Title: [133361] trunk/Source/JavaScriptCore
Revision
133361
Author
fpi...@apple.com
Date
2012-11-02 15:27:19 -0700 (Fri, 02 Nov 2012)

Log Message

DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
https://bugs.webkit.org/show_bug.cgi?id=101114

Reviewed by Gavin Barraclough.

As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.
        
This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
and used that directly. So it's good to fix it.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::typedArrayDescriptor):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (133360 => 133361)


--- trunk/Source/_javascript_Core/ChangeLog	2012-11-02 22:25:16 UTC (rev 133360)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-11-02 22:27:19 UTC (rev 133361)
@@ -1,5 +1,21 @@
 2012-11-02  Filip Pizlo  <fpi...@apple.com>
 
+        DFG::SpeculativeJIT::typedArrayDescriptor should use the Float64Array descriptor for Float64Arrays
+        https://bugs.webkit.org/show_bug.cgi?id=101114
+
+        Reviewed by Gavin Barraclough.
+
+        As in https://bugs.webkit.org/show_bug.cgi?id=101112, this was only wrong when Float64Array descriptors
+        hadn't been initialized yet. That happens rarely, but when it does happen, we would crash.
+        
+        This would also become much more wrong if we ever put type size info (num bytes, etc) in the descriptor
+        and used that directly. So it's good to fix it.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::typedArrayDescriptor):
+
+2012-11-02  Filip Pizlo  <fpi...@apple.com>
+
         JIT::privateCompileGetByVal should use the uint8ClampedArrayDescriptor for compiling accesses to Uint8ClampedArrays
         https://bugs.webkit.org/show_bug.cgi?id=101112
 

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (133360 => 133361)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2012-11-02 22:25:16 UTC (rev 133360)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2012-11-02 22:27:19 UTC (rev 133361)
@@ -337,7 +337,7 @@
     case Array::Float32Array:
         return &m_jit.globalData()->float32ArrayDescriptor();
     case Array::Float64Array:
-        return &m_jit.globalData()->float32ArrayDescriptor();
+        return &m_jit.globalData()->float64ArrayDescriptor();
     default:
         return 0;
     }
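Review bot: The fix itself is correct (the `Array::Float64Array` case now returns `float64ArrayDescriptor()` instead of the copy-pasted `float32ArrayDescriptor()`), but the surrounding switch shows why the bug was easy to introduce: every case pairs an `Array::` kind with a hand-typed descriptor accessor and nothing checks that they agree, and the `default: return 0;` means a wrong or missing case silently hands callers a null descriptor. Consider adding an assertion (or a test) that the descriptor returned for each typed-array kind matches that kind, so a future mismatch fails loudly rather than only when a descriptor happens to be uninitialized.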
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes
