Changeset 233473 in webkit
Timestamp:
Jul 3, 2018 12:25:54 PM (6 years ago)
Author:
mark.lam@apple.com
Message:
[32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).

https://bugs.webkit.org/show_bug.cgi?id=187255
<rdar://problem/41785257>

Reviewed by Saam Barati.

The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
too: basically, do what the 64-bit code is doing. At present, this change only
serves to pacify an assertion. It is not needed for correctness because the
concurrent GC is not used on 32-bit builds.

This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
test.

  • jit/JITOpcodes32_64.cpp:
    (JSC::JIT::emit_op_create_this):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r233467 r233473  
     12018-07-03  Mark Lam  <mark.lam@apple.com>
     2
     3        [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
     4        https://bugs.webkit.org/show_bug.cgi?id=187255
     5        <rdar://problem/41785257>
     6
     7        Reviewed by Saam Barati.
     8
     9        The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
     10        too: basically, do what the 64-bit code is doing.  At present, this change only
     11        serves to pacify an assertion.  It is not needed for correctness because the
     12        concurrent GC is not used on 32-bit builds.
     13
     14        This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
     15        test.
     16
     17        * jit/JITOpcodes32_64.cpp:
     18        (JSC::JIT::emit_op_create_this):
     19
    1202018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
    221
  • trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

    r232444 r233473  
    963963    auto butterfly = TrustedImmPtr(nullptr);
    964964    emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, scratchReg, slowCases);
     965    emitLoadPayload(callee, scratchReg);
     966    loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
     967    load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
     968    emitInitializeInlineStorage(resultReg, scratchReg);
    965969    addSlowCase(slowCases);
    966970    emitStoreCell(currentInstruction[1].u.operand, resultReg);
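Review bot: the three new loads at 965–967 dereference the callee's rare data pointer and read the allocation profile's inline capacity with no null check visible in this hunk; please confirm that the unchanged code above the hunk, which already produced allocatorReg and structureReg for emitAllocateJSObject, has taken the slow path whenever the rare data is absent, and add a one-line comment on 965 saying so, since the ChangeLog states this mirrors the 64-bit path but nothing in the code explains why the inline storage has to be initialized before the object is published. Reusing scratchReg for the callee payload, the rare data pointer and the capacity in turn before handing it to emitInitializeInlineStorage is fine given that emitAllocateJSObject on 964 has already finished with it.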