[Webkit-unassigned] [Bug 123277] REGRESSION(r157164): v8-v6/v8-raytrace.js crashes on arm and sh4
bugzilla-daemon at webkit.org
Tue Oct 29 16:54:18 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=123277
--- Comment #10 from Filip Pizlo <fpizlo at apple.com> 2013-10-29 16:53:04 PST ---
(In reply to comment #9)
> (In reply to comment #6)
> > Created an attachment (id=215268)
> > --> (https://bugs.webkit.org/attachment.cgi?id=215268&action=review)
> > run-layout-jsc results for arm r157164
> >
> > Here are the run-layout-jsc results for r157163 and r157164.
> >
> > The delta is 20 new crashes between r157163 and r157164 for ARM_TRADITIONAL:
> > js/array-proto-func-property-getter-except
> > js/comparison-operators-greater
> > js/comparison-operators
> > js/comparison-operators-less
> > js/date-set-to-nan
> > js/dfg-float32array
> > js/dfg-float64array
> > js/dfg-inline-unused-this
> > js/dfg-inline-unused-this-method-check
> > js/dfg-int16array
> > js/dfg-int32array
> > js/dfg-int32array-overflow-values
> > js/dfg-int8array
> > js/dfg-intrinsic-unused-this
> > js/dfg-intrinsic-unused-this-method-check
> > js/dfg-uint16array
> > js/dfg-uint32array
> > js/dfg-uint32array-overflow-values
> > js/dfg-uint8array
> > js/dfg-uint8clampedarray
>
> I'm curious, is your methodology for making these changes seriously just that you keep trying stuff until tests pass?
Reason why I ask is that quite clearly, the DFG is using nonArgGPR0 for the callee. I just found that out by looking for "Call" in the DFGSpeculativeJIT64.cpp and DFGSpeculativeJIT32_64.cpp files. That led me to emitCall(), where it's clear that we're moving the callee into nonArgGPR0 and not regT0.
Hence this code will break the DFG.