[webkit-changes] [94098] branches/safari-534.51-branch

Tue, 30 Aug 2011 13:05:26 -0700

Title: [94098] branches/safari-534.51-branch

Diff

Modified: branches/safari-534.51-branch/LayoutTests/ChangeLog (94097 => 94098)


--- branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/LayoutTests/ChangeLog	2011-08-30 20:06:22 UTC (rev 94098)
@@ -1,3 +1,21 @@
+2011-08-29  Lucas Forschler  <[email protected]>
+
+    Merged 93934
+
+    2011-08-26  Gavin Barraclough  <[email protected]>
+
+            DFG JIT - ArithMod may clobber operands.
+            https://bugs.webkit.org/show_bug.cgi?id=67085
+
+            Reviewed by Sam Weinig.
+
+            Added test case.
+
+            * fast/js/mod-crash-expected.txt:
+            * fast/js/script-tests/mod-crash.js:
+            (nonSpeculativeModReuseInner):
+            (nonSpeculativeModReuse):
+
 2011-08-23  Mark Rowe  <[email protected]>
 
         Merge r90691.

Modified: branches/safari-534.51-branch/LayoutTests/fast/js/mod-crash-expected.txt (94097 => 94098)


--- branches/safari-534.51-branch/LayoutTests/fast/js/mod-crash-expected.txt	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/LayoutTests/fast/js/mod-crash-expected.txt	2011-08-30 20:06:22 UTC (rev 94098)
@@ -7,6 +7,7 @@
 PASS n % 0 is NaN
 PASS f() is NaN
 PASS g() is NaN
+PASS nonSpeculativeModReuse(0.5) is 1
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: branches/safari-534.51-branch/LayoutTests/fast/js/script-tests/mod-crash.js (94097 => 94098)


--- branches/safari-534.51-branch/LayoutTests/fast/js/script-tests/mod-crash.js	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/LayoutTests/fast/js/script-tests/mod-crash.js	2011-08-30 20:06:22 UTC (rev 94098)
@@ -22,4 +22,20 @@
 
 shouldBe("g()", "NaN");
 
+// Test that reusing a floating point value after use in a modulus works correctly.
+function nonSpeculativeModReuseInner(argument, o1, o2)
+{
+ 	// The + operator on objects is a reliable way to avoid the speculative JIT path for now at least.
+    o1 + o2;
+
+    var knownDouble = argument - 0;
+    return knownDouble % 1 + knownDouble;
+}
+function nonSpeculativeModReuse(argument)
+{
+    return nonSpeculativeModReuseInner(argument, {}, {});
+}
+
+shouldBe("nonSpeculativeModReuse(0.5)", "1");
+
 var successfullyParsed = true;

Modified: branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog (94097 => 94098)


--- branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-08-30 20:06:22 UTC (rev 94098)
@@ -1,3 +1,25 @@
+2011-08-29  Lucas Forschler  <[email protected]>
+
+    Merged 93934
+
+    2011-08-26  Gavin Barraclough  <[email protected]>
+
+            DFG JIT - ArithMod may clobber operands.
+            https://bugs.webkit.org/show_bug.cgi?id=67085
+
+            Reviewed by Sam Weinig.
+
+            unboxDouble must be called on a temporary.
+
+            * dfg/DFGJITCodeGenerator.cpp:
+            (JSC::DFG::JITCodeGenerator::fillDouble):
+            * dfg/DFGJITCodeGenerator.h:
+            (JSC::DFG::JITCodeGenerator::boxDouble):
+            * dfg/DFGNonSpeculativeJIT.cpp:
+            (JSC::DFG::NonSpeculativeJIT::compile):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+
 2011-08-23  Mark Rowe  <[email protected]>
 
         Merge r93487.

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (94097 => 94098)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-08-30 20:06:22 UTC (rev 94098)
@@ -199,7 +199,15 @@
     // Unbox the double
     case DataFormatJSDouble: {
         GPRReg gpr = info.gpr();
-        FPRReg fpr = unboxDouble(gpr);
+        FPRReg fpr = fprAllocate();
+        if (m_gprs.isLocked(gpr)) {
+            // Make sure we don't trample gpr if it is in use.
+            GPRReg temp = allocate();
+            m_jit.move(gpr, temp);
+            unboxDouble(temp, fpr);
+            unlock(temp);
+        } else
+            unboxDouble(gpr, fpr);
 
         m_gprs.release(gpr);
         m_fprs.retain(fpr, virtualRegister, SpillOrderDouble);

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h (94097 => 94098)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-08-30 20:06:22 UTC (rev 94098)
@@ -371,10 +371,6 @@
     {
         return boxDouble(fpr, allocate());
     }
-    FPRReg unboxDouble(GPRReg gpr)
-    {
-        return unboxDouble(gpr, fprAllocate());
-    }
 
     // Spill a VirtualRegister to the RegisterFile.
     void spill(VirtualRegister spillMe)

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp (94097 => 94098)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp	2011-08-30 20:06:22 UTC (rev 94098)
@@ -608,12 +608,19 @@
         op2.use();
     
         GPRReg temp2 = InvalidGPRReg;
+        GPRReg unboxGPR;
         if (op2GPR == X86Registers::eax || op2GPR == X86Registers::edx) {
             temp2 = allocate();
             m_jit.move(op2GPR, temp2);
             op2GPR = temp2;
-        }
-    
+            unboxGPR = temp2;
+        } else if (op1GPR == X86Registers::eax)
+            unboxGPR = X86Registers::edx;
+        else
+            unboxGPR = X86Registers::eax;
+        ASSERT(unboxGPR != op1.gpr());
+        ASSERT(unboxGPR != op2.gpr());
+
         JITCompiler::Jump firstOpNotInt;
         JITCompiler::Jump secondOpNotInt;
         JITCompiler::JumpList done;
@@ -658,12 +665,14 @@
                 secondOpNotInt2.link(&m_jit);
             
                 // first op is a double, second op is a double.
-                unboxDouble(op2GPR, op2FPR);
+                m_jit.move(op2GPR, unboxGPR);
+                unboxDouble(unboxGPR, op2FPR);
             
                 gotSecondOp.link(&m_jit);
             }
         
-            unboxDouble(op1GPR, op1FPR);
+            m_jit.move(op1GPR, unboxGPR);
+            unboxDouble(unboxGPR, op1FPR);
         
             gotDoubleArgs = m_jit.jump();
         }
@@ -673,7 +682,8 @@
         
             // we know that the first op is an int, and the second is a double
             m_jit.convertInt32ToDouble(op1GPR, op1FPR);
-            unboxDouble(op2GPR, op2FPR);
+            m_jit.move(op2GPR, unboxGPR);
+            unboxDouble(unboxGPR, op2FPR);
         }
     
         if (!isKnownInteger(node.child1()))

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (94097 => 94098)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-08-30 20:01:17 UTC (rev 94097)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-08-30 20:06:22 UTC (rev 94098)
@@ -272,7 +272,15 @@
     // Unbox the double
     case DataFormatJSDouble: {
         GPRReg gpr = info.gpr();
-        FPRReg fpr = unboxDouble(gpr);
+        FPRReg fpr = fprAllocate();
+        if (m_gprs.isLocked(gpr)) {
+            // Make sure we don't trample gpr if it is in use.
+            GPRReg temp = allocate();
+            m_jit.move(gpr, temp);
+            unboxDouble(temp, fpr);
+            unlock(temp);
+        } else
+            unboxDouble(gpr, fpr);
 
         m_gprs.release(gpr);
         m_fprs.retain(fpr, virtualRegister, SpillOrderDouble);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to