Title: [229545] trunk/Source/_javascript_Core
- Revision
- 229545
- Author
- fpi...@apple.com
- Date
- 2018-03-12 13:19:53 -0700 (Mon, 12 Mar 2018)
Log Message
Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (229544 => 229545)
--- trunk/Source/_javascript_Core/ChangeLog 2018-03-12 19:44:17 UTC (rev 229544)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-03-12 20:19:53 UTC (rev 229545)
@@ -1,3 +1,10 @@
+2018-03-12 Filip Pizlo <fpi...@apple.com>
+
+ Unreviewed, fix simple goof that was causing 32-bit DFG crashes.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+
2018-03-11 Yusuke Suzuki <utatane....@gmail.com>
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (229544 => 229545)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-03-12 19:44:17 UTC (rev 229544)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-03-12 20:19:53 UTC (rev 229545)
@@ -7006,7 +7006,8 @@
GPRTemporary length;
if (isX86() && is32Bit() && !lengthIsKnown) {
- GPRFlushedCallResult result(this);
+ GPRFlushedCallResult realResult(this);
+ result.adopt(realResult);
resultGPR = result.gpr();
RELEASE_ASSERT(resultGPR == GPRInfo::regT0);
flushRegisters();
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
