Bug 69702

Summary:

JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot

Product:

WebKit

Reporter:

Yuqiang Xian <yuqiang.xian>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, fpizlo, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
the patch	none

Description Yuqiang Xian 2011-10-08 07:50:13 PDT

There are some errors in generating code for Branch and LogicalNot, when the operand is predicted as ObjectOrOther.
This fix together with another uncommitted bug #69699 make the JSVALUE32_64 DFG JIT pass the JavaScriptCore tests with op_call/op_construct supports turned on (i.e. on Linux ia32 they both have 57/1127 failure rate).

Comment 1 Yuqiang Xian 2011-10-08 07:54:55 PDT

Created attachment 110271 [details]
the patch

Comment 2 Filip Pizlo 2011-10-08 12:36:06 PDT

Comment on attachment 110271 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=110271&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:560
>      speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::UndefinedTag)));

It's sad that we need two branches here. :-(  But I think that we can optimize this later; more important is that your version is safer and more likely to be correct.

Comment 3 WebKit Review Bot 2011-10-08 13:39:09 PDT

Comment on attachment 110271 [details]
the patch

Clearing flags on attachment: 110271

Committed r97013: <http://trac.webkit.org/changeset/97013>

Comment 4 WebKit Review Bot 2011-10-08 13:39:14 PDT

All reviewed patches have been landed.  Closing bug.