[Webkit-unassigned] [Bug 73286] New: DFG non-X86 ArithDiv does speculation failure after mutating state, without a value recovery

Mon Nov 28 22:30:48 PST 2011

https://bugs.webkit.org/show_bug.cgi?id=73286

           Summary: DFG non-X86 ArithDiv does speculation failure after
                    mutating state, without a value recovery
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com

ArithDiv on non-X86 that was speculating integer will perform a double division, attempt to convert to an integer, and then do a speculation failure if the conversion failed.  Unfortunately, by the time this speculation check is hit, we have already mutated the registers holding the inputs to the division, which will likely cause the OSR exit code to incorrectly set up the state for the old JIT to reexecute the division.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.