Bug 109491

Summary: Strange bug in DFG OSR in JSC
Product: WebKit
Reporter: Gabor Rapcsanyi <rgabor>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: darin, fpizlo, ossy, zherczeg
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 108645

Gabor Rapcsanyi
Reported 2013-02-11 14:28:56 PST
Somehow a JS function runs twice after the DFG optimization.
Attachments
test.js (468 bytes, application/javascript)
  2013-02-11 14:37 PST, Gabor Rapcsanyi
  no flags
the patch (55.87 KB, patch)
  2013-02-11 16:18 PST, Filip Pizlo
  mhahnenberg: review+
Gabor Rapcsanyi
Comment 1 2013-02-11 14:37:12 PST
Created attachment 187677 [details]
test.js

The test output when the DFG starts to work is:

1 --> a --> b 2 --> c 3
1 --> a --> b 2 --> c 3
1 --> a --> b --> a --> b 2 --> c 3

The output with DFGDisassembly: https://gist.github.com/rgabor-szeged/4758227

This problem exists on x86-64 and ARM architectures as well.
Filip Pizlo
Comment 2 2013-02-11 14:46:48 PST
Fascinating ... I'll try to take a look.
Filip Pizlo
Comment 3 2013-02-11 14:56:15 PST
Yup, this is a fun bug. Int32ToDouble was being injected at a SetLocal, without realizing that it should be doing a forward exit.
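The symptom in comment 1 is that one call of the test function printed "--> a --> b" twice: the optimized DFG code exited to baseline code at a point before side effects that had already executed, so those side effects were replayed. A forward exit (resuming after the SetLocal rather than before it) avoids that. The following is an added example, not the attached test.js (its contents are not on this page) and not JavaScriptCore code: a small checker that splits a flat log into per-call segments and flags any call whose trace deviates from the expected six entries, applied both to the output quoted in comment 1 and to a constructed function with the same side-effect shape (an int32 local that is later assigned a double). The function `traced`, its argument pattern and the expected trace are assumptions for illustration.

```javascript
// Added example (not the attached test.js and not JSC code): a checker for
// the symptom in this bug, side effects replayed after an OSR exit from DFG
// code. Assumption: each call of the test function logs these six entries.
const EXPECTED = ["1", "--> a", "--> b", "2", "--> c", "3"];

// The output quoted in comment 1, copied as one whitespace-joined string.
const BUG_OUTPUT =
  "1 --> a --> b 2 --> c 3 1 --> a --> b 2 --> c 3 1 --> a --> b --> a --> b 2 --> c 3";

// Turn the flattened output back into log entries: an arrow token belongs
// with the label that follows it ("-->", "a" becomes "--> a").
function tokenize(flat) {
  const out = [];
  const parts = flat.trim().split(/\s+/);
  for (let i = 0; i < parts.length; i++) {
    if (parts[i] === "-->" && i + 1 < parts.length) {
      out.push("--> " + parts[++i]);
    } else {
      out.push(parts[i]);
    }
  }
  return out;
}

// Split a flat trace into per-call segments; every call begins with "1".
function splitCalls(trace) {
  const calls = [];
  let cur = null;
  for (const entry of trace) {
    if (entry === "1") {
      if (cur) calls.push(cur);
      cur = [];
    }
    if (cur) cur.push(entry);
  }
  if (cur) calls.push(cur);
  return calls;
}

// Indices of calls whose trace deviates from EXPECTED. A replayed prefix
// ("--> a --> b" twice) makes the segment longer than EXPECTED.
function findBadCalls(trace) {
  const bad = [];
  splitCalls(trace).forEach((seg, i) => {
    const same = seg.length === EXPECTED.length &&
      seg.every((s, j) => s === EXPECTED[j]);
    if (!same) bad.push(i);
  });
  return bad;
}

// Constructed function with the same side-effect shape as the quoted output.
// The local `x` starts as an int32 and is later assigned a double, the kind
// of representation change (Int32ToDouble at a SetLocal) that comment 3
// names. Whether an engine optimizes it is not under our control; the point
// is that the checker catches a replay if one happens.
function traced(log, n, k) {
  log("1");
  let x = n;          // int32 value
  log("--> a");
  x = x + k;          // becomes a double once k is fractional
  log("--> b");
  log("2");
  x = x * 2;
  log("--> c");
  log("3");
  return x;
}

// Run `traced` many times, switching the argument type part way through so
// that any int32 speculation has to bail out, and report calls whose trace
// was wrong. `acc` keeps the return value live.
function runRepro(iterations) {
  const trace = [];
  const log = (s) => trace.push(s);
  let acc = 0;
  for (let i = 0; i < iterations; i++) {
    const k = i < iterations / 2 ? 1 : 0.5;   // int32 first, then double
    acc += traced(log, i, k);
  }
  return { calls: splitCalls(trace).length, bad: findBadCalls(trace), acc };
}
```

On the quoted output `findBadCalls(tokenize(BUG_OUTPUT))` returns `[2]`, the third call, which is the one with the doubled "--> a --> b". On an engine without this bug `runRepro(n).bad` is empty for any n.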
Filip Pizlo
Comment 4 2013-02-11 16:18:55 PST
Created attachment 187713 [details] the patch
Mark Hahnenberg
Comment 5 2013-02-11 16:29:28 PST
Comment on attachment 187713 [details]
the patch

r=me
Filip Pizlo
Comment 6 2013-02-11 16:31:24 PST
Csaba Osztrogonác
Comment 7 2013-02-15 03:36:27 PST
*** Bug 108491 has been marked as a duplicate of this bug. ***