Skip to site navigation (Press enter)

[webkit-changes] [94602] branches/safari-534.51-branch/Source/JavaScriptCore

mrowe Tue, 06 Sep 2011 15:16:03 -0700

Title: [94602] branches/safari-534.51-branch/Source/_javascript_Core

Revision: 94602
Author: [email protected]
Date: 2011-09-06 15:17:07 -0700 (Tue, 06 Sep 2011)

Log Message

Merge r94478.


Modified Paths

branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog
branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp

Diff

Modified: branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog (94601 => 94602)


--- branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-09-06 22:15:38 UTC (rev 94601)
+++ branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-09-06 22:17:07 UTC (rev 94602)
@@ -1,3 +1,18 @@
+2011-09-06  Mark Rowe  <[email protected]>
+
+        Merge r94478.
+
+    2011-09-02  Filip Pizlo  <[email protected]>
+
+        DFG JIT speculation failure does recovery of additions in reverse and
+        doesn't rebox
+        https://bugs.webkit.org/show_bug.cgi?id=67551
+
+        Reviewed by Sam Weinig.
+
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
+
 2011-08-29  Lucas Forschler  <[email protected]>
 
     Merged 93934

Modified: branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (94601 => 94602)


--- branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-09-06 22:15:38 UTC (rev 94601)
+++ branches/safari-534.51-branch/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-09-06 22:17:07 UTC (rev 94602)
@@ -501,8 +501,16 @@
     if (recovery) {
         // The only additional recovery we currently support is for integer add operation
         ASSERT(recovery->type() == SpeculativeAdd);
+        ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
         // Revert the add.
         sub32(recovery->src(), recovery->dest());
+        
+        // If recovery->dest() should have been boxed prior to the addition, then rebox
+        // it.
+        DataFormat format = check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].format;
+        ASSERT(format == DataFormatInteger || format == DataFormatJSInteger || format == DataFormatJS);
+        if (format != DataFormatInteger)
+            orPtr(GPRInfo::tagTypeNumberRegister, recovery->dest());
     }
     
     // First, we need a reverse mapping that tells us, for a NodeIndex, which register

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes