68606 – 32-bit call code clobbers the function cell tag

Bug 68606 - 32-bit call code clobbers the function cell tag

Summary: 32-bit call code clobbers the function cell tag

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	68557
	Show dependency tree / graph

Reported:	2011-09-22 03:22 PDT by Filip Pizlo
Modified:	2011-09-22 04:04 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
the patch (2.02 KB, patch) 2011-09-22 03:24 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2011-09-22 03:22:15 PDT

The change to use emitJumpIfNotType results in problems, because this function is often called (in 32-bit mode) with the tag register as the scratch register.  If the jump is taken, the slow path code then expects the tag register to be intact, and passes the no-longer-valid tag to a stub function.  This results in failures when attempting to make InternalFunction calls.

Comment 1 Filip Pizlo 2011-09-22 03:24:22 PDT

Created attachment 108305 [details]
the patch

Comment 2 Csaba Osztrogonác 2011-09-22 04:02:36 PDT

Comment on attachment 108305 [details]
the patch

r+ to go ahead. I tested it on a 32-bit Qt environment and it works for me.

Comment 3 Csaba Osztrogonác 2011-09-22 04:04:45 PDT

Comment on attachment 108305 [details]
the patch

Clearing flags on attachment: 108305

Committed r95707: <http://trac.webkit.org/changeset/95707>

Comment 4 Csaba Osztrogonác 2011-09-22 04:04:52 PDT

All reviewed patches have been landed.  Closing bug.