Title: [172962] trunk/Source/JavaScriptCore
Revision: 172962
Author: msab...@apple.com
Date: 2014-08-26 10:34:21 -0700 (Tue, 26 Aug 2014)

Log Message

REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
https://bugs.webkit.org/show_bug.cgi?id=136187

Reviewed by Mark Hahnenberg.

Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
doesn't require a tag for the second argument, instead it fills in a CellTag.  This is
used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
haven't set up a register with a tag and we know that argument 2 is a cell.

* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
with CellTag as it wasn't in the control flow for the slow path that needed the tag.
Instead changed to calling new version of callOperation with an implicit CellTag.

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (172961 => 172962)


--- trunk/Source/_javascript_Core/ChangeLog	2014-08-26 16:46:10 UTC (rev 172961)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-08-26 17:34:21 UTC (rev 172962)
@@ -1,3 +1,22 @@
+2014-08-26  Michael Saboff  <msab...@apple.com>
+
+        REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
+        https://bugs.webkit.org/show_bug.cgi?id=136187
+
+        Reviewed by Mark Hahnenberg.
+
+        Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
+        doesn't require a tag for the second argument, instead it fills in a CellTag.  This is
+        used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
+        haven't set up a register with a tag and we know that argument 2 is a cell.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
+        with CellTag as it wasn't in the control flow for the slow path that needed the tag.
+        Instead changed to calling new version of callOperation with an implicit CellTag.
+
 2014-08-26  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r172940.

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (172961 => 172962)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2014-08-26 16:46:10 UTC (rev 172961)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2014-08-26 17:34:21 UTC (rev 172962)
@@ -1695,6 +1695,11 @@
         m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag);
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }
+    JITCompiler::Call callOperation(J_JITOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Payload)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2Payload, MacroAssembler::TrustedImm32(JSValue::CellTag));
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
     JITCompiler::Call callOperation(J_JITOperation_ECJ operation, JSValueRegs result, GPRReg arg1, JSValueRegs arg2)
     {
         m_jit.setupArgumentsWithExecState(arg1, arg2.payloadGPR(), arg2.tagGPR());
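
Review bot: The new four-GPR callOperation overload hardcodes JSValue::CellTag for argument 2, but nothing in its signature or body documents that, and it is distinguished from the overload directly above (whose body passes arg2Tag) only by taking one fewer GPRReg. A caller that omits a tag register by mistake will still compile and will have its payload handed to the operation as a cell pointer. Consider a comment on this overload stating that arg2Payload must already be known to be a cell, or a distinct function name so the implicit tag is visible at call sites. Because a separate tag word only exists in the 32-bit value representation, it is also worth confirming that this overload sits inside the matching conditional region of the header, which the visible context does not show.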

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (172961 => 172962)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-08-26 16:46:10 UTC (rev 172961)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-08-26 17:34:21 UTC (rev 172962)
@@ -4771,8 +4771,7 @@
 
         done.link(&m_jit);
 
-        m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
-        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR));
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, propertyGPR));
 #endif
 
         jsValueResult(resultTagGPR, resultPayloadGPR, node);
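
Review bot: At the slowPathCall for wrongStructure, the move to the implicit-CellTag overload is expressed only by dropping scratchGPR from the argument list, so a reader has to work out the overload resolution to see that propertyGPR is now passed to operationGetByValCell as a cell. A one-line comment at the call saying why propertyGPR is known to be a cell on this path would make that assumption checkable in later edits. Also confirm that scratchGPR is still used elsewhere in this case now that the "m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);" line is gone; if it is not, its allocation can be removed as well.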