Changeset 182643 in webkit


Timestamp:
Apr 10, 2015, 5:00:38 PM (10 years ago)
Author:
msaboff@apple.com
Message:

REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
https://bugs.webkit.org/show_bug.cgi?id=143582

Reviewed by Mark Lam.

For 32 bit builds, we favor spilling unboxed values. The ASSERT at the root of this bug doesn't
fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
if the spillFormat is DataFormatCell. Had we spilled in DataFormatJS and the value was a JSCell*,
we would still OSR exit after the speculation check.

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r182636 r182643  
     12015-04-10  Michael Saboff  <msaboff@apple.com>
     2
     3        REGRESSION (182567): regress/script-tests/sorting-benchmark.js fails on 32 bit dfg-eager tests
     4        https://bugs.webkit.org/show_bug.cgi?id=143582
     5
     6        Reviewed by Mark Lam.
     7
     8        For 32 bit builds, we favor spilling unboxed values.  The ASSERT at the root of this bug doesn't
     9        fire for 64 bit builds, because we spill an "Other" value as a full JS value (DataFormatJS).
     10        For 32 bit builds however, if we are able, we spill Other values as JSCell* (DataFormatCell).
     11        The fix is to add a check in fillSpeculateInt32Internal() before the ASSERT that always OSR exits
     12        if the spillFormat is DataFormatCell.  Had we spilled in DataFormatJS and the value was a JSCell*,
     13        we would still OSR exit after the speculation check.
     14
     15        * dfg/DFGFixupPhase.cpp:
     16        (JSC::DFG::FixupPhase::fixupNode): Fixed an error in a comment while debugging.
     17        * dfg/DFGSpeculativeJIT32_64.cpp:
     18        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
     19
    1202015-04-10  Milan Crha  <mcrha@redhat.com>
    221
  • trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

    r182498 r182643  
    9696        switch (op) {
    9797        case SetLocal: {
    98             // This gets handled by fixupSetLocalsInBlock().
     98            // This gets handled by fixupGetAndSetLocalsInBlock().
    9999            return;
    100100        }
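Review bot: Comment-only change, so there is no behaviour to review, but please confirm that fixupGetAndSetLocalsInBlock() is the actual name of the routine that handles SetLocal in this file; the previous comment already pointed at a function name (fixupSetLocalsInBlock()) that did not match, and a corrected comment that again names a non-existent function would just go stale the same way.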
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

    r182498 r182643  
    869869
    870870        DataFormat spillFormat = info.spillFormat();
     871
     872        if (spillFormat == DataFormatCell) {
     873            terminateSpeculativeExecution(BadType, JSValueRegs(), edge);
     874            returnFormat = DataFormatInt32;
     875            return allocate();
     876        }
     877
    871878        ASSERT_UNUSED(spillFormat, (spillFormat & DataFormatJS) || spillFormat == DataFormatInt32);
    872879
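Review bot: The new early exit at lines 872-876 carries none of the rationale given in the commit message; add a comment above `if (spillFormat == DataFormatCell)` stating that 32-bit builds may spill an Other value unboxed as a JSCell*, so a cell spill can never satisfy an Int32 speculation and must OSR exit, otherwise the next reader sees an unexplained `terminateSpeculativeExecution(BadType, JSValueRegs(), edge);` placed in front of an ASSERT. Also, the ASSERT_UNUSED that follows still accepts only DataFormatJS-tagged formats or DataFormatInt32 while the guard handles DataFormatCell alone; since the commit message says 32-bit builds favor spilling unboxed values in general, confirm that no other unboxed spill format can reach this point, or widen the condition accordingly.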