64254 – DFG Speculative JIT does not always insert speculation checks when speculating arrays

Bug 64254 - DFG Speculative JIT does not always insert speculation checks when speculating arrays

Summary: DFG Speculative JIT does not always insert speculation checks when speculatin...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-07-11 01:37 PDT by Filip Pizlo
Modified:	2011-07-11 11:39 PDT (History)
CC List:	1 user (show)

See Also:

Attachments
the patch (1.90 KB, patch) 2011-07-11 01:49 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2011-07-11 01:37:36 PDT

The DFG Speculative JIT attempts to guess the type of variables.  Sometimes, it guesses that a variable is an array.  The JIT should insert checking code that validates that variables that are speculate-array are actually arrays.  However, the JIT does not insert these checks at PutLocal instructions, even though subsequent code assumes that specualte-array variables that are retrieved via GetLocal are already validated.

Comment 1 Filip Pizlo 2011-07-11 01:49:16 PDT

Created attachment 100254 [details]
the patch

Comment 2 Alexey Proskuryakov 2011-07-11 10:21:24 PDT

Is there a reason why this doesn't have a regression test?

Comment 3 WebKit Review Bot 2011-07-11 11:39:29 PDT

Comment on attachment 100254 [details]
the patch

Clearing flags on attachment: 100254

Committed r90768: <http://trac.webkit.org/changeset/90768>

Comment 4 WebKit Review Bot 2011-07-11 11:39:33 PDT

All reviewed patches have been landed.  Closing bug.