Title: [199025] trunk/Source/_javascript_Core
- Revision
- 199025
- Author
- [email protected]
- Date
- 2016-04-04 15:12:23 -0700 (Mon, 04 Apr 2016)
Log Message
[JSC][x86] Fix an assertion in MacroAssembler::branch8()
https://bugs.webkit.org/show_bug.cgi?id=156181
Patch by Benjamin Poulain <[email protected]> on 2016-04-04
Reviewed by Geoffrey Garen.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branch8):
The test was wrong because valid negative numbers have ones
in the top bits.
I replaced the assertion to be explicit about the valid range.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (199024 => 199025)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-04 22:10:50 UTC (rev 199024)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-04 22:12:23 UTC (rev 199025)
@@ -1,3 +1,17 @@
+2016-04-04 Benjamin Poulain <[email protected]>
+
+ [JSC][x86] Fix an assertion in MacroAssembler::branch8()
+ https://bugs.webkit.org/show_bug.cgi?id=156181
+
+ Reviewed by Geoffrey Garen.
+
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::branch8):
+ The test was wrong because valid negative numbers have ones
+ in the top bits.
+
+ I replaced the assertion to be explicit about the valid range.
+
2016-04-04 Chris Dumez <[email protected]>
Regression(r196145): Crash in getOwnPropertyDescriptor on http://www.history.com/shows/vikings
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h (199024 => 199025)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2016-04-04 22:10:50 UTC (rev 199024)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2016-04-04 22:12:23 UTC (rev 199025)
@@ -2228,7 +2228,7 @@
Jump branch8(RelationalCondition cond, BaseIndex left, TrustedImm32 right)
{
- ASSERT(!(right.m_value & 0xFFFFFF00));
+ ASSERT(std::numeric_limits<int8_t>::min() <= right.m_value && right.m_value <= std::numeric_limits<int8_t>::max());
m_assembler.cmpb_im(right.m_value, left.offset, left.base, left.index, left.scale);
return Jump(m_assembler.jCC(x86Condition(cond)));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes