[Webkit-unassigned] [Bug 123277] REGRESSION(r157164): v8-v6/v8-raytrace.js crashes on arm and sh4

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 29 17:16:47 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=123277





--- Comment #11 from Julien Brianceau <jbriance at cisco.com>  2013-10-29 17:15:32 PST ---
(In reply to comment #10)
> (In reply to comment #9)
> > I'm curious, is your methodology for making these changes seriously just that you keep trying stuff until tests pass?

No, I thought that my previous comments showed that I did a little analysis before.


> Reason why I ask is that quite clearly, the DFG is using nonArgGPR0 for the callee.  I just found that out by looking for "Call" in the DFGSpeculativeJIT64.cpp and DFGSpeculativeJIT32_64.cpp files.  That led me to emitCall(), where it's clear that we're moving the callee into nonArgGPR0 and not regT0.

Digging into the JavaScriptCore engine is just a part of my job, and I still have to learn how it works. I don't pretend to be an expert on this engine, I'm just trying to help.

> Hence this code will break the DFG.

I didn't realize this, but fortunately reviews are made for this, right?
