Bug 74463

Summary:

DFG OSR exit for UInt32ToNumber should roll forward, not roll backward

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	barraclough: review+

Filip Pizlo

Reported 2011-12-13 16:40:26 PST

Once we get to a UInt32ToNumber node, we may no longer have the state necessary to execute the bytecode operation that the UInt32ToNumber belongs to. So a standard OSR exit, which relies on rolling execution state backwards, won't work. But we have all of the information necessary to roll execution forward. We should do that instead.

Attachments
the patch (29.26 KB, patch) 2011-12-13 16:53 PST, Filip Pizlo	barraclough: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2011-12-13 16:53:53 PST

Created attachment 119109 [details] the patch

Filip Pizlo

Comment 2 2011-12-13 17:47:49 PST

Landed in http://trac.webkit.org/changeset/102723

Note You need to log in before you can comment on or make changes to this bug.