Changeset 191625 in webkit
- Timestamp: Oct 27, 2015, 10:48:51 AM (10 years ago)
- Location: trunk
- Files: 3 added, 5 edited
trunk/LayoutTests/ChangeLog
r191623 r191625 1 2015-10-27 Michael Saboff <msaboff@apple.com> 2 3 REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386 4 https://bugs.webkit.org/show_bug.cgi?id=150580 5 6 Reviewed by Mark Lam. 7 8 New regression test. 9 10 * js/regress-150580-expected.txt: Added. 11 * js/regress-150580.html: Added. 12 * js/script-tests/regress-150580.js: Added. 13 (addEmUp): 14 (sumVector): 15 (test): 16 1 17 2015-10-20 Zalan Bujtas <zalan@apple.com> 2 18 -
trunk/Source/JavaScriptCore/ChangeLog
r191621 r191625 1 2015-10-27 Michael Saboff <msaboff@apple.com> 2 3 REGRESSION (r191360): Crash: com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::FTL:: + 386 4 https://bugs.webkit.org/show_bug.cgi?id=150580 5 6 Reviewed by Mark Lam. 7 8 Changed code to box 32 bit integers and booleans arguments when generating the call instead of boxing 9 them in the shuffler. 10 11 The ASSERT in CallFrameShuffler::extendFrameIfNeeded is wrong when called from CallFrameShuffler::spill(), 12 as we could be making space to spill a register so that we have a spare that we can use for the new 13 frame's base pointer. 14 15 * ftl/FTLJSTailCall.cpp: 16 (JSC::FTL::DFG::recoveryFor): Added RELEASE_ASSERT to check that we never see unboxed 32 bit 17 arguments stored in the stack. 18 * ftl/FTLLowerDFGToLLVM.cpp: 19 (JSC::FTL::DFG::LowerDFGToLLVM::exitValueForTailCall): 20 * jit/CallFrameShuffler.cpp: 21 (JSC::CallFrameShuffler::extendFrameIfNeeded): Removed unneeded ASSERT. 22 1 23 2015-10-26 Yusuke Suzuki <utatane.tea@gmail.com> 2 24 -
trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp
r191394 r191625 78 78 RELEASE_ASSERT(location.dwarfReg().reg() == Reg(MacroAssembler::framePointerRegister)); 79 79 RELEASE_ASSERT(!(location.offset() % sizeof(void*))); 80 // DataFormatInt32 and DataFormatBoolean should be already be boxed. 81 RELEASE_ASSERT(format != DataFormatInt32 && format != DataFormatBoolean); 80 82 return ValueRecovery::displacedInJSStack(VirtualRegister { static_cast<int>(location.offset() / sizeof(void*)) }, format); 81 83 -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
r191621 r191625 9008 9008 value = m_int32Values.get(node); 9009 9009 if (isValid(value)) 9010 return exitArgument(arguments, DataFormat Int32, value.value());9010 return exitArgument(arguments, DataFormatJS, boxInt32(value.value())); 9011 9011 9012 9012 value = m_booleanValues.get(node); 9013 if (isValid(value)) { 9014 LValue valueToPass = m_out.zeroExt(value.value(), m_out.int32); 9015 return exitArgument(arguments, DataFormatBoolean, valueToPass); 9016 } 9013 if (isValid(value)) 9014 return exitArgument(arguments, DataFormatJS, boxBoolean(value.value())); 9017 9015 9018 9016 // Doubles and Int52 have been converted by ValueRep() -
trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp
r190370 r191625 307 307 { 308 308 ASSERT(!m_didExtendFrame); 309 ASSERT(!isUndecided());310 309 311 310 VirtualRegister firstRead { firstOld() };
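Review bot: In trunk/Source/JavaScriptCore/ftl/FTLJSTailCall.cpp, the new comment at line 80 reads "should be already be boxed", which has a duplicated "be"; reword it to "should already be boxed". The combined RELEASE_ASSERT(format != DataFormatInt32 && format != DataFormatBoolean) at line 81 does not show which of the two formats was seen when it fires; splitting it into one RELEASE_ASSERT per format would make a crash report point at the offending case.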
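Review bot: In trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp, the two new return statements at lines 9010 and 9014 carry no comment saying why Int32 and boolean values are now passed as DataFormatJS through boxInt32() and boxBoolean(), while the case that follows has one ("Doubles and Int52 have been converted by ValueRep()"). A one-line comment in exitValueForTailCall noting that recoveryFor in FTLJSTailCall.cpp now RELEASE_ASSERTs against unboxed DataFormatInt32 and DataFormatBoolean would keep the two halves of the invariant linked for whoever edits this function next.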
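Review bot: In trunk/Source/JavaScriptCore/jit/CallFrameShuffler.cpp, removing ASSERT(!isUndecided()) at line 309 drops the check for every caller of extendFrameIfNeeded, while the ChangeLog only says it is wrong when the call comes from CallFrameShuffler::spill(). If other callers still rely on that precondition, consider asserting it at those call sites instead, and add a short comment here stating that the function can be reached from spill() while making room for a spare register for the new frame's base pointer, so the assertion is not reintroduced later.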