[Webkit-unassigned] [Bug 66038] REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation: Matrix3D.invert)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 11 23:13:06 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66038
--- Comment #2 from Filip Pizlo <fpizlo at apple.com>  2011-08-11 23:13:06 PST ---
Here's what is going on:

The DFG JIT (particularly the speculative JIT) may convert a value that is stored in a register into a different format, perhaps even moving it into a different register in the process.  This conversion may either happen in-place (where all subsequent uses of the value end up using the newly converted version of the value) or as a copy.  If it is done as a copy, then everything is fine.  But if it is done in-place, then badness can ensue, particularly if the old (unconverted) version of the value had been spilled.  Subsequent spills and fills of the value will assume that the spilled version of the value is in the same format as the version in the register, which may not be the case.

The principal example of this is converting a JSValue to a double.  The JSValue may be an Int32, a double, or something else.  In the latter case, speculation fails and no conversion is performed.  If it is an Int32, then the value is converted to a double; if it is a double then it is simply unboxed.  But thereafter all code assumes that since the register contains a double then it must be the case that the spilled value is just a boxed double.  Subsequently it is possible that code will be emitted that performs double unboxing on an Int32, which results in rubbish.

The DFG JIT should make an effort to respect discrepancies between the spilled format and the register format, in a way that does not result in registers containing garbage values that lead to programs failing.

A patch is on the way.
