The DFG JIT speculation failure code attempts to pick three registers (one GPR, two FPRs) for scratch storage. This is opportunistic and may fail; even if it does, the speculation failure will still work but may require somewhat slower code. Currently, the code to pick scratch registers assumes that if a register is spilled then it can subsequently be used for scratch. This is incorrect, as the register may actually be used for shuffling (i.e. subsequent code in the speculation failure path may assume that the register still contains the value of a DFG node, and may move that value from that register into a different register).
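As an added illustration of the invariant the description above states (a constructed toy model, not WebKit's DFGJITCompiler code): a spilled register is free for scratch use only if no later shuffle on the failure path still reads it. The register numbers, the `Shuffle` struct and the picker functions are assumptions made for this model.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Toy model of the scratch-GPR choice on the speculation-failure path.
// Registers are small integers; kInvalidReg stands in for InvalidGPRReg.
const int kInvalidReg = -1;

struct RegisterState {
    std::set<int> spilled;   // registers whose node value was already spilled to the stack
};

// A pending shuffle: a node value still has to move from src to dst later on
// the path, so src must keep its contents until that move has happened.
struct Shuffle { int src; int dst; };

// Buggy picker (the behaviour the bug describes): any spilled register is
// assumed free for scratch use, ignoring pending shuffles.
int pickScratchBuggy(const RegisterState& state, const std::vector<Shuffle>&) {
    if (state.spilled.empty()) return kInvalidReg;
    return *state.spilled.begin();
}

// Fixed picker: skip spilled registers that a later shuffle still reads.
// Returning kInvalidReg is acceptable; the caller falls back to slower code.
int pickScratchFixed(const RegisterState& state, const std::vector<Shuffle>& shuffles) {
    for (int reg : state.spilled) {
        bool readLater = std::any_of(shuffles.begin(), shuffles.end(),
            [reg](const Shuffle& s) { return s.src == reg; });
        if (!readLater)
            return reg;
    }
    return kInvalidReg;
}

// True if clobbering `scratch` would destroy a value a shuffle still needs.
bool scratchClobbersShuffle(int scratch, const std::vector<Shuffle>& shuffles) {
    if (scratch == kInvalidReg) return false;
    return std::any_of(shuffles.begin(), shuffles.end(),
        [scratch](const Shuffle& s) { return s.src == scratch; });
}

// Constructed scenario: r0 and r1 are spilled, but r0's value still has to be
// shuffled into r3, so only r1 is a safe scratch register.
RegisterState sampleState() {
    RegisterState s;
    s.spilled = {0, 1};
    return s;
}
std::vector<Shuffle> sampleShuffles() { return {{0, 3}}; }
```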
Created attachment 103682 [details] the patch All tests pass. Performance is neutral.
Created attachment 103683 [details] the patch (fix style)
Attachment 103682 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1 Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:624: One line control clauses should not use braces. [whitespace/braces] [4] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 103683 [details] the patch (fix style) View in context: https://bugs.webkit.org/attachment.cgi?id=103683&action=review > Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:643 > + ASSERT((scratchFPR1 == InvalidFPRReg && scratchFPR2 == InvalidFPRReg) || (scratchFPR1 != scratchFPR2)); the latter set of parentheses is redundant, but we can remove them later. :-)
Comment on attachment 103683 [details] the patch (fix style) Clearing flags on attachment: 103683 Committed r92909: <http://trac.webkit.org/changeset/92909>
All reviewed patches have been landed. Closing bug.