[webkit-reviews] review denied: [Bug 230364] Fix CellTag being set 32 bits even if the base is not a cell : [Attachment 438404] Patch
bugzilla-daemon at webkit.org
Fri Sep 17 11:09:11 PDT 2021
Yusuke Suzuki <ysuzuki at apple.com> has denied Mikhail R. Gadelha
<mikhail at igalia.com>'s request for review:
Bug 230364: Fix CellTag being set 32 bits even if the base is not a cell
https://bugs.webkit.org/show_bug.cgi?id=230364
Attachment 438404: Patch
https://bugs.webkit.org/attachment.cgi?id=438404&action=review
--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 438404
--> https://bugs.webkit.org/attachment.cgi?id=438404
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=438404&action=review
Commented.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13711
> + JSValueRegs baseRegs;
> + if (isCell(baseEdge.useKind())) {
> + SpeculateCellOperand base(this, baseEdge);
> + baseRegs = JSValueRegs::payloadOnly(base.gpr());
> + } else {
> + JSValueOperand base(this, baseEdge);
> + baseRegs = base.regs();
> + }
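Review bot: `baseRegs` is declared before the `if`, but the operand it takes its registers from (`SpeculateCellOperand base` in the first branch, `JSValueOperand base` in the `else`) is declared inside the braces, so the operand goes out of scope at the closing `}` while `baseRegs` is still live. Declare the operand in the same scope as `baseRegs` so that it stays alive for as long as those registers are used.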
This is not correct. When SpeculateCellOperand / JSValueOperand is destroyed,
its tied register is unlocked.