WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
64330
DFG speculative JIT does not guard itself against floating point speculation failures on non-floating-point constants
https://bugs.webkit.org/show_bug.cgi?id=64330
Summary
DFG speculative JIT does not guard itself against floating point speculation ...
Filip Pizlo
Reported
2011-07-11 17:09:12 PDT
The DFG speculative JIT may speculate that a value is a double, even though there may be operations that set it to a non-double constant. Such static speculation failures are benign if the JIT notices them and performs the appropriate evasive action. Unfortunately, the DFG JIT does not do this in this particular case (SetLocal to a speculate-double from a non-double JSConstant), which causes crashes when the fillFPR code wants to refill the register.
Attachments
the patch
(1.84 KB, patch)
2011-07-11 17:15 PDT
,
Filip Pizlo
no flags
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Filip Pizlo
Comment 1
2011-07-11 17:15:22 PDT
Created
attachment 100386
[details]
the patch
WebKit Review Bot
Comment 2
2011-07-11 18:10:20 PDT
Comment on
attachment 100386
[details]
the patch Clearing flags on attachment: 100386 Committed
r90799
: <
http://trac.webkit.org/changeset/90799
>
WebKit Review Bot
Comment 3
2011-07-11 18:10:23 PDT
All reviewed patches have been landed. Closing bug.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug