[Webkit-unassigned] [Bug 24447] REGRESSION (r41508): Google Maps does not complete initialization

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 9 06:10:03 PDT 2009 

https://bugs.webkit.org/show_bug.cgi?id=24447


oliver at apple.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|webkit-                     |oliver at apple.com
                   |unassigned at lists.webkit.org |
             Status|NEW                         |ASSIGNED




------- Comment #4 from oliver at apple.com  2009-03-09 06:10 PDT -------
Created an attachment (id=28412)
 --> (https://bugs.webkit.org/attachment.cgi?id=28412&action=view)
Fix dirtying of the register cache at branch targets

>From Radar:
3/7/09 8:13 PM Oliver Hunt:
(This is an underlying bug exposes by r41508, not caused by it)

3/8/09 6:57 AM Oliver Hunt:
Reduced to 
(print||q.c)()

3/8/09 7:04 AM Oliver Hunt:
or 
(print?1:q.c)()

This is very suckful, apparently we aren't checking for an instruction being a
branch target -- i'm 90% sure we can get buy only tracking forward branches,
although it will suck to do so, it should not be too difficult

3/8/09 4:00 PM Oliver Hunt:
The basic cause of the issue is demonstrated thus:
[   1] resolve_global    r4, [object global], print(@id0) //
cachedResultRegister = r4
[   7] jfalse            r4, 6(->15) // cachedResultRegister = <nothing>

    [  10] mov           r3, r0 // no change
    [  13] jmp           15(->29) // no change
    [  15] resolve_global        r4, [object global], q(@id1) //
cachedResultRegister = r4
    [  21] get_by_id     r3, r4, c(@id2) // cachedResultRegister = r3
// At this point we believe  r4 is cached in eax, but if we come from
[  29] mov               r4, r1
[  32] call              r3, r3, 1, 13

This patch ensures that the jit will correctly clobber the cache register when
it hits the target of a forward branch.  I have not yet determined whether it
is possible to create code that can be hit by a loop that does not clobber the
register cache.

Currently have not test case written, and haven't been able to get stable perf
numbers, so will finish this at work.


-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list