64903 – DFG speculative JIT sometimes claims to use compare operands twice, leading to use count corruption

RESOLVED FIXED 64903

DFG speculative JIT sometimes claims to use compare operands twice, leading to use count corruption

https://bugs.webkit.org/show_bug.cgi?id=64903

Summary DFG speculative JIT sometimes claims to use compare operands twice, leading t...

Filip Pizlo

Reported 2011-07-20 16:40:54 PDT

The DFG speculative JIT's compare() helper method may call the JITCodeGenerator's non-speculative compare helper, which calls use() on the operands. But then SpeculativeJIT::compare() also calls use() on the operands. The SpeculativeJIT::compare() method should not call use() on the operands if the JITCodeGenerator has already done so.

Attachments
the patch (1.81 KB, patch) 2011-07-20 16:45 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2011-07-20 16:45:11 PDT

Created attachment 101526 [details] the patch

WebKit Review Bot

Comment 2 2011-07-20 17:24:13 PDT

Comment on attachment 101526 [details] the patch Clearing flags on attachment: 101526 Committed r91428: <http://trac.webkit.org/changeset/91428>

WebKit Review Bot

Comment 3 2011-07-20 17:24:17 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2011-07-20 16:40 PDT

Modified

2011-07-20 17:24 PDT History

CC List

3 users Show

URL

Keywords

Depends on

Blocks