128155 – ASSERT in speculateMachineInt on 32-bit platforms

Bug 128155 - ASSERT in speculateMachineInt on 32-bit platforms

Summary: ASSERT in speculateMachineInt on 32-bit platforms

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-02-03 19:47 PST by Mark Hahnenberg
Modified:	2014-02-04 11:05 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Patch (1.33 KB, patch) 2014-02-03 19:49 PST, Mark Hahnenberg	no flags	Details \| Formatted Diff \| Diff
Patch (1.31 KB, patch) 2014-02-04 10:15 PST, Mark Hahnenberg	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2014-02-03 19:47:25 PST

Patch on the way.

Comment 1 Mark Hahnenberg 2014-02-03 19:49:16 PST

Created attachment 223064 [details]
Patch

Comment 2 Geoffrey Garen 2014-02-03 19:50:49 PST

Comment on attachment 223064 [details]
Patch

r=me

Comment 3 Filip Pizlo 2014-02-04 08:48:12 PST

Comment on attachment 223064 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=223064&action=review

> Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:139
>              if (type == SpecInt52AsDouble)
> -                type = SpecInt52;
> +                type = enableInt52() ? SpecInt52 : SpecDouble;

I'm pretty sure this is wrong and will result in worse optimizations on 32-bit.  In particular, you're claiming that if something was representable as an in52 (i.e. it's non-fractional and not-NaN and not infinity), then it's SpecDouble, which means "this value can be an integer, or a real, or infinity, or NaN, etc".  So, this is not the right fix.

You should have instead just made this say:

if (type == SpecInt52AsDouble && enableInt52())
    type = SpecInt52;

Comment 4 Mark Hahnenberg 2014-02-04 08:49:27 PST

> You should have instead just made this say:
> 
> if (type == SpecInt52AsDouble && enableInt52())
>     type = SpecInt52;

But what happens when !enableInt52()? Is it valid for the speculated type to be SpecInt52AsDouble on 32-bit platforms?

Comment 5 Filip Pizlo 2014-02-04 10:12:47 PST

(In reply to comment #4)
> > You should have instead just made this say:
> > 
> > if (type == SpecInt52AsDouble && enableInt52())
> >     type = SpecInt52;
> 
> But what happens when !enableInt52()? Is it valid for the speculated type to be SpecInt52AsDouble on 32-bit platforms?

Yes.

Comment 6 Mark Hahnenberg 2014-02-04 10:15:28 PST

Created attachment 223135 [details]
Patch

Comment 7 Mark Hahnenberg 2014-02-04 11:05:05 PST

Committed r163391: <http://trac.webkit.org/changeset/163391>