[Webkit-unassigned] [Bug 68189] New: DFG speculative JIT sometimes asserts that a value is not a number even when it doesn't know anything about the number
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Sep 15 14:09:09 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68189
Summary: DFG speculative JIT sometimes asserts that a value is
not a number even when it doesn't know anything about
the number
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The DFG speculative JIT makes use of the isKnownNotNumber() method, which returns true if the GenerationInfo reports that the value is neither an integer nor a double. But that means that it will return true if the GenerationInfo is either DataFormatNone or DataFormatJS, which means that we actually know nothing about the value. This results in poor speculations on ValueAdd in release builds, and assertion falues in debug builds.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list