Changeset 207697 in webkit


Ignore:
Timestamp:
Oct 21, 2016 3:38:22 PM (7 years ago)
Author:
sbarati@apple.com
Message:

SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
https://bugs.webkit.org/show_bug.cgi?id=163622

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/try-get-by-id-should-spill-registers-dfg.js: Added.

(let.f.createBuiltin):

Source/JavaScriptCore:

We were passing in DontSpill in the Untyped:child1() case, which caused us
not to spill the base register. This is obviously wrong because the
DFG's register allocator expected the base to still be in the register
that it allocated for it after the TryGetById node executed.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileTryGetById):

Location:
trunk
Files:
1 added
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/JSTests/ChangeLog

    r207684 r207697  
     12016-10-21  Saam Barati  <sbarati@apple.com>
     2
     3        SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
     4        https://bugs.webkit.org/show_bug.cgi?id=163622
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        * stress/try-get-by-id-should-spill-registers-dfg.js: Added.
     9        (let.f.createBuiltin):
     10
    1112016-10-21  Caitlin Potter  <caitp@igalia.com>
    212
  • trunk/Source/JavaScriptCore/ChangeLog

    r207696 r207697  
     12016-10-21  Saam Barati  <sbarati@apple.com>
     2
     3        SpeculativeJIT::compileTryGetById needs to pass in NeedsToSpill along both the cell speculation and untyped speculation path
     4        https://bugs.webkit.org/show_bug.cgi?id=163622
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        We were passing in DontSpill in the Untyped:child1() case, which caused us
     9        not to spill the base register. This is obviously wrong because the
     10        DFG's register allocator expected the base to still be in the register
     11        that it allocated for it after the TryGetById node executed.
     12
     13        * dfg/DFGSpeculativeJIT.cpp:
     14        (JSC::DFG::SpeculativeJIT::compileTryGetById):
     15
    1162016-10-21  Keith Miller  <keith_miller@apple.com>
    217
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r207369 r207697  
    10211021        JITCompiler::Jump notCell = m_jit.branchIfNotCell(baseRegs);
    10221022
    1023         cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), notCell, DontSpill, AccessType::GetPure);
     1023        cachedGetById(node->origin.semantic, baseRegs, resultRegs, node->identifierNumber(), notCell, NeedToSpill, AccessType::GetPure);
    10241024
    10251025        jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
Note: See TracChangeset for help on using the changeset viewer.