RESOLVED FIXED 130203
JS benchmarks crash with a bus error on 32-bit x86 
https://bugs.webkit.org/show_bug.cgi?id=130203
Summary JS benchmarks crash with a bus error on 32-bit x86
Mark Lam
Reported 2014-03-13 12:20:03 PDT
The following tests crashes when running with a 32-bit x86 debug build of jsc: JSRegress/get-by-id-self-or-proto JSRegress/polymorphic-put-by-id Kraken/audio-beat-detection Octane/gbemu Octane/pdfjs Octane/typescript V8Spider/raytrace V8v7/encrypt V8v7/splay ...
Attachments
the patch (2.17 KB, patch)
2014-03-13 12:32 PDT, Mark Lam 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2014-03-13 12:20:34 PDT
<rdar://problem/16306428>
Mark Lam
Comment 2 2014-03-13 12:30:34 PDT
The issue is that generateGetByIdStub() can potentially use the same register for the JSValue base register and the target tag register. After loading the tag value into the target tag register, the JSValue base address is lost. The code then proceeds to load the payload value using the base register, and this results in a crash. The fix is to check if the base register is the same as the target tag register. If so, we should make a copy the base register first before loading the tag value, and use the copy to load the payload value instead.
Mark Lam
Comment 3 2014-03-13 12:32:43 PDT
Created attachment 226612 [details] the patch
Geoffrey Garen
Comment 4 2014-03-13 12:42:30 PDT
Comment on attachment 226612 [details] the patch r=me
Mark Lam
Comment 5 2014-03-13 12:48:25 PDT
Thanks for the review. Landed in r165559: <http://trac.webkit.org/r165559>.
Note You need to log in before you can comment on or make changes to this bug.