68189 2011-09-15 14:09:09 -0700 DFG speculative JIT sometimes asserts that a value is not a number even when it doesn't know anything about the number 2011-09-15 14:53:44 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 fpizlo webkit-unassigned barraclough fpizlo ggaren oliver oldest_to_newest 468068 0 fpizlo 2011-09-15 14:09:09 -0700 The DFG speculative JIT makes use of the isKnownNotNumber() method, which returns true if the GenerationInfo reports that the value is neither an integer nor a double. But that means that it will return true if the GenerationInfo is either DataFormatNone or DataFormatJS, which means that we actually know nothing about the value. This results in poor speculations on ValueAdd in release builds, and assertion falues in debug builds. 468072 1 107550 fpizlo 2011-09-15 14:12:36 -0700 Created attachment 107550 the patch 468100 2 fpizlo 2011-09-15 14:53:44 -0700 Landed in r95233. 107550 2011-09-15 14:12:36 -0700 2011-09-15 14:17:53 -0700 the patch correctnotnumber_patch_1.diff text/plain 2201 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTUyMjYpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAK KzIwMTEtMDktMTUgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE Rkcgc3BlY3VsYXRpdmUgSklUIHNvbWV0aW1lcyBhc3NlcnRzIHRoYXQgYSB2YWx1ZSBpcyBub3Qg YSBudW1iZXIKKyAgICAgICAgZXZlbiB3aGVuIGl0IGRvZXNuJ3Qga25vdyBhbnl0aGluZyBhYm91 dCB0aGUgbnVtYmVyCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNn aT9pZD02ODE4OQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAg ICAgICogZGZnL0RGR0dlbmVyYXRpb25JbmZvLmg6CisgICAgICAgIChKU0M6OkRGRzo6R2VuZXJh dGlvbkluZm86OmlzVW5rbm93bkpTKToKKyAgICAgICAgKiBkZmcvREZHSklUQ29kZUdlbmVyYXRv ci5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6SklUQ29kZUdlbmVyYXRvcjo6aXNLbm93bk5vdE51 bWJlcik6CisKIDIwMTEtMDktMTUgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KIAog ICAgICAgICBVbnJldmlld2VkIGJ1aWxkIGZpeCBmb3IgcGxhdGZvcm1zIHRoYXQgZXhwZWN0IGEg bGlua2FibGUgc3ltYm9sCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0dlbmVy YXRpb25JbmZvLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdH ZW5lcmF0aW9uSW5mby5oCShyZXZpc2lvbiA5NTIyMSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS9kZmcvREZHR2VuZXJhdGlvbkluZm8uaAkod29ya2luZyBjb3B5KQpAQCAtMjU5LDYgKzI1OSwx MiBAQCBwdWJsaWM6CiAgICAgewogICAgICAgICByZXR1cm4gaXNKU0Zvcm1hdChEYXRhRm9ybWF0 SlNCb29sZWFuKTsKICAgICB9CisgICAgCisgICAgYm9vbCBpc1Vua25vd25KUygpCisgICAgewor ICAgICAgICByZXR1cm4gcmVnaXN0ZXJGb3JtYXQoKSA9PSBEYXRhRm9ybWF0Tm9uZSB8fCByZWdp c3RlckZvcm1hdCgpID09IERhdGFGb3JtYXRKUworICAgICAgICAgICAgfHwgc3BpbGxGb3JtYXQo KSA9PSBEYXRhRm9ybWF0Tm9uZSB8fCBzcGlsbEZvcm1hdCgpID09IERhdGFGb3JtYXRKUzsKKyAg ICB9CiAKICAgICAvLyBHZXQgdGhlIG1hY2hpbmUgcmVzaXN0ZXIgY3VycmVudGx5IGhvbGRpbmcg dGhlIHZhbHVlLgogICAgIEdQUlJlZyBncHIoKSB7IEFTU0VSVChtX3JlZ2lzdGVyRm9ybWF0ICYm IG1fcmVnaXN0ZXJGb3JtYXQgIT0gRGF0YUZvcm1hdERvdWJsZSk7IHJldHVybiB1LmdwcjsgfQpJ bmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdKSVRDb2RlR2VuZXJhdG9yLmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0pJVENvZGVHZW5lcmF0 b3IuY3BwCShyZXZpc2lvbiA5NTIyMSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZH SklUQ29kZUdlbmVyYXRvci5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTQxMiw3ICs0MTIsNyBAQCBi b29sIEpJVENvZGVHZW5lcmF0b3I6OmlzS25vd25Ob3ROdW1iZXIoCiAgICAgVmlydHVhbFJlZ2lz dGVyIHZpcnR1YWxSZWdpc3RlciA9IG5vZGUudmlydHVhbFJlZ2lzdGVyKCk7CiAgICAgR2VuZXJh dGlvbkluZm8mIGluZm8gPSBtX2dlbmVyYXRpb25JbmZvW3ZpcnR1YWxSZWdpc3Rlcl07CiAgICAg Ci0gICAgcmV0dXJuICghaW5mby5pc0pTRG91YmxlKCkgJiYgIWluZm8uaXNKU0ludGVnZXIoKSkK KyAgICByZXR1cm4gKCFpbmZvLmlzSlNEb3VibGUoKSAmJiAhaW5mby5pc0pTSW50ZWdlcigpICYm ICFpbmZvLmlzVW5rbm93bkpTKCkpCiAgICAgICAgIHx8IChub2RlLmlzQ29uc3RhbnQoKSAmJiAh aXNOdW1iZXJDb25zdGFudChub2RlSW5kZXgpKTsKIH0KIAo=