Title: [94801] trunk/Source/JavaScriptCore
- Revision: 94801
- Author: [email protected]
- Date: 2011-09-08 14:36:35 -0700 (Thu, 08 Sep 2011)
Log Message
DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
https://bugs.webkit.org/show_bug.cgi?id=67840
Reviewed by Gavin Barraclough.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::initializeVariableTypes):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (94800 => 94801)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-08 21:31:36 UTC (rev 94800)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-08 21:36:35 UTC (rev 94801)
@@ -1,3 +1,13 @@
+2011-09-08 Filip Pizlo <[email protected]>
+
+ DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
+ https://bugs.webkit.org/show_bug.cgi?id=67840
+
+ Reviewed by Gavin Barraclough.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
+
2011-09-08 Thouraya ANDOLSI <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=67771
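Review bot: the new ChangeLog entry names `initializeVariableTypes` but leaves the per-function description empty, so the log does not record what changed or why. Add a line under the function entry saying that the loop is now bounded by the graph's prediction table rather than by the code block's `m_numVars`, and what that has to do with the PredictInt32 temporaries named in the title. The entry also lists only `dfg/DFGSpeculativeJIT.cpp`; if a regression test exists for bug 67840 it should be listed here, and if none exists, say why.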
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (94800 => 94801)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-08 21:31:36 UTC (rev 94800)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-08 21:36:35 UTC (rev 94801)
@@ -1431,7 +1431,7 @@
void SpeculativeJIT::initializeVariableTypes()
{
ASSERT(!m_compileIndex);
- for (int var = 0; var < m_jit.codeBlock()->m_numVars; ++var) {
+ for (int var = 0; var < (int)m_jit.graph().predictions().numberOfVariables(); ++var) {
if (isInt32Prediction(m_jit.graph().getPrediction(var)))
m_jit.storePtr(GPRInfo::tagTypeNumberRegister, JITCompiler::addressFor((VirtualRegister)var));
}
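Review bot: on the changed `for` line, the C-style `(int)` cast on `m_jit.graph().predictions().numberOfVariables()` silences a type mismatch in the comparison instead of resolving it. Prefer declaring the loop index in the type that `numberOfVariables()` returns and converting once at the existing `(VirtualRegister)var` use, or at least use `static_cast<int>` so the narrowing is explicit and easy to find. A short comment above the loop would also help: nothing in the hunk says why the prediction table's variable count is the right bound where `m_numVars` was not, and that is the whole reason for the change given in the commit title.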