[Webkit-unassigned] [Bug 160802] Register usage optimization in mathIC when LHS and RHS are constants isn't configured correctly

bugzilla-daemon at webkit.org
Fri Aug 12 10:11:35 PDT 2016


--- Comment #11 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 285914
  --> https://bugs.webkit.org/attachment.cgi?id=285914

View in context: https://bugs.webkit.org/attachment.cgi?id=285914&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3474
> +    mathIC->setLeftOperand(leftOperand);
> +    mathIC->setRightOperand(rightOperand);
> +    
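
Review bot: the setLeftOperand()/setRightOperand() calls added at DFGSpeculativeJIT.cpp:3474 carry no comment explaining why the operands have to be set on mathIC at this point, so a later cleanup could drop them as redundant; add a one-line comment saying what depends on them being set here. The last added line of the hunk is whitespace only and should be removed or stripped of its trailing spaces.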

Thanks for identifying the issue.  A few points come to mind:

1. I think this is brittle and hacky because you're setting the SnippetOperands here and then overriding them again later in the generator initialization.  However, I'm not entirely satisfied with any alternatives that I can think of at the moment either (need more consideration).  At minimum, we should have a debug build flag in the Generator that says that it isn't (or its snippetOperands aren't) initialized yet, and assert on that flag in JITMathIC::isLeftOperandValidConstant() and isRightOperandValidConstant().

2. Can you add some tests that show that this is broken (unless existing tests can already cover this)?  This will come in handy if someone accidentally breaks this in the future.  The assertions suggested in (1) should make it easier to test.

