Crash beneath DFG JIT code @ video.disney.com
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 05:19:08 +0000 (05:19 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 11 Apr 2014 05:19:08 +0000 (05:19 +0000)
commit: d5a56ce4e32be647fdbf843efc645ce533453d87
tree: 66bee1598001fbcedc281d9bd44536d4f0a79565
parent: 316acbc7eb1c58c9b3a811f06211acbb1f4e254b
Crash beneath DFG JIT code @ video.disney.com
https://bugs.webkit.org/show_bug.cgi?id=131447

Reviewed by Geoffrey Garen.

The 32-bit path of speculateMisc() uses an 'is not int32' check followed by
'tag not less than Undefined' check.  The first check was incorrectly elided if we
knew that the value *was* an int32, when it should have been elided if we already
knew that the value *was not* an int32.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateMisc):
* tests/stress/test-spec-misc.js: Added test.
(getX):
(foo):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@167112 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/tests/stress/test-spec-misc.js [new file with mode: 0644]
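As an added illustration, not code from WebKit or from this commit, the Python below models the two-part tag check the message describes for the 32-bit speculateMisc() path: first "tag is not Int32", then "tag is not less than Undefined". The tag constants are JavaScriptCore's 32-bit JSValue tags as I recall them from JSCJSValue.h, not values taken from this page, and the `known_int32` / `known_not_int32` parameters are hypothetical stand-ins for the DFG's proven-type information. The `buggy=True` variant reproduces the wrong elision condition so the consequence is visible: an int32 is accepted as a misc (undefined/null/boolean) value, which is exactly the kind of type confusion that puts a crash beneath JIT code.

```python
# Added model of the speculateMisc() tag check (not WebKit code).
# 32-bit JSValue tags as I recall them from JSCJSValue.h (assumed, not from this page).
INT32_TAG = 0xffffffff
BOOLEAN_TAG = 0xfffffffe
NULL_TAG = 0xfffffffd
UNDEFINED_TAG = 0xfffffffc
CELL_TAG = 0xfffffffb

# Constructed sample values so the model can be driven from plain Python objects.
UNDEFINED = object()   # stands in for JS undefined (Python None plays JS null below)


def tag_of(value):
    """Map a constructed sample value to the 32-bit JSValue tag it would carry."""
    if value is UNDEFINED:
        return UNDEFINED_TAG
    if value is None:
        return NULL_TAG
    if isinstance(value, bool):
        return BOOLEAN_TAG
    if isinstance(value, int):
        return INT32_TAG
    return CELL_TAG        # objects, strings, etc. live on the heap as cells


def speculate_misc(tag, known_int32=False, known_not_int32=False, buggy=False):
    """Return True if the value with this tag survives the 'misc' speculation.

    The emitted check is:
      (1) fail if tag == Int32Tag
      (2) fail if tag <  UndefinedTag   (cells and other low tags)
    Check (1) may be elided only when the value is already proven NOT int32
    (the fix).  The buggy variant elided it when the value was proven TO BE
    int32, so check (2) alone runs and Int32Tag (the highest tag) passes.
    """
    elide_first_check = known_int32 if buggy else known_not_int32
    if not elide_first_check and tag == INT32_TAG:
        return False
    if tag < UNDEFINED_TAG:
        return False
    return True


def classify(value, known_int32=False, known_not_int32=False, buggy=False):
    """Convenience wrapper: run the speculation on a constructed sample value."""
    return speculate_misc(tag_of(value), known_int32, known_not_int32, buggy)


if __name__ == "__main__":
    for sample in (UNDEFINED, None, True, 42, "str"):
        print(repr(sample), "fixed:", classify(sample),
              "buggy with int32 proven:", classify(sample, known_int32=True, buggy=True))
```

Run as a script it prints one line per sample; with the fixed condition only undefined, null and booleans pass, while the buggy condition additionally lets 42 through once the DFG has proven it is an int32.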