Title: [100972] trunk/Source/_javascript_Core
Revision
100972
Author
fpi...@apple.com
Date
2011-11-21 18:15:36 -0800 (Mon, 21 Nov 2011)

Log Message

Showing the data overlay in OpenStreetMap doesn't work, zooming partially broken
https://bugs.webkit.org/show_bug.cgi?id=71505

Reviewed by Gavin Barraclough.
        
It turns out that we were corrupting phi nodes in case of overflow. The bug is
really obvious, but producing a test case that causes the badness is hard. Even
when the phi nodes do get corrupt, there's more that has to happen before it
causes incorrect execution - and I wasn't able to reproduce in any kind of
sensible reduced case.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::processPhiStack):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (100971 => 100972)


--- trunk/Source/_javascript_Core/ChangeLog	2011-11-22 01:27:46 UTC (rev 100971)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-11-22 02:15:36 UTC (rev 100972)
@@ -1,3 +1,19 @@
+2011-11-21  Filip Pizlo  <fpi...@apple.com>
+
+        Showing the data overlay in OpenStreetMap doesn't work, zooming partially broken
+        https://bugs.webkit.org/show_bug.cgi?id=71505
+
+        Reviewed by Gavin Barraclough.
+        
+        It turns out that we were corrupting phi nodes in case of overflow. The bug is
+        really obvious, but producing a test case that causes the badness is hard. Even
+        when the phi nodes do get corrupt, there's more that has to happen before it
+        causes incorrect execution - and I wasn't able to reproduce in any kind of
+        sensible reduced case.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::processPhiStack):
+
 2011-11-21  Simon Hausmann  <simon.hausm...@nokia.com>
 
         [Qt] Speed up debug builds.
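Review bot: the entry states the bug could not be reproduced in a reduced case, but it does not record what was done instead to confirm the fix (for example, that the OpenStreetMap page from bug 71505 now renders and zooms correctly, or that a debug-build assertion now covers the phi node's expected shape). The line after "sensible reduced case." is where that belongs, so the absence of a regression test reads as a deliberate, justified decision rather than an omission.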

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (100971 => 100972)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2011-11-22 01:27:46 UTC (rev 100971)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2011-11-22 02:15:36 UTC (rev 100972)
@@ -2222,7 +2222,7 @@
             newPhiNode.children.fixed.child3 = phiNode->child3();
 
             phiNode->children.fixed.child1 = newPhi;
-            phiNode->children.fixed.child1 = valueInPredecessor;
+            phiNode->children.fixed.child2 = valueInPredecessor;
             phiNode->children.fixed.child3 = NoNode;
         }
     }
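Review bot: the corrected line `phiNode->children.fixed.child2 = valueInPredecessor;` fixes a duplicated assignment to child1, which in the old code immediately overwrote `newPhi` and left child2 holding whatever the node had before, while the block above it (`newPhiNode.children.fixed.child3 = phiNode->child3();`) shows the old phi's children being moved into the new node. Nothing in the hunk would make the same slip visible next time: the three consecutive assignments set child1, child2 and child3 with no statement of the intended layout. Suggest a one-line comment above `phiNode->children.fixed.child1 = newPhi;` recording that child1 becomes the freshly created phi that took over the old children, child2 becomes the incoming predecessor value, and child3 is cleared to `NoNode`, so a reviewer can check each line against the stated shape.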
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes