path: root/Source/JavaScriptCore/API/JavaScript.h
author Filip Pizlo <fpizlo@apple.com> 2013-03-27 10:34:00 +0100
committer The Qt Project <gerrit-noreply@qt-project.org> 2013-03-27 11:56:38 +0100
commit 09961e4b798b98e1e35688ce692094186a8f5d07 (patch)
tree 82dcc2bcb3765697b85e0ef718662e08b7eb9709 /Source/JavaScriptCore/API/JavaScript.h
parent 909c9942ce927c3dac5f850d9bc110a66a72d397 (diff)
download qtwebkit-09961e4b798b98e1e35688ce692094186a8f5d07.tar.gz
DFG is too aggressive with eliding overflow checks in loops
https://bugs.webkit.org/show_bug.cgi?id=105226

Reviewed by Mark Hahnenberg and Oliver Hunt.

Source/JavaScriptCore:

If we see a variable's live range cross basic block boundaries, conservatively assume that it may be part of a data-flow back-edge, and as a result, we may have entirely integer operations that could lead to the creation of an integer that is out of range of 2^52 (the significand of a double float). This does not seem to regress any of the benchmarks we care about, and it fixes the bug. In future we may want to actually look at whether or not there was a data-flow back-edge instead of being super conservative about it. But we have no evidence, yet, that this would help us on real code.

* dfg/DFGNodeFlags.h:
(DFG):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):

LayoutTests:

* fast/js/dfg-int-overflow-in-loop-expected.txt: Added.
* fast/js/dfg-int-overflow-in-loop.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-int-overflow-in-loop.js: Added.
(foo):

Change-Id: I9df2d6d17ba404802456f4e2da313e47f0f4f62e
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137963 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
Diffstat (limited to 'Source/JavaScriptCore/API/JavaScript.h')
0 files changed, 0 insertions, 0 deletions
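
The failure mode the commit message describes, shown as an added example that is not part of this commit, its layout test, or WebKit's code. It is a simplified model that assumes code with the overflow check elided keeps the accumulator as a wrapping int32; the function names and the step value are constructed for illustration.

```javascript
// Added illustration, not JavaScriptCore code.

// What the language requires: the accumulator is an IEEE-754 double and is
// truncated to int32 only where the program says so (the final `| 0`).
function specSum(step, iterations) {
    let acc = 0;
    for (let i = 0; i < iterations; i++)
        acc += step;
    return acc | 0;
}

// Assumed model of compiled code that elided the overflow check: the
// accumulator stays in an int32 register and every add wraps modulo 2^32.
function elidedSum(step, iterations) {
    let acc = 0;
    for (let i = 0; i < iterations; i++)
        acc = (acc + step) | 0;
    return acc;
}

// Runs both accumulators in lockstep and returns the first iteration count
// at which their int32 results disagree, or -1 if they agree up to `limit`.
function firstDivergence(step, limit) {
    let dbl = 0;
    let i32 = 0;
    for (let n = 1; n <= limit; n++) {
        dbl += step;
        i32 = (i32 + step) | 0;
        // While dbl <= Number.MAX_SAFE_INTEGER the double sum is exact, so
        // truncating it gives the same bits as the wrapped int32 sum.
        if ((dbl | 0) !== i32)
            return n;
    }
    return -1;
}

const STEP = 0x7fffffff; // constructed input: largest int32 value

// A single add, or a short run of adds, is indistinguishable after `| 0`.
console.log(specSum(STEP, 1000) === elidedSum(STEP, 1000));

// Across a loop back-edge the double sum eventually loses its low bit and
// the two results part ways.
console.log(firstDivergence(STEP, 5000000));
```

The elided version is the one that stays arithmetically exact, but the required answer is the rounded double one, which is why the check can only be dropped when the value cannot grow across a back-edge.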