[Webkit-unassigned] [Bug 67798] New: DFG JIT completely undoes speculative compilation even in the case of a partial static speculation failure

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=67798

           Summary: DFG JIT completely undoes speculative compilation even
                    in the case of a partial static speculation failure
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT may perform a speculation that contravenes static information.  For example, it may assume that a value must be integer when the code that produces it always produces a cell, and the fact that it produces a cell is proven statically.  In that case, it terminates speculation.  Currently this means undoing speculative compilation for the entire code block, and recompiling the entire code block entirely with the non-speculative JIT.  What it should probably do instead is just jump out of speculative code at the point where the static information contravenes speculation, to ensure that if this scenario happens partially (i.e. in conditional code, which may be a slow path anyway) then the code block will still benefit from speculation when that condition does not arise.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.