64903 – DFG speculative JIT sometimes claims to use compare operands twice, leading to use count corruption

Bug 64903 - DFG speculative JIT sometimes claims to use compare operands twice, leading to use count corruption

Summary: DFG speculative JIT sometimes claims to use compare operands twice, leading t...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:

Reported:	2011-07-20 16:40 PDT by Filip Pizlo
Modified:	2011-07-20 17:24 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
the patch (1.81 KB, patch) 2011-07-20 16:45 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2011-07-20 16:40:54 PDT

The DFG speculative JIT's compare() helper method may call the JITCodeGenerator's non-speculative compare helper, which calls use() on the operands.  But then SpeculativeJIT::compare() also calls use() on the operands.  The SpeculativeJIT::compare() method should not call use() on the operands if the JITCodeGenerator has already done so.

Comment 1 Filip Pizlo 2011-07-20 16:45:11 PDT

Created attachment 101526 [details]
the patch

Comment 2 WebKit Review Bot 2011-07-20 17:24:13 PDT

Comment on attachment 101526 [details]
the patch

Clearing flags on attachment: 101526

Committed r91428: <http://trac.webkit.org/changeset/91428>

Comment 3 WebKit Review Bot 2011-07-20 17:24:17 PDT

All reviewed patches have been landed.  Closing bug.