Changeset 143314 in webkit
- Timestamp:
- Feb 19, 2013, 2:41:39 AM (12 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 3 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGSpeculativeJIT.cpp (modified) (2 diffs)
-
dfg/DFGSpeculativeJIT32_64.cpp (modified) (8 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r143292 r143314 1 2013-02-19 Filip Pizlo <fpizlo@apple.com> 2 3 REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms 4 https://bugs.webkit.org/show_bug.cgi?id=110184 5 6 Reviewed by Zoltan Herczeg. 7 8 32-bit backend was making all sorts of crazy assumptions, which happened to mostly 9 not break things prior to http://trac.webkit.org/changeset/143241. This brings the 10 32-bit backend's type speculation fully into compliance with what the 64-bit 11 backend does. 12 13 * dfg/DFGSpeculativeJIT.cpp: 14 (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32): 15 (JSC::DFG::SpeculativeJIT::compileValueToInt32): 16 * dfg/DFGSpeculativeJIT32_64.cpp: 17 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal): 18 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble): 19 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 20 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 21 1 22 2013-02-18 Ilya Tikhonovsky <loislo@chromium.org> 2 23 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r143242 r143314 2075 2075 2076 2076 switch (info.registerFormat()) { 2077 case DataFormatBoolean: // This type never occurs.2078 2077 case DataFormatStorage: 2079 2078 RELEASE_ASSERT_NOT_REACHED(); 2080 2079 2080 case DataFormatBoolean: 2081 2081 case DataFormatCell: 2082 2082 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); … … 2250 2250 } 2251 2251 case GeneratedOperandTypeUnknown: 2252 RELEASE_ASSERT_NOT_REACHED();2252 ASSERT(!m_compileOkay); 2253 2253 break; 2254 2254 } -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r143276 r143314 856 856 switch (info.registerFormat()) { 857 857 case DataFormatNone: { 858 858 if ((node->hasConstant() && !isInt32Constant(node)) || info.spillFormat() == DataFormatDouble) { 859 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 860 returnFormat = DataFormatInteger; 861 return allocate(); 862 } 863 859 864 if (node->hasConstant()) { 860 865 ASSERT(isInt32Constant(node)); … … 914 919 case DataFormatJSCell: 915 920 case DataFormatJSBoolean: 921 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 922 returnFormat = DataFormatInteger; 923 return allocate(); 924 916 925 case DataFormatStorage: 917 RELEASE_ASSERT_NOT_REACHED();918 919 926 default: 920 927 RELEASE_ASSERT_NOT_REACHED(); … … 960 967 info.fillDouble(*m_stream, fpr); 961 968 return fpr; 962 } else 963 RELEASE_ASSERT_NOT_REACHED(); 969 } else { 970 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 971 return fprAllocate(); 972 } 964 973 } else { 965 974 DataFormat spillFormat = info.spillFormat(); … … 1053 1062 case DataFormatNone: 1054 1063 case DataFormatStorage: 1064 RELEASE_ASSERT_NOT_REACHED(); 1065 1055 1066 case DataFormatCell: 1056 1067 case DataFormatJSCell: 1057 1068 case DataFormatBoolean: 1058 1069 case DataFormatJSBoolean: 1059 RELEASE_ASSERT_NOT_REACHED(); 1070 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1071 return fprAllocate(); 1060 1072 1061 1073 default: … … 1079 1091 if (node->hasConstant()) { 1080 1092 JSValue jsValue = valueOfJSConstant(node); 1081 ASSERT(jsValue.isCell());1082 1093 GPRReg gpr = allocate(); 1083 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1084 m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr); 1085 info.fillCell(*m_stream, gpr); 1094 if (jsValue.isCell()) { 1095 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1096 m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr); 1097 info.fillCell(*m_stream, gpr); 1098 return gpr; 1099 } 1100 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1086 1101 return gpr; 1087 1102 } … … 1125 1140 case DataFormatJSBoolean: 1126 1141 case DataFormatBoolean: 1142 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1143 return allocate(); 1144 1127 1145 case DataFormatStorage: 1128 1146 RELEASE_ASSERT_NOT_REACHED(); … … 1142 1160 VirtualRegister virtualRegister = node->virtualRegister(); 1143 1161 GenerationInfo& info = m_generationInfo[virtualRegister]; 1144 if ((node->hasConstant() && !valueOfJSConstant(node).isBoolean())1145 || !(info.isJSBoolean() || info.isUnknownJS())) {1146 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);1147 return allocate();1148 }1149 1162 1150 1163 switch (info.registerFormat()) { 1151 1164 case DataFormatNone: { 1152 1165 if (info.spillFormat() == DataFormatInteger || info.spillFormat() == DataFormatDouble) { 1166 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1167 return allocate(); 1168 } 1169 1153 1170 if (node->hasConstant()) { 1154 1171 JSValue jsValue = valueOfJSConstant(node); 1155 ASSERT(jsValue.isBoolean());1156 1172 GPRReg gpr = allocate(); 1157 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1158 m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr); 1159 info.fillBoolean(*m_stream, gpr); 1173 if (jsValue.isBoolean()) { 1174 m_gprs.retain(gpr, virtualRegister, SpillOrderConstant); 1175 m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr); 1176 info.fillBoolean(*m_stream, gpr); 1177 return gpr; 1178 } 1179 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1160 1180 return gpr; 1161 1181 } … … 1202 1222 case DataFormatJSCell: 1203 1223 case DataFormatCell: 1224 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); 1225 return allocate(); 1226 1204 1227 case DataFormatStorage: 1205 1228 RELEASE_ASSERT_NOT_REACHED();
Note:
See TracChangeset
for help on using the changeset viewer.
