[Webkit-unassigned] [Bug 67551] New: DFG JIT speculation failure does recovery of additions in reverse and doesn't rebox

bugzilla-daemon at webkit.org
Fri Sep 2 20:48:53 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67551

           Summary: DFG JIT speculation failure does recovery of additions
                    in reverse and doesn't rebox
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT speculation failure code can undo additions - so if we realize that we executed a destructive addition incorrectly, we can revert it.  But the code does not work: it performs an addition on the wrong register (it reverses the source and destination) and then fails to rebox the result, if the destructive addition also did implicit unboxing via zero extension.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
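
The failure mode described in the report, as an added C model; this is not JavaScriptCore code and was not part of the original message. It assumes a boxed int32 is a 64-bit register with a tag in the high bits; the tag constant, the function names and the exact form of the faulty recovery are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed boxing model: int32 payload in the low 32 bits, tag in the high bits. */
#define TAG_INT32 0xffff000000000000ULL
struct regs { uint64_t src, dest; };

static uint64_t box(int32_t v) { return TAG_INT32 | (uint32_t)v; }
static int is_boxed_int32(uint64_t r) { return (r & TAG_INT32) == TAG_INT32; }

/* Destructive 32-bit add into dest. Writing the 32-bit result zero-extends it,
   so dest loses its tag (implicit unboxing). Returns 1 on signed overflow. */
static int add32(uint64_t src, uint64_t *dest) {
    uint32_t a = (uint32_t)src, b = (uint32_t)*dest, s = a + b;
    *dest = s;
    return (int)((~(a ^ b) & (a ^ s)) >> 31);
}

/* Recovery that restores the pre-add state: undo on dest, then rebox. */
static void recover_fixed(struct regs *r) {
    r->dest = TAG_INT32 | (uint32_t)((uint32_t)r->dest - (uint32_t)r->src);
}

/* Hypothetical faulty recovery matching the report's two symptoms:
   source and destination swapped, and no reboxing afterwards. */
static void recover_faulty(struct regs *r) {
    r->src = (uint32_t)((uint32_t)r->src - (uint32_t)r->dest);
}

/* Speculate that a + b fits in int32; on overflow, run the chosen recovery
   and return the register state the non-speculative path would see. */
static struct regs speculate_add(int32_t a, int32_t b, int use_fixed) {
    struct regs r = { box(a), box(b) };
    if (add32(r.src, &r.dest)) {
        if (use_fixed) recover_fixed(&r); else recover_faulty(&r);
    }
    return r;
}

int main(void) {
    struct regs ok = speculate_add(INT32_MAX, 1, 1);
    struct regs bad = speculate_add(INT32_MAX, 1, 0);
    printf("fixed:  src=%016llx dest=%016llx boxed=%d\n", (unsigned long long)ok.src,
           (unsigned long long)ok.dest, is_boxed_int32(ok.dest));
    printf("faulty: src=%016llx dest=%016llx boxed=%d\n", (unsigned long long)bad.src,
           (unsigned long long)bad.dest, is_boxed_int32(bad.dest));
    return 0;
}
```

With the faulty recovery, the code that runs after the speculation failure sees an untagged destination and a modified source, so neither register holds the value that was live before the add.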


