73286 2011-11-28 22:30:48 -0800 DFG non-X86 ArithDiv does speculation failure after mutating state, without a value recovery 2011-11-28 23:44:32 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 fpizlo webkit-unassigned webkit.review.bot oldest_to_newest 510505 0 fpizlo 2011-11-28 22:30:48 -0800 ArithDiv on non-X86 that was speculating integer will perform a double division, attempt to convert to an integer, and then do a speculation failure if the conversion failed. Unfortunately, by the time this speculation check is hit, we have already mutated the registers holding the inputs to the division, which will likely cause the OSR exit code to incorrectly set up the state for the old JIT to reexecute the division. 510506 1 116899 fpizlo 2011-11-28 22:32:26 -0800 Created attachment 116899 the patch 510539 2 116899 webkit.review.bot 2011-11-28 23:44:28 -0800 Comment on attachment 116899 the patch Clearing flags on attachment: 116899 Committed r101332: <http://trac.webkit.org/changeset/101332> 510540 3 webkit.review.bot 2011-11-28 23:44:32 -0800 All reviewed patches have been landed. Closing bug. 116899 2011-11-28 22:32:26 -0800 2011-11-28 23:44:28 -0800 the patch fixarithdiv_patch_1.diff text/plain 3439 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTAxMzI3KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBA CisyMDExLTExLTI4ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg REZHIG5vbi1YODYgQXJpdGhEaXYgZG9lcyBzcGVjdWxhdGlvbiBmYWlsdXJlIGFmdGVyIG11dGF0 aW5nIHN0YXRlLAorICAgICAgICB3aXRob3V0IGEgdmFsdWUgcmVjb3ZlcnkKKyAgICAgICAgaHR0 cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTczMjg2CisKKyAgICAgICAgUmV2 aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBkZmcvREZHU3BlY3VsYXRpdmVK SVQzMl82NC5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6U3BlY3VsYXRpdmVKSVQ6OmNvbXBpbGUp OgorCiAyMDExLTExLTI4ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CiAKICAgICAg ICAgVW5yZXZpZXdlZCBidWlsZCBmaXhlcyBmb3IgQVJNLgpJbmRleDogU291cmNlL0phdmFTY3Jp cHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVDMyXzY0LmNwcAo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3Vy Y2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklUMzJfNjQuY3BwCShyZXZpc2lv biAxMDEzMjMpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1NwZWN1bGF0aXZlSklU MzJfNjQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yNDAwLDggKzI0MDAsOCBAQCB2b2lkIFNwZWN1 bGF0aXZlSklUOjpjb21waWxlKE5vZGUmIG5vZGUpCiAgICAgfQogCiAgICAgY2FzZSBBcml0aERp djogewotI2lmIENQVShYODYpCiAgICAgICAgIGlmIChOb2RlOjpzaG91bGRTcGVjdWxhdGVJbnRl Z2VyKGF0KG5vZGUuY2hpbGQxKCkpLCBhdChub2RlLmNoaWxkMigpKSkgJiYgbm9kZS5jYW5TcGVj dWxhdGVJbnRlZ2VyKCkpIHsKKyNpZiBDUFUoWDg2KQogICAgICAgICAgICAgU3BlY3VsYXRlSW50 ZWdlck9wZXJhbmQgb3AxKHRoaXMsIG5vZGUuY2hpbGQxKCkpOwogICAgICAgICAgICAgU3BlY3Vs YXRlSW50ZWdlck9wZXJhbmQgb3AyKHRoaXMsIG5vZGUuY2hpbGQyKCkpOwogICAgICAgICAgICAg R1BSVGVtcG9yYXJ5IGVheCh0aGlzLCBYODZSZWdpc3RlcnM6OmVheCk7CkBAIC0yNDM4LDkgKzI0 MzgsMjkgQEAgdm9pZCBTcGVjdWxhdGl2ZUpJVDo6Y29tcGlsZShOb2RlJiBub2RlKQogICAgICAg ICAgICAgc3BlY3VsYXRpb25DaGVjayhKU1ZhbHVlUmVncygpLCBOb05vZGUsIG1faml0LmJyYW5j aFRlc3QzMihKSVRDb21waWxlcjo6Tm9uWmVybywgZWR4LmdwcigpKSk7CiAgICAgICAgICAgICAK ICAgICAgICAgICAgIGludGVnZXJSZXN1bHQoZWF4LmdwcigpLCBtX2NvbXBpbGVJbmRleCk7Cisj ZWxzZSAvLyBDUFUoWDg2KSAtPiBzbyBub24tWDg2IGNvZGUgZm9sbG93cworICAgICAgICAgICAg U3BlY3VsYXRlRG91YmxlT3BlcmFuZCBvcDEodGhpcywgbm9kZS5jaGlsZDEoKSk7CisgICAgICAg ICAgICBTcGVjdWxhdGVEb3VibGVPcGVyYW5kIG9wMih0aGlzLCBub2RlLmNoaWxkMigpKTsKKyAg ICAgICAgICAgIEZQUlRlbXBvcmFyeSByZXN1bHQodGhpcyk7CisgICAgICAgICAgICBGUFJUZW1w b3Jhcnkgc2NyYXRjaCh0aGlzKTsKKyAgICAgICAgICAgIEdQUlRlbXBvcmFyeSBpbnRSZXN1bHQo dGhpcyk7CisgICAgICAgICAgICAKKyAgICAgICAgICAgIEZQUlJlZyBvcDFGUFIgPSBvcDEuZnBy KCk7CisgICAgICAgICAgICBGUFJSZWcgb3AyRlBSID0gb3AyLmZwcigpOworICAgICAgICAgICAg RlBSUmVnIHJlc3VsdEZQUiA9IHJlc3VsdC5mcHIoKTsKKyAgICAgICAgICAgIEZQUlJlZyBzY3Jh dGNoRlBSID0gc2NyYXRjaC5mcHIoKTsKKyAgICAgICAgICAgIEdQUlJlZyByZXN1bHRHUFIgPSBp bnRSZXN1bHQuZ3ByKCk7CisgICAgICAgICAgICAKKyAgICAgICAgICAgIG1faml0LmRpdkRvdWJs ZShvcDFGUFIsIG9wMkZQUiwgcmVzdWx0RlBSKTsKKyAgICAgICAgICAgIAorICAgICAgICAgICAg SklUQ29tcGlsZXI6Okp1bXBMaXN0IGZhaWx1cmVDYXNlczsKKyAgICAgICAgICAgIG1faml0LmJy YW5jaENvbnZlcnREb3VibGVUb0ludDMyKHJlc3VsdEZQUiwgcmVzdWx0R1BSLCBmYWlsdXJlQ2Fz ZXMsIHNjcmF0Y2hGUFIpOworICAgICAgICAgICAgc3BlY3VsYXRpb25DaGVjayhKU1ZhbHVlUmVn cygpLCBOb05vZGUsIGZhaWx1cmVDYXNlcyk7CisKKyAgICAgICAgICAgIGludGVnZXJSZXN1bHQo cmVzdWx0R1BSLCBtX2NvbXBpbGVJbmRleCk7CisjZW5kaWYgLy8gQ1BVKFg4NikKICAgICAgICAg ICAgIGJyZWFrOwogICAgICAgICB9Ci0jZW5kaWYKICAgICAgICAgCiAgICAgICAgIFNwZWN1bGF0 ZURvdWJsZU9wZXJhbmQgb3AxKHRoaXMsIG5vZGUuY2hpbGQxKCkpOwogICAgICAgICBTcGVjdWxh dGVEb3VibGVPcGVyYW5kIG9wMih0aGlzLCBub2RlLmNoaWxkMigpKTsKQEAgLTI0NTAsMjAgKzI0 NzAsNiBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpjb21waWxlKE5vZGUmIG5vZGUpCiAgICAgICAg IEZQUlJlZyByZWcyID0gb3AyLmZwcigpOwogICAgICAgICBtX2ppdC5kaXZEb3VibGUocmVnMSwg cmVnMiwgcmVzdWx0LmZwcigpKTsKIAotI2lmICFDUFUoWDg2KQotICAgICAgICBpZiAoTm9kZTo6 c2hvdWxkU3BlY3VsYXRlSW50ZWdlcihhdChub2RlLmNoaWxkMSgpKSwgYXQobm9kZS5jaGlsZDIo KSkpICYmIG5vZGUuY2FuU3BlY3VsYXRlSW50ZWdlcigpKSB7Ci0gICAgICAgICAgICBGUFJUZW1w b3Jhcnkgc2NyYXRjaCh0aGlzLCBvcDIpOwotICAgICAgICAgICAgR1BSVGVtcG9yYXJ5IGludFJl c3VsdCh0aGlzKTsKLQotICAgICAgICAgICAgSklUQ29tcGlsZXI6Okp1bXBMaXN0IGZhaWx1cmVD YXNlczsKLSAgICAgICAgICAgIG1faml0LmJyYW5jaENvbnZlcnREb3VibGVUb0ludDMyKHJlc3Vs dC5mcHIoKSwgaW50UmVzdWx0LmdwcigpLCBmYWlsdXJlQ2FzZXMsIHNjcmF0Y2guZnByKCkpOwot ICAgICAgICAgICAgc3BlY3VsYXRpb25DaGVjayhKU1ZhbHVlUmVncygpLCBOb05vZGUsIGZhaWx1 cmVDYXNlcyk7Ci0KLSAgICAgICAgICAgIGludGVnZXJSZXN1bHQoaW50UmVzdWx0LmdwcigpLCBt X2NvbXBpbGVJbmRleCk7Ci0gICAgICAgICAgICBicmVhazsKLSAgICAgICAgfQotI2VuZGlmCi0K ICAgICAgICAgZG91YmxlUmVzdWx0KHJlc3VsdC5mcHIoKSwgbV9jb21waWxlSW5kZXgpOwogICAg ICAgICBicmVhazsKICAgICB9Cg==