Changeset 172962 in webkit

Timestamp:

Aug 26, 2014 10:34:21 AM (10 years ago)

Author:

msaboff@apple.com

Message:

REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
​https://bugs.webkit.org/show_bug.cgi?id=136187

Reviewed by Mark Hahnenberg.

Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
doesn't require a tag for the second argument, instead it fills in a CellTag. This is
used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
haven't set up a register with a tag and we know that argument 2 is a cell.

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
with CellTag as it wasn't in the control flow for the slow path that needed the tag.
Instead changed to calling new version of callOperation with an implicit CellTag.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-08-26  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION(r172794) + 32Bit build: for-in-base-reassigned-later-and-change-structure.js fail with NaN result
+        https://bugs.webkit.org/show_bug.cgi?id=136187
+
+        Reviewed by Mark Hahnenberg.
+
+        Added two arg version for 32 bit builds of callOperation(J_JITOperation_ECJ, ...) that
+        doesn't require a tag for the second argument, instead it fills in a CellTag.  This is
+        used for the slow case of the GetDirectPname case in SpeculativeJIT::compile since we
+        haven't set up a register with a tag and we know that argument 2 is a cell.
+
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::callOperation): New version with implicit CellTag.
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile): Eliminated extraneous filling of the scratchGPR
+        with CellTag as it wasn't in the control flow for the slow path that needed the tag.
+        Instead changed to calling new version of callOperation with an implicit CellTag.
+
 2014-08-26  Commit Queue  <commit-queue@webkit.org>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -1694 +1694 @@
     {
         m_jit.setupArgumentsWithExecState(arg1, arg2Payload, arg2Tag);
+        return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
+    }
+    JITCompiler::Call callOperation(J_JITOperation_ECJ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2Payload)
+    {
+        m_jit.setupArgumentsWithExecState(arg1, arg2Payload, MacroAssembler::TrustedImm32(JSValue::CellTag));
         return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
     }

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -4772 +4772 @@
         done.link(&m_jit);
 
-        m_jit.move(MacroAssembler::TrustedImm32(JSValue::CellTag), scratchGPR);
-        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, scratchGPR, propertyGPR));
+        addSlowPathGenerator(slowPathCall(wrongStructure, this, operationGetByValCell, resultTagGPR, resultPayloadGPR, baseGPR, propertyGPR));
 #endif