[Webkit-unassigned] [Bug 67826] JavaScriptCore does not have speculative->baseline OSR

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 9 19:21:17 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67826
--- Comment #8 from Filip Pizlo <fpizlo at apple.com>  2011-09-09 19:21:18 PST ---
Looks like the mac-ews fail is just a matter of #ifdef'ing some debug stuff, which can't (and shouldn't) compile under release build.

I've also found the reason why OSR breaks the web.  The OSR algorithm was playing fast and loose with virtual registers.  For efficiency, it first dumps state in physical registers into the bytecode register file, and then it shuffles virtual registers that were displaced.  But this is wrong.  There may be a value stored in a virtual register by the DFG JIT, where that same virtual register is in use by the old JIT, and the value for that virtual register is currently held by the DFG JIT in a physical register.  Then the OSR code will clobber its own virtual register with a different value stored in a physical register, and then shuffle that virtual register to a different virtual register location.  And so the world breaks.  On bing it means that 'this' gets clobbered with a double, resulting in humorous fails.

This is relatively easy to fix.  In most code, the DFG does not use its virtual registers very much, since physical register allocation does its job.  So we just have to special-case the situation where the OSR would want to dump a physical register into an old-JIT virtual register slot that still holds another live value from DFG state.  In that case, the physical register can be dumped to on-the-side scratch storage.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
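The register reconciliation that comment #8 describes, as an added example: a small C++ model written for this page, not JavaScriptCore's own OSR code. The `JSValue`, `Recovery` and `ExitState` types, the slot numbers, the physical-register ids and the values are all constructed for illustration. `naiveOsrExit` does what the comment says the broken version did (dump physical registers into the bytecode register file first, then shuffle the displaced virtual registers), and `fixedOsrExit` applies the fix the comment proposes: a physical register whose destination slot still holds a live DFG value is parked in on-the-side scratch storage until the shuffle has read that slot.

```cpp
// Added example, not WebKit code: models the DFG -> baseline OSR exit state
// reconciliation from bug 67826 comment #8 and the clobbering bug it found.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// Stand-in for JSC's JSValue: just enough to tell a cell from a double.
struct JSValue {
    enum class Tag { Empty, Cell, Double, Int32 } tag = Tag::Empty;
    std::string cell;   // object name when tag == Cell (constructed, not a real pointer)
    double number = 0;  // payload when tag == Double or Int32
};
static JSValue cell(const std::string& n) { JSValue v; v.tag = JSValue::Tag::Cell; v.cell = n; return v; }
static JSValue dbl(double d) { JSValue v; v.tag = JSValue::Tag::Double; v.number = d; return v; }
static JSValue int32(int i) { JSValue v; v.tag = JSValue::Tag::Int32; v.number = i; return v; }

std::string describe(const JSValue& v) {
    char buf[64];
    switch (v.tag) {
    case JSValue::Tag::Cell:   return "cell(" + v.cell + ")";
    case JSValue::Tag::Double: std::snprintf(buf, sizeof buf, "double(%g)", v.number); return buf;
    case JSValue::Tag::Int32:  std::snprintf(buf, sizeof buf, "int32(%d)", (int)v.number); return buf;
    default:                   return "empty";
    }
}

// Where the DFG holds the value that baseline virtual register `target` must
// contain at the exit point. Real JSC has more recovery kinds; two suffice here.
struct Recovery {
    enum class Kind { InPhysicalRegister, InVirtualRegister } kind;
    int target;  // baseline virtual register = slot in the shared register file
    int source;  // physical register id, or the DFG virtual register's slot index
};

struct ExitState {
    std::vector<JSValue> registerFile;   // bytecode register file shared by both JITs
    std::map<int, JSValue> physical;     // physical register id -> value the DFG keeps there
    std::vector<Recovery> plan;
};

// Parallel move for the displaced virtual registers: every read comes from a
// snapshot taken before any write, so plan order does not matter here.
static void shuffleVirtual(std::vector<JSValue>& file, const std::vector<Recovery>& plan) {
    const std::vector<JSValue> snapshot = file;
    for (const Recovery& r : plan)
        if (r.kind == Recovery::Kind::InVirtualRegister && r.source != r.target)
            file[r.target] = snapshot[r.source];
}

// The broken ordering: physical registers are dumped straight into their
// baseline slots, even when such a slot still holds a live DFG value.
std::vector<JSValue> naiveOsrExit(ExitState s) {
    for (const Recovery& r : s.plan)
        if (r.kind == Recovery::Kind::InPhysicalRegister)
            s.registerFile[r.target] = s.physical.at(r.source);  // may clobber a live slot
    shuffleVirtual(s.registerFile, s.plan);
    return s.registerFile;
}

// The fix: if a physical register's destination slot is still the source of a
// pending virtual-register move, dump it to scratch storage instead and write
// it back only after the shuffle has consumed the slot.
std::vector<JSValue> fixedOsrExit(ExitState s) {
    std::set<int> liveSources;  // slots the shuffle still has to read from
    for (const Recovery& r : s.plan)
        if (r.kind == Recovery::Kind::InVirtualRegister && r.source != r.target)
            liveSources.insert(r.source);
    std::map<int, JSValue> scratch;  // on-the-side storage for deferred dumps
    for (const Recovery& r : s.plan) {
        if (r.kind != Recovery::Kind::InPhysicalRegister) continue;
        if (liveSources.count(r.target))
            scratch[r.target] = s.physical.at(r.source);
        else
            s.registerFile[r.target] = s.physical.at(r.source);
    }
    shuffleVirtual(s.registerFile, s.plan);
    for (const auto& kv : scratch) s.registerFile[kv.first] = kv.second;
    return s.registerFile;
}

// Constructed scenario (not a real trace): baseline wants slot 0 = `this`,
// slot 1 = a counter, slot 2 = a double. The DFG kept `this` in one of its own
// virtual registers that happens to be slot 2 of the same file, and the
// double in physical register 0.
ExitState clobberScenario() {
    ExitState s;
    s.registerFile = { JSValue{}, JSValue{}, cell("this"), int32(7) };
    s.physical[0] = dbl(3.5);
    s.physical[1] = int32(42);
    s.plan = {
        { Recovery::Kind::InPhysicalRegister, 2, 0 },  // slot 2 <- phys 0 (the double)
        { Recovery::Kind::InPhysicalRegister, 1, 1 },  // slot 1 <- phys 1
        { Recovery::Kind::InVirtualRegister,  0, 2 },  // slot 0 <- DFG vreg at slot 2 (this)
        { Recovery::Kind::InVirtualRegister,  3, 3 },  // slot 3 already in place
    };
    return s;
}

int main() {
    std::vector<JSValue> bad = naiveOsrExit(clobberScenario());
    std::vector<JSValue> good = fixedOsrExit(clobberScenario());
    for (size_t i = 0; i < bad.size(); ++i)
        std::printf("slot %zu: naive=%s fixed=%s\n", i,
                    describe(bad[i]).c_str(), describe(good[i]).c_str());
    return 0;
}
```

With the naive ordering, slot 0 (`this`) ends up holding the double that was dumped into slot 2 before the shuffle copied slot 2 into slot 0, which is the failure mode the comment describes for bing; the fixed version leaves `this` intact and still lands the double in slot 2 afterwards.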