From 3d5e6a8219970bfecab0ece25408318183ec4c80 Mon Sep 17 00:00:00 2001
From: "fpizlo@apple.com"
Date: Mon, 30 Jan 2012 02:39:14 +0000
Subject: [PATCH] REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const

https://bugs.webkit.org/show_bug.cgi?id=77146

Reviewed by Oliver Hunt.

The old JIT expects that the result of the last operation is in the lastResultRegister. The DFG JIT is designed to correctly track the lastResultRegister by looking at SetLocal nodes. However, when the DFG JIT inlines a code block, it forgets that the inlined code block's result would have been placed in the lastResultRegister. Hence if we OSR exit on the first node following the end of an inlined code block that had a return value, and that first node uses the return value, the old JIT will get massively confused. This patch takes a surgical approach: instead of making the DFG smarter, it makes the old JIT slightly dumber.

* jit/JITCall.cpp:
(JSC::JIT::emit_op_call_put_result):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@106207 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 19 +++++++++++++++++++
 Source/JavaScriptCore/jit/JITCall.cpp | 2 ++
 2 files changed, 21 insertions(+)

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 34232a6..9068561 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,24 @@ 2012-01-29 Filip Pizlo + REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const + https://bugs.webkit.org/show_bug.cgi?id=77146 + + + Reviewed by Oliver Hunt. + + The old JIT expects that the result of the last operation is in the lastResultRegister. The DFG JIT is + designed to correctly track the lastResultRegister by looking at SetLocal nodes. However, when the DFG + JIT inlines a code block, it forgets that the inlined code block's result would have been placed in the + lastResultRegister. Hence if we OSR exit on the first node following the end of an inlined code block + that had a return value, and that first node uses the return value, the old JIT will get massively + confused. This patch takes a surgical approach: instead of making the DFG smarter, it makes the old + JIT slightly dumber. + + * jit/JITCall.cpp: + (JSC::JIT::emit_op_call_put_result): + +2012-01-29 Filip Pizlo + Build fix for Mac non-x64 platforms. * tools/CodeProfiling.cpp: diff --git a/Source/JavaScriptCore/jit/JITCall.cpp b/Source/JavaScriptCore/jit/JITCall.cpp index 3aeef95..69dc954 100644 --- a/Source/JavaScriptCore/jit/JITCall.cpp +++ b/Source/JavaScriptCore/jit/JITCall.cpp @@ -52,6 +52,8 @@ void JIT::emit_op_call_put_result(Instruction* instruction) int dst = instruction[1].u.operand; emitValueProfilingSite(); emitPutVirtualRegister(dst); + if (canBeOptimized()) + killLastResultRegister(); // Make lastResultRegister tracking simpler in the DFG. } void JIT::compileLoadVarargs(Instruction* instruction) -- 2.7.4
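Review bot: in the ChangeLog hunk there is one blank line too many between `+ https://bugs.webkit.org/show_bug.cgi?id=77146` and `+ Reviewed by Oliver Hunt.` (three consecutive `+` lines with no text where the neighbouring entries separate the URL and the reviewer line with a single blank line); drop one so the entry matches the file's convention.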
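Review bot: in the JITCall.cpp hunk the comment on the new `killLastResultRegister(); // Make lastResultRegister tracking simpler in the DFG.` line reads as a tidy-up, but according to the commit message it is a correctness fix: on an OSR exit that lands on the first node after an inlined call whose return value is used, the baseline JIT would otherwise trust a stale lastResultRegister and read the wrong value (the reported symptom being the crash in JSC::JSValue::toString). The comment should state that invariant and cite bug 77146 so the call is not removed later as dead overhead. The patch also adds no regression test for this path; the diffstat touches only ChangeLog and JITCall.cpp, so a test that triggers a speculation failure immediately after an inlined call and then uses the callee's return value would keep the regression from reappearing. It is worth a sentence in the ChangeLog that the `if (canBeOptimized())` guard deliberately leaves code blocks that will never tier up to the DFG on the cached-register fast path, since that scoping is what keeps the fix from costing an extra reload everywhere.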