Title: [90487] trunk/Source/_javascript_Core
Revision: 90487
Author: [email protected]
Date: 2011-07-06 13:40:21 -0700 (Wed, 06 Jul 2011)

Log Message

2011-07-06  Filip Pizlo  <[email protected]>

        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
        https://bugs.webkit.org/show_bug.cgi?id=64017

        Reviewed by Gavin Barraclough.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
        (JSC::DFG::SpeculativeJIT::compile):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (90486 => 90487)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-06 20:27:32 UTC (rev 90486)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-06 20:40:21 UTC (rev 90487)
@@ -1,3 +1,14 @@
+2011-07-06  Filip Pizlo  <[email protected]>
+
+        DFG speculative JIT may crash when speculating int on a non-int JSConstant.
+        https://bugs.webkit.org/show_bug.cgi?id=64017
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-07-06  Dmitriy Vyukov  <[email protected]>
 
         Reviewed by David Levin.
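Review bot: The ChangeLog entry lists the two touched functions but no test, even though the fix is for a crash that a small script driving an int speculation on a non-int JSConstant should reproduce under the DFG; consider adding a regression test (a jsc or LayoutTests case) and naming it in the entry so the bail-out path in fillSpeculateIntInternal stays covered.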

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (90486 => 90487)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-06 20:27:32 UTC (rev 90486)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-06 20:40:21 UTC (rev 90487)
@@ -49,7 +49,9 @@
                 returnFormat = DataFormatInteger;
                 return gpr;
             }
-            m_jit.move(valueOfJSConstantAsImmPtr(nodeIndex), gpr);
+            terminateSpeculativeExecution();
+            returnFormat = DataFormatInteger;
+            return allocate();
         } else {
             DataFormat spillFormat = info.spillFormat();
             ASSERT(spillFormat & DataFormatJS);
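Review bot: On the new bail-out path, `returnFormat = DataFormatInteger;` followed by `return allocate();` hands the caller a freshly allocated GPR that was never loaded with an integer, so the result is only safe because `terminateSpeculativeExecution()` has marked the compilation as abandoned; a one-line comment here stating that callers must not emit code consuming this register without first checking that compilation is still OK would make that contract explicit. The old behaviour, `m_jit.move(valueOfJSConstantAsImmPtr(nodeIndex), gpr)`, loaded a non-int constant into a register that was then treated as an integer, which is the kind of type confusion the ChangeLog's "may crash" describes, so refusing to speculate here rather than patching up the value is the right shape of fix.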
@@ -862,6 +864,9 @@
         GPRReg propertyReg = property.gpr();
         GPRReg valueReg = value.gpr();
         GPRReg scratchReg = scratch.gpr();
+        
+        if (!m_compileOkay)
+            return;
 
         writeBarrier(m_jit, baseReg, scratchReg);
 
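Review bot: The `if (!m_compileOkay) return;` guard is correctly placed after `property.gpr()` and `value.gpr()`, since those speculative fills are what can now abandon compilation, and before `writeBarrier(m_jit, baseReg, scratchReg)` emits code that would use the uninitialised register; a brief comment tying the check to the fills above would help the next reader. Only this one consumer is guarded in the diff; any other site in compile() that calls a speculative fill and then emits code is not visible here and should be confirmed to carry the same check, otherwise the crash moves rather than disappears.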
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
