[Webkit-unassigned] [Bug 63347] New: DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Jun 24 13:28:18 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=63347
Summary: DFG non-speculative JIT has potentially harmful
speculations with respect to arithmetic operations.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
Currently, the DFG speculative JIT speculates that numbers are integers, while the DFG non-speculative JIT speculates that numbers are doubles. The latter means that if speculative execution bails out for any reason, then any subsequent arithmetic operation will rebox the integers involved as doubles, meaning that after that all operations on that value (outside of this current non-speculative call frame) will bail out of the fast path. This even affects GetByVal within non-speculative execution, but it may also affect other call frames if that value is returned or stored into the heap. Instead, the non-speculative JIT should use the same policy as the baseline JIT: attempt a fast path integer operation and box the value as an integer if possible, and only bail to double arithmetic (or value operations) if it's really necessary.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list