<div dir="ltr">Nice catch!<div><br></div><div>I've just filed it in <a href="https://bugs.webkit.org/show_bug.cgi?id=161029">https://bugs.webkit.org/show_bug.cgi?id=161029</a>.</div><div class="gmail_extra">AnyInt includes the int52 representation, which is only allowed in 64-bit DFG. (See enableInt52())</div><div class="gmail_extra">
<br><div class="gmail_quote">On Sat, Aug 20, 2016 at 2:49 AM, Konstantin Tokarev <span dir="ltr"><<a href="mailto:annulen@yandex.ru" target="_blank">annulen@yandex.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
19.08.2016, 20:43, "Konstantin Tokarev" <<a href="mailto:annulen@yandex.ru">annulen@yandex.ru</a>>:<br>
<div><div class="h5">> 19.08.2016, 18:34, "Andrew Webster" <<a href="mailto:awebster@arcx.com">awebster@arcx.com</a>>:<br>
>> This may be a question for webkit-dev, but I thought I'd check here first since I'm using qtwebkit-tp3.<br>
>><br>
>> On an arm 32-bit platform in SpeculativeJIT::speculate, I occasionally hit the default handler which contains a release assert when using the WebInspector:<br>
>><br>
>> switch (edge.useKind()) {<br>
>><br>
>> ...<br>
>><br>
>> default:<br>
>> RELEASE_ASSERT_NOT_REACHED();<br>
>> break;<br>
>> }<br>
>><br>
>> The value of edge.useKind() causing this is MachineIntUse. The case handler for this value has been ifdef'd out on my platform:<br>
>><br>
>> #if USE(JSVALUE64)<br>
>> case MachineIntUse:<br>
>> speculateMachineInt(edge);<br>
>> break;<br>
>> case DoubleRepMachineIntUse:<br>
>> speculateDoubleRepMachineInt(<wbr>edge);<br>
>> break;<br>
>> #endif<br>
>><br>
>> It appears that MachineIntUse is being set in JSC::DFG::FixupPhase::<wbr>fixupNode when op is ProfileType:<br>
>><br>
>> if (typeSet->doesTypeConformTo(<wbr>TypeMachineInt)) {<br>
>> if (node->child1()-><wbr>shouldSpeculateInt32())<br>
>> fixEdge<Int32Use>(node-><wbr>child1());<br>
>> else<br>
>> fixEdge<MachineIntUse>(node-><wbr>child1());<br>
>> node->remove();<br>
>> }<br>
>><br>
>> I am not at all familiar with this code, but from other usage of MachineIntUse, I would guess that this should not be used except on a 64-bit platform. Given that, I am not sure if<br>
>><br>
>> 1. The typeSet should not conform to TypeMachineInt on 32-bit,<br>
>><br>
>> 2. shouldSpeculateInt32 should always be true on 32-bit,<br>
>><br>
>> 3. Int32Use should always be used on 32-bit, or<br>
>><br>
>> 4. Something else.<br>
>><br>
>> I currently am going with 3:<br>
>><br>
>> if (typeSet->doesTypeConformTo(<wbr>TypeMachineInt)) {<br>
>> #if USE(JSVALUE64)<br>
>> if (node->child1()-><wbr>shouldSpeculateInt32())<br>
>> #endif<br>
>> fixEdge<Int32Use>(node-><wbr>child1());<br>
>> #if USE(JSVALUE64)<br>
>> else<br>
>> fixEdge<MachineIntUse>(node-><wbr>child1());<br>
>> #endif<br>
>><br>
>> }<br>
>><br>
>> This has solved my immediate problem, but due to my lack of understanding, this solution could be quite flawed.<br>
>><br>
>> Any help is much appreciated.<br>
><br>
> Hello, thanks for the interest!<br>
><br>
> I'm by no means a JSC expert; however, from a quick analysis it seems to me that the correct code would be<br>
><br>
> #if USE(JSVALUE64)<br>
> if (typeSet->doesTypeConformTo(<wbr>TypeMachineInt)) {<br>
> if (node->child1()-><wbr>shouldSpeculateInt32())<br>
> fixEdge<<wbr>Int32Use>(node->child1());<br>
> else<br>
> fixEdge<<wbr>MachineIntUse>(node->child1())<wbr>;<br>
> node->remove()<wbr>;<br>
> }<br>
> #else<br>
> if (typeSet->doesTypeConformTo(<wbr>TypeMachineInt) && node->child1()-><wbr>shouldSpeculateInt32()) {<br>
> fixEdge<<wbr>Int32Use>(node->child1());<br>
> node->remove()<wbr>;<br>
> }<br>
> #endif<br>
><br>
> Anyway, I highly recommend that you:<br>
><br>
> 1. Ask real JSC experts on webkit-dev or jsc-dev<br>
> 2. Run the JSC test suite on the target (preferably a debug build as well, as it has many more ASSERTs) before and after such changes<br>
<br>
</div></div>Sorry, I forgot to add an explanation: AFAIU, MachineInt is Int32 | Int52 and on 32-bit platforms we don't speculate about Int52 because it won't fit in the register anyway, so MachineInt can be only Int32. If we have a MachineInt which is not inferred to be Int32, we cannot do anything fast with it and we follow to the next branch TypeNumber | TypeMachineInt.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Regards,<br>
Konstantin<br>
______________________________<wbr>_________________<br>
webkit-qt mailing list<br>
<a href="mailto:webkit-qt@lists.webkit.org">webkit-qt@lists.webkit.org</a><br>
<a href="https://lists.webkit.org/mailman/listinfo/webkit-qt" rel="noreferrer" target="_blank">https://lists.webkit.org/<wbr>mailman/listinfo/webkit-qt</a><br>
</div></div></blockquote></div><br></div></div>