[Webkit-unassigned] [Bug 230364] Fix CellTag being set 32 bits even if the base is not a cell

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 17 11:09:11 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230364

Yusuke Suzuki <ysuzuki at apple.com> changed:

           What                |Removed                     |Added
----------------------------------------------------------------------------
                             CC|                            |ysuzuki at apple.com
       Attachment #438404 Flags|review?                     |review-

--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 438404
  --> https://bugs.webkit.org/attachment.cgi?id=438404
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438404&action=review

Commented.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13711
> +    JSValueRegs baseRegs;
> +    if (isCell(baseEdge.useKind())) {
> +        SpeculateCellOperand base(this, baseEdge);
> +        baseRegs = JSValueRegs::payloadOnly(base.gpr());
> +    } else {
> +        JSValueOperand base(this, baseEdge);
> +        baseRegs = base.regs();
> +    }
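Review bot: the `SpeculateCellOperand base` and `JSValueOperand base` objects are declared inside the `if` / `else` blocks, so each one is destroyed at its closing brace, before `baseRegs` is used by the code that follows; the GPR copied into `baseRegs` via `JSValueRegs::payloadOnly(base.gpr())` or `base.regs()` is therefore no longer held by a live operand at the point of use, and the register allocator is free to hand it out for another value. The operand needs to outlive every use of `baseRegs`: keep the operand object in the enclosing scope for the whole of the code that consumes `baseRegs` (for example, by declaring the operand at the same level as `baseRegs` and choosing which kind to construct based on `isCell(baseEdge.useKind())`), rather than copying its register out of a block-scoped temporary.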

This is not correct. When SpeculateCellOperand / JSValueOperand are destroyed, their tied registers are unlocked.
