Modified: trunk/Source/_javascript_Core/ChangeLog (209646 => 209647)
--- trunk/Source/_javascript_Core/ChangeLog 2016-12-10 03:25:40 UTC (rev 209646)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-12-10 04:27:26 UTC (rev 209647)
@@ -1,3 +1,18 @@
+2016-12-09 Filip Pizlo <fpi...@apple.com>
+
+ REGRESSION (r209554-209571): stress/poly-setter-combo crashing
+ https://bugs.webkit.org/show_bug.cgi?id=165669
+
+ Reviewed by Geoffrey Garen.
+
+ We now rely on objects being zero-filled in a bunch of places, not just concurrent GC.
+ So, we need 32-bit to do it too.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_new_object):
+
2016-12-09 Eric Carlson <eric.carl...@apple.com>
Annotate MediaStream and WebRTC idl with EnabledAtRuntime flag
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (209646 => 209647)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-12-10 03:25:40 UTC (rev 209646)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-12-10 04:27:26 UTC (rev 209647)
@@ -4131,6 +4131,7 @@
// Rare data is only used to access the allocator & structure
// We can avoid using an additional GPR this way
GPRReg rareDataGPR = structureGPR;
+ GPRReg inlineCapacityGPR = rareDataGPR;
MacroAssembler::JumpList slowPath;
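Review bot: The comment at the top of the hunk explains why rareDataGPR reuses structureGPR, but the added `GPRReg inlineCapacityGPR = rareDataGPR;` extends that alias one step further without recording why the register is free again, so a later use of structureGPR added below the allocation would silently corrupt the capacity load. A one-line comment next to the alias would carry the invariant, e.g. `// Also reused for the inline capacity: the structure has been consumed by emitAllocateJSObject by the time the capacity is loaded.`. That ordering is what the following hunk shows, but please confirm nothing reads structureGPR after the allocation. The enclosing compile() case starts and ends outside this hunk.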
@@ -4143,6 +4144,10 @@
slowPath.append(m_jit.branchTestPtr(MacroAssembler::Zero, allocatorGPR));
emitAllocateJSObject(resultGPR, nullptr, allocatorGPR, structureGPR, TrustedImmPtr(0), scratchGPR, slowPath);
+ m_jit.loadPtr(JITCompiler::Address(calleeGPR, JSFunction::offsetOfRareData()), rareDataGPR);
+ m_jit.load32(JITCompiler::Address(rareDataGPR, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), inlineCapacityGPR);
+ m_jit.emitInitializeInlineStorage(resultGPR, inlineCapacityGPR);
+
addSlowPathGenerator(slowPathCall(slowPath, this, operationCreateThis, resultGPR, calleeGPR, node->inlineCapacity()));
cellResult(resultGPR, node);
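Review bot: The three added lines zero the inline storage on the fast path only, and nothing at the call site records that this is now a hard requirement rather than a tidy-up; the ChangeLog says zero-filled objects are relied on in a bunch of places beyond concurrent GC, and the same bare call is added at the operationNewObject hunk below and in JITOpcodes32_64.cpp emit_op_new_object, so a future fast-path allocation site can miss it exactly as this one did. A short comment above the first added load would document it, e.g. `// Objects must leave the fast path zero-filled; the runtime now depends on it, not just the concurrent GC.`. The reload of the rare data from calleeGPR also deserves a word, since rareDataGPR aliases structureGPR and was presumably clobbered when the structure was loaded before this hunk, e.g. `// rareDataGPR aliases structureGPR, so re-derive it from the callee.`. The slow path skips the initialization, which is fine only if operationCreateThis zero-fills on its own — confirm. compile()'s CreateThis case begins before this hunk and its slow-path call is the last statement shown.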
@@ -4166,6 +4171,7 @@
m_jit.move(TrustedImmPtr(allocatorPtr), allocatorGPR);
emitAllocateJSObject(resultGPR, allocatorPtr, allocatorGPR, TrustedImmPtr(structure), TrustedImmPtr(0), scratchGPR, slowPath);
+ m_jit.emitInitializeInlineStorage(resultGPR, structure->inlineCapacity());
addSlowPathGenerator(slowPathCall(slowPath, this, operationNewObject, resultGPR, structure));
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (209646 => 209647)
--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2016-12-10 03:25:40 UTC (rev 209646)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2016-12-10 04:27:26 UTC (rev 209647)
@@ -175,6 +175,7 @@
addSlowCase(Jump());
JumpList slowCases;
emitAllocateJSObject(resultReg, allocator, allocatorReg, TrustedImmPtr(structure), TrustedImmPtr(0), scratchReg, slowCases);
+ emitInitializeInlineStorage(resultReg, structure->inlineCapacity());
addSlowCase(slowCases);
emitStoreCell(currentInstruction[1].u.operand, resultReg);
}