Bug 66122 - DFG JIT-specific structure stub info code offset fields are signed 8-bit, but it is possible for the offsets to be greater than 127
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-11 18:45 PDT by Filip Pizlo
Modified: 2011-08-11 21:10 PDT

See Also:


Attachments
the patch (4.68 KB, patch)
2011-08-11 18:47 PDT, Filip Pizlo
fpizlo: review-
the patch (6.22 KB, patch)
2011-08-11 19:18 PDT, Filip Pizlo
no flags
the patch (even better) (7.36 KB, patch)
2011-08-11 19:26 PDT, Filip Pizlo
no flags

Description Filip Pizlo 2011-08-11 18:45:09 PDT
The DFG JIT needs to store offsets between the return address and patchable points in the code, because these offsets vary depending on how register allocation works out.  As an optimization these were compressed to 8 bits.  But the offsets may be greater than 127 when a large number of registers get spilled.  It's not clear that the offsets are guaranteed to be less than 256, either, when all registers get spilled, particularly if the number of registers used by the DFG is increased.  These offsets should use more bits to be robust against the rare and difficult-to-debug cases where large amounts of spilling occur.
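The failure mode described in the report, as an added example that is not part of the bug's patch or of JavaScriptCore's code: a hypothetical stub record (the `NarrowStubInfo` and `WideStubInfo` structs and the code addresses below are constructed for illustration, not the real StructureStubInfo layout) stores the distance from a return address to a patch point, first in a signed 8-bit field and then in a widened field with a range check. Recording the offset and reading it back shows where each width stops round-tripping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical models of a JIT stub record; not JavaScriptCore's real
 * StructureStubInfo layout.  Each holds the address a call returns to and
 * the distance from that address to a patchable instruction.  The original
 * layout used a signed 8-bit field for the distance. */
typedef struct {
    uintptr_t return_address;
    int8_t    patch_offset;   /* signed 8-bit: the field this bug is about */
} NarrowStubInfo;

typedef struct {
    uintptr_t return_address;
    int32_t   patch_offset;   /* widened field */
} WideStubInfo;

/* Code-generation time: record the distance.  The cast to int8_t wraps
 * silently (implementation-defined in C, modular on common compilers). */
void narrow_record(NarrowStubInfo *s, uintptr_t ret, uintptr_t patch)
{
    s->return_address = ret;
    s->patch_offset = (int8_t)(patch - ret);
}

/* Patch time: reconstruct the patch point from the stored distance. */
uintptr_t narrow_patch_point(const NarrowStubInfo *s)
{
    return s->return_address + (intptr_t)s->patch_offset;
}

/* Same recording step with the widened field and a range check, so a
 * distance the field cannot represent is rejected instead of truncated. */
bool wide_record(WideStubInfo *s, uintptr_t ret, uintptr_t patch)
{
    intptr_t delta = (intptr_t)(patch - ret);
    if (delta < INT32_MIN || delta > INT32_MAX)
        return false;
    s->return_address = ret;
    s->patch_offset = (int32_t)delta;
    return true;
}

uintptr_t wide_patch_point(const WideStubInfo *s)
{
    return s->return_address + (intptr_t)s->patch_offset;
}

/* Does record-then-reconstruct land on the intended patch address? */
bool narrow_round_trips(uintptr_t ret, uintptr_t patch)
{
    NarrowStubInfo s;
    narrow_record(&s, ret, patch);
    return narrow_patch_point(&s) == patch;
}

bool wide_round_trips(uintptr_t ret, uintptr_t patch)
{
    WideStubInfo s;
    return wide_record(&s, ret, patch) && wide_patch_point(&s) == patch;
}

/* An unsigned 8-bit field moves the cliff from 128 to 256 but does not
 * remove it: (uint8_t)256 is 0, which would patch the return address. */
bool unsigned_narrow_round_trips(uintptr_t ret, uintptr_t patch)
{
    uint8_t off = (uint8_t)(patch - ret);
    return ret + off == patch;
}

int main(void)
{
    uintptr_t ret = 0x10000;  /* constructed code address */
    unsigned deltas[] = { 100, 127, 128, 200, 255, 256, 300 };
    for (size_t i = 0; i < sizeof deltas / sizeof deltas[0]; i++) {
        uintptr_t patch = ret + deltas[i];
        printf("offset %3u: int8 %s  uint8 %s  int32 %s\n", deltas[i],
               narrow_round_trips(ret, patch) ? "ok  " : "WRAP",
               unsigned_narrow_round_trips(ret, patch) ? "ok  " : "WRAP",
               wide_round_trips(ret, patch) ? "ok  " : "WRAP");
    }
    return 0;
}
```

The point of the range check in `wide_record` is that a silently wrapped offset is only detected when the wrong instruction gets patched, which is the "rare and difficult-to-debug" case the report describes; failing at record time keeps the error at the spot where the offset was computed. Whether the landed change r92911 checks the range this way is not stated on this page.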
Comment 1 Filip Pizlo 2011-08-11 18:47:02 PDT
Created attachment 103721 [details]
the patch
Comment 2 Filip Pizlo 2011-08-11 18:55:46 PDT
Comment on attachment 103721 [details]
the patch

Never mind.  This doesn't really fix it.  Trying again...
Comment 3 Filip Pizlo 2011-08-11 19:18:31 PDT
Created attachment 103724 [details]
the patch
Comment 4 Filip Pizlo 2011-08-11 19:26:31 PDT
Created attachment 103725 [details]
the patch (even better)
Comment 5 WebKit Review Bot 2011-08-11 21:09:56 PDT
Comment on attachment 103725 [details]
the patch (even better)

Clearing flags on attachment: 103725

Committed r92911: <http://trac.webkit.org/changeset/92911>
Comment 6 WebKit Review Bot 2011-08-11 21:10:01 PDT
All reviewed patches have been landed.  Closing bug.