Title: [104330] trunk/Source/JavaScriptCore
Revision: 104330
Author: oli...@apple.com
Date: 2012-01-06 13:19:54 -0800 (Fri, 06 Jan 2012)
Log Message
GetByteArrayLength is incorrect
https://bugs.webkit.org/show_bug.cgi?id=75735
Reviewed by Filip Pizlo.
Load the byte array length from the correct location.
This stops an existing test from hanging.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (104329 => 104330)
--- trunk/Source/_javascript_Core/ChangeLog 2012-01-06 21:18:25 UTC (rev 104329)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-01-06 21:19:54 UTC (rev 104330)
@@ -1,3 +1,18 @@
+2012-01-06 Oliver Hunt <oli...@apple.com>
+
+ GetByteArrayLength is incorrect
+ https://bugs.webkit.org/show_bug.cgi?id=75735
+
+ Reviewed by Filip Pizlo.
+
+ Load the byte array length from the correct location.
+ This stops an existing test from hanging.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2012-01-06 Filip Pizlo <fpi...@apple.com>
Fix build.
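Review bot: The new ChangeLog entry says the length is now loaded "from the correct location" and that "an existing test" stopped hanging, but it names neither. Suggest stating that the size was being read at ByteArray::offsetOfSize() from the JSByteArray cell instead of from its storage pointer, and naming the test that hung, so the entry can be found later when someone searches for this failure.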
Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (104329 => 104330)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-01-06 21:18:25 UTC (rev 104329)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-01-06 21:19:54 UTC (rev 104330)
@@ -3203,7 +3203,7 @@
GPRReg resultGPR = result.gpr();
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
- m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+ m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
integerResult(resultGPR, m_compileIndex);
break;
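Review bot: In the corrected load32, resultGPR is both the base of the address and the destination, so the storage pointer loaded by the preceding loadPtr is overwritten by the size. That is fine here because the pointer is not used afterwards, but a one-line comment (or a separately named register for the storage pointer) would make the two-step dereference explicit. The removed line shows how easily a ByteArray:: offset gets paired with the JSByteArray cell held in baseGPR.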
Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (104329 => 104330)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-01-06 21:18:25 UTC (rev 104329)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2012-01-06 21:19:54 UTC (rev 104330)
@@ -3198,7 +3198,7 @@
speculationCheck(BadType, JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
- m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+ m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
integerResult(resultGPR, m_compileIndex);
break;
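Review bot: The loadPtr/load32 pair here is identical to the one in DFGSpeculativeJIT32_64.cpp, and both copies carried the same wrong base register. Consider moving the sequence into a shared SpeculativeJIT helper so the two back ends cannot drift apart. The patch also adds no test: the log mentions only an existing test that hung, so a case that asserts the length value returned on this path would pin the fix down directly.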