Bug 65334 - DFG JIT does not have any way of undoing double speculation
Summary: DFG JIT does not have any way of undoing double speculation
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-28 12:15 PDT by Filip Pizlo
Modified: 2011-07-29 15:40 PDT (History)
3 users (show)

See Also:

Attachments
the patch (13.31 KB, patch)
2011-07-28 12:19 PDT, Filip Pizlo 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2011-07-28 12:15:26 PDT 
The DFG JIT may speculate that a value is double if it has no evidence that it is an integer, but it has evidence that it should be a number.  But doing so means that integers will turn into doubles.  Doubles are less efficient than integers in certain cases, such as for performing GetByVal accesses.  The DFG JIT should have some way of undoing double speculation when jumping to non-speculative code - that is, attempting to convert doubles back to integers so as to prevent the non-speculative code does not have to take even deeper slow paths when doing array accesses.
Comment 1 Filip Pizlo 2011-07-28 12:19:26 PDT 
Created attachment 102284 [details]
the patch
Comment 2 WebKit Review Bot 2011-07-29 15:40:17 PDT 
Comment on attachment 102284 [details]
the patch

Clearing flags on attachment: 102284

Committed r92024: <http://trac.webkit.org/changeset/92024>
Comment 3 WebKit Review Bot 2011-07-29 15:40:21 PDT 
All reviewed patches have been landed.  Closing bug.