[Webkit-unassigned] [Bug 65421] New: DFG JIT speculation failure pass sometimes forgets to emit code to move certain registers.

bugzilla-daemon at webkit.org
Sat Jul 30 17:25:19 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=65421

           Summary: DFG JIT speculation failure pass sometimes forgets to
                    emit code to move certain registers.
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG speculation failure pass attempts to be completely optimal.  Part of this strategy is that if a register is either already spilled on the speculative path, or not spilled on the non-speculative path, then it does not need to be spilled.  However, as part of further optimizations, the same loop that detects when to spill also sets up data structures for moving registers around (such as if node X is in register A on the speculative path and in register B on the non-speculative path, necessitating a move).  Unfortunately, this loop is badly formed: it will skip over a register entirely if it is already spilled on the speculative path, rather than just not spilling it.  This means that if a register is spilled on the speculative path, and needs to be moved to a different register on the non-speculative path, the move will never happen, resulting in badness if speculation fails.

This crash is responsible for docs.google.com spreadsheets not loading.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
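
The loop shape described in the report above, as an added example that is not part of the original message and is not JavaScriptCore code. It is a simplified C++ model in which every name (`PathState`, `Node`, `Plan`, `planBuggy`, `planFixed`, `sampleNodes`) and the sample data are hypothetical; it assumes one register per node on each path and only counts the spills and moves the failure path would have to emit.

```cpp
// Simplified model of the loop in the bug report. All names are hypothetical;
// this is not JavaScriptCore code.
#include <vector>

struct PathState {
    int reg;       // register holding the node's value on this path
    bool spilled;  // true if the value also has a copy in its spill slot
};
struct Node { PathState speculative; PathState nonSpeculative; };
struct Plan {
    int spills;  // spill stores the speculation-failure code must emit
    int moves;   // register-to-register moves it must emit
};

// Buggy shape: "already spilled on the speculative path" skips the node
// entirely, so the move bookkeeping is never reached for that node.
Plan planBuggy(const std::vector<Node>& nodes) {
    Plan plan{0, 0};
    for (const Node& n : nodes) {
        if (n.speculative.spilled)
            continue;  // intended: skip the spill; actual: skips the move too
        if (n.nonSpeculative.spilled)
            ++plan.spills;
        if (n.speculative.reg != n.nonSpeculative.reg)
            ++plan.moves;
    }
    return plan;
}

// Corrected shape: the spilled check only suppresses the spill.
Plan planFixed(const std::vector<Node>& nodes) {
    Plan plan{0, 0};
    for (const Node& n : nodes) {
        if (!n.speculative.spilled && n.nonSpeculative.spilled)
            ++plan.spills;
        if (n.speculative.reg != n.nonSpeculative.reg)
            ++plan.moves;  // evaluated for every node, spilled or not
    }
    return plan;
}

// Constructed sample data, not taken from a real compilation.
std::vector<Node> sampleNodes() {
    return {
        {{0, false}, {0, true}},   // same register, needs a spill only
        {{1, true},  {2, true}},   // already spilled, but register differs
        {{3, false}, {4, false}},  // never spilled, register differs
    };
}
```

On the constructed input both versions plan one spill, but the buggy loop plans one move where the corrected loop plans two: the missing move is the second node, which is the case the report describes.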