Bug 128155

Summary: ASSERT in speculateMachineInt on 32-bit platforms
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Mark Hahnenberg
Reported 2014-02-03 19:47:25 PST
Patch on the way.
Attachments
Patch (1.33 KB, patch)
2014-02-03 19:49 PST, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (1.31 KB, patch)
2014-02-04 10:15 PST, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2014-02-03 19:49:16 PST
Created attachment 223064 [details] Patch
Geoffrey Garen
Comment 2 2014-02-03 19:50:49 PST
Comment on attachment 223064 [details] Patch r=me
Filip Pizlo
Comment 3 2014-02-04 08:48:12 PST
Comment on attachment 223064 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=223064&action=review > Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:139 > if (type == SpecInt52AsDouble) > - type = SpecInt52; > + type = enableInt52() ? SpecInt52 : SpecDouble; I'm pretty sure this is wrong and will result in worse optimizations on 32-bit. In particular, you're claiming that if something was representable as an in52 (i.e. it's non-fractional and not-NaN and not infinity), then it's SpecDouble, which means "this value can be an integer, or a real, or infinity, or NaN, etc". So, this is not the right fix. You should have instead just made this say: if (type == SpecInt52AsDouble && enableInt52()) type = SpecInt52;
Mark Hahnenberg
Comment 4 2014-02-04 08:49:27 PST
> You should have instead just made this say: > > if (type == SpecInt52AsDouble && enableInt52()) > type = SpecInt52; But what happens when !enableInt52()? Is it valid for the speculated type to be SpecInt52AsDouble on 32-bit platforms?
Filip Pizlo
Comment 5 2014-02-04 10:12:47 PST
(In reply to comment #4) > > You should have instead just made this say: > > > > if (type == SpecInt52AsDouble && enableInt52()) > > type = SpecInt52; > > But what happens when !enableInt52()? Is it valid for the speculated type to be SpecInt52AsDouble on 32-bit platforms? Yes.
Mark Hahnenberg
Comment 6 2014-02-04 10:15:28 PST
Created attachment 223135 [details] Patch
Mark Hahnenberg
Comment 7 2014-02-04 11:05:05 PST
Committed r163391: <http://trac.webkit.org/changeset/163391>
Note You need to log in before you can comment on or make changes to this bug.