[Webkit-unassigned] [Bug 229543] [JSC] ASSERT failed in stress/for-in-tests.js (32bit)
bugzilla-daemon at webkit.org
Fri Sep 10 10:00:29 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=229543
--- Comment #5 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 437864
--> https://bugs.webkit.org/attachment.cgi?id=437864
WIP
View in context: https://bugs.webkit.org/attachment.cgi?id=437864&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4486
> + JSValueRegsFlushedCallResult result(this);
> + JSValueRegs resultRegs = result.regs();
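Review bot: `result` is constructed and `resultRegs` is taken at DFGSpeculativeJIT32_64.cpp:4486 with no register flush visible ahead of them in this hunk. A flushed call result reserves the return-value registers and is only meaningful once live values have been flushed, so declare `result` and read `result.regs()` immediately before the call, after `flushRegisters()`.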
This should be done after calling flushRegisters()
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4499
> + SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 3));
> + SpeculateStrictInt32Operand mode(this, m_graph.varArgChild(node, 4));
> + SpeculateCellOperand enumerator(this, m_graph.varArgChild(node, 5));
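Review bot: the operands `index`, `mode` and `enumerator` declared at DFGSpeculativeJIT32_64.cpp:4499 have no `.gpr()` call in the lines shown, so nothing here binds their registers ahead of the flush. Fetching an operand's register can fill it and change register state, so call `index.gpr()`, `mode.gpr()` and `enumerator.gpr()` directly after these declarations and before `flushRegisters()`.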
We should retrieve the GPRReg for each one before calling flushRegisters().
> Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:1014
> + JSValue propertyName = GET_C(bytecode.m_propertyName).jsValue();
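Review bot: the accessor used for `bytecode.m_propertyName` at CommonSlowPaths.cpp:1014 is `GET_C`, and nothing in the hunk explains why this operand needs the `_C` variant. If the switch is unintentional, restore the original accessor; if it is deliberate, say in the patch description which operand kinds `m_propertyName` can now hold.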
It was GET() in the previous code (not GET_C).