Changeset 200048 in webkit


Ignore:
Timestamp:
Apr 25, 2016 1:59:39 PM (8 years ago)
Author:
msaboff@apple.com
Message:

Crash using @tryGetById in DFG
https://bugs.webkit.org/show_bug.cgi?id=156992

Reviewed by Filip Pizlo.

We need to spill live registers when compiling TryGetById in DFG.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileTryGetById):

  • tests/stress/regress-156992.js: New test.

(tryMultipleGetByIds):
(test):

Location:
trunk/Source/JavaScriptCore
Files:
1 added
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r200038 r200048  
     12016-04-25  Michael Saboff  <msaboff@apple.com>
     2
     3        Crash using @tryGetById in DFG
     4        https://bugs.webkit.org/show_bug.cgi?id=156992
     5
     6        Reviewed by Filip Pizlo.
     7
     8        We need to spill live registers when compiling TryGetById in DFG.
     9
     10        * dfg/DFGSpeculativeJIT.cpp:
     11        (JSC::DFG::SpeculativeJIT::compileTryGetById):
     12        * tests/stress/regress-156992.js: New test.
     13        (tryMultipleGetByIds):
     14        (test):
     15
    1162016-04-25  Saam barati  <sbarati@apple.com>
    217

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r200034 r200048  
    977977        base.use();
    978978
    979         cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), DontSpill, AccessType::GetPure);
     979        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), JITCompiler::Jump(), NeedToSpill, AccessType::GetPure);
    980980
    981981        jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
Note: See TracChangeset for help on using the changeset viewer.