[Webkit-unassigned] [Bug 64017] New: DFG speculative JIT may crash when speculating int on a non-int JSConstant

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 6 12:55:33 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64017

           Summary: DFG speculative JIT may crash when speculating int on
                    a non-int JSConstant
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG speculative JIT may sometimes perform speculations that are statically wrong.  This is inevitable in the current design and is supposed to be both performance neutral on average and correct, because the JIT will recover once it detects that the speculation was wrong.  However, the JIT fails to perform the recovery in the case that a JSConstant node that references a non-int (for example a JSCell*) is speculated to be an Int32.  This causes crashes if the GPR that would have contained the Int32 is ever spilled and filled.  The spilling code skips spilling under the assumption that the Int32 can be rematerialized, and the filling code crashes because it's not possible to rematerialize something that is not actually an Int32 constant.
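
A constructed C++ model of the spill/fill mismatch described above, added here and not taken from the bug report or from JavaScriptCore: a JSConstant holding either an Int32 or a stand-in for a JSCell* is speculated to Int32, then spilled and filled under the buggy policy (spill skipped on the assumption the value can be rematerialized) and under a fixed policy that checks what the constant actually holds. All type and function names are hypothetical.

```cpp
#include <cstdint>
#include <optional>
#include <stdexcept>
#include <variant>

// Constructed model of the spill/fill mismatch; not JavaScriptCore code.
// A Cell stands in for the JSCell* a JSConstant node may reference.
struct Cell { int64_t address; };
struct JSConstant {
    std::variant<int32_t, Cell> value;
    bool isInt32() const { return std::holds_alternative<int32_t>(value); }
};
// A GPR the speculative JIT believes holds an Int32 derived from `node`.
struct Register {
    const JSConstant* node;
    int64_t bits;                      // raw GPR contents
    std::optional<int64_t> spillSlot;  // set only if spill() really stored it
};
enum class Policy { Buggy, Fixed };

// Speculating int on the constant: the GPR is treated as Int32 even when the
// constant is actually a cell (the statically wrong speculation).
Register speculateInt32(const JSConstant& node) {
    int64_t bits = node.isInt32() ? std::get<int32_t>(node.value)
                                  : std::get<Cell>(node.value).address;
    return Register{&node, bits, std::nullopt};
}

// Buggy spill trusts the Int32 speculation and skips the store, assuming fill()
// can rematerialize; the fixed spill checks what the constant really holds.
void spill(Register& r, Policy p) {
    bool rematerializable = (p == Policy::Buggy) || r.node->isInt32();
    if (!rematerializable)
        r.spillSlot = r.bits;
}

// Fill reloads from the spill slot or rematerializes from the constant, which
// is only possible for a genuine Int32 constant (otherwise: the crash path).
int64_t fill(const Register& r) {
    if (r.spillSlot)
        return *r.spillSlot;
    if (!r.node->isInt32())
        throw std::logic_error("cannot rematerialize a non-Int32 JSConstant");
    return std::get<int32_t>(r.node->value);
}
// True if the GPR survives a spill/fill round trip under policy `p`.
bool roundTrips(const JSConstant& node, Policy p) {
    Register r = speculateInt32(node);
    spill(r, p);
    try { return fill(r) == r.bits; } catch (const std::logic_error&) { return false; }
}
```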
