[Webkit-unassigned] [Bug 196582] New: [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
bugzilla-daemon at webkit.org
Wed Apr 3 17:15:50 PDT 2019
https://bugs.webkit.org/show_bug.cgi?id=196582
Bug ID: 196582
Summary: [JSC] OSRExit recovery for SpeculativeAdd does not consider "A = A + A" pattern
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ysuzuki at apple.com
We have code like this.

    SpeculateInt32Operand op1(this, node->child1());
    SpeculateInt32Operand op2(this, node->child2());
    GPRTemporary result(this, Reuse, op1, op2);

    GPRReg gpr1 = op1.gpr();
    GPRReg gpr2 = op2.gpr();
    GPRReg gprResult = result.gpr();

    if (!shouldCheckOverflow(node->arithMode()))
        m_jit.add32(gpr1, gpr2, gprResult);
    else {
        MacroAssembler::Jump check = m_jit.branchAdd32(MacroAssembler::Overflow, gpr1, gpr2, gprResult);

        if (gpr1 == gprResult)
            speculationCheck(Overflow, JSValueRegs(), 0, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr2));
        else if (gpr2 == gprResult)
            speculationCheck(Overflow, JSValueRegs(), 0, check, SpeculationRecovery(SpeculativeAdd, gprResult, gpr1));
        else
            speculationCheck(Overflow, JSValueRegs(), 0, check);
    }

And the recovery-side code is the following.

    jit.sub32(recovery->src(), recovery->dest());
If gpr1 = gpr2 = gprResult (this can happen if child1 and child2 are the same and GPRTemporary Reuse works), the result becomes zero accidentally.
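To make the failure concrete, here is an added C model of the register-level behaviour described in the report (constructed for this note, not JavaScriptCore code). It reproduces the overflow-checked add, the `sub32(src, dest)` recovery, and the aliased `A = A + A` case where that recovery returns 0; the `recover_speculative_add_self` routine is an assumed alternative recovery for the aliased case, not necessarily the fix the project committed.

```c
#include <stdbool.h>
#include <stdint.h>

typedef struct { uint32_t r[2]; } RegFile; /* constructed: index 0 = gpr1/gprResult, 1 = gpr2 */

/* branchAdd32(Overflow, src1, src2, dest): dest = src1 + src2 with 32-bit
 * wraparound; returns true when the signed add overflowed (the OSR exit). */
static bool branch_add32(RegFile *rf, int src1, int src2, int dest) {
    int64_t wide = (int64_t)(int32_t)rf->r[src1] + (int64_t)(int32_t)rf->r[src2];
    rf->r[dest] = (uint32_t)wide;
    return wide > INT32_MAX || wide < INT32_MIN;
}

/* The recovery quoted in the report: sub32(src, dest) => dest = dest - src.
 * It undoes the add only while src is a distinct register still holding
 * the other operand; when src == dest it computes dest - dest == 0. */
static void recover_speculative_add(RegFile *rf, int src, int dest) {
    rf->r[dest] -= rf->r[src];
}

/* Assumed fix for the aliased case: overflow means the true sum 2A is the
 * wrapped value +/- 2^32, and halving that exact sum gives A back. */
static void recover_speculative_add_self(RegFile *rf, int dest) {
    int64_t wrapped = (int32_t)rf->r[dest];
    int64_t true_sum = wrapped < 0 ? wrapped + (1LL << 32) : wrapped - (1LL << 32);
    rf->r[dest] = (uint32_t)(int32_t)(true_sum / 2);
}

/* op1 and op2 in different registers, result reusing op1's register
 * (the gpr1 == gprResult branch). Returns gprResult after the exit path. */
uint32_t exit_value_distinct(uint32_t a, uint32_t b) {
    RegFile rf = { { a, b } };
    int gpr1 = 0, gpr2 = 1, gprResult = 0;
    if (branch_add32(&rf, gpr1, gpr2, gprResult))
        recover_speculative_add(&rf, gpr2, gprResult);
    return rf.r[gprResult];
}

/* child1 == child2 and Reuse folded everything into one register:
 * gpr1 == gpr2 == gprResult, the "A = A + A" pattern from the report. */
uint32_t exit_value_aliased(uint32_t a, bool fixed) {
    RegFile rf = { { a, 0 } };
    int gpr1 = 0, gpr2 = 0, gprResult = 0;
    if (branch_add32(&rf, gpr1, gpr2, gprResult)) {
        if (fixed) recover_speculative_add_self(&rf, gprResult);
        else recover_speculative_add(&rf, gpr2, gprResult); /* yields 0 */
    }
    return rf.r[gprResult];
}
```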