RESOLVED FIXED 65294
DFG JIT - may speculate based on wrong arguments. 
https://bugs.webkit.org/show_bug.cgi?id=65294
Summary DFG JIT - may speculate based on wrong arguments.
Gavin Barraclough
Reported 2011-07-27 16:38:40 PDT
In the case of a DFG compiled function calling to and compiling a second function that also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp), we call compileFor passing the caller functions exec state, rather than the callee's. This may lead to mis-optimization, since the DFG compiler will example the exec state's arguments on the assumption that these will be passed to the callee - it is wanting the callee exec state, not the caller's exec state. Fixing this for all cases of compilation is tricksy, due to the way the numeric sort function is compiled, & the structure of the calls in the Interpreter::execute methods. Only fix for compilation from the JIT, in other calls don't speculate based on arguments for now.
Attachments
The patch (9.02 KB, patch)
2011-07-27 16:40 PDT, Gavin Barraclough 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Gavin Barraclough
Comment 1 2011-07-27 16:40:44 PDT
Created attachment 102202 [details] The patch No performance impact
Gavin Barraclough
Comment 2 2011-07-27 20:30:40 PDT
Fixed in r91883
Note You need to log in before you can comment on or make changes to this bug.