[Webkit-unassigned] [Bug 70256] Live range splitting bug

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 17 13:03:10 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=70256





--- Comment #3 from Filip Pizlo <fpizlo at apple.com>  2011-10-17 13:03:11 PST ---
Aha!  So it's not live range splitting's fault, per se.  Live range splitting is doing the right thing: indeed the j = undefined coexists with j = 0.

From the standpoint of the propagator, if we ignore local variables, an addition of undefined (i.e. PredictOther) and 1 (i.e. PredictInt32) should not speculate integer, since the following code:

var j;
j++;
j;

produces NaN, which is not an integer.

The problem is that the propagator is not flow-sensitive with respect to variables, so it fails to see that in all of the places where we do j++, j must be an integer.  So the solution is two-fold:

1) Make the propagator flow-sensitive with respect to variables.

2) After we do this, GetLocal(j)/SetLocal(j) will still think that j is Int|Other since the variable j does indeed have stores of both Other and Int32.  So SpeculateIntegerOperand will have to fall back on the CFA's proof that at the point where we do Add(GetLocal(j), JSConstant(1)), GetLocal(j) must be an integer even though j is not strictly an integer variable.

Yucky.  I'll do this after the horror of inlining is complete.


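A toy model of the two propagation strategies discussed in the comment above, added here as an illustration; it is not WebKit code and not code from the bug. The control-flow graph, bit values and function names are constructed for this example, and the Add rule is simplified (integer overflow is ignored).

```javascript
// Prediction bits. The names echo PredictInt32/PredictOther; the values are made up here.
const INT32 = 1, OTHER = 2, DOUBLE = 4;

// Constructed CFG for:  var j; j = 0; while (cond) j++;
// Each block lists its operations on the single local j and its successor blocks.
const blocks = [
  { ops: [{ set: OTHER }], succ: [1] },       // var j;  (store of undefined)
  { ops: [{ set: INT32 }], succ: [2] },       // j = 0;
  { ops: [{ addOne: true }], succ: [2, 3] },  // j++ inside the loop
  { ops: [], succ: [] },                      // exit
];

// Add(x, 1) is an integer only if x is known to be Int32; undefined + 1 is NaN, a double.
const addResult = (x) => (x === 0 ? 0 : x === INT32 ? INT32 : DOUBLE);
const apply = (op, j) => (op.addOne ? addResult(j) : op.set);

// Flow-insensitive: one prediction per variable, the union of every store to it.
function flowInsensitive(cfg) {
  let j = 0, changed = true;
  while (changed) {
    changed = false;
    for (const b of cfg) for (const op of b.ops) {
      const v = apply(op, j);
      if ((j | v) !== j) { j |= v; changed = true; }
    }
  }
  return j; // what every GetLocal(j) is predicted to produce
}

// Flow-sensitive: a prediction for j at each block entry, merged over predecessors.
// Returns, per block, the prediction that GetLocal(j) feeds into the Add.
function flowSensitive(cfg) {
  const atEntry = cfg.map(() => 0), atAdd = cfg.map(() => 0), work = [0];
  while (work.length) {
    const i = work.pop();
    let j = atEntry[i];
    for (const op of cfg[i].ops) {
      if (op.addOne) atAdd[i] |= j;
      j = apply(op, j);
    }
    for (const s of cfg[i].succ) {
      if ((atEntry[s] | j) !== atEntry[s]) { atEntry[s] |= j; work.push(s); }
    }
  }
  return atAdd;
}
```

In this model the per-variable union still contains the Other bit from the initial store, so the Add cannot be treated as an integer add, while the per-point result at the loop block is exactly Int32.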

