[Webkit-unassigned] [Bug 65937] New: DFG non-speculative JIT misuses the register allocator when generating ValueToInt32 conversions where the input is known to be a double.
bugzilla-daemon at webkit.org
Tue Aug 9 13:24:40 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=65937
Summary: DFG non-speculative JIT misuses the register allocator
when generating ValueToInt32 conversions where the
input is known to be a double.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The DFG JIT has an on-the-fly register allocator, which works by having the code generator specify when a value is needed, when it is being used, and when it is not needed anymore. But the DFG non-speculative JIT path for generating ValueToInt32 conversions where the source is a double will first kill a register and then allocate it. Sometimes this works by accident (if there are other uses of the register), but when visiting http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html, it generates an assertion failure. The DFG non-speculative JIT should really first allocate the register and then kill it rather than the other way around.
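The ordering problem described in the report, as an added toy model that is not part of the original message and is not JavaScriptCore code. It assumes a register bank that tracks pending uses per value; the names Slot, ToyRegisterBank, kill and allocate, and the value id 7, are hypothetical.

```cpp
#include <array>

// Toy model only; names are hypothetical and not JavaScriptCore's.
struct Slot { int value; int usesLeft; };   // value < 0 means "register is free"

struct ToyRegisterBank {
    std::array<Slot, 4> regs;
    ToyRegisterBank() { for (auto& s : regs) s = Slot{-1, 0}; }

    // Bind a value with a known number of pending uses to a free register.
    int fill(int value, int uses) {
        for (int r = 0; r < 4; ++r)
            if (regs[r].value < 0) { regs[r] = Slot{value, uses}; return r; }
        return -1;
    }
    // "Not needed anymore": consume one use; the last use frees the register.
    void kill(int r) {
        if (--regs[r].usesLeft == 0) regs[r].value = -1;
    }
    // "Needed now": claim the register that should hold `value`.
    // Returns false at the point where a real allocator would assert.
    bool allocate(int r, int value) const { return regs[r].value == value; }
};

// Ordering the report describes as the bug: kill, then allocate.
bool killThenAllocate(ToyRegisterBank& bank, int r, int value) {
    bank.kill(r);
    return bank.allocate(r, value);
}

// Ordering the report asks for: allocate, then kill.
bool allocateThenKill(ToyRegisterBank& bank, int r, int value) {
    bool ok = bank.allocate(r, value);
    bank.kill(r);
    return ok;
}

// One conversion of a double (constructed value id 7) with `pendingUses` uses left.
bool convertSucceeds(bool killFirst, int pendingUses) {
    ToyRegisterBank bank;
    int r = bank.fill(7, pendingUses);
    return killFirst ? killThenAllocate(bank, r, 7) : allocateThenKill(bank, r, 7);
}

int main() { return convertSucceeds(false, 1) && !convertSucceeds(true, 1) ? 0 : 1; }
```

With two pending uses the kill-first ordering still passes, which is the "works by accident" case; with a single pending use it fails, while allocate-first passes in both.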