[Webkit-unassigned] [Bug 64330] New: DFG speculative JIT does not guard itself against floating point speculation failures on non-floating-point constants

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 11 17:09:12 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64330

           Summary: DFG speculative JIT does not guard itself against
                    floating point speculation failures on
                    non-floating-point constants
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant.  Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action.  Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register.
