Title: [156900] trunk/Source/JavaScriptCore
Revision: 156900
Author: [email protected]
Date: 2013-10-04 11:38:16 -0700 (Fri, 04 Oct 2013)

Log Message

FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index
https://bugs.webkit.org/show_bug.cgi?id=122332

Reviewed by Oliver Hunt.

Changed the uses of .offset(), which returns a negative number for locals, to be
toLocal() which returns a local's ordinal number.

* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::convertToForward):
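The commit message above gives the whole mechanism in one sentence: a VirtualRegister's offset() is negative for a local, so using it as an index into a table that is laid out by local ordinal reads or writes outside the table, while toLocal() yields the ordinal. The following is an added example, not the page's or WebKit's code: it models VirtualRegister with an assumed encoding (locals at offsets -1, -2, ..., arguments at non-negative offsets; the names forLocal, forArgument, rawOffsetInBounds, localOrdinalInBounds and exitValueForLocal are all hypothetical) and shows why the raw offset is never a valid index, and how a lookup keyed by ordinal can be bounds-checked and made to refuse non-local operands instead of computing a bogus index for them.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical model of JSC's VirtualRegister (added example, not the project's
// code). Assumption: locals sit at negative frame offsets (-1, -2, ...),
// arguments at non-negative ones; the exact encoding is for illustration only.
class VirtualRegister {
public:
    static VirtualRegister forLocal(int local) { return VirtualRegister(-1 - local); }
    static VirtualRegister forArgument(int argument) { return VirtualRegister(argument); }

    int offset() const { return m_offset; }
    bool isLocal() const { return m_offset < 0; }
    bool isArgument() const { return m_offset >= 0; }

    // Ordinal of a local. Only meaningful for a local, hence the assert.
    int toLocal() const
    {
        assert(isLocal());
        return -1 - m_offset;
    }

private:
    explicit VirtualRegister(int offset) : m_offset(offset) { }
    int m_offset;
};

// The pre-fix indexing: the raw offset is used as an array index. Converted to
// size_t, a negative offset wraps to a huge value, so for a local this is never
// inside a table of tableSize entries.
bool rawOffsetInBounds(std::size_t tableSize, VirtualRegister reg)
{
    std::size_t index = static_cast<std::size_t>(reg.offset());
    return index < tableSize;
}

// The post-fix indexing: use the local ordinal, and refuse anything that is not
// a local rather than deriving an index from it.
bool localOrdinalInBounds(std::size_t tableSize, VirtualRegister reg)
{
    if (!reg.isLocal())
        return false;
    return static_cast<std::size_t>(reg.toLocal()) < tableSize;
}

// Checked lookup standing in for table[reg.offset()]: returns nullptr instead of
// touching memory outside the table for a non-local or an ordinal past the end.
int* exitValueForLocal(std::vector<int>& table, VirtualRegister reg)
{
    if (!localOrdinalInBounds(table.size(), reg))
        return nullptr;
    return &table[static_cast<std::size_t>(reg.toLocal())];
}

// How many of the locals 0..tableSize-1 the raw-offset scheme considers in bounds.
int countRawInBounds(std::size_t tableSize)
{
    int count = 0;
    for (int local = 0; local < static_cast<int>(tableSize); ++local)
        count += rawOffsetInBounds(tableSize, VirtualRegister::forLocal(local)) ? 1 : 0;
    return count;
}

// Same count for the ordinal scheme.
int countOrdinalInBounds(std::size_t tableSize)
{
    int count = 0;
    for (int local = 0; local < static_cast<int>(tableSize); ++local)
        count += localOrdinalInBounds(tableSize, VirtualRegister::forLocal(local)) ? 1 : 0;
    return count;
}

// Looks up a local in a constructed 4-entry table; -1 signals a refused lookup.
int sampleLookup(int local)
{
    std::vector<int> table = { 10, 20, 30, 40 }; // constructed sample exit values
    int* value = exitValueForLocal(table, VirtualRegister::forLocal(local));
    return value ? *value : -1;
}

int main()
{
    VirtualRegister local2 = VirtualRegister::forLocal(2);
    std::printf("local 2: offset %d, ordinal %d\n", local2.offset(), local2.toLocal());
    std::printf("raw offset in bounds for %d of 4 locals; ordinal in bounds for %d of 4\n",
        countRawInBounds(4), countOrdinalInBounds(4));
    std::printf("lookup of local 2 -> %d, local 7 -> %d\n", sampleLookup(2), sampleLookup(7));
    return 0;
}
```

The point of the checked lookup is that the assert in toLocal() only fires in debug builds; in a release build the bounds check and the isLocal() test are what keep an argument register or an oversized ordinal from turning into an out-of-bounds access.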

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (156899 => 156900)


--- trunk/Source/_javascript_Core/ChangeLog	2013-10-04 18:34:11 UTC (rev 156899)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-10-04 18:38:16 UTC (rev 156900)
@@ -1,5 +1,18 @@
 2013-10-04  Michael Saboff  <[email protected]>
 
+        FTL: Crash in OSRExit::convertToForward() using VirtualRegister.offset() as array index
+        https://bugs.webkit.org/show_bug.cgi?id=122332
+
+        Reviewed by Oliver Hunt.
+
+        Changed the uses of .offset(), which returns a negative number for locals, to be
+        toLocal() which returns a local's ordinal number.
+
+        * ftl/FTLOSRExit.cpp:
+        (JSC::FTL::OSRExit::convertToForward):
+
+2013-10-04  Michael Saboff  <[email protected]>
+
         Add callOperation to Baseline JIT
         https://bugs.webkit.org/show_bug.cgi?id=122306
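Review bot: the new entry (the two lines beginning "Changed the uses of .offset()") records what was swapped but not why the swap is sound: since toLocal() is described here as returning a local's ordinal, the entry should state that both operands indexed in convertToForward() (the overridden operand and m_lastSetOperand) are always locals, so a reader of the ChangeLog can tell that argument operands were considered and are not reachable here.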
 

Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp (156899 => 156900)


--- trunk/Source/_javascript_Core/ftl/FTLOSRExit.cpp	2013-10-04 18:34:11 UTC (rev 156899)
+++ trunk/Source/_javascript_Core/ftl/FTLOSRExit.cpp	2013-10-04 18:38:16 UTC (rev 156900)
@@ -84,17 +84,17 @@
     // Is the value for this operand being passed as an argument to the exit, or is
     // it something else? If it's an argument already, then replace that argument;
     // otherwise add another argument.
-    if (m_values[overriddenOperand.offset()].isArgument()) {
-        ExitArgument exitArgument = m_values[overriddenOperand.offset()].exitArgument();
+    if (m_values[overriddenOperand.toLocal()].isArgument()) {
+        ExitArgument exitArgument = m_values[overriddenOperand.toLocal()].exitArgument();
         arguments[exitArgument.argument()] = value.value();
-        m_values[overriddenOperand.offset()] = ExitValue::exitArgument(
+        m_values[overriddenOperand.toLocal()] = ExitValue::exitArgument(
             exitArgument.withFormat(value.format()));
         return;
     }
     
     unsigned argument = arguments.size();
     arguments.append(value.value());
-    m_values[m_lastSetOperand.offset()] = ExitValue::exitArgument(
+    m_values[m_lastSetOperand.toLocal()] = ExitValue::exitArgument(
         ExitArgument(value.format(), argument));
 }
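Review bot: the hunk now relies on overriddenOperand and m_lastSetOperand being locals, but nothing in this function checks it; if either is ever an argument register, toLocal() does not yield a valid index into m_values and the out-of-bounds access this patch fixes comes back with a different index, and nothing visible here bounds-checks the index against m_values either. Add an ASSERT that each operand is a local before the first index (and, at the call sites that set m_lastSetOperand, that a local is what gets recorded), and hoist the four repeated `overriddenOperand.toLocal()` calls into a single `unsigned local = overriddenOperand.toLocal();` at the top of the function so the index is computed and checked once rather than on every use.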
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
