Title: [112164] trunk/Source/_javascript_Core
- Revision
- 112164
- Author
- [email protected]
- Date
- 2012-03-26 15:58:35 -0700 (Mon, 26 Mar 2012)
Log Message
DFG should assert that argument value recoveries can only be
AlreadyInRegisterFile or Constant
https://bugs.webkit.org/show_bug.cgi?id=82249
Reviewed by Michael Saboff.
Made the assertions that the DFG makes for argument value recoveries match
what Arguments expects.
* bytecode/ValueRecovery.h:
(JSC::ValueRecovery::isConstant):
(ValueRecovery):
(JSC::ValueRecovery::isAlreadyInRegisterFile):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (112163 => 112164)
--- trunk/Source/_javascript_Core/ChangeLog 2012-03-26 22:57:22 UTC (rev 112163)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-03-26 22:58:35 UTC (rev 112164)
@@ -1,3 +1,21 @@
+2012-03-26 Filip Pizlo <[email protected]>
+
+ DFG should assert that argument value recoveries can only be
+ AlreadyInRegisterFile or Constant
+ https://bugs.webkit.org/show_bug.cgi?id=82249
+
+ Reviewed by Michael Saboff.
+
+ Made the assertions that the DFG makes for argument value recoveries match
+ what Arguments expects.
+
+ * bytecode/ValueRecovery.h:
+ (JSC::ValueRecovery::isConstant):
+ (ValueRecovery):
+ (JSC::ValueRecovery::isAlreadyInRegisterFile):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2012-03-26 Dan Bernstein <[email protected]>
Tried to fix the Windows build.
Modified: trunk/Source/_javascript_Core/bytecode/ValueRecovery.h (112163 => 112164)
--- trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2012-03-26 22:57:22 UTC (rev 112163)
+++ trunk/Source/_javascript_Core/bytecode/ValueRecovery.h 2012-03-26 22:58:35 UTC (rev 112164)
@@ -192,6 +192,8 @@
ValueRecoveryTechnique technique() const { return m_technique; }
+ bool isConstant() const { return m_technique == Constant; }
+
bool isInRegisters() const
{
switch (m_technique) {
@@ -208,6 +210,20 @@
}
}
+ bool isAlreadyInRegisterFile() const
+ {
+ switch (technique()) {
+ case AlreadyInRegisterFile:
+ case AlreadyInRegisterFileAsUnboxedInt32:
+ case AlreadyInRegisterFileAsUnboxedCell:
+ case AlreadyInRegisterFileAsUnboxedBoolean:
+ case AlreadyInRegisterFileAsUnboxedDouble:
+ return true;
+ default:
+ return false;
+ }
+ }
+
MacroAssembler::RegisterID gpr() const
{
ASSERT(m_technique == InGPR || m_technique == UnboxedInt32InGPR || m_technique == UnboxedBooleanInGPR || m_technique == UInt32InGPR);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (112163 => 112164)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-03-26 22:57:22 UTC (rev 112163)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-03-26 22:58:35 UTC (rev 112164)
@@ -954,10 +954,12 @@
int argumentCountIncludingThis = inlineCallFrame->arguments.size();
for (int i = 0; i < argumentCountIncludingThis; ++i) {
ValueRecovery recovery = computeValueRecoveryFor(m_variables[inlineCallFrame->stackOffset + CallFrame::argumentOffsetIncludingThis(i)]);
- // The recovery cannot point to registers, since the call frame reification isn't
- // as smart as OSR, so it can't handle that. The exception is the this argument,
- // which we don't really need to be able to recover.
- ASSERT(!i || !recovery.isInRegisters());
+ // The recovery should refer either to something that has already been
+ // stored into the register file at the right place, or to a constant,
+ // since the Arguments code isn't smart enough to handle anything else.
+ // The exception is the this argument, which we don't really need to be
+ // able to recover.
+ ASSERT(!i || (recovery.isAlreadyInRegisterFile() || recovery.isConstant()));
inlineCallFrame->arguments[i] = recovery;
}
break;
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
