Bug 64330 - DFG speculative JIT does not guard itself against floating point speculation failures on non-floating-point constants
Summary: DFG speculative JIT does not guard itself against floating point speculation ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
Reported: 2011-07-11 17:09 PDT by Filip Pizlo
Modified: 2011-07-11 18:10 PDT (History)
CC: 1 user

See Also:


Attachments
the patch (1.84 KB, patch)
2011-07-11 17:15 PDT, Filip Pizlo
no flags

Description Filip Pizlo 2011-07-11 17:09:12 PDT
The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant.  Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action.  Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register.
Comment 1 Filip Pizlo 2011-07-11 17:15:22 PDT
Created attachment 100386 [details]
the patch
Comment 2 WebKit Review Bot 2011-07-11 18:10:20 PDT
Comment on attachment 100386 [details]
the patch

Clearing flags on attachment: 100386

Committed r90799: <http://trac.webkit.org/changeset/90799>
Comment 3 WebKit Review Bot 2011-07-11 18:10:23 PDT
All reviewed patches have been landed.  Closing bug.