[Webkit-unassigned] [Bug 117144] JSC asserting without LLINT with DFG JIT

bugzilla-daemon at webkit.org
Thu Jun 6 00:30:41 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=117144





--- Comment #1 from Gabor Rapcsanyi <rgabor at webkit.org>  2013-06-06 00:29:15 PST ---
As I see it, the JITted code could differ from the stored bytecode when there is no LLInt. DFG deoptimization has a recovery method which sets the values back in memory with the help of the stored bytecode.
The problem is that this bytecode differs from the one which we used to compile the JIT code, and we have neither the original nor the changes. So it will set back a value which the JIT did not expect. In this case it will set back an Undefined JS value while the JIT expects CellTag.
