[Webkit-unassigned] [Bug 58600] New: DFG JIT bugs in ValueToInt, PutByVal
bugzilla-daemon at webkit.org
Thu Apr 14 16:40:40 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=58600
Summary: DFG JIT bugs in ValueToInt, PutByVal
Product: WebKit
Version: 528+ (Nightly build)
Platform: PC
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
The issues are demonstrated by the following code:
// shouldBeTrue is the WebKit LayoutTests helper (js-test-pre.js); this
// minimal stand-in lets the snippet run outside that harness.
if (typeof shouldBeTrue === "undefined") {
    var shouldBeTrue = function (expr) {
        if (eval(expr) !== true)
            throw new Error("FAIL: " + expr);
    };
}

function putSelf(array, index)
{
    index = index << 0;     // ValueToInt: the double 1/9 must become the int32 0
    array[index] = index;   // PutByVal where the value and the subscript are the same operand
    return true;
}

shouldBeTrue("putSelf([0], 0);");
shouldBeTrue("putSelf([0], 1/9);");
The bug in PutByVal is that an operand is a JSValueOperand: when this locks an integer into a register it will always retag the value without checking whether the register is already locked. This is a problem where the value being stored by a PutByVal is the same as the subscript. The subscript is locked into a register first, as a strict integer. Locking the value then results in the subscript being modified.
The bug in ValueToInt is related to the function of silentFillAllRegisters. The problem is that this method restores all register values from before the call, overwriting the result of the call. A register should be able to be passed in so that it is specifically excluded from being preserved.
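A stand-alone regression check for the aliasing hazard described above, added here as an example rather than taken from the report. It does not depend on WebKit's shouldBeTrue() harness; the warm-up count and the extra index cases are assumptions so that a tiering JIT gets a chance to compile putSelf before the checks that matter.

```javascript
// Added example, not part of the bug report. The function under test
// mirrors the report: the subscript is narrowed with "<< 0" (ValueToInt)
// and then stored into its own slot (PutByVal with aliased operands).
function putSelf(array, index) {
  index = index << 0;     // ValueToInt: double/string -> int32
  array[index] = index;   // PutByVal: value and subscript are the same operand
  return true;
}

// Runs putSelf repeatedly over constructed inputs and returns a list of
// failure descriptions. An empty list means every write landed at the
// int32-converted subscript and nowhere else, which is what a correct
// engine produces; a retagged subscript would show up as a stray key.
function checkPutSelf(warmup) {
  var failures = [];
  // Constructed cases: raw index and the int32 it must be converted to.
  var cases = [
    { index: 0,     expected: 0 },  // the report's first case
    { index: 1 / 9, expected: 0 },  // the report's second case: 0.111.. << 0 === 0
    { index: 3.99,  expected: 3 },  // truncation toward zero
    { index: -1.5,  expected: -1 }, // becomes a named property "-1", still one key
    { index: "2",   expected: 2 }   // numeric string coerced by "<< 0"
  ];
  for (var i = 0; i < warmup; i++) {
    for (var c = 0; c < cases.length; c++) {
      var arr = [];
      var raw = cases[c].index;
      var exp = cases[c].expected;
      putSelf(arr, raw);
      var keys = Object.keys(arr);
      if (arr[exp] !== exp || keys.length !== 1) {
        failures.push("iteration " + i + ", index " + raw + ": got keys [" +
                      keys.join(",") + "], arr[" + exp + "] = " + arr[exp]);
      }
    }
  }
  return failures;
}
```

Assumed usage: `checkPutSelf(1000)` returns `[]` on a correct engine; any entry in the returned list names the iteration and input at which the stored value or the set of written keys diverged.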