Modified: trunk/Source/_javascript_Core/ChangeLog (172958 => 172959)
--- trunk/Source/_javascript_Core/ChangeLog 2014-08-26 15:20:15 UTC (rev 172958)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-08-26 15:55:01 UTC (rev 172959)
@@ -1,3 +1,16 @@
+2014-08-26 Michael Saboff <msab...@apple.com>
+
+ REGRESSION(r172794) + 32Bit build: ASSERT failures in for-in-tests.js tests.
+ https://bugs.webkit.org/show_bug.cgi?id=136165
+
+ Reviewed by Mark Hahnenberg.
+
+ Changed switch case GetDirectPname: to always use the slow path for X86 since it only has
+ 6 registers available, but the code requires 7.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2014-08-25 Saam Barati <sbar...@apple.com>
TypeProfiler search breaks on return statements
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (172958 => 172959)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 15:20:15 UTC (rev 172958)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-08-26 15:55:01 UTC (rev 172959)
@@ -4722,25 +4722,34 @@
case GetDirectPname: {
Edge& baseEdge = m_jit.graph().varArgChild(node, 0);
Edge& propertyEdge = m_jit.graph().varArgChild(node, 1);
- Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
- Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
SpeculateCellOperand base(this, baseEdge);
SpeculateCellOperand property(this, propertyEdge);
- SpeculateInt32Operand index(this, indexEdge);
- SpeculateCellOperand enumerator(this, enumeratorEdge);
GPRResult resultPayload(this);
GPRResult2 resultTag(this);
GPRTemporary scratch(this);
GPRReg baseGPR = base.gpr();
GPRReg propertyGPR = property.gpr();
- GPRReg indexGPR = index.gpr();
- GPRReg enumeratorGPR = enumerator.gpr();
GPRReg resultTagGPR = resultTag.gpr();
GPRReg resultPayloadGPR = resultPayload.gpr();
GPRReg scratchGPR = scratch.gpr();
+#if CPU(X86)
+ // Not enough registers on X86 for this code, so always use the slow path.
+ flushRegisters();
+ m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
+ callOperation(operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR);
+#else
+ Edge& indexEdge = m_jit.graph().varArgChild(node, 2);
+ Edge& enumeratorEdge = m_jit.graph().varArgChild(node, 3);
+
+ SpeculateInt32Operand index(this, indexEdge);
+ SpeculateCellOperand enumerator(this, enumeratorEdge);
+
+ GPRReg indexGPR = index.gpr();
+ GPRReg enumeratorGPR = enumerator.gpr();
+
// Check the structure
m_jit.load32(MacroAssembler::Address(baseGPR, JSCell::structureIDOffset()), scratchGPR);
MacroAssembler::Jump wrongStructure = m_jit.branch32(MacroAssembler::NotEqual,
@@ -4775,6 +4784,7 @@
m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR));
+#endif
jsValueResult(resultTagGPR, resultPayloadGPR, node);
break;
