Title: [91428] trunk/Source/JavaScriptCore
Revision
91428
Author
commit-qu...@webkit.org
Date
2011-07-20 17:24:01 -0700 (Wed, 20 Jul 2011)

Log Message

DFG speculative JIT sometimes claims to use compare operands twice, leading to
use count corruption.
https://bugs.webkit.org/show_bug.cgi?id=64903

Patch by Filip Pizlo <fpi...@apple.com> on 2011-07-20
Reviewed by Gavin Barraclough.

Move the calls to use() in SpeculativeJIT::compare() so that they only happen
if the JITCodeGenerator's helper method (which also calls use()) is not called.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compare):

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (91427 => 91428)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-21 00:22:42 UTC (rev 91427)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-21 00:24:01 UTC (rev 91428)
@@ -1,3 +1,17 @@
+2011-07-20  Filip Pizlo  <fpi...@apple.com>
+
+        DFG speculative JIT sometimes claims to use compare operands twice, leading to
+        use count corruption.
+        https://bugs.webkit.org/show_bug.cgi?id=64903
+
+        Reviewed by Gavin Barraclough.
+        
+        Move the calls to use() in SpeculativeJIT::compare() so that they only happen
+        if the JITCodeGenerator's helper method (which also calls use()) is not called.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compare):
+
 2011-07-20  Oliver Hunt  <oli...@apple.com>
 
         Don't throw away code when JSGarbageCollect API is called
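Review bot: the separator line between "Reviewed by Gavin Barraclough." and "Move the calls to use()..." is added with trailing whitespace (a `+` followed by spaces), unlike the entry's other blank lines; make it a bare `+` line so the ChangeLog stays whitespace-clean.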

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (91427 => 91428)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-21 00:22:42 UTC (rev 91427)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-21 00:24:01 UTC (rev 91428)
@@ -390,13 +390,13 @@
         // so can be no intervening nodes to also reference the compare. 
         ASSERT(node.adjustedRefCount() == 1);
 
-        if (shouldSpeculateInteger(node.child1(), node.child2()))
+        if (shouldSpeculateInteger(node.child1(), node.child2())) {
             compilePeepHoleIntegerBranch(node, branchNodeIndex, condition);
-        else
+            use(node.child1());
+            use(node.child2());
+        } else
             nonSpeculativePeepholeBranch(node, branchNodeIndex, condition, operation);
 
-        use(node.child1());
-        use(node.child2());
         m_compileIndex = branchNodeIndex;
         return true;
     }
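Review bot: the else branch now depends on nonSpeculativePeepholeBranch() calling use() on node.child1() and node.child2() itself, but nothing in the code records that, so a later reader who sees use() in only one branch may "fix" the asymmetry and reintroduce the double-use count bug this change addresses. Add a one-line comment on the else branch, e.g. `// nonSpeculativePeepholeBranch() uses both children itself.` Optionally brace the else body as well (`} else {` ... `}`) so the two branches read symmetrically.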
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes