WebKit Bugzilla
New
Browse
Search+
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
64254
DFG Speculative JIT does not always insert speculation checks when speculating arrays
https://bugs.webkit.org/show_bug.cgi?id=64254
Summary
DFG Speculative JIT does not always insert speculation checks when speculatin...
Filip Pizlo
Reported
2011-07-11 01:37:36 PDT
The DFG Speculative JIT attempts to guess the type of variables. Sometimes, it guesses that a variable is an array. The JIT should insert checking code that validates that variables that are speculate-array are actually arrays. However, the JIT does not insert these checks at PutLocal instructions, even though subsequent code assumes that specualte-array variables that are retrieved via GetLocal are already validated.
Attachments
the patch
(1.90 KB, patch)
2011-07-11 01:49 PDT
,
Filip Pizlo
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Filip Pizlo
Comment 1
2011-07-11 01:49:16 PDT
Created
attachment 100254
[details]
the patch
Alexey Proskuryakov
Comment 2
2011-07-11 10:21:24 PDT
Is there a reason why this doesn't have a regression test?
WebKit Review Bot
Comment 3
2011-07-11 11:39:29 PDT
Comment on
attachment 100254
[details]
the patch Clearing flags on attachment: 100254 Committed
r90768
: <
http://trac.webkit.org/changeset/90768
>
WebKit Review Bot
Comment 4
2011-07-11 11:39:33 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug