Title: [218801] releases/WebKitGTK/webkit-2.16
Revision
218801
Author
carlo...@webkit.org
Date
2017-06-25 23:51:42 -0700 (Sun, 25 Jun 2017)

Log Message

Merge r215387 - ParseInt intrinsic in DFG backend doesn't properly flush its operands
https://bugs.webkit.org/show_bug.cgi?id=170865

Reviewed by Mark Lam and Geoffrey Garen.

JSTests:

* stress/parse-int-intrinsic-dfg-backend-flush.js: Added.
(assert):
(foo):

Source/_javascript_Core:

The DFG backend code needed to first call .gpr()/.jsValueRegs()
before calling flushRegisters(), or the input JSValueOperand would
not be flushed.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileParseInt):


Modified: releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog (218800 => 218801)


--- releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog	2017-06-25 21:41:51 UTC (rev 218800)
+++ releases/WebKitGTK/webkit-2.16/JSTests/ChangeLog	2017-06-26 06:51:42 UTC (rev 218801)
@@ -1,3 +1,14 @@
+2017-04-14  Saam Barati  <sbar...@apple.com>
+
+        ParseInt intrinsic in DFG backend doesn't properly flush its operands
+        https://bugs.webkit.org/show_bug.cgi?id=170865
+
+        Reviewed by Mark Lam and Geoffrey Garen.
+
+        * stress/parse-int-intrinsic-dfg-backend-flush.js: Added.
+        (assert):
+        (foo):
+
 2017-05-10  Filip Pizlo  <fpi...@apple.com>
 
         Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname

Added: releases/WebKitGTK/webkit-2.16/JSTests/stress/parse-int-intrinsic-dfg-backend-flush.js (0 => 218801)


--- releases/WebKitGTK/webkit-2.16/JSTests/stress/parse-int-intrinsic-dfg-backend-flush.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.16/JSTests/stress/parse-int-intrinsic-dfg-backend-flush.js	2017-06-26 06:51:42 UTC (rev 218801)
@@ -0,0 +1,14 @@
+function assert(b) {
+    if (!b)
+        throw new Error("Bad")
+}
+
+function foo(x) {
+    return x === parseInt(x, 10);
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; i++) {
+    assert(!foo(`${i}`));
+    assert(foo(i));
+}
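Review bot: The test only drives the radix form, `parseInt(x, 10)`, yet the accompanying DFGSpeculativeJIT.cpp change also reorders the flush in the no-radix untyped path (`operationParseIntNoRadixGeneric`), so that second path is left unexercised by this regression test. Adding a parallel `bar(x)` that calls `parseInt(x)` without a radix and asserting it inside the same loop would cover it, assuming the no-radix form reaches that intrinsic branch in the DFG — the node shape is not visible from this page. A one-line header such as `// Regression test for webkit.org/b/170865: the DFG ParseInt intrinsic must obtain its operand registers before flushRegisters().` would also tell a future reader why a string compared with `===` against its parseInt result is the interesting case.
```javascript
function bar(x) {
    return x === parseInt(x);
}
noInline(bar);

// … unchanged: assert / foo definitions …
for (let i = 0; i < 10000; i++) {
    assert(!foo(`${i}`));
    assert(foo(i));
    assert(!bar(`${i}`));
    assert(bar(i));
}
```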

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (218800 => 218801)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-06-25 21:41:51 UTC (rev 218800)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-06-26 06:51:42 UTC (rev 218801)
@@ -1,3 +1,17 @@
+2017-04-14  Saam Barati  <sbar...@apple.com>
+
+        ParseInt intrinsic in DFG backend doesn't properly flush its operands
+        https://bugs.webkit.org/show_bug.cgi?id=170865
+
+        Reviewed by Mark Lam and Geoffrey Garen.
+
+        The DFG backend code needed to first call .gpr()/.jsValueRegs()
+        before calling flushRegisters(), or the input JSValueOperand would
+        not be flushed.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileParseInt):
+
 2017-06-16  Konstantin Tokarev  <annu...@yandex.ru>
 
         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (218800 => 218801)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-06-25 21:41:51 UTC (rev 218800)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-06-26 06:51:42 UTC (rev 218801)
@@ -3139,13 +3139,16 @@
         GPRReg radixGPR = radix.gpr();
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand value(this, node->child1());
-
-            flushRegisters();
 #if USE(JSVALUE64)
-            callOperation(operationParseIntGeneric, resultRegs.gpr(), value.gpr(), radixGPR);
+            auto result = resultRegs.gpr();
+            auto valueReg = value.gpr();
 #else
-            callOperation(operationParseIntGeneric, resultRegs, value.jsValueRegs(), radixGPR);
+            auto result = resultRegs;
+            auto valueReg = value.jsValueRegs();
 #endif
+
+            flushRegisters();
+            callOperation(operationParseIntGeneric, result, valueReg, radixGPR);
             m_jit.exceptionCheck();
         } else {
             SpeculateCellOperand value(this, node->child1());
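Review bot: The correctness of the new code rests purely on statement order — `auto valueReg = value.gpr();` (and `value.jsValueRegs()` on the 32-bit side) must come before `flushRegisters();` — and nothing in the hunk records that constraint, so a later tidy-up that hoists the flush back above the register requests would silently reintroduce the bug this commit fixes. I would put a comment directly above the flush: `// Request the operand registers before flushRegisters(); an operand whose register is first materialized after the flush is never flushed (webkit.org/b/170865).` The `else` branch that begins at the end of the hunk already takes `valueGPR = value.gpr()` ahead of its flush, so the same comment (or a shared one at the top of the function) would document both arms. compileParseInt starts before this hunk, so the `resultRegs` declaration and any existing function-level comment are not visible here.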
@@ -3152,24 +3155,28 @@
             GPRReg valueGPR = value.gpr();
             speculateString(node->child1(), valueGPR);
 
-            flushRegisters();
 #if USE(JSVALUE64)
-            callOperation(operationParseIntString, resultRegs.gpr(), valueGPR, radixGPR);
+            auto result = resultRegs.gpr();
 #else
-            callOperation(operationParseIntString, resultRegs, valueGPR, radixGPR);
+            auto result = resultRegs;
 #endif
+
+            flushRegisters();
+            callOperation(operationParseIntString, result, valueGPR, radixGPR);
             m_jit.exceptionCheck();
         }
     } else {
         if (node->child1().useKind() == UntypedUse) {
             JSValueOperand value(this, node->child1());
-
-            flushRegisters();
 #if USE(JSVALUE64)
-            callOperation(operationParseIntNoRadixGeneric, resultRegs.gpr(), value.jsValueRegs());
+            auto result = resultRegs.gpr();
 #else
-            callOperation(operationParseIntNoRadixGeneric, resultRegs, value.jsValueRegs());
+            auto result = resultRegs;
 #endif
+            JSValueRegs valueRegs = value.jsValueRegs();
+
+            flushRegisters();
+            callOperation(operationParseIntNoRadixGeneric, result, valueRegs);
             m_jit.exceptionCheck();
         } else {
             SpeculateCellOperand value(this, node->child1());
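Review bot: The final `else` branch — the no-radix string path starting at `SpeculateCellOperand value(this, node->child1());` — has its body outside this hunk, so this page does not show whether that arm also obtains `value.gpr()` before its `flushRegisters()`; please confirm it follows the same ordering as the three arms rewritten here, since the bug is one of ordering and a single unfixed arm would remain vulnerable to the same stale-operand behaviour. As a matter of style, the `#if USE(JSVALUE64)` / `auto result = resultRegs.gpr();` / `#else` / `auto result = resultRegs;` selection is now repeated verbatim in every arm; if `resultRegs` is declared ahead of the outer branch (not visible here) a single `result` binding computed once at the top of compileParseInt would remove the duplication. compileParseInt both starts before and ends after this hunk.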