Bug 74463

Summary:

DFG OSR exit for UInt32ToNumber should roll forward, not roll backward

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	barraclough: review+

Description Filip Pizlo 2011-12-13 16:40:26 PST

Once we get to a UInt32ToNumber node, we may no longer have the state necessary to execute the bytecode operation that the UInt32ToNumber belongs to. So a standard OSR exit, which relies on rolling execution state backwards, won't work.  But we have all of the information necessary to roll execution forward.  We should do that instead.

Comment 1 Filip Pizlo 2011-12-13 16:53:53 PST

Created attachment 119109 [details]
the patch

Comment 2 Filip Pizlo 2011-12-13 17:47:49 PST

Landed in http://trac.webkit.org/changeset/102723