[Webkit-unassigned] [Bug 154844] New: [DFG] Drop comparison based on speculative types and constants
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Mon Feb 29 20:04:27 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=154844
Bug ID: 154844
Summary: [DFG] Drop comparison based on speculative types and
constants
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: utatane.tea at gmail.com
For example,
if (Int32Speculated < 0x1FFFFFFFFFFFFF)
return Int32Speculated;
return 0x1FFFFFFFFFFFFF;
Since 0x1FFFFFFFFFFFFF is out of range of Int32, if the Int32Speculated is ensured that is Int32 (by edge filtering), this condition should be dropped.
And it should be considered as follows in DFG.
return Int32Speculated;
This case actually happens in @toLength builtin function. We cap length values with 0x1FFFFFFFFFFFFF.
Currently, since 0x1FFFFFFFFFFFFF is double represented value, the result of @toLength is speculated as double.
It leads using double for iteration condition in Array.prototype.{forEach...}
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160301/3bd04646/attachment.html>
More information about the webkit-unassigned
mailing list