[Webkit-unassigned] [Bug 65294] New: DFG JIT - may speculate based on wrong arguments.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 27 16:38:40 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65294

           Summary: DFG JIT - may speculate based on wrong arguments.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: barraclough at apple.com


In the case of a DFG compiled function calling to and compiling a second function that also compiles through the DFG JIT (i.e. compilation triggered from DFGOperations.cpp), we call compileFor passing the caller function's exec state, rather than the callee's.  This may lead to mis-optimization, since the DFG compiler will examine the exec state's arguments on the assumption that these will be passed to the callee - it wants the callee's exec state, not the caller's exec state.

Fixing this for all cases of compilation is tricksy, due to the way the numeric sort function is compiled, and the structure of the calls in the Interpreter::execute methods.  Only fix this for compilation from the JIT; in other calls, don't speculate based on arguments for now.
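The scenario the report describes, as an added JavaScript illustration that is not part of the bug report or of WebKit's own test suite: a hot caller whose own arguments are always int32 calls a second function with arguments of a different type. If the callee were compiled against the caller's exec state, the compiler would see the caller's int32 arguments and could speculate that the callee's arguments are int32 too, which is wrong for the string and double arguments the callee actually receives. The function names, argument shapes and iteration count are assumptions for this example; it is not a confirmed reproducer, and on a correct engine the checks simply pass.

```javascript
"use strict";
// Added illustration of the condition described in the bug report.
// Nothing here is a confirmed reproducer; names and values are assumed.

// Callee: its result depends on the real runtime types of x and y.
// Under an int32 speculation borrowed from the caller's arguments,
// String("5") + String("6") would be treated as 5 + 6 instead of
// concatenation, and 5/4 + 6/4 would lose its fractional part.
function callee(x, y) {
  return x + y;
}

// Caller: always invoked with int32 arguments, so a compiler examining the
// caller's own exec state sees two int32 values. It then calls callee with
// values derived from those ints but of a different type.
function caller(a, b) {
  const n = (a + b) | 0;                          // int32 work on own args
  const asString = callee(String(a), String(b));  // strings, not int32
  const asDouble = callee(a / 4, b / 4);          // doubles, not int32
  return { n, asString, asDouble };
}

// Drive the caller hot with int32 arguments so that in a tiering JIT both
// functions are compiled while only int32 values have ever reached caller.
// Returns the sum of the int32 results so the warm-up itself is checkable.
function warmUp(iterations) {
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    acc += caller(i, i + 1).n;
  }
  return acc;
}

// After warm-up, verify callee still observes its real argument types.
// These are the checks that would fail (or trip an invalid speculation
// exit) if the callee had been compiled from the caller's exec state.
function checkAfterWarmUp(iterations) {
  warmUp(iterations);
  const r = caller(5, 6);
  return {
    n: r.n,               // 11
    asString: r.asString, // "56": concatenation, not 11
    asDouble: r.asDouble, // 2.75: 5/4 + 6/4, no int truncation
    ok: r.n === 11 && r.asString === "56" && r.asDouble === 2.75,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkAfterWarmUp(100000));
}
```

Run it under a debug build of the engine under test with the compiler's validation enabled; the three fields returned by checkAfterWarmUp are the values a correct compile must preserve regardless of what the caller's own arguments looked like.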
