97496 – JSC: llint ASM should not reference ArrayProfile outside of VALUE_PROFILER check

RESOLVED FIXED Bug 97496

JSC: llint ASM should not reference ArrayProfile outside of VALUE_PROFILER check

https://bugs.webkit.org/show_bug.cgi?id=97496

Summary JSC: llint ASM should not reference ArrayProfile outside of VALUE_PROFILER check

Mark Lam

Reported 2012-09-24 16:43:29 PDT

When jsc is built with ENABLE_JIT, ENABLE_LLINT, and !ENABLE_DFG_JIT, run-javascript-test is reporting 900+ regressions. This is due to a crash in the llint where it is expecting to access an ArrayProfile record which has not been allocated. This access should be guarded by "if VALUE_PROFILER" and hence should not have occurred.

Attachments
Fix. (1.94 KB, patch) 2012-09-24 16:50 PDT, Mark Lam	fpizlo: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2012-09-24 16:50:19 PDT

Created attachment 165468 [details] Fix. Fixed as suggested by Filip.

Mark Lam

Comment 2 2012-09-24 16:53:40 PDT

Landed in http://trac.webkit.org/changeset/129428.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Mark Lam

Reported

2012-09-24 16:43 PDT

Modified

2012-09-24 16:53 PDT History

CC List

1 user Show

URL

Keywords

Depends on

Blocks