68189 – DFG speculative JIT sometimes asserts that a value is not a number even when it doesn't know anything about the number

RESOLVED FIXED 68189

DFG speculative JIT sometimes asserts that a value is not a number even when it doesn't know anything about the number

https://bugs.webkit.org/show_bug.cgi?id=68189

Summary DFG speculative JIT sometimes asserts that a value is not a number even when ...

Filip Pizlo

Reported 2011-09-15 14:09:09 PDT

The DFG speculative JIT makes use of the isKnownNotNumber() method, which returns true if the GenerationInfo reports that the value is neither an integer nor a double. But that means that it will return true if the GenerationInfo is either DataFormatNone or DataFormatJS, which means that we actually know nothing about the value. This results in poor speculations on ValueAdd in release builds, and assertion falues in debug builds.

Attachments
the patch (2.15 KB, patch) 2011-09-15 14:12 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2011-09-15 14:12:36 PDT

Created attachment 107550 [details] the patch

Filip Pizlo

Comment 2 2011-09-15 14:53:44 PDT

Landed in r95233.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2011-09-15 14:09 PDT

Modified

2011-09-15 14:53 PDT History

CC List

4 users Show

URL

Keywords

Depends on

Blocks