Title: [121946] trunk/Source/_javascript_Core
- Revision
- 121946
- Author
- fpi...@apple.com
- Date
- 2012-07-06 00:01:35 -0700 (Fri, 06 Jul 2012)
Log Message
REGRESSION(r121925): It broke 5 sputnik tests on x86 platforms
https://bugs.webkit.org/show_bug.cgi?id=90658
Reviewed by Zoltan Herczeg.
Under the new object model, out-of-line property accesses such as those
in ResolveGlobal must account for the fact that the offset to the Kth
property is represented by K + inlineStorageCapacity. Hence, the property
loads in ResolveGlobal must have an additional -inlineStorageCapacity *
sizeof(JSValue) offset.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (121945 => 121946)
--- trunk/Source/_javascript_Core/ChangeLog 2012-07-06 06:27:30 UTC (rev 121945)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-07-06 07:01:35 UTC (rev 121946)
@@ -1,3 +1,19 @@
+2012-07-05 Filip Pizlo <fpi...@apple.com>
+
+ REGRESSION(r121925): It broke 5 sputnik tests on x86 platforms
+ https://bugs.webkit.org/show_bug.cgi?id=90658
+
+ Reviewed by Zoltan Herczeg.
+
+ Under the new object model, out-of-line property accesses such as those
+ in ResolveGlobal must account for the fact that the offset to the Kth
+ property is represented by K + inlineStorageCapacity. Hence, the property
+ loads in ResolveGlobal must have an additional -inlineStorageCapacity *
+ sizeof(JSValue) offset.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2012-07-05 Csaba Osztrogonác <o...@webkit.org>
[Qt] Unreviewed 64 bit buildfix after r121925.
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (121945 => 121946)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-07-06 06:27:30 UTC (rev 121945)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2012-07-06 07:01:35 UTC (rev 121946)
@@ -3898,8 +3898,8 @@
m_jit.breakpoint();
isOutOfLine.link(&m_jit);
#endif
- m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)), resultTagGPR);
- m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)), resultPayloadGPR);
+ m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) - inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), resultTagGPR);
+ m_jit.load32(JITCompiler::BaseIndex(resultPayloadGPR, resolveInfoGPR, JITCompiler::TimesEight, OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) - inlineStorageCapacity * static_cast<ptrdiff_t>(sizeof(JSValue))), resultPayloadGPR);
addSlowPathGenerator(
slowPathCall(
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
