RESOLVED FIXED Bug 66104
DFG JIT speculation failure code sometimes picks the wrong register as a scratch register. 
https://bugs.webkit.org/show_bug.cgi?id=66104
Summary DFG JIT speculation failure code sometimes picks the wrong register as a scra...
Filip Pizlo
Reported 2011-08-11 15:13:17 PDT
The DFG JIT speculation failure code attempts to pick three registers (one GPR, two FPRs) for scratch storage. This is opportunistic and may fail; even if it does the speculation failure will still work but may require somewhat slower code. Currently, the code to pick scratch registers assumes that if a register is spilled then it can be subsequently be used for scratch. This is incorrect, as the register may actually be used for shuffling (i.e. subsequent code in the speculation failure path may assume that the register still contains the value of a DFG node, and may move that value from that register into a different register).
Attachments
the patch (6.07 KB, patch)
2011-08-11 15:15 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (fix style) (5.85 KB, patch)
2011-08-11 15:17 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2011-08-11 15:15:43 PDT
Created attachment 103682 [details] the patch All tests pass. Performance is neutral.
Filip Pizlo
Comment 2 2011-08-11 15:17:18 PDT
Created attachment 103683 [details] the patch (fix style)
WebKit Review Bot
Comment 3 2011-08-11 15:18:10 PDT
Attachment 103682 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1 Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:624: One line control clauses should not use braces. [whitespace/braces] [4] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style.
Gavin Barraclough
Comment 4 2011-08-11 19:49:38 PDT
Comment on attachment 103683 [details] the patch (fix style) View in context: https://bugs.webkit.org/attachment.cgi?id=103683&action=review > Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:643 > + ASSERT((scratchFPR1 == InvalidFPRReg && scratchFPR2 == InvalidFPRReg) || (scratchFPR1 != scratchFPR2)); the latter set of parentheses are redundant, but we can remove them later. :-)
WebKit Review Bot
Comment 5 2011-08-11 20:42:02 PDT
Comment on attachment 103683 [details] the patch (fix style) Clearing flags on attachment: 103683 Committed r92909: <http://trac.webkit.org/changeset/92909>
WebKit Review Bot
Comment 6 2011-08-11 20:42:06 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.