65233 2011-07-26 22:34:59 -0700 DFG JIT speculation failure code performs incorrect conversions in the case where two registers need to be swapped 2011-07-27 00:12:55 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 0 fpizlo webkit-unassigned webkit.review.bot oldest_to_newest 442743 0 fpizlo 2011-07-26 22:34:59 -0700 The DFG JIT speculation failure code is quite optimized, and quite complicated. One special case that it detects, and handles in an efficient way, is where the speculative path would have placed node A in register R1 and node B in register R2, whilst the non-speculative path reversed them: node A in R2, B in R1. Special care must be taken, however, if speculative represents node A (i.e. R1) as an unboxed integer while non-speculative represents node A (i.e. R2) as a boxed integer. This is where the DFG will currently fail. Instead of asking if R1 in speculative has a different register format than R2 in non-speculative, it compares the register formats of R1 in speculative with R1 in non-speculative, despite the fact that R1 is associated with different nodes in the two paths. This may make the speculation failure code miss cases where register formats need to be converted, and in other cases may perform a conversion on the wrong register, thereby causing two register to be corrupt: the one on which an incorrect conversion was performed, and the one on which no conversion was performed. 442744 1 102095 fpizlo 2011-07-26 22:40:09 -0700 Created attachment 102095 the patch Tests still running. Will change to ? once (if) they succeed. 442761 2 102095 webkit.review.bot 2011-07-27 00:12:51 -0700 Comment on attachment 102095 the patch Clearing flags on attachment: 102095 Committed r91825: <http://trac.webkit.org/changeset/91825> 442762 3 webkit.review.bot 2011-07-27 00:12:55 -0700 All reviewed patches have been landed. Closing bug. 102095 2011-07-26 22:40:09 -0700 2011-07-27 00:12:51 -0700 the patch fixswap_patch_1.diff text/plain 2010 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTE4MjMpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTQgQEAK KzIwMTEtMDctMjYgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE RkcgSklUIHNwZWN1bGF0aW9uIGZhaWx1cmUgY29kZSBwZXJmb3JtcyBpbmNvcnJlY3QgY29udmVy c2lvbnMgaW4KKyAgICAgICAgdGhlIGNhc2Ugd2hlcmUgdHdvIHJlZ2lzdGVycyBuZWVkIHRvIGJl IHN3YXBwZWQuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9p ZD02NTIzMworCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorICAgICAgICAK KyAgICAgICAgKiBkZmcvREZHSklUQ29tcGlsZXIuY3BwOgorICAgICAgICAoSlNDOjpERkc6Okdl bmVyYWxpemVkUmVnaXN0ZXI6OnN3YXBXaXRoKToKKwogMjAxMS0wNy0yNiAgRmlsaXAgUGl6bG8g IDxmcGl6bG9AYXBwbGUuY29tPgogCiAgICAgICAgIEpTQyBjb21tYW5kLWxpbmUgdG9vbCBkb2Vz IG5vdCBjb21lIHdpdGggYW55IGZhY2lsaXR5IGZvcgpJbmRleDogU291cmNlL0phdmFTY3JpcHRD b3JlL2RmZy9ERkdKSVRDb21waWxlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3Jp cHRDb3JlL2RmZy9ERkdKSVRDb21waWxlci5jcHAJKHJldmlzaW9uIDkxODIzKQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL2RmZy9ERkdKSVRDb21waWxlci5jcHAJKHdvcmtpbmcgY29weSkKQEAg LTI0NCwxNSArMjQ0LDE1IEBAIHB1YmxpYzoKICAgICAgICAgCiAgICAgICAgIGppdC5zd2FwKGdw cigpLCBvdGhlci5ncHIoKSk7CiAgICAgICAgIAotICAgICAgICBpZiAoVU5MSUtFTFkobmVlZERh dGFGb3JtYXRDb252ZXJzaW9uKG15RGF0YUZvcm1hdCwgbXlOZXdEYXRhRm9ybWF0KSkpIHsKLSAg ICAgICAgICAgIGlmIChteURhdGFGb3JtYXQgPT0gRGF0YUZvcm1hdEludGVnZXIpCisgICAgICAg IGlmIChVTkxJS0VMWShuZWVkRGF0YUZvcm1hdENvbnZlcnNpb24ob3RoZXJEYXRhRm9ybWF0LCBt eU5ld0RhdGFGb3JtYXQpKSkgeworICAgICAgICAgICAgaWYgKG90aGVyRGF0YUZvcm1hdCA9PSBE YXRhRm9ybWF0SW50ZWdlcikKICAgICAgICAgICAgICAgICBqaXQub3JQdHIoR1BSSW5mbzo6dGFn VHlwZU51bWJlclJlZ2lzdGVyLCBncHIoKSk7CiAgICAgICAgICAgICBlbHNlIGlmIChteU5ld0Rh dGFGb3JtYXQgPT0gRGF0YUZvcm1hdEludGVnZXIpCiAgICAgICAgICAgICAgICAgaml0Lnplcm9F eHRlbmQzMlRvUHRyKGdwcigpLCBncHIoKSk7CiAgICAgICAgIH0KICAgICAgICAgCi0gICAgICAg IGlmIChVTkxJS0VMWShuZWVkRGF0YUZvcm1hdENvbnZlcnNpb24ob3RoZXJEYXRhRm9ybWF0LCBt eU5ld0RhdGFGb3JtYXQpKSkgewotICAgICAgICAgICAgaWYgKG90aGVyRGF0YUZvcm1hdCA9PSBE YXRhRm9ybWF0SW50ZWdlcikKKyAgICAgICAgaWYgKFVOTElLRUxZKG5lZWREYXRhRm9ybWF0Q29u dmVyc2lvbihteURhdGFGb3JtYXQsIG90aGVyTmV3RGF0YUZvcm1hdCkpKSB7CisgICAgICAgICAg ICBpZiAobXlEYXRhRm9ybWF0ID09IERhdGFGb3JtYXRJbnRlZ2VyKQogICAgICAgICAgICAgICAg IGppdC5vclB0cihHUFJJbmZvOjp0YWdUeXBlTnVtYmVyUmVnaXN0ZXIsIG90aGVyLmdwcigpKTsK ICAgICAgICAgICAgIGVsc2UgaWYgKG90aGVyTmV3RGF0YUZvcm1hdCA9PSBEYXRhRm9ybWF0SW50 ZWdlcikKICAgICAgICAgICAgICAgICBqaXQuemVyb0V4dGVuZDMyVG9QdHIob3RoZXIuZ3ByKCks IG90aGVyLmdwcigpKTsK