Bug 69702

Summary: JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
Product: WebKit Reporter: Yuqiang Xian <yuqiang.xian>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch none

Yuqiang Xian
Reported 2011-10-08 07:50:13 PDT
There are some errors in generating code for Branch and LogicalNot, when the operand is predicted as ObjectOrOther. This fix together with another uncommitted bug #69699 make the JSVALUE32_64 DFG JIT pass the JavaScriptCore tests with op_call/op_construct supports turned on (i.e. on Linux ia32 they both have 57/1127 failure rate).
Attachments
the patch (2.79 KB, patch)
2011-10-08 07:54 PDT, Yuqiang Xian 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yuqiang Xian
Comment 1 2011-10-08 07:54:55 PDT
Created attachment 110271 [details] the patch
Filip Pizlo
Comment 2 2011-10-08 12:36:06 PDT
Comment on attachment 110271 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=110271&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:560 > speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::UndefinedTag))); It's sad that we need two branches here. :-( But I think that we can optimize this later; more important is that your version is safer and more likely to be correct.
WebKit Review Bot
Comment 3 2011-10-08 13:39:09 PDT
Comment on attachment 110271 [details] the patch Clearing flags on attachment: 110271 Committed r97013: <http://trac.webkit.org/changeset/97013>
WebKit Review Bot
Comment 4 2011-10-08 13:39:14 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.