Title: [172282] trunk/Source/_javascript_Core
Revision
172282
Author
mhahnenb...@apple.com
Date
2014-08-07 15:08:19 -0700 (Thu, 07 Aug 2014)

Log Message

SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
https://bugs.webkit.org/show_bug.cgi?id=135722

Reviewed by Filip Pizlo.

We should be using SpeculateStrictInt32Operand instead.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):


Modified: trunk/Source/_javascript_Core/ChangeLog (172281 => 172282)


--- trunk/Source/_javascript_Core/ChangeLog	2014-08-07 22:07:46 UTC (rev 172281)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-08-07 22:08:19 UTC (rev 172282)
@@ -1,3 +1,15 @@
+2014-08-07  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        SpeculateInt32Operand is sometimes used in a 64-bit context, which has undefined behavior
+        https://bugs.webkit.org/show_bug.cgi?id=135722
+
+        Reviewed by Filip Pizlo.
+
+        We should be using SpeculateStrictInt32Operand instead.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2014-08-07  Benjamin Poulain  <bpoul...@apple.com>
 
         Get rid of INPUT_SPEECH

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (172281 => 172282)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-08-07 22:07:46 UTC (rev 172281)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-08-07 22:08:19 UTC (rev 172282)
@@ -4721,7 +4721,7 @@
     }
     case HasIndexedProperty: {
         SpeculateCellOperand base(this, node->child1());
-        SpeculateInt32Operand index(this, node->child2());
+        SpeculateStrictInt32Operand index(this, node->child2());
         GPRResult result(this);
 
         GPRReg baseGPR = base.gpr();
@@ -4806,7 +4806,7 @@
 
         SpeculateCellOperand base(this, baseEdge);
         SpeculateCellOperand property(this, propertyEdge);
-        SpeculateInt32Operand index(this, indexEdge);
+        SpeculateStrictInt32Operand index(this, indexEdge);
         SpeculateCellOperand enumerator(this, enumeratorEdge);
         GPRResult result(this);
         GPRTemporary scratch1(this);
@@ -4876,15 +4876,13 @@
     }
     case GetEnumeratorPname: {
         SpeculateCellOperand enumerator(this, node->child1());
-        SpeculateInt32Operand index(this, node->child2());
+        SpeculateStrictInt32Operand index(this, node->child2());
         GPRTemporary scratch1(this);
-        GPRTemporary scratch2(this);
         GPRResult result(this);
 
         GPRReg enumeratorGPR = enumerator.gpr();
         GPRReg indexGPR = index.gpr();
         GPRReg scratch1GPR = scratch1.gpr();
-        GPRReg scratch2GPR = scratch2.gpr();
         GPRReg resultGPR = result.gpr();
 
         MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, 
@@ -4896,9 +4894,7 @@
         inBounds.link(&m_jit);
 
         m_jit.loadPtr(MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedPropertyNamesVectorOffset()), scratch1GPR);
-        m_jit.move(indexGPR, scratch2GPR);
-        m_jit.signExtend32ToPtr(scratch2GPR, scratch2GPR);
-        m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, scratch2GPR, MacroAssembler::TimesEight), resultGPR);
+        m_jit.load64(MacroAssembler::BaseIndex(scratch1GPR, indexGPR, MacroAssembler::TimesEight), resultGPR);
 
         done.link(&m_jit);
         jsValueResult(resultGPR, node);
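Review bot: The load64 on the last added line now feeds indexGPR straight into a 64-bit BaseIndex while the only guard is the 32-bit `branch32(MacroAssembler::Below, …)` earlier in the case, so the bounds check covers only the low 32 bits and the memory safety of the load rests on SpeculateStrictInt32Operand leaving the upper 32 bits of indexGPR clear; that invariant is not stated anywhere in the hunk. I would add a comment at the load, `// index is a strict int32 (upper 32 bits of the register are zero — confirm), so it needs no sign extension before use as a 64-bit index`, so a later switch back to a boxed operand is caught in review rather than silently widening the reachable address range past the bounds check. The same operand swap in the HasIndexedProperty and GetDirectPname hunks above leaves their index use sites outside the visible hunks, so I cannot confirm whether they had a matching sign extension to drop or still widen explicitly. SpeculativeJIT::compile begins and ends outside this hunk.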