Skip to site navigation (Press enter)

[webkit-changes] [157556] trunk/Source/JavaScriptCore

fpizlo Wed, 16 Oct 2013 20:28:52 -0700

Title: [157556] trunk/Source/_javascript_Core

Revision: 157556
Author: fpi...@apple.com
Date: 2013-10-16 20:29:38 -0700 (Wed, 16 Oct 2013)

Log Message

Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
https://bugs.webkit.org/show_bug.cgi?id=122938


Reviewed by Sam Weinig.
        
This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.

* jit/Repatch.cpp:
(JSC::tryBuildGetByIDList):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/Repatch.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (157555 => 157556)


--- trunk/Source/_javascript_Core/ChangeLog	2013-10-17 03:10:47 UTC (rev 157555)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-10-17 03:29:38 UTC (rev 157556)
@@ -1,5 +1,17 @@
 2013-10-16  Filip Pizlo  <fpi...@apple.com>
 
+        Prototype chain repatching in the polymorphic case fails to check if the receiver is a dictionary
+        https://bugs.webkit.org/show_bug.cgi?id=122938
+
+        Reviewed by Sam Weinig.
+        
+        This fixes jsc-layout-tests.yaml/js/script-tests/dictionary-prototype-caching.js.layout-no-llint.
+
+        * jit/Repatch.cpp:
+        (JSC::tryBuildGetByIDList):
+
+2013-10-16  Filip Pizlo  <fpi...@apple.com>
+
         JIT::appendCall() needs to killLastResultRegister() or equivalent since there's some really bad code that expects it
         https://bugs.webkit.org/show_bug.cgi?id=122937

Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (157555 => 157556)


--- trunk/Source/_javascript_Core/jit/Repatch.cpp	2013-10-17 03:10:47 UTC (rev 157555)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp	2013-10-17 03:29:38 UTC (rev 157556)
@@ -570,7 +570,9 @@
         return listIndex < (POLYMORPHIC_LIST_CACHE_SIZE - 1);
     }
     
-    if (baseValue.asCell()->structure()->typeInfo().prohibitsPropertyCaching() || !slot.isCacheableValue())
+    if (baseValue.asCell()->structure()->typeInfo().prohibitsPropertyCaching()
+        || baseValue.asCell()->structure()->isDictionary()
+        || !slot.isCacheableValue())
         return false;
 
     PropertyOffset offset = slot.cachedOffset();

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes