<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none"><!--P{margin-top:0;margin-bottom:0;} .ms-cui-menu {background-color:#ffffff;border:1px rgb(171, 171, 171) solid;font-family:"Segoe UI WPC","Segoe UI",Tahoma,"Microsoft Sans Serif",Verdana,sans-serif;font-size:10pt;color:rgb(51, 51, 51);} .ms-cui-menusection-title {display:none;} .ms-cui-ctl {vertical-align:text-top;text-decoration:none;color:rgb(51, 51, 51);} .ms-cui-ctl-on {background-color:rgb(223, 237, 250);opacity: 0.8;} .ms-cui-img-cont-float {display:inline-block;margin-top:2px} .ms-cui-smenu-inner {padding-top:0px;} .ms-owa-paste-option-icon {margin: 2px 4px 0px 4px;vertical-align:sub;padding-bottom: 2px;display:inline-block;} .ms-rtePasteFlyout-option:hover {background-color:rgb(223, 237, 250) !important;opacity:1 !important;} .ms-rtePasteFlyout-option {padding:8px 4px 8px 4px;outline:none;} .ms-cui-menusection {float:left; width:85px;height:24px;overflow:hidden}--></style>
</head>
<body>
<div style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<p>This may be a question for webkit-dev, but I thought I'd check here first since I'm using qtwebkit-tp3.</p>
<p><br>
</p>
<p>On an arm 32-bit platform in SpeculativeJIT::speculate, I occasionally hit the default handler which contains a release assert when using the WebInspector:</p>
<p><br>
</p>
<p>switch (edge.useKind()) {</p>
<p>...<br>
</p>
<p>default:<br>
RELEASE_ASSERT_NOT_REACHED();<br>
break;<br>
}</p>
<p><br>
</p>
<p>The value of edge.useKind() causing this is MachineIntUse. The case handler for this value has been ifdef'd out on my platform:</p>
<p><br>
</p>
<p>#if USE(JSVALUE64)<br>
case MachineIntUse:<br>
speculateMachineInt(edge);<br>
break;<br>
case DoubleRepMachineIntUse:<br>
speculateDoubleRepMachineInt(edge);<br>
break;<br>
#endif</p>
<p><br>
</p>
<p>It appears that MachineIntUse is being set in JSC::DFG::FixupPhase::fixupNode when op is ProfileType:</p>
<p><br>
</p>
<p>if (typeSet->doesTypeConformTo(TypeMachineInt)) {<br>
if (node->child1()->shouldSpeculateInt32())<br>
fixEdge<Int32Use>(node->child1());<br>
else<br>
fixEdge<MachineIntUse>(node->child1());<br>
node->remove();<br>
}</p>
<p><br>
</p>
<p>I am not at all familiar with this code, but from other usage of MachineIntUse, I would guess that this should not be used except on a 64-bit platform. Given that, I am not sure if</p>
<p>1. The typeSet should not conform to TypeMachineInt on 32-bit,</p>
<p>2. shouldSpeculateInt32 should always be true on 32-bit,</p>
<p>3. Int32Use should always be used on 32-bit, or</p>
<p>4. Something else.</p>
<p><br>
</p>
<p>I currently am going with 3:</p>
<p><br>
</p>
<p>if (typeSet->doesTypeConformTo(TypeMachineInt)) {<br>
#if USE(JSVALUE64)<br>
if (node->child1()->shouldSpeculateInt32())<br>
#endif<br>
fixEdge<Int32Use>(node->child1());<br>
#if USE(JSVALUE64)<br>
else<br>
fixEdge<MachineIntUse>(node->child1());<br>
#endif</p>
<p>}</p>
<p><br>
</p>
<p>This has solved my immediate problem, but due to my lack of understanding, this solution could be quite flawed.</p>
<p><br>
</p>
<p>Any help is much appreciated.<br>
</p>
<p><br>
</p>
<p><br>
</p>
<p>Thanks,</p>
<p>Andrew<br>
</p>
</div>
</body>
</html>