[Webkit-unassigned] [Bug 66104] New: DFG JIT speculation failure code sometimes picks the wrong register as a scratch register.
bugzilla-daemon at webkit.org
Thu Aug 11 15:13:17 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66104
Summary: DFG JIT speculation failure code sometimes picks the wrong register as a scratch register.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The DFG JIT speculation failure code attempts to pick three registers (one GPR, two FPRs) for scratch storage. This is opportunistic and may fail; even if it does, the speculation failure will still work but may require somewhat slower code. Currently, the code to pick scratch registers assumes that if a register is spilled then it can subsequently be used for scratch. This is incorrect, as the register may actually be used for shuffling (i.e. subsequent code in the speculation failure path may assume that the register still contains the value of a DFG node, and may move that value from that register into a different register).
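A toy model of the scratch-register problem described in the report, added here as an illustration; it is not JavaScriptCore code and does not come from the bug reporter. Every name in it (`ExitState`, `Move`, `pickScratchSpilledOnly`, `pickScratchChecked`, `runExit`) is hypothetical, and the register contents are constructed sample values.

```cpp
// Added illustration: a toy model, not JavaScriptCore code. All names are hypothetical.
#include <array>
#include <vector>

constexpr int kNumGPRs = 4;
constexpr int kNoScratch = -1;    // no register could be picked: take the slower path
constexpr int kClobbered = -999;  // marker written when a register is used as scratch

struct Move { int from, to; };    // pending shuffle: copy register `from` into `to`

struct ExitState {
    std::array<int, kNumGPRs> value{};     // current contents of each GPR
    std::array<bool, kNumGPRs> spilled{};  // node value also has a copy on the stack
    std::vector<Move> shuffles;            // moves the exit path still has to perform
};

// Flawed policy from the report: any spilled register is treated as free.
int pickScratchSpilledOnly(const ExitState& s) {
    for (int r = 0; r < kNumGPRs; ++r)
        if (s.spilled[r]) return r;
    return kNoScratch;
}

// Checked policy: a spilled register is still live if a pending shuffle reads it.
int pickScratchChecked(const ExitState& s) {
    for (int r = 0; r < kNumGPRs; ++r) {
        if (!s.spilled[r]) continue;
        bool isShuffleSource = false;
        for (const Move& m : s.shuffles)
            if (m.from == r) isShuffleSource = true;
        if (!isShuffleSource) return r;
    }
    return kNoScratch;
}

// Run the exit path: clobber the scratch register (if any), then do the shuffles.
ExitState runExit(ExitState s, int scratch) {
    if (scratch != kNoScratch) s.value[scratch] = kClobbered;
    for (const Move& m : s.shuffles) s.value[m.to] = s.value[m.from];
    return s;
}

// Constructed sample: r0 and r2 are spilled, and r0 must still be moved into r1.
ExitState sampleState() {
    ExitState s;
    s.value = {10, 20, 30, 40};
    s.spilled = {true, false, true, false};
    s.shuffles.push_back(Move{0, 1});
    return s;
}
```

With the spilled-only policy, r0 is chosen and r1 ends up holding the scratch marker instead of the node value; the checked policy picks r2 or reports that no scratch register is available.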