Changeset 204403 in webkit
- Timestamp:
- Aug 11, 2016 8:38:54 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 3 edited
-
JSTests/ChangeLog (modified) (1 diff)
-
JSTests/stress/OverrideHasInstance-should-not-branch-across-register-allocations.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r204388 r204403 1 2016-08-11 Mark Lam <mark.lam@apple.com> 2 3 OverridesHasInstance should not branch across register allocations. 4 https://bugs.webkit.org/show_bug.cgi?id=160792 5 <rdar://problem/27361778> 6 7 Reviewed by Benjamin Poulain. 8 9 * stress/OverrideHasInstance-should-not-branch-across-register-allocations.js: Added. 10 1 11 2016-08-11 Mark Lam <mark.lam@apple.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r204402 r204403 1 2016-08-11 Mark Lam <mark.lam@apple.com> 2 3 OverridesHasInstance should not branch across register allocations. 4 https://bugs.webkit.org/show_bug.cgi?id=160792 5 <rdar://problem/27361778> 6 7 Reviewed by Benjamin Poulain. 8 9 The OverrideHasInstance node has a branch test that is emitted conditionally. 10 It also has a bug where it allocated a register after this branch, which is not 11 allowed and would fail an assertion introduced in https://trac.webkit.org/r145931. 12 From the ChangeLog for r145931: 13 14 "This [assertion that register allocations are not branched around] protects 15 against the case where an allocation could have spilled register contents to free 16 up a register and that spill only occurs on one path of many through the code. 17 A subsequent fill of the spilled register may load garbage." 18 19 Because the branch isn't always emitted, this bug has gone unnoticed until now. 20 This patch fixes this issue by pre-allocating the registers before emitting the 21 branch in OverrideHasInstance. 22 23 Note: this issue is only present in DFGSpeculativeJIT64.cpp. The 32-bit version 24 is doing it right. 25 26 * dfg/DFGSpeculativeJIT64.cpp: 27 (JSC::DFG::SpeculativeJIT::compile): 28 1 29 2016-08-11 Benjamin Poulain <bpoulain@apple.com> 2 30 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r204140 r204403 4576 4576 4577 4577 GPRReg resultGPR = result.gpr(); 4578 GPRReg baseGPR = base.gpr(); 4578 4579 4579 4580 // It would be great if constant folding handled automatically the case where we knew the hasInstance function 4580 4581 // was a constant. Unfortunately, the folding rule for OverridesHasInstance is in the strength reduction phase 4581 4582 // since it relies on OSR information. https://bugs.webkit.org/show_bug.cgi?id=154832 4582 if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell()) 4583 notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValue.gpr(), TrustedImmPtr(defaultHasInstanceFunction)); 4583 if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell()) { 4584 GPRReg hasInstanceValueGPR = hasInstanceValue.gpr(); 4585 notDefault = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueGPR, TrustedImmPtr(defaultHasInstanceFunction)); 4586 } 4584 4587 4585 4588 // Check that base 'ImplementsDefaultHasInstance'. 4586 m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base .gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);4589 m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR); 4587 4590 m_jit.or32(TrustedImm32(ValueFalse), resultGPR); 4588 4591 MacroAssembler::Jump done = m_jit.jump();
Note: See TracChangeset
for help on using the changeset viewer.
