Diff
Modified: tags/Safari-537.15.1/LayoutTests/ChangeLog (131796 => 131797)
--- tags/Safari-537.15.1/LayoutTests/ChangeLog 2012-10-18 20:18:00 UTC (rev 131796)
+++ tags/Safari-537.15.1/LayoutTests/ChangeLog 2012-10-18 20:24:39 UTC (rev 131797)
@@ -1,5 +1,23 @@
2012-10-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r131642.
+
+ 2012-10-17 Filip Pizlo <fpi...@apple.com>
+
+ JIT op_get_by_pname should call cti_get_by_val_generic and not cti_get_by_val
+ https://bugs.webkit.org/show_bug.cgi?id=99631
+ <rdar://problem/12483221>
+
+ Reviewed by Mark Hahnenberg.
+
+ * fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val-expected.txt: Added.
+ * fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val.html: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/get-by-pname-that-looks-like-a-patchable-get-by-val.js: Added.
+ (foo):
+
+2012-10-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r131501
2012-10-16 Filip Pizlo <fpi...@apple.com>
Copied: tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val-expected.txt (from rev 131642, trunk/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val-expected.txt) (0 => 131797)
--- tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val-expected.txt (rev 0)
+++ tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val-expected.txt 2012-10-18 20:24:39 UTC (rev 131797)
@@ -0,0 +1,10 @@
+Tests that using get_by_pname in a way that appears like a get_by_val that can be patched does not cause the patching machinery to crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo() is 300
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val.html (from rev 131642, trunk/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val.html) (0 => 131797)
--- tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val.html (rev 0)
+++ tags/Safari-537.15.1/LayoutTests/fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val.html 2012-10-18 20:24:39 UTC (rev 131797)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: tags/Safari-537.15.1/LayoutTests/fast/js/jsc-test-list (131796 => 131797)
--- tags/Safari-537.15.1/LayoutTests/fast/js/jsc-test-list 2012-10-18 20:18:00 UTC (rev 131796)
+++ tags/Safari-537.15.1/LayoutTests/fast/js/jsc-test-list 2012-10-18 20:24:39 UTC (rev 131797)
@@ -204,6 +204,7 @@
fast/js/getter-setter-gc
fast/js/get-by-pname
fast/js/get-by-pname-non-final-object
+fast/js/get-by-pname-that-looks-like-a-patchable-get-by-val
fast/js/global-resolve-through-eval
fast/js/gmail-re-re
fast/js/has-own-property
Copied: tags/Safari-537.15.1/LayoutTests/fast/js/script-tests/get-by-pname-that-looks-like-a-patchable-get-by-val.js (from rev 131642, trunk/LayoutTests/fast/js/script-tests/get-by-pname-that-looks-like-a-patchable-get-by-val.js) (0 => 131797)
--- tags/Safari-537.15.1/LayoutTests/fast/js/script-tests/get-by-pname-that-looks-like-a-patchable-get-by-val.js (rev 0)
+++ tags/Safari-537.15.1/LayoutTests/fast/js/script-tests/get-by-pname-that-looks-like-a-patchable-get-by-val.js 2012-10-18 20:24:39 UTC (rev 131797)
@@ -0,0 +1,21 @@
+description(
+"Tests that using get_by_pname in a way that appears like a get_by_val that can be patched does not cause the patching machinery to crash."
+);
+
+function foo() {
+ var o = [1, 2, 3];
+ var result = 0;
+
+ for (var i = 0; i < 100; ++i) {
+ for (var s in o) {
+ s = 0;
+ result += o[s];
+ }
+ }
+
+ return result;
+}
+
+shouldBe("foo()", "300");
+
+
Modified: tags/Safari-537.15.1/Source/_javascript_Core/ChangeLog (131796 => 131797)
--- tags/Safari-537.15.1/Source/_javascript_Core/ChangeLog 2012-10-18 20:18:00 UTC (rev 131796)
+++ tags/Safari-537.15.1/Source/_javascript_Core/ChangeLog 2012-10-18 20:24:39 UTC (rev 131797)
@@ -1,5 +1,25 @@
2012-10-18 Lucas Forschler <lforsch...@apple.com>
+ Merge r131642.
+
+ 2012-10-17 Filip Pizlo <fpi...@apple.com>
+
+ JIT op_get_by_pname should call cti_get_by_val_generic and not cti_get_by_val
+ https://bugs.webkit.org/show_bug.cgi?id=99631
+ <rdar://problem/12483221>
+
+ Reviewed by Mark Hahnenberg.
+
+ cti_get_by_val assumes that the return address has patching metadata associated with it, which won't
+ be true for op_get_by_pname. cti_get_by_val_generic makes no such assumptions.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitSlow_op_get_by_pname):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emitSlow_op_get_by_pname):
+
+2012-10-18 Lucas Forschler <lforsch...@apple.com>
+
Merge r131501.
2012-10-16 Filip Pizlo <fpi...@apple.com>
Modified: tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess.cpp (131796 => 131797)
--- tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-10-18 20:18:00 UTC (rev 131796)
+++ tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-10-18 20:24:39 UTC (rev 131797)
@@ -278,7 +278,7 @@
linkSlowCase(iter);
linkSlowCase(iter);
- JITStubCall stubCall(this, cti_op_get_by_val);
+ JITStubCall stubCall(this, cti_op_get_by_val_generic);
stubCall.addArgument(base, regT2);
stubCall.addArgument(property, regT2);
stubCall.call(dst);
Modified: tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (131796 => 131797)
--- tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-10-18 20:18:00 UTC (rev 131796)
+++ tags/Safari-537.15.1/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-10-18 20:24:39 UTC (rev 131797)
@@ -1226,7 +1226,7 @@
linkSlowCase(iter);
linkSlowCase(iter);
- JITStubCall stubCall(this, cti_op_get_by_val);
+ JITStubCall stubCall(this, cti_op_get_by_val_generic);
stubCall.addArgument(base);
stubCall.addArgument(property);
stubCall.call(dst);
