[Webkit-unassigned] [Bug 67804] New: DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 8 14:23:55 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67804

           Summary: DFG speculative JIT does not initialize integer tags
                    for PredictInt32 temporaries
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


For variables that are PredictInt32, the DFG speculative JIT does loads and stores on the lower-32-bit payload without boxing and unboxing.  This is possible because at the head of the code block, the speculative JIT initializes the tags for all of these variables.  But, it neglects to do so for temporaries created by the DFG itself that were then predicted Int32.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
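
A simplified model of the invariant described in the report, added here as an illustration and not taken from WebKit's source. The `Slot` layout, the `INT32_TAG` value and all function names are assumptions chosen for the example; it shows why a payload-only store is only safe for slots whose tag was written in the prologue.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model: a 64-bit register-file slot split into a 32-bit payload
   and a 32-bit tag. INT32_TAG is an illustrative value, not JSC's constant. */
#define INT32_TAG 0xFFFF0000u

typedef struct { uint32_t payload; uint32_t tag; } Slot;

/* Prologue step from the report: write the integer tag once for every
   slot that is predicted Int32. */
static void init_int32_tags(Slot *slots, const int *predicted_int32, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (predicted_int32[i])
            slots[i].tag = INT32_TAG;
}

/* Speculative fast path: store the payload only, with no boxing. */
static void store_int32_payload(Slot *s, int32_t v) { s->payload = (uint32_t)v; }

/* What code reading the full slot sees: a boxed int32 only if the tag is right. */
static int slot_is_boxed_int32(const Slot *s) { return s->tag == INT32_TAG; }

/* Slot 0 models a declared variable, slot 1 a temporary created by the JIT.
   cover_temporaries selects whether the prologue also tags the temporary.
   Returns 1 when both slots read back as well-formed boxed integers. */
static int all_slots_read_as_int32(int cover_temporaries) {
    Slot slots[2];
    int predicted[2] = { 1, cover_temporaries };

    memset(slots, 0xAB, sizeof slots);   /* constructed stale contents */
    init_int32_tags(slots, predicted, 2);
    store_int32_payload(&slots[0], 7);
    store_int32_payload(&slots[1], 42);
    return slot_is_boxed_int32(&slots[0]) && slot_is_boxed_int32(&slots[1]);
}

int main(void) {
    printf("temporaries skipped: %d\n", all_slots_read_as_int32(0));
    printf("temporaries covered: %d\n", all_slots_read_as_int32(1));
    return 0;
}
```
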