Modified: trunk/LayoutTests/ChangeLog (156370 => 156371)
--- trunk/LayoutTests/ChangeLog 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/LayoutTests/ChangeLog 2013-09-24 23:27:51 UTC (rev 156371)
@@ -1,3 +1,19 @@
+2013-09-24 Filip Pizlo <fpi...@apple.com>
+
+ Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
+ https://bugs.webkit.org/show_bug.cgi?id=121844
+
+ Reviewed by Mark Hahnenberg.
+
+ * js/dfg-int52-spill-expected.txt: Added.
+ * js/dfg-int52-spill-trickier-expected.txt: Added.
+ * js/dfg-int52-spill-trickier.html: Added.
+ * js/dfg-int52-spill.html: Added.
+ * js/script-tests/dfg-int52-spill-trickier.js: Added.
+ (foo):
+ * js/script-tests/dfg-int52-spill.js: Added.
+ (foo):
+
2013-09-24 Alexey Proskuryakov <a...@apple.com>
Flaky Test: compositing/reflections/load-video-in-reflection.html
Added: trunk/LayoutTests/js/dfg-int52-spill-expected.txt (0 => 156371)
--- trunk/LayoutTests/js/dfg-int52-spill-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dfg-int52-spill-expected.txt 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,10 @@
+Tests that spilling an int52 works.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(2000000000, array) is 209000001908 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/dfg-int52-spill-trickier-expected.txt (0 => 156371)
--- trunk/LayoutTests/js/dfg-int52-spill-trickier-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dfg-int52-spill-trickier-expected.txt 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,10 @@
+Tests that spilling an int52 works for a program that is more tricky and wouldn't be subject to reassociation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(2000000000, array) is 120000003788 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/dfg-int52-spill-trickier.html (0 => 156371)
--- trunk/LayoutTests/js/dfg-int52-spill-trickier.html (rev 0)
+++ trunk/LayoutTests/js/dfg-int52-spill-trickier.html 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
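Review bot: All three `<script src=""` elements in this file (and the same three in dfg-int52-spill.html just below) have an empty src and no closing `</script>` as rendered here, so the page as shown would load neither the harness that provides `description`/`dfgShouldBe` nor the script-test file itself. This is most likely the attribute values being dropped by the page rendering rather than what was committed, but it is worth confirming against the actual file, since a test page that loads nothing would emit no PASS lines and never reach TEST COMPLETE, failing the new expectations silently.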
Added: trunk/LayoutTests/js/dfg-int52-spill.html (0 => 156371)
--- trunk/LayoutTests/js/dfg-int52-spill.html (rev 0)
+++ trunk/LayoutTests/js/dfg-int52-spill.html 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/dfg-int52-spill-trickier.js (0 => 156371)
--- trunk/LayoutTests/js/script-tests/dfg-int52-spill-trickier.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-int52-spill-trickier.js 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,103 @@
+description(
+"Tests that spilling an int52 works for a program that is more tricky and wouldn't be subject to reassociation."
+);
+
+function foo(x, a) {
+ var y0 = a[47 + 0] + 3000000000;
+ var y1 = a[47 + 1] + 3000000000;
+ var y2 = a[47 + 2] + 3000000000;
+ var y3 = a[47 + 3] + 3000000000;
+ var y4 = a[47 + 4] + 3000000000;
+ var y5 = a[47 + 5] + 3000000000;
+ var y6 = a[47 + 6] + 3000000000;
+ var y7 = a[47 + 7] + 3000000000;
+ var y8 = a[47 + 8] + 3000000000;
+ var y9 = a[47 + 9] + 3000000000;
+ var y10 = a[47 + 10] + 3000000000;
+ var y11 = a[47 + 11] + 3000000000;
+ var y12 = a[47 + 12] + 3000000000;
+ var y13 = a[47 + 13] + 3000000000;
+ var y14 = a[47 + 14] + 3000000000;
+ var y15 = a[47 + 15] + 3000000000;
+ var y16 = a[47 + 16] + 3000000000;
+ var y17 = a[47 + 17] + 3000000000;
+ var y18 = a[47 + 18] + 3000000000;
+ var y19 = a[47 + 19] + 3000000000;
+ var y20 = a[47 + 20] + 3000000000;
+ var y21 = a[47 + 21] + 3000000000;
+ var y22 = a[47 + 22] + 3000000000;
+ var y23 = a[47 + 23] + 3000000000;
+ var y24 = a[47 + 24] + 3000000000;
+ var y25 = a[47 + 25] + 3000000000;
+ var y26 = a[47 + 26] + 3000000000;
+ var y27 = a[47 + 27] + 3000000000;
+ var y28 = a[47 + 28] + 3000000000;
+ var y29 = a[47 + 29] + 3000000000;
+ var y30 = a[47 + 30] + 3000000000;
+ var y31 = a[47 + 31] + 3000000000;
+ var y32 = a[47 + 32] + 3000000000;
+ var y33 = a[47 + 33] + 3000000000;
+ var y34 = a[47 + 34] + 3000000000;
+ var y35 = a[47 + 35] + 3000000000;
+ var y36 = a[47 + 36] + 3000000000;
+ var y37 = a[47 + 37] + 3000000000;
+ var y38 = a[47 + 38] + 3000000000;
+ var y39 = a[47 + 39] + 3000000000;
+
+ var b = a[1];
+ var c = a[2];
+ var d = a[3];
+ var e = a[4];
+ var f = a[5];
+ var g = a[6];
+ var h = a[7];
+ var i = a[8];
+ var j = a[9];
+ var k = a[10];
+ var l = a[11];
+ var m = a[12];
+ var n = a[13];
+ var o = a[14];
+ var p = a[15];
+ var q = a[16];
+ var r = a[17];
+ var s = a[18];
+ var t = a[19];
+ var u = a[20];
+ var v = a[21];
+ var w = a[22];
+ var A = a[23];
+ var B = a[24];
+ var C = a[25];
+ var D = a[26];
+ var E = a[27];
+ var F = a[28];
+ var G = a[29];
+ var H = a[30];
+ var I = a[31];
+ var J = a[32];
+ var K = a[33];
+ var L = a[34];
+ var M = a[35];
+ var N = a[36];
+ var O = a[37];
+ var P = a[38];
+ var Q = a[39];
+ var R = a[40];
+ var S = a[41];
+ var T = a[42];
+ var U = a[43];
+ var V = a[44];
+ var W = a[45];
+ var X = a[46];
+ var Y = a[47];
+ var Z = a[0];
+
+ return b + c + d + e + f + g + h + i + j + k + l + m + n + o + p + q + r + s + t + u + v + w + A + B + C + D + E + F + G + H + I + J + K + L + M + N + O + P + Q + R + S + T + U + V + W + X + Y + Z + y0 + y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8 + y9 + y10 + y11 + y12 + y13 + y14 + y15 + y16 + y17 + y18 + y19 + y20 + y21 + y22 + y23 + y24 + y25 + y26 + y27 + y28 + y29 + y30 + y31 + y32 + y33 + y34 + y35 + y36 + y37 + y38 + y39;
+}
+
+var array = [];
+for (var i = 0; i < 100; ++i)
+ array[i] = i;
+
+dfgShouldBe(foo, "foo(2000000000, array)", "120000003788");
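Review bot: The expected value `"120000003788"` on the `dfgShouldBe` line is an opaque literal; a comment above it recording the derivation lets a reader check it without re-running the test: `// 40 * 3000000000 + sum(47..86) + sum(0..47) = 120000000000 + 2660 + 1128`. The same applies to `"209000001908"` in dfg-int52-spill.js below, where with `y = 5000000000` the return is `y + 4000000000 + sum(0..47) + 40 * y + sum(0..39)`, i.e. `9000000000 + 1128 + 200000000000 + 780`. Note also that `x` is unused in this file's `foo`, presumably so both tests share the same call shape; a one-line comment saying so would stop a reader from taking it for an oversight.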
Added: trunk/LayoutTests/js/script-tests/dfg-int52-spill.js (0 => 156371)
--- trunk/LayoutTests/js/script-tests/dfg-int52-spill.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-int52-spill.js 2013-09-24 23:27:51 UTC (rev 156371)
@@ -0,0 +1,104 @@
+description(
+"Tests that spilling an int52 works."
+);
+
+function foo(x, a) {
+ var y = x + 3000000000;
+ var y0 = y + 0;
+ var y1 = y + 1;
+ var y2 = y + 2;
+ var y3 = y + 3;
+ var y4 = y + 4;
+ var y5 = y + 5;
+ var y6 = y + 6;
+ var y7 = y + 7;
+ var y8 = y + 8;
+ var y9 = y + 9;
+ var y10 = y + 10;
+ var y11 = y + 11;
+ var y12 = y + 12;
+ var y13 = y + 13;
+ var y14 = y + 14;
+ var y15 = y + 15;
+ var y16 = y + 16;
+ var y17 = y + 17;
+ var y18 = y + 18;
+ var y19 = y + 19;
+ var y20 = y + 20;
+ var y21 = y + 21;
+ var y22 = y + 22;
+ var y23 = y + 23;
+ var y24 = y + 24;
+ var y25 = y + 25;
+ var y26 = y + 26;
+ var y27 = y + 27;
+ var y28 = y + 28;
+ var y29 = y + 29;
+ var y30 = y + 30;
+ var y31 = y + 31;
+ var y32 = y + 32;
+ var y33 = y + 33;
+ var y34 = y + 34;
+ var y35 = y + 35;
+ var y36 = y + 36;
+ var y37 = y + 37;
+ var y38 = y + 38;
+ var y39 = y + 39;
+
+ var b = a[1];
+ var c = a[2];
+ var d = a[3];
+ var e = a[4];
+ var f = a[5];
+ var g = a[6];
+ var h = a[7];
+ var i = a[8];
+ var j = a[9];
+ var k = a[10];
+ var l = a[11];
+ var m = a[12];
+ var n = a[13];
+ var o = a[14];
+ var p = a[15];
+ var q = a[16];
+ var r = a[17];
+ var s = a[18];
+ var t = a[19];
+ var u = a[20];
+ var v = a[21];
+ var w = a[22];
+ var A = a[23];
+ var B = a[24];
+ var C = a[25];
+ var D = a[26];
+ var E = a[27];
+ var F = a[28];
+ var G = a[29];
+ var H = a[30];
+ var I = a[31];
+ var J = a[32];
+ var K = a[33];
+ var L = a[34];
+ var M = a[35];
+ var N = a[36];
+ var O = a[37];
+ var P = a[38];
+ var Q = a[39];
+ var R = a[40];
+ var S = a[41];
+ var T = a[42];
+ var U = a[43];
+ var V = a[44];
+ var W = a[45];
+ var X = a[46];
+ var Y = a[47];
+ var Z = a[0];
+
+ return y + 4000000000 + b + c + d + e + f + g + h + i + j + k + l + m + n + o + p + q + r + s + t + u + v + w + A + B + C + D + E + F + G + H + I + J + K + L + M + N + O + P + Q + R + S + T + U + V + W + X + Y + Z + y0 + y1 + y2 + y3 + y4 + y5 + y6 + y7 + y8 + y9 + y10 + y11 + y12 + y13 + y14 + y15 + y16 + y17 + y18 + y19 + y20 + y21 + y22 + y23 + y24 + y25 + y26 + y27 + y28 + y29 + y30 + y31 + y32 + y33 + y34 + y35 + y36 + y37 + y38 + y39;
+}
+
+var array = [];
+for (var i = 0; i < 48; ++i)
+ array[i] = i;
+
+dfgShouldBe(foo, "foo(2000000000, array)", "209000001908");
Modified: trunk/Source/_javascript_Core/ChangeLog (156370 => 156371)
--- trunk/Source/_javascript_Core/ChangeLog 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-09-24 23:27:51 UTC (rev 156371)
@@ -1,3 +1,19 @@
+2013-09-24 Filip Pizlo <fpi...@apple.com>
+
+ Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
+ https://bugs.webkit.org/show_bug.cgi?id=121844
+
+ Reviewed by Mark Hahnenberg.
+
+ Fix some int52 bugs that caused this.
+
+ * bytecode/ValueRecovery.h:
+ (JSC::ValueRecovery::dumpInContext): There's no such thing as int53.
+ * dfg/DFGSpeculativeJIT.h:
+ (JSC::DFG::SpeculativeJIT::spill): Actually spill int52's, instead of hitting an assert and crashing.
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): Use the right format (from before when we clobber it).
+
2013-09-24 Mark Rowe <mr...@apple.com>
<rdar://problem/14971518> WebKit should build against the Xcode default toolchain when targeting OS X 10.8
Modified: trunk/Source/_javascript_Core/bytecode/ValueRecovery.h (156370 => 156371)
--- trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2013-09-24 23:27:51 UTC (rev 156371)
@@ -331,7 +331,7 @@
out.print("int32(", gpr(), ")");
return;
case UnboxedInt52InGPR:
- out.print("int53(", gpr(), ")");
+ out.print("int52(", gpr(), ")");
return;
case UnboxedStrictInt52InGPR:
out.print("strictInt52(", gpr(), ")");
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (156370 => 156371)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2013-09-24 23:27:51 UTC (rev 156371)
@@ -513,6 +513,13 @@
info.spill(*m_stream, spillMe, DataFormatDouble);
return;
}
+
+ case DataFormatInt52:
+ case DataFormatStrictInt52: {
+ m_jit.store64(info.gpr(), JITCompiler::addressFor(spillMe));
+ info.spill(*m_stream, spillMe, spillFormat);
+ return;
+ }
default:
// The following code handles JSValues, int32s, and cells.
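Review bot: The new `DataFormatInt52`/`DataFormatStrictInt52` case stores the register's raw 64 bits and records `spillFormat` as-is, which is what later lets a fill tell the shifted Int52 form from the strict one (the `rshift64` by `JSValue::int52ShiftAmount` in DFGSpeculativeJIT64.cpp is keyed on exactly that format); a comment would make that dependency visible, e.g. `// Store the raw 64-bit payload and keep the format, so fill knows whether it is the shifted Int52 or the strict form.` `spillFormat` is declared before this hunk, as is the start of `spill`, so I can't confirm here that it still holds `info.registerFormat()` rather than a value already adjusted by the earlier cases; the Double case just above passes `DataFormatDouble` literally, so the asymmetry is worth a glance.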
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (156370 => 156371)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2013-09-24 23:27:51 UTC (rev 156371)
@@ -919,6 +919,7 @@
case DataFormatInt52: {
GPRReg gpr = info.gpr();
GPRReg result;
+ DataFormat oldFormat = info.registerFormat();
if (m_gprs.isLocked(gpr)) {
result = allocate();
m_jit.move(gpr, result);
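Review bot: `DataFormat oldFormat = info.registerFormat();` is only meaningful because something between this hunk and the next rewrites info's register format before the `oldFormat == DataFormatInt52` test in the second hunk; the line deserves a comment saying so, e.g. `// Snapshot the format now: the fill below updates info's format, and the shift decision must use the pre-fill value.` Without it a later cleanup could fold the variable back into `info.registerFormat()` and reintroduce the crash this commit fixes. `fillSpeculateInt32Internal` begins before this hunk and the statement that changes the format lies between the two hunks, so the clobber is inferred from the ChangeLog entry rather than visible here.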
@@ -928,7 +929,7 @@
result = gpr;
}
RELEASE_ASSERT(!(type & ~SpecMachineInt));
- if (info.registerFormat() == DataFormatInt52)
+ if (oldFormat == DataFormatInt52)
m_jit.rshift64(TrustedImm32(JSValue::int52ShiftAmount), result);
if (type & SpecInt52) {
GPRReg temp = allocate();
Modified: trunk/Tools/ChangeLog (156370 => 156371)
--- trunk/Tools/ChangeLog 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Tools/ChangeLog 2013-09-24 23:27:51 UTC (rev 156371)
@@ -1,3 +1,12 @@
+2013-09-24 Filip Pizlo <fpi...@apple.com>
+
+ Crashing under JSC::DFG::SpeculativeJIT::spill visiting citicards.com
+ https://bugs.webkit.org/show_bug.cgi?id=121844
+
+ Reviewed by Mark Hahnenberg.
+
+ * Scripts/run-_javascript_core-tests: Be more clear about what test suite failed.
+
2013-09-24 Alexey Proskuryakov <a...@apple.com>
[Mac][WK2] Multiple font tests fail is there is a global setting for font antialiasing threshold
Modified: trunk/Tools/Scripts/run-_javascript_core-tests (156370 => 156371)
--- trunk/Tools/Scripts/run-_javascript_core-tests 2013-09-24 23:18:05 UTC (rev 156370)
+++ trunk/Tools/Scripts/run-_javascript_core-tests 2013-09-24 23:27:51 UTC (rev 156371)
@@ -306,13 +306,13 @@
my $numJSCrashes = @layoutJSCrashList;
if ($numJSFailures) {
- print "\n** The following js test failures have been introduced:\n";
+ print "\n** The following LayoutTests/js test failures have been introduced:\n";
foreach my $testFailure (@layoutJSFailList) {
print "\t$testFailure";
}
}
if ($numJSCrashes) {
- print "\n** The following js test crashes have been introduced:\n";
+ print "\n** The following LayoutTests/js test crashes have been introduced:\n";
foreach my $testCrash (@layoutJSCrashList) {
print "\t$testCrash";
}
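Review bot: The two reporting blocks in this hunk are identical apart from the noun and the list they walk, and the commit has to edit both strings in lock-step; a small helper would keep the wording in one place so the next rename is made once. `$numJSFailures` and `$numJSCrashes` may still be used later in the script (its body continues outside the hunk), so keep those variables and replace only the two `if` blocks. `print "\t$testFailure"` also appears to rely on each list entry already carrying its own newline, which the hunk does not show.
```perl
# … unchanged: $numJSFailures / $numJSCrashes computed above …
sub print_introduced {
    my ($what, $list_ref) = @_;
    return unless @{$list_ref};
    print "\n** The following $what have been introduced:\n";
    print "\t$_" for @{$list_ref};
    return;
}

print_introduced('LayoutTests/js test failures', \@layoutJSFailList);
print_introduced('LayoutTests/js test crashes', \@layoutJSCrashList);
```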