[Webkit-unassigned] [Bug 65233] New: DFG JIT speculation failure code performs incorrect conversions in the case where two registers need to be swapped

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 26 22:34:59 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65233

           Summary: DFG JIT speculation failure code performs incorrect
                    conversions in the case where two registers need to be
                    swapped
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT speculation failure code is quite optimized, and quite complicated.  One special case that it detects, and handles in an efficient way, is where the speculative path would have placed node A in register R1 and node B in register R2, whilst the non-speculative path reversed them: node A in R2, B in R1.  Special care must be taken, however, if speculative represents node A (i.e. R1) as an unboxed integer while non-speculative represents node A (i.e. R2) as a boxed integer.  This is where the DFG will currently fail.  Instead of asking if R1 in speculative has a different register format than R2 in non-speculative, it compares the register formats of R1 in speculative with R1 in non-speculative, despite the fact that R1 is associated with different nodes in the two paths.  This may make the speculation failure code miss cases where register formats need to be converted, and in other cases may perform a conversion on the wrong register, thereby causing two registers to be corrupt: the one on which an incorrect conversion was performed, and the one on which no conversion was performed.
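The swap case described above, as an added model written for this page (it is not JavaScriptCore's own code; the node names, register numbers, formats and both helper functions are constructed). It contrasts the register-indexed comparison the report describes with the node-indexed comparison that is needed:

```cpp
#include <map>
#include <string>
#include <vector>

// Hypothetical model of register formats on the two DFG paths (not JSC code).
enum class Format { UnboxedInt, BoxedInt };

struct Placement { int reg; Format format; };   // where a node lives, and how
using Path = std::map<std::string, Placement>;  // node name -> placement
struct Conversion { int reg; Format from; Format to; };

// Buggy: compares the format of register R on the speculative path with the
// format of the same R on the non-speculative path, ignoring that R holds a
// different node on each path once A and B are swapped.
std::vector<Conversion> conversionsByRegister(const Path& spec, const Path& nonSpec) {
    std::map<int, Format> specByReg, nonSpecByReg;
    for (const auto& kv : spec) specByReg[kv.second.reg] = kv.second.format;
    for (const auto& kv : nonSpec) nonSpecByReg[kv.second.reg] = kv.second.format;
    std::vector<Conversion> out;
    for (const auto& kv : specByReg) {
        Format target = nonSpecByReg.at(kv.first);
        if (kv.second != target) out.push_back({kv.first, kv.second, target});
    }
    return out;
}

// Correct: compare the same node's format across the two paths and convert it
// in the register where the speculative path left it.
std::vector<Conversion> conversionsByNode(const Path& spec, const Path& nonSpec) {
    std::vector<Conversion> out;
    for (const auto& kv : spec) {
        const Placement& p = kv.second;
        const Placement& q = nonSpec.at(kv.first);
        if (p.format != q.format) out.push_back({p.reg, p.format, q.format});
    }
    return out;
}

// Constructed instance of the report's scenario: speculative has A in R1 and
// B in R2, both unboxed; non-speculative has A in R2 boxed and B in R1 unboxed.
Path specPath()    { return {{"A", {1, Format::UnboxedInt}}, {"B", {2, Format::UnboxedInt}}}; }
Path nonSpecPath() { return {{"A", {2, Format::BoxedInt}},   {"B", {1, Format::UnboxedInt}}}; }
```

For this input the register-indexed comparison emits a single conversion on R2 (boxing B, which should stay unboxed) and none on R1 (so A is never boxed), leaving both registers wrong; the node-indexed comparison emits exactly one conversion, boxing A in R1.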
