Modified: trunk/Source/_javascript_Core/ChangeLog (231331 => 231332)
--- trunk/Source/_javascript_Core/ChangeLog 2018-05-03 23:18:29 UTC (rev 231331)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-05-03 23:21:37 UTC (rev 231332)
@@ -1,3 +1,10 @@
+2018-05-03 Keith Miller <keith_mil...@apple.com>
+
+ Unreviewed, fix 32-bit profile offset for change in bytecode
+ length of the get_by_id and get_array_length opcodes.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
2018-05-03 Michael Saboff <msab...@apple.com>
WebContent crash loading page on seas.upenn.edu @ _javascript_Core: vmEntryToJavaScript
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (231331 => 231332)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-05-03 23:18:29 UTC (rev 231331)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-05-03 23:21:37 UTC (rev 231332)
@@ -1420,7 +1420,7 @@
loadi 4[PC], t2
storei t0, TagOffset[cfr, t2, 8]
storei t1, PayloadOffset[cfr, t2, 8]
- valueProfile(t0, t1, 32, t2)
+ valueProfile(t0, t1, 28, t2)
dispatch(constexpr op_get_by_id_length)
.opGetByIdSlow:
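Review bot: The operand offset `28` passed to `valueProfile` is a bare literal that has to follow the bytecode length of get_by_id by hand, and this commit exists because the previous `32` had gone stale; the same applies to `valueProfile(Int32Tag, t0, 28, t2)` in the get_array_length hunk below. Presumably 28 is the last 4-byte operand slot of the shortened instruction, but nothing on these lines says so. If the macro loads the profile pointer from that slot and stores through it, as the name suggests, a stale offset is a memory-safety problem rather than just a profiling inaccuracy. I would add a comment on both lines, for example `# 28 = 4 * (op_get_by_id_length - 1): value profile is the last operand, keep in sync with the bytecode list`, and consider a build-time assertion next to the opcode definitions so the 32-bit interpreter cannot drift silently again. Both handlers start and end outside the hunks shown, so the slot layout should be confirmed against the full file.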
@@ -1441,7 +1441,7 @@
loadp JSObject::m_butterfly[t3], t0
loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0
bilt t0, 0, .opGetArrayLengthSlow
- valueProfile(Int32Tag, t0, 32, t2)
+ valueProfile(Int32Tag, t0, 28, t2)
storep t0, PayloadOffset[cfr, t1, 8]
storep Int32Tag, TagOffset[cfr, t1, 8]
dispatch(constexpr op_get_array_length_length)