[webkit-reviews] review granted: [Bug 131447] Crash beneath DFG JIT code @ video.disney.com : [Attachment 229085] Updated patch
bugzilla-daemon at webkit.org
Thu Apr 10 19:17:33 PDT 2014
Geoffrey Garen <ggaren at apple.com> has granted Michael Saboff
<msaboff at apple.com>'s request for review:
Bug 131447: Crash beneath DFG JIT code @ video.disney.com
https://bugs.webkit.org/show_bug.cgi?id=131447
Attachment 229085: Updated patch
https://bugs.webkit.org/attachment.cgi?id=229085&action=review
------- Additional Comments from Geoffrey Garen <ggaren at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=229085&action=review
> Source/JavaScriptCore/ChangeLog:11
> + The prior check in the 32 bit version of speculateMisc() checked
that the value is
> + either a Misc or an Int32 followed by a check that the value is a
Misc. The first
> + check masked the second and therefore it didn't get performed. The
fix is to change
> + the first check to not be an Int32.
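Review bot: the last sentence of this ChangeLog entry, "change the first check to not be an Int32", is ambiguous. It can be read either as the first check now rejecting Int32 values or as Int32 simply being dropped from what that check accepts. Stating what the first check accepts after the fix would remove the ambiguity. The entry could also say which wrong outcome followed from the second check not being performed, since "it didn't get performed" stops short of that.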
Rather than saying "the check was" I would say "the recorded type was". The
type checks were correct, and this patch doesn't change them. What was
incorrect was the filtered type we recorded in the abstract interpreter.
> Source/JavaScriptCore/tests/stress/test-spec-misc.js:16
> + x * 2;
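Review bot: at line 16 of test-spec-misc.js the result of `x * 2;` is discarded, so a reader cannot tell whether the statement is needed for the test to exercise the fixed path or is leftover. If it is intentional, a one-line comment saying what it is for would help; otherwise it can be dropped.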
Is this relevant? It looks like dead code.