[Webkit-unassigned] [Bug 172383] New: DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.

Fri May 19 14:15:38 PDT 2017

https://bugs.webkit.org/show_bug.cgi?id=172383

            Bug ID: 172383
           Summary: DFG::SpeculativeJIT::pickCanTrample() is wrongly
                    ignoring result registers.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always available as a scratch register.  This assumption is wrong if this canTrample register is used for a silentFill() after an operation that returns a result in regT0 or regT1.

Turns out the only reason we need the canTrample register is for SetDoubleConstant.  We can remove the need for this canTrample register by introducing a moveDouble() pseudo instruction in the MacroAssembler to do the job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.

<rdar://problem/31418651>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170519/c8ca1d39/attachment.html>