<div dir="ltr"><div>Fixed. <a href="https://trac.webkit.org/changeset/204699">https://trac.webkit.org/changeset/204699</a></div><div><br></div><div>So, I think Konstantin will update the QtWebKitNG for the next Technology Preview.</div><div>Once it is done & released, this issue is fixed :)</div><div><br></div><div>On Fri, Aug 19, 2016 at 10:34 PM, Yusuke SUZUKI <span dir="ltr"><<a href="mailto:utatane.tea@gmail.com" target="_blank">utatane.tea@gmail.com</a>></span> wrote:<br></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><div dir="ltr">Nice catch!<div><br></div><div>I've just filed it in <a href="https://bugs.webkit.org/show_bug.cgi?id=161029" target="_blank">https://bugs.webkit.org/show_b<wbr>ug.cgi?id=161029</a>.</div><div class="gmail_extra">AnyInt includes int52 representation, that is only allowed in 64bit DFG. (See enableInt52())</div><div><div><div class="gmail_extra">
<br><div class="gmail_quote">On Sat, Aug 20, 2016 at 2:49 AM, Konstantin Tokarev <span dir="ltr"><<a href="mailto:annulen@yandex.ru" target="_blank">annulen@yandex.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><br>
<br>
19.08.2016, 20:43, "Konstantin Tokarev" <<a href="mailto:annulen@yandex.ru" target="_blank">annulen@yandex.ru</a>>:<br>
<div><div>> 19.08.2016, 18:34, "Andrew Webster" <<a href="mailto:awebster@arcx.com" target="_blank">awebster@arcx.com</a>>:<br>
>> This may be a question for webkit-dev, but I thought I'd check here first since I'm using qtwebkit-tp3.<br>
>><br>
>> On an arm 32-bit platform in SpeculativeJIT::speculate, I occasionally hit the default handler which contains a release assert when using the WebInspector:<br>
>><br>
>> switch (edge.useKind()) {<br>
>><br>
>> ...<br>
>><br>
>> default:<br>
>> RELEASE_ASSERT_NOT_REACHED();<br>
>> break;<br>
>> }<br>
>><br>
>> The value of edge.useKind() causing this is MachineIntUse. The case handler for this value has been ifdef'd out on my platform:<br>
>><br>
>> #if USE(JSVALUE64)<br>
>> case MachineIntUse:<br>
>> speculateMachineInt(edge);<br>
>> break;<br>
>> case DoubleRepMachineIntUse:<br>
>> speculateDoubleRepMachineInt(e<wbr>dge);<br>
>> break;<br>
>> #endif<br>
>><br>
>> It appears that MachineIntUse is being set in JSC::DFG::FixupPhase::fixupNod<wbr>e when op is ProfileType:<br>
>><br>
>> if (typeSet->doesTypeConformTo(Ty<wbr>peMachineInt)) {<br>
>> if (node->child1()->shouldSpecula<wbr>teInt32())<br>
>> fixEdge<Int32Use>(node->child1<wbr>());<br>
>> else<br>
>> fixEdge<MachineIntUse>(node->c<wbr>hild1());<br>
>> node->remove();<br>
>> }<br>
>><br>
>> I am not at all familiar with this code, but from other usage of MachineIntUse, I would guess that this should not be used except on a 64-bit platform. Given that, I am not sure if<br>
>><br>
>> 1. The typeSet should not conform to TypeMachineInt on 32-bit,<br>
>><br>
>> 2. shouldSpeculateInt32 should always be true on 32-bit,<br>
>><br>
>> 3. Int32Use should always be used on 32-bit, or<br>
>><br>
>> 4. Something else.<br>
>><br>
>> I currently am going with 3:<br>
>><br>
>> if (typeSet->doesTypeConformTo(Ty<wbr>peMachineInt)) {<br>
>> #if USE(JSVALUE64)<br>
>> if (node->child1()->shouldSpecula<wbr>teInt32())<br>
>> #endif<br>
>> fixEdge<Int32Use>(node->child1<wbr>());<br>
>> #if USE(JSVALUE64)<br>
>> else<br>
>> fixEdge<MachineIntUse>(node->c<wbr>hild1());<br>
>> #endif<br>
>><br>
>> }<br>
>><br>
>> This has solved my immediate problem, but due to my lack of understanding, this solution could be quite flawed.<br>
>><br>
>> Any help is much appreciated.<br>
><br>
> Hello, thanks for the interest!<br>
><br>
> I'm by no means a JSC expert, however from quick analysis it seems to me that the correct code would be<br>
><br>
> #if USE(JSVALUE64)<br>
> if (typeSet->doesTypeConformTo(Ty<wbr>peMachineInt)) {<br>
> if (node->child1()->shouldSpecula<wbr>teInt32())<br>
> fixEdge<In<wbr>t32Use>(node->child1());<br>
> else<br>
> fixEdge<Ma<wbr>chineIntUse>(node->child1());<br>
> node->remove()<wbr>;<br>
> }<br>
> #else<br>
> if (typeSet->doesTypeConformTo(Ty<wbr>peMachineInt) && node->child1()->shouldSpeculat<wbr>eInt32()) {<br>
> fixEdge<Int32U<wbr>se>(node->child1());<br>
> node->remove()<wbr>;<br>
> }<br>
> #endif<br>
><br>
> Anyway, I highly recommend you to:<br>
><br>
> 1. Ask real JSC experts on webkit-dev or jsc-dev<br>
> 2. Run JSC test suite on target (better debug build as well, as it has much more ASSERTs) before and after such changes<br>
<br>
</div></div>Sorry, I forgot to add an explanation: AFAIU, MachineInt is Int32 | Int52 and on 32-bit platforms we don't speculate about Int52 because it won't fit in the register anyway, so MachineInt can be only Int32. If we have a MachineInt which is not inferred to be Int32, we cannot do anything fast with it and we follow to the next branch TypeNumber | TypeMachineInt.<br>
<div><div><br>
--<br>
Regards,<br>
Konstantin<br>
______________________________<wbr>_________________<br>
webkit-qt mailing list<br>
<a href="mailto:webkit-qt@lists.webkit.org" target="_blank">webkit-qt@lists.webkit.org</a><br>
<a href="https://lists.webkit.org/mailman/listinfo/webkit-qt" rel="noreferrer" target="_blank">https://lists.webkit.org/mailm<wbr>an/listinfo/webkit-qt</a><br>
</div></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div></div>