Title: [207697] trunk
- Revision
- 207697
- Author
- sbar...@apple.com
- Date
- 2016-10-21 15:38:22 -0700 (Fri, 21 Oct 2016)
Log Message
SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
https://bugs.webkit.org/show_bug.cgi?id=163622
Reviewed by Yusuke Suzuki.
JSTests:
* stress/try-get-by-id-should-spill-registers-dfg.js: Added.
(let.f.createBuiltin):
Source/_javascript_Core:
We were passing in DontSpill in the Untyped:child1() case, which caused us
not to spill the base register. This is obviously wrong because the
DFG's register allocator expected the base to still be in the register
that it allocated for it after the TryGetById node executed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileTryGetById):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (207696 => 207697)
--- trunk/JSTests/ChangeLog 2016-10-21 22:20:05 UTC (rev 207696)
+++ trunk/JSTests/ChangeLog 2016-10-21 22:38:22 UTC (rev 207697)
@@ -1,3 +1,13 @@
+2016-10-21 Saam Barati <sbar...@apple.com>
+
+ SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
+ https://bugs.webkit.org/show_bug.cgi?id=163622
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/try-get-by-id-should-spill-registers-dfg.js: Added.
+ (let.f.createBuiltin):
+
2016-10-21 Caitlin Potter <ca...@igalia.com>
[JSC] don't crash when arguments to `new Function()` produce unexpected AST
Added: trunk/JSTests/stress/try-get-by-id-should-spill-registers-dfg.js (0 => 207697)
--- trunk/JSTests/stress/try-get-by-id-should-spill-registers-dfg.js (rev 0)
+++ trunk/JSTests/stress/try-get-by-id-should-spill-registers-dfg.js 2016-10-21 22:38:22 UTC (rev 207697)
@@ -0,0 +1,10 @@
+let f = createBuiltin(`(function (arg) {
+ let r = @tryGetById(arg, "prototype");
+ if (arg !== true) throw new @Error("Bad clobber of arg");
+ return r;
+})`);
+noInline(f);
+
+for (let i = 0; i < 10000; i++) {
+ f(true);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (207696 => 207697)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-21 22:20:05 UTC (rev 207696)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-21 22:38:22 UTC (rev 207697)
@@ -1,3 +1,18 @@
+2016-10-21 Saam Barati <sbar...@apple.com>
+
+ SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
+ https://bugs.webkit.org/show_bug.cgi?id=163622
+
+ Reviewed by Yusuke Suzuki.
+
+ We were passing in DontSpill in the Untyped:child1() case, which caused us
+ not to spill the base register. This is obviously wrong because the
+ DFG's register allocator expected the base to still be in the register
+ that it allocated for it after the TryGetById node executed.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileTryGetById):
+
2016-10-21 Keith Miller <keith_mil...@apple.com>
Expand Trunc in B3 to support Double to Float
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (207696 => 207697)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-10-21 22:20:05 UTC (rev 207696)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-10-21 22:38:22 UTC (rev 207697)
@@ -1020,7 +1020,7 @@
JITCompiler::Jump notCell = m_jit.branchIfNotCell(baseRegs);
- cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), notCell, DontSpill, AccessType::GetPure);
+ cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), notCell, NeedToSpill, AccessType::GetPure);
jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
break;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
