[Webkit-unassigned] [Bug 119117] New: Fix the wrong refining ArrayMode

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=119117

           Summary: Fix the wrong refining ArrayMode
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://translate.google.com
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Major
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: youngho33.yoo at lge.com


Overview :

I tested on X86 and ARM arch,
There is crash in Google Translate(http://translate.google.com)

Steps to Reproduce:

1. http://translate.google.com

Actual Results:

When go into the address,it crashed.

Expected Results:

Successfully loading page, and then setting into idle condition.

Build Date & Platform:

Linux, Qt, WebKit2, ARM_THUMB2 with LLInt + JIT + DFG_JIT (rev 151088)
with -mfloat-abi=softfp and EABI compile option.

Additional Builds and Platforms:

It occurs on Linux, Qt, WebKit2, ARM_THUMB2 with LLInt + JIT (rev 151088) too.

Additional Information:

w/o DFG_JIT It doesn't occur.

Solution :

If we go to translate.google.com, QtWebProcess crash.
That is because of wrong refining array-mode in JSC
In speculating array, change refining array-mode rule in JSC, DFG-JIT mode.
In speculating array(refine func), Regardless of int32 or not in index, 
If base is int32, It shoulde be return ArrayMode(Array::Int32Array);

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.