Bug 109491

Summary: Strange bug in DFG OSR in JSC
Product: WebKit Reporter: Gabor Rapcsanyi <rgabor>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, fpizlo, ossy, zherczeg
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 108645    
Attachments:
Description Flags
test.js
none
the patch mhahnenberg: review+

Description Gabor Rapcsanyi 2013-02-11 14:28:56 PST 
Somehow a JS function run twice after the DFG optimization.
Comment 1 Gabor Rapcsanyi 2013-02-11 14:37:12 PST 
Created attachment 187677 [details]
test.js

The test output is when DFG starts to work:
1
--> a
--> b
2
--> c
3
1
--> a
--> b
2
--> c
3
1
--> a
--> b
--> a
--> b
2
--> c
3

The output with DFGDisassembly:
https://gist.github.com/rgabor-szeged/4758227

This problem exists on x86-64 and ARM architectures as well.
Comment 2 Filip Pizlo 2013-02-11 14:46:48 PST 
Fascinating ... I'll try to take a look.
Comment 3 Filip Pizlo 2013-02-11 14:56:15 PST 
Yup, this is a fun bug.  Int32ToDouble was being injected at a SetLocal, without realizing that it should be doing a forward exit.
Comment 4 Filip Pizlo 2013-02-11 16:18:55 PST 
Created attachment 187713 [details]
the patch
Comment 5 Mark Hahnenberg 2013-02-11 16:29:28 PST 
Comment on attachment 187713 [details]
the patch

r=me
Comment 6 Filip Pizlo 2013-02-11 16:31:24 PST 
Landed in http://trac.webkit.org/changeset/142544
Comment 7 Csaba Osztrogonác 2013-02-15 03:36:27 PST 
*** Bug 108491 has been marked as a duplicate of this bug. ***