RESOLVED FIXED 230364
Fix CellTag being set 32 bits even if the base is not a cell 
https://bugs.webkit.org/show_bug.cgi?id=230364
Summary Fix CellTag being set 32 bits even if the base is not a cell
Mikhail R. Gadelha
Reported 2021-09-16 11:28:06 PDT
Fix CellTag being set 32 bits even if the base is not a cell
Attachments
Patch (4.50 KB, patch)
2021-09-16 11:33 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Patch (6.19 KB, patch)
2021-09-16 14:36 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Patch (4.54 KB, patch)
2021-09-17 11:58 PDT, Mikhail R. Gadelha 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mikhail R. Gadelha
Comment 1 2021-09-16 11:33:25 PDT
Created attachment 438375 [details] Patch
Mikhail R. Gadelha
Comment 2 2021-09-16 14:36:15 PDT
Created attachment 438404 [details] Patch
Yusuke Suzuki
Comment 3 2021-09-17 11:09:11 PDT
Comment on attachment 438404 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438404&action=review Commented. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13711 > + JSValueRegs baseRegs; > + if (isCell(baseEdge.useKind())) { > + SpeculateCellOperand base(this, baseEdge); > + baseRegs = JSValueRegs::payloadOnly(base.gpr()); > + } else { > + JSValueOperand base(this, baseEdge); > + baseRegs = base.regs(); > + } This is not correct. When SpeculateCellOperand / JSValueOperand are destroyed, its tied register is unlocked.
Mikhail R. Gadelha
Comment 4 2021-09-17 11:58:28 PDT
Created attachment 438498 [details] Patch
Yusuke Suzuki
Comment 5 2021-09-17 23:44:30 PDT
Comment on attachment 438498 [details] Patch r=me
EWS
Comment 6 2021-09-17 23:51:13 PDT
Committed r282722 (241859@main): <https://commits.webkit.org/241859@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438498 [details].
Radar WebKit Bug Importer
Comment 7 2021-09-17 23:52:16 PDT
<rdar://problem/83267081>
Note You need to log in before you can comment on or make changes to this bug.