[Webkit-unassigned] [Bug 65490] New: DFG JIT sometimes creates speculation check data structures that have invalid information about the format of a register

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=65490

           Summary: DFG JIT sometimes creates speculation check data
                    structures that have invalid information about the
                    format of a register
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT speculation failure code requires knowing the format in which values are stored on both the speculative, and non-speculative, paths.  For example, a number may be either boxed, unboxed as an integer, or unboxed as a double.  But sometimes the speculative JIT creates a speculation failure in which it fails to correctly set the data format of a register, leading to either incorrect speculation failure code, or assertion failures.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.