Diff
Modified: trunk/LayoutTests/ChangeLog (92709 => 92710)
--- trunk/LayoutTests/ChangeLog 2011-08-09 21:32:04 UTC (rev 92709)
+++ trunk/LayoutTests/ChangeLog 2011-08-09 21:38:57 UTC (rev 92710)
@@ -1,3 +1,18 @@
+2011-08-09 Filip Pizlo <[email protected]>
+
+ DFG JIT failure loading web site
+ https://bugs.webkit.org/show_bug.cgi?id=65930
+
+ Reviewed by Oliver Hunt.
+
+ Reproduced the failure seen in
+ http://www.skinnytaste.com/2011/06/ricotta-cheese-chocolate-chip-muffins.html
+
+ * fast/js/boxed-double-to-int-expected.txt: Added.
+ * fast/js/boxed-double-to-int.html: Added.
+ * fast/js/script-tests/boxed-double-to-int.js: Added.
+ (boxedDoubleToInt):
+
2011-08-09 Anders Carlsson <[email protected]>
Add updated media test results for Lion.
Added: trunk/LayoutTests/fast/js/boxed-double-to-int-expected.txt (0 => 92710)
--- trunk/LayoutTests/fast/js/boxed-double-to-int-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/boxed-double-to-int-expected.txt 2011-08-09 21:38:57 UTC (rev 92710)
@@ -0,0 +1,14 @@
+This tests that converting a boxed double to an integer does not crash the register allocator.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS boxedDoubleToInt(1, 2) is 3.5
+PASS boxedDoubleToInt(3, 4) is 4.5
+PASS boxedDoubleToInt(5, 6) is 7.5
+PASS boxedDoubleToInt(7, 8) is 8.5
+PASS boxedDoubleToInt(9, 10) is 11.5
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/boxed-double-to-int.html (0 => 92710)
--- trunk/LayoutTests/fast/js/boxed-double-to-int.html (rev 0)
+++ trunk/LayoutTests/fast/js/boxed-double-to-int.html 2011-08-09 21:38:57 UTC (rev 92710)
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href=""
+<script src=""
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/fast/js/script-tests/boxed-double-to-int.js (0 => 92710)
--- trunk/LayoutTests/fast/js/script-tests/boxed-double-to-int.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/boxed-double-to-int.js 2011-08-09 21:38:57 UTC (rev 92710)
@@ -0,0 +1,17 @@
+description(
+"This tests that converting a boxed double to an integer does not crash the register allocator."
+);
+
+function boxedDoubleToInt(x, y) {
+ var y = x / 2;
+ var z = y + 2;
+ return (y | 1) + z;
+}
+
+shouldBe("boxedDoubleToInt(1, 2)", "3.5");
+shouldBe("boxedDoubleToInt(3, 4)", "4.5");
+shouldBe("boxedDoubleToInt(5, 6)", "7.5");
+shouldBe("boxedDoubleToInt(7, 8)", "8.5");
+shouldBe("boxedDoubleToInt(9, 10)", "11.5");
+
+var successfullyParsed = true;
Modified: trunk/Source/_javascript_Core/ChangeLog (92709 => 92710)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-09 21:32:04 UTC (rev 92709)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-09 21:38:57 UTC (rev 92710)
@@ -1,3 +1,16 @@
+2011-08-09 Filip Pizlo <[email protected]>
+
+ DFG JIT failure loading web site
+ https://bugs.webkit.org/show_bug.cgi?id=65930
+
+ Reviewed by Oliver Hunt.
+
+ Put the use() call after the fpr()/gpr() calls, since doing otherwise
+ breaks the register allocator.
+
+ * dfg/DFGNonSpeculativeJIT.cpp:
+ (JSC::DFG::NonSpeculativeJIT::compile):
+
2011-08-09 Mark Hahnenberg <[email protected]>
Add ParentClass typedef in all JSC classes
Modified: trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp (92709 => 92710)
--- trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-08-09 21:32:04 UTC (rev 92709)
+++ trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-08-09 21:38:57 UTC (rev 92710)
@@ -510,9 +510,11 @@
if ((childInfo.registerFormat() | DataFormatJS) == DataFormatJSDouble) {
DoubleOperand op1(this, node.child1());
GPRTemporary result(this);
+ FPRReg fpr = op1.fpr();
+ GPRReg gpr = result.gpr();
op1.use();
- numberToInt32(op1.fpr(), result.gpr());
- integerResult(result.gpr(), m_compileIndex, UseChildrenCalledExplicitly);
+ numberToInt32(fpr, gpr);
+ integerResult(gpr, m_compileIndex, UseChildrenCalledExplicitly);
break;
}
