[Webkit-unassigned] [Bug 66122] New: DFG JIT-specific structure stub info code offset fields are signed 8-bit, but it is possible for the offsets to be greater than 127

bugzilla-daemon at webkit.org
Thu Aug 11 18:45:09 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66122

           Summary: DFG JIT-specific structure stub info code offset
                    fields are signed 8-bit, but it is possible for the
                    offsets to be greater than 127
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT needs to store offsets between the return address and patchable points in the code, because these offsets vary depending on how register allocation works out.  As an optimization, these were compressed to 8 bits.  But the offsets may be greater than 127 when a large number of registers get spilled.  It's not clear that the offsets are guaranteed to be less than 256, either, when all registers get spilled, particularly if the number of registers used by DFG is increased.  These offsets should use more bits to be robust against the rare and difficult-to-debug cases where large amounts of spilling occur.
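As an added illustration of the failure mode the report describes (example code, not JavaScriptCore's own; the struct names, the 16-bit widening and the checked store are assumptions), a signed 8-bit field silently wraps a delta of 130 to -126, so the resolved patch point lands 256 bytes before the intended one, while a wider, range-checked field either holds the value or reports the overflow instead of patching the wrong address:

```cpp
#include <cstdint>
#include <climits>

// Stand-in for the DFG structure stub info described in the report: the delta
// from the return address to a patchable point, compressed to a signed 8-bit
// field (hypothetical layout, not WebKit's actual struct).
struct NarrowStubInfo {
    int8_t deltaToPatchableOp;   // can only represent -128..127
};

// Assumed hardening: a wider field plus a range-checked store, so an
// out-of-range delta is reported rather than silently wrapped.
struct WideStubInfo {
    int16_t deltaToPatchableOp;
};

// Stores an offset the way an 8-bit field would: the value is truncated, so
// 130 becomes -126 (two's complement; well-defined since C++20 and what every
// mainstream compiler did before that).
NarrowStubInfo storeNarrow(int offset) {
    return NarrowStubInfo{static_cast<int8_t>(offset)};
}

bool storeWideChecked(int offset, WideStubInfo& out) {
    if (offset < INT16_MIN || offset > INT16_MAX)
        return false;            // caller can assert/fail instead of patching garbage
    out.deltaToPatchableOp = static_cast<int16_t>(offset);
    return true;
}

// Models what the patching code does: return address plus the stored delta.
// The int8_t is promoted to int (sign-extended) before the addition.
uintptr_t resolveNarrow(uintptr_t returnAddress, NarrowStubInfo info) {
    return returnAddress + info.deltaToPatchableOp;
}
uintptr_t resolveWide(uintptr_t returnAddress, WideStubInfo info) {
    return returnAddress + info.deltaToPatchableOp;
}

// True when the 8-bit field would make the JIT patch the wrong address.
bool narrowFieldMisresolves(uintptr_t returnAddress, int offset) {
    uintptr_t intended = returnAddress + offset;
    return resolveNarrow(returnAddress, storeNarrow(offset)) != intended;
}
```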
