[Webkit-unassigned] [Bug 229543] [JSC] ASSERT failed in stress/for-in-tests.js (32bit)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Sep 3 12:58:25 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=229543
--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 437283
--> https://bugs.webkit.org/attachment.cgi?id=437283
v1
View in context: https://bugs.webkit.org/attachment.cgi?id=437283&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13659
> + // Zero out modeGPR, it's not used anymore and we might want to reuse it.
> + m_jit.xorPtr(modeGPR, modeGPR);
I don't think this is necessary.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13699
> + // We can reuse modeGPR, since it's not used anymore. This reduces a bit the register pressure in some architectures.
> + storageGPR = modeGPR;
I think this is not correct. modeGPR comes from SpeculateStrictInt32Operand. This means that some other node can expect that this register still contains the value for mode.
If we change it, then we will break that.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20210903/0e63a470/attachment.htm>
More information about the webkit-unassigned
mailing list