[Webkit-unassigned] [Bug 65825] New: DFG JIT does not track speculation decisions for global variables

bugzilla-daemon at webkit.org
Sun Aug 7 02:48:35 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65825

           Summary: DFG JIT does not track speculation decisions for
                    global variables
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT tracks speculation decisions for block-local temporaries (in the backend) and variables that span blocks (during bytecode parsing via local variable tracking).  But it does not do this for global variables.  Hence code that uses a global variable "as if" it were a local variable can experience awkward pathologies.  For example:

x=5
x/=2
x++

Where x is not declared as a 'var' will result in the first line storing the Int32 representation of 5 into x; the second line checking what type x has, realizing that it's an int, and converting it to a double in order to perform a division and then storing the result into x as a double; and the third line speculating that x is an integer and failing speculation.

The DFG JIT should track speculations for global variables, so that such code will at the very least not perform speculations that contravene other speculations performed by the same code.

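A toy model of the pathology described in the report above, as an added example that is not part of the original message and is not JavaScriptCore code. The statement kinds, the default Int32 guess and the `simulate` function are assumptions made for illustration.

```javascript
// Toy model of the report's three-line example; not JavaScriptCore code.
const INT32 = "Int32";
const DOUBLE = "Double";

// Representation the value would have at run time in this model.
function reprOf(value) {
  const fitsInt32 =
    Number.isInteger(value) && value >= -(2 ** 31) && value < 2 ** 31;
  return fitsInt32 ? INT32 : DOUBLE;
}

// Constructed statement list for the three lines in the report.
//   store:     writes a constant, never reads x
//   checked:   tests x's type at run time, so it cannot mis-speculate
//   speculate: compiled for one assumed representation of x
const REPORT_PROGRAM = [
  { src: "x=5", kind: "store", run: () => 5, resultRepr: () => INT32 },
  { src: "x/=2", kind: "checked", run: (x) => x / 2, resultRepr: () => DOUBLE },
  // x++ keeps the representation of its input (overflow ignored in this model).
  { src: "x++", kind: "speculate", run: (x) => x + 1, resultRepr: (known) => known },
];

// Run the program. With trackGlobals=false every speculating statement falls
// back to an Int32 guess (assumed default for this model). With
// trackGlobals=true it reuses the representation recorded by earlier statements.
function simulate(program, trackGlobals) {
  let x;
  let known = null; // compile-time record of x's representation
  const failures = [];
  for (const stmt of program) {
    if (stmt.kind === "speculate") {
      const assumed = trackGlobals && known !== null ? known : INT32;
      if (assumed !== reprOf(x)) failures.push(stmt.src);
    }
    x = stmt.run(x);
    if (trackGlobals) known = stmt.resultRepr(known);
  }
  return { x, failures };
}

console.log("untracked:", simulate(REPORT_PROGRAM, false));
console.log("tracked:  ", simulate(REPORT_PROGRAM, true));
```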


