The following tests crash when running with a 32-bit x86 debug build of jsc: JSRegress/get-by-id-self-or-proto JSRegress/polymorphic-put-by-id Kraken/audio-beat-detection Octane/gbemu Octane/pdfjs Octane/typescript V8Spider/raytrace V8v7/encrypt V8v7/splay ...
<rdar://problem/16306428>
The issue is that generateGetByIdStub() can potentially use the same register for the JSValue base register and the target tag register. After loading the tag value into the target tag register, the JSValue base address is lost. The code then proceeds to load the payload value using the base register, and this results in a crash. The fix is to check if the base register is the same as the target tag register. If so, we should make a copy of the base register first before loading the tag value, and use the copy to load the payload value instead.
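The register-aliasing failure described above, modelled on a toy word-addressed machine as an added illustration (this is constructed example code, not JSC's generateGetByIdStub(); the payload/tag word layout, the scratch register and the tag value are all assumptions of the model):

```c
#include <stdint.h>
#include <string.h>

/* Toy register file and heap standing in for the 32-bit JIT (constructed). */
#define NUM_REGS 4
#define MEM_WORDS 16
#define PAYLOAD_OFFSET 0   /* assumed layout: payload word, then tag word */
#define TAG_OFFSET 1
#define REG_SCRATCH 3      /* a register the stub may clobber (assumption) */

typedef struct { uint32_t r[NUM_REGS]; uint32_t mem[MEM_WORDS]; } Machine;

/* load32 equivalent: dst = mem[reg[base] + offset]. An address outside the
   heap returns 0, which models the crash the bug report describes. */
static int load_word(Machine *m, int base_reg, uint32_t offset, int dst_reg) {
    uint32_t addr = m->r[base_reg] + offset;
    if (addr >= MEM_WORDS) return 0;
    m->r[dst_reg] = m->mem[addr];
    return 1;
}

/* fixed == 0: original sequence, tag then payload both loaded through base.
   fixed == 1: when base_reg aliases tag_reg, copy base to scratch first and
   address both loads through the copy. */
static int get_by_id_slot(Machine *m, int fixed, int base_reg, int tag_reg,
                          int payload_reg, uint32_t slot) {
    int addr_reg = base_reg;
    if (fixed && base_reg == tag_reg) {
        m->r[REG_SCRATCH] = m->r[base_reg];   /* move base -> scratch */
        addr_reg = REG_SCRATCH;
    }
    if (!load_word(m, addr_reg, slot + TAG_OFFSET, tag_reg))
        return 0;
    /* Buggy case: addr_reg == tag_reg, so "base" now holds the tag word. */
    return load_word(m, addr_reg, slot + PAYLOAD_OFFSET, payload_reg);
}

/* One object with a property in slot 1, stub run with base register 0
   aliased to tag register 0. Returns 1 and the loaded payload on success,
   0 where the real stub would crash. */
int run_aliased_get(int fixed, uint32_t *payload_out) {
    Machine m;
    memset(&m, 0, sizeof m);
    const uint32_t object_base = 4, slot = 1;
    m.mem[object_base + slot + PAYLOAD_OFFSET] = 42;         /* constructed payload */
    m.mem[object_base + slot + TAG_OFFSET] = 0xfffffffbu;    /* constructed tag word */
    m.r[0] = object_base;
    int ok = get_by_id_slot(&m, fixed, /*base*/0, /*tag*/0, /*payload*/1, slot);
    if (ok) *payload_out = m.r[1];
    return ok;
}
```

With `fixed == 0` the second load reads through the tag word that overwrote the base, which lands outside the heap; with `fixed == 1` the payload load goes through the preserved copy and returns 42.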
Created attachment 226612 [details] the patch
Comment on attachment 226612 [details] the patch r=me
Thanks for the review. Landed in r165559: <http://trac.webkit.org/r165559>.