 32 bits even if the base is not a cell
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-09-16 11:28 PDT by Mikhail R. Gadelha
Modified: 2021-09-17 23:52 PDT (History)
8 users (show)

See Also:

Attachments
Patch (4.50 KB, patch)
2021-09-16 11:33 PDT, Mikhail R. Gadelha 		no flags Details | Formatted Diff | Diff
Patch (6.19 KB, patch)
2021-09-16 14:36 PDT, Mikhail R. Gadelha 		no flags Details | Formatted Diff | Diff
Patch (4.54 KB, patch)
2021-09-17 11:58 PDT, Mikhail R. Gadelha 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikhail R. Gadelha 2021-09-16 11:28:06 PDT 
Fix CellTag being set 32 bits even if the base is not a cell
Comment 1 Mikhail R. Gadelha 2021-09-16 11:33:25 PDT 
Created attachment 438375 [details]
Patch
Comment 2 Mikhail R. Gadelha 2021-09-16 14:36:15 PDT 
Created attachment 438404 [details]
Patch
Comment 3 Yusuke Suzuki 2021-09-17 11:09:11 PDT 
Comment on attachment 438404 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438404&action=review

Commented.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13711
> +    JSValueRegs baseRegs;
> +    if (isCell(baseEdge.useKind())) {
> +        SpeculateCellOperand base(this, baseEdge);
> +        baseRegs = JSValueRegs::payloadOnly(base.gpr());
> +    } else {
> +        JSValueOperand base(this, baseEdge);
> +        baseRegs = base.regs();
> +    }

This is not correct. When SpeculateCellOperand / JSValueOperand are destroyed, its tied register is unlocked.
Comment 4 Mikhail R. Gadelha 2021-09-17 11:58:28 PDT 
Created attachment 438498 [details]
Patch
Comment 5 Yusuke Suzuki 2021-09-17 23:44:30 PDT 
Comment on attachment 438498 [details]
Patch

r=me
Comment 6 EWS 2021-09-17 23:51:13 PDT 
Committed r282722 (241859@main): <https://commits.webkit.org/241859@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438498 [details].
Comment 7 Radar WebKit Bug Importer 2021-09-17 23:52:16 PDT 
<rdar://problem/83267081>