[Webkit-unassigned] [Bug 68430] New: DFG JIT performs too many negative zero checks, and too many overflow checks
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Sep 20 01:10:49 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68430
Summary: DFG JIT performs too many negative zero checks, and
too many overflow checks
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
In the following constructs, the DFG JIT could perform some obvious optimizations. Currently it doesn't. All of these optimizations require one mechanism: backward propagation of the worst-case use kind of a value. The DFG currently does have this mechanism, but it should.
a[b * c]
b * c does not need to check for negative zero, since a[-0] is the same as a[0].
(a + b) | c
a + b does not need to check for overflow.
(a * b) * c
a * b does not need to check for negative zero, if (a * b) * c does not need to.
Finally, in the case where all of these optimizations fail and the DFG produces a double result because it believes that an overflow needs to be noted, the DFG JIT should not subsequently give up on speculation just because it sees a ValueToInt32. It's better to just perform a conversion to integer (even if it's not cheap) then it is to OSR exit.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list