Title: [98878] trunk/Source/JavaScriptCore
Revision
98878
Author
fpi...@apple.com
Date
2011-10-31 14:03:21 -0700 (Mon, 31 Oct 2011)

Log Message

REGRESSION (r97118): Reproducible crash in JSCell::toPrimitive when adding
https://bugs.webkit.org/show_bug.cgi?id=71227

Reviewed by Oliver Hunt.
No new tests, since while I can see exactly where the DFG went wrong on the
site in question from looking at the generated machine code, and while I can
certainly believe that such a scenario would happen, I cannot visualize how
to make it happen reproducibly. It requires an odd combination of double
values getting spilled and then refilled, but then reboxed at just the right
time so that the spilled value is an unboxed double while the in-register
value is a boxed double.

* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::JITCodeGenerator::silentFillGPR):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (98877 => 98878)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-31 20:50:51 UTC (rev 98877)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-31 21:03:21 UTC (rev 98878)
@@ -1,3 +1,21 @@
+2011-10-31  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION (r97118): Reproducible crash in JSCell::toPrimitive when adding
+        https://bugs.webkit.org/show_bug.cgi?id=71227
+
+        Reviewed by Oliver Hunt.
+        
+        No new tests, since while I can see exactly where the DFG went wrong on the
+        site in question from looking at the generated machine code, and while I can
+        certainly believe that such a scenario would happen, I cannot visualize how
+        to make it happen reproducibly. It requires an odd combination of double
+        values getting spilled and then refilled, but then reboxed at just the right
+        time so that the spilled value is an unboxed double while the in-register
+        value is a boxed double.
+
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::JITCodeGenerator::silentFillGPR):
+
 2011-10-30  Filip Pizlo  <fpi...@apple.com>
 
         JSParser::parsePrimaryExpression should have an overflow check
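Review bot: The new ChangeLog entry explains why there is no test but never states what the code change actually is; a reader of the log cannot tell that silentFillGPR now handles the case where the spill format is DataFormatDouble while the register format is DataFormatJSDouble. Under the `(JSC::DFG::JITCodeGenerator::silentFillGPR):` line, add a short description, for example: "Handle the DataFormatDouble spill format by reloading the raw double bits and reboxing them, since the register held a boxed double." The entry should also spell out the consequence of the bug it fixes (an unboxed double being treated as a JSValue, which is what led to the JSCell::toPrimitive crash named in the title), so the link between the symptom and the fix is recorded.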

Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h (98877 => 98878)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-10-31 20:50:51 UTC (rev 98877)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-10-31 21:03:21 UTC (rev 98878)
@@ -397,6 +397,10 @@
             ASSERT(registerFormat == DataFormatJSInteger);
             m_jit.load32(JITCompiler::payloadFor(spillMe), info.gpr());
             m_jit.orPtr(GPRInfo::tagTypeNumberRegister, info.gpr());
+        } else if (info.spillFormat() == DataFormatDouble) {
+            ASSERT(registerFormat == DataFormatJSDouble);
+            m_jit.loadPtr(JITCompiler::addressFor(spillMe), info.gpr());
+            m_jit.subPtr(GPRInfo::tagTypeNumberRegister, info.gpr());
         } else
             m_jit.loadPtr(JITCompiler::addressFor(spillMe), info.gpr());
 #else
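Review bot: The `#else` immediately after the hunk shows this change lands only in one side of a USE(JSVALUE64)-style conditional, so the same spill-format/register-format mismatch should be checked on the other branch; if the 32-bit path cannot reach this state, a comment saying so next to the `#else` would prevent the question from being re-raised. Two smaller points on the hunk itself: the new branch duplicates the `m_jit.loadPtr(JITCompiler::addressFor(spillMe), info.gpr());` from the trailing `else`, so the load could be hoisted out and only the `subPtr` kept conditional, and the trailing `} else` is unbraced while the branches above it are braced; bracing it keeps the chain uniform. Finally, the `ASSERT(registerFormat == DataFormatJSDouble)` is the only guard that the reboxing `subPtr` is appropriate, and it vanishes in release builds; since this is exactly the boxed-versus-unboxed confusion the log message describes, consider whether a release-mode check (or a comment explaining why the spill format alone guarantees the register format) is warranted.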
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes