Title: [143800] trunk/Source/JavaScriptCore
Revision: 143800
Author: fpi...@apple.com
Date: 2013-02-22 14:38:14 -0800 (Fri, 22 Feb 2013)

Log Message

REGRESSION(r143654): some fast/js test crashes on 32 bit build
https://bugs.webkit.org/show_bug.cgi?id=110590

Reviewed by Mark Hahnenberg.
        
In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
r143314 due to a merge goof.
        
In speculateNumber, we were simply forgetting to indicate that we need a
ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
be passed whenever you will be performing the type checks yourself rather than
using the operand class to do it for you.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::speculateNumber):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (143799 => 143800)


--- trunk/Source/_javascript_Core/ChangeLog	2013-02-22 22:30:32 UTC (rev 143799)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-22 22:38:14 UTC (rev 143800)
@@ -1,3 +1,22 @@
+2013-02-22  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION(r143654): some fast/js test crashes on 32 bit build
+        https://bugs.webkit.org/show_bug.cgi?id=110590
+
+        Reviewed by Mark Hahnenberg.
+        
+        In compileValueToInt32, the refactoring in r143654 undid one of the fixes from
+        r143314 due to a merge goof.
+        
+        In speculateNumber, we were simply forgetting to indicate that we need a
+        ManualOperandSpeculation on a JSValueOperand. ManualOperandSpeculation should
+        be passed whenever you will be performing the type checks yourself rather than
+        using the operand class to do it for you.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+        (JSC::DFG::SpeculativeJIT::speculateNumber):
+
 2013-02-22  Geoffrey Garen  <gga...@apple.com>
 
         Not reviewed.
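Review bot: The entry says the r143654 refactoring undid "one of the fixes from r143314" in compileValueToInt32 but never names the fix. State the restored behaviour in the entry (presumably the `GeneratedOperandTypeUnknown` case asserting `!m_compileOkay` rather than being treated as unreachable) so the next merge through this function has something concrete to check against. The two separator lines inside the added entry also carry trailing whitespace.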

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (143799 => 143800)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-02-22 22:30:32 UTC (rev 143799)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-02-22 22:38:14 UTC (rev 143800)
@@ -2288,7 +2288,7 @@
             return;
         }
         case GeneratedOperandTypeUnknown:
-            RELEASE_ASSERT_NOT_REACHED();
+            RELEASE_ASSERT(!m_compileOkay);
             return;
         }
         RELEASE_ASSERT_NOT_REACHED();
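Review bot: The `GeneratedOperandTypeUnknown` case now asserts `!m_compileOkay` with no comment saying why that state is legitimate here, and the log message says this same change was already lost once in a merge. Add a one-line comment above the assert explaining that the unknown operand type is expected only after compilation has already been flagged as failed, so a later refactoring does not turn it back into `RELEASE_ASSERT_NOT_REACHED()`.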
@@ -3944,7 +3944,7 @@
         m_jit.branchTest64(MacroAssembler::Zero, operand.gpr(), GPRInfo::tagTypeNumberRegister));
     isInteger.link(&m_jit);
 #else
-    JSValueOperand op1(this, edge);
+    JSValueOperand op1(this, edge, ManualOperandSpeculation);
     JITCompiler::Jump isInteger = m_jit.branch32(MacroAssembler::Equal, operand.tagGPR(), TrustedImm32(JSValue::Int32Tag));
     typeCheck(
         JSValueRegs(operand.tagGPR(), op1.payloadGPR()), edge, SpecNumber,
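Review bot: In the `#else` branch, `op1` is used only for `op1.payloadGPR()`, while the tag in the `branch32` line and in `JSValueRegs(...)` comes from `operand.tagGPR()`, so the type check pairs registers from two different operand objects. If `operand` (declared outside this hunk) wraps the same `edge`, drop `op1` and use `operand.payloadGPR()`; otherwise use `op1` for both tag and payload, so that the `ManualOperandSpeculation` argument added here applies to the registers actually being checked.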