[Webkit-unassigned] [Bug 96184] [GTK][Stable] Crash in JSC::DFG::SpeculativeJIT::speculateArray(JSC::DFG::Array::Mode, JSC::DFG::Edge, JSC::X86Registers::RegisterID)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 11 12:11:22 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=96184
--- Comment #7 from Priit Laes (IRC: plaes) <plaes at plaes.org> 2012-09-11 12:11:46 PST ---
(In reply to comment #6)
> Does this repro on ToT? The SpeculativeJIT::speculateArray() method doesn't even exist in ToT.
That code has been mostly refactored by now and speculativeArray() was replaced by checkArray() in r126715.
I was hoping that r126715 fixes the crash, but after applying it, crash happens in JSC::ArrayProfile::computeUpdatedPrediction(JSC::OperationInProgress) (see comment #4).
Haven't yet had chance to test with ToT, mainly because I need this machine for some other purposes.
The crash seems to be happening only on x86, on amd64 that page works.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list