Title: [123510] trunk/Source/_javascript_Core
- Revision
- 123510
- Author
- fpi...@apple.com
- Date
- 2012-07-24 12:47:18 -0700 (Tue, 24 Jul 2012)
Log Message
REGRESSION(r123417): It made tests assert/crash on 32 bit
https://bugs.webkit.org/show_bug.cgi?id=92088
Reviewed by Mark Hahnenberg.
The pointer arithmetic was wrong, because negative numbers are hard to think about.
* dfg/DFGRepatch.cpp:
(JSC::DFG::emitPutTransitionStub):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (123509 => 123510)
--- trunk/Source/_javascript_Core/ChangeLog 2012-07-24 19:45:17 UTC (rev 123509)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-07-24 19:47:18 UTC (rev 123510)
@@ -1,3 +1,17 @@
+2012-07-24 Filip Pizlo <fpi...@apple.com>
+
+ REGRESSION(r123417): It made tests assert/crash on 32 bit
+ https://bugs.webkit.org/show_bug.cgi?id=92088
+
+ Reviewed by Mark Hahnenberg.
+
+ The pointer arithmetic was wrong, because negative numbers are hard to think about.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::emitPutTransitionStub):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+
2012-07-24 Patrick Gansterer <par...@webkit.org>
Store the full year in GregorianDateTime
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (123509 => 123510)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-07-24 19:45:17 UTC (rev 123509)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-07-24 19:47:18 UTC (rev 123510)
@@ -839,8 +839,8 @@
stubJit.addPtr(MacroAssembler::TrustedImm32(sizeof(JSValue)), scratchGPR1);
// We have scratchGPR1 = new storage, scratchGPR3 = old storage, scratchGPR2 = available
for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(oldSize); offset += sizeof(void*)) {
- stubJit.loadPtr(MacroAssembler::Address(scratchGPR3, -(offset + sizeof(JSValue) * 2)), scratchGPR2);
- stubJit.storePtr(scratchGPR2, MacroAssembler::Address(scratchGPR1, -(offset + sizeof(JSValue) * 2)));
+ stubJit.loadPtr(MacroAssembler::Address(scratchGPR3, -(offset + sizeof(JSValue) + sizeof(void*))), scratchGPR2);
+ stubJit.storePtr(scratchGPR2, MacroAssembler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
}
}
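Review bot: The new displacement `-(offset + sizeof(JSValue) + sizeof(void*))` in the loadPtr/storePtr pair mixes the signed `offset` with unsigned `sizeof` results, so on typical targets the sum is computed as `size_t` and the unary minus is applied to an unsigned value. The negative displacement then only comes out right through modular wraparound and the narrowing conversion into the Address offset. Because this emitted loop copies property storage word by word, and a wrong displacement here is what crashed the 32-bit tests, I would keep the arithmetic signed: `-(offset + static_cast<ptrdiff_t>(sizeof(JSValue) + sizeof(void*)))`. The same expression appears in the DFGSpeculativeJIT.cpp hunk (compileReallocatePropertyStorage) and should get the same change. The enclosing function starts and ends outside this hunk.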
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (123509 => 123510)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-07-24 19:45:17 UTC (rev 123509)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-07-24 19:47:18 UTC (rev 123510)
@@ -3197,8 +3197,8 @@
slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR2, newSize));
// We have scratchGPR2 = new storage, scratchGPR1 = scratch
for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(oldSize); offset += sizeof(void*)) {
- m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, -(offset + sizeof(JSValue) * 2)), scratchGPR1);
- m_jit.storePtr(scratchGPR1, JITCompiler::Address(scratchGPR2, -(offset + sizeof(JSValue) * 2)));
+ m_jit.loadPtr(JITCompiler::Address(oldStorageGPR, -(offset + sizeof(JSValue) + sizeof(void*))), scratchGPR1);
+ m_jit.storePtr(scratchGPR1, JITCompiler::Address(scratchGPR2, -(offset + sizeof(JSValue) + sizeof(void*))));
}
m_jit.storePtr(scratchGPR2, JITCompiler::Address(baseGPR, JSObject::offsetOfOutOfLineStorage()));
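Review bot: The copy loop still has no comment explaining why the first word is addressed at `-(sizeof(JSValue) + sizeof(void*))` from the storage pointer, and the commit message suggests that unexplained negative offset is what went wrong in r123417. I would add a line above the loop such as `// Storage is addressed at negative offsets; copy one pointer-sized word per iteration, first word at -(sizeof(JSValue) + sizeof(void*)).` The identical expression is repeated in emitPutTransitionStub in DFGRepatch.cpp, so one shared helper or named constant for the displacement would keep the two emitted loops from drifting apart. The loop also appears to assume that `oldSize` is a multiple of `sizeof(void*)`, since otherwise the last iteration would copy past the old storage; an assertion stating that would be cheap. The enclosing function starts and ends outside this hunk.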