Title: [90768] trunk/Source/_javascript_Core
- Revision: 90768
- Author: commit-qu...@webkit.org
- Date: 2011-07-11 11:39:14 -0700 (Mon, 11 Jul 2011)
Log Message
DFG Speculative JIT does not always insert speculation checks when speculating
arrays.
https://bugs.webkit.org/show_bug.cgi?id=64254
Patch by Filip Pizlo <fpi...@apple.com> on 2011-07-11
Reviewed by Gavin Barraclough.
Changed the SetLocal instruction to always validate that the value being stored
into the local variable is an array, if that variable was marked PredictArray.
This is necessary since uses of arrays assume that if a PredictArray value is
in a local variable then the speculation check validating that the value is an
array was already performed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (90767 => 90768)
--- trunk/Source/_javascript_Core/ChangeLog 2011-07-11 18:39:11 UTC (rev 90767)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-07-11 18:39:14 UTC (rev 90768)
@@ -1,3 +1,20 @@
+2011-07-11 Filip Pizlo <fpi...@apple.com>
+
+ DFG Speculative JIT does not always insert speculation checks when speculating
+ arrays.
+ https://bugs.webkit.org/show_bug.cgi?id=64254
+
+ Reviewed by Gavin Barraclough.
+
+ Changed the SetLocal instruction to always validate that the value being stored
+ into the local variable is an array, if that variable was marked PredictArray.
+ This is necessary since uses of arrays assume that if a PredictArray value is
+ in a local variable then the speculation check validating that the value is an
+ array was already performed.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2011-07-11 Gabor Loki <l...@webkit.org>
Fix the condition of the optimized code in doubleTransfer
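Review bot: no regression test accompanies this entry; the ChangeLog lists only dfg/DFGSpeculativeJIT.cpp, yet the change closes a gap where a value that was never checked to be an array could be stored into a local predicted as PredictArray and then consumed by code that assumes the check already ran. A test that stores a non-array value into such a local and confirms the speculation fails cleanly (rather than the array uses proceeding on a non-array cell) would pin the fix down, and the ChangeLog entry should list it.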
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (90767 => 90768)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-07-11 18:39:11 UTC (rev 90767)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-07-11 18:39:14 UTC (rev 90768)
@@ -491,7 +491,9 @@
}
case PredictArray: {
SpeculateCellOperand cell(this, node.child1());
- m_jit.storePtr(cell.gpr(), JITCompiler::addressFor(node.local()));
+ GPRReg cellGPR = cell.gpr();
+ speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+ m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
noResult(m_compileIndex);
break;
}
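Review bot: the new speculationCheck line carries no comment and is very long; the reason the vptr compare belongs in SetLocal lives only in the ChangeLog (consumers of a PredictArray local assume the array check was already performed), so add a one-line comment stating that above the call and split it across lines, e.g.
    speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual,
        MacroAssembler::Address(cellGPR),
        MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
The logic itself is sound: SpeculateCellOperand already guarantees cellGPR holds a cell, and comparing the vptr at offset 0 against jsArrayVPtr diverts any non-JSArray value to the speculation-failure path instead of letting later array uses operate on a cell of the wrong type. Note that the check now runs on every PredictArray SetLocal, including cases where child1 was produced by a node that already validated the array, so some checks will be duplicated; that is acceptable for correctness but worth a comment so nobody removes it as redundant later.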
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes