Changeset 34500 in webkit

Timestamp:

Jun 11, 2008 5:33:48 PM (16 years ago)

Author:

cwzwarich@webkit.org

Message:

2008-06-11 Cameron Zwarich <​cwzwarich@uwaterloo.ca>

Reviewed by Maciej.

Bug 19498: REGRESSION (r34497): crash while loading GMail
<​https://bugs.webkit.org/show_bug.cgi?id=19498>

JavaScriptCore:

• VM/CodeGenerator.cpp: (KJS::CodeGenerator::emitJumpIfTrueOptimized): (KJS::CodeGenerator::emitJumpIfTrue):
• VM/CodeGenerator.h:
• kjs/nodes.cpp: (KJS::DoWhileNode::emitCode): (KJS::WhileNode::emitCode): (KJS::ForNode::emitCode): (KJS::CaseBlockNode::emitCodeForBlock):

LayoutTests:

• fast/js/logical-or-jless-expected.txt: Added.
• fast/js/logical-or-jless.html: Added.
• fast/js/resources/logical-or-jless.js: Added.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/VM/CodeGenerator.cpp (modified) (2 diffs)
• JavaScriptCore/VM/CodeGenerator.h (modified) (1 diff)
• JavaScriptCore/kjs/nodes.cpp (modified) (5 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/logical-or-jless-expected.txt (added)
• LayoutTests/fast/js/logical-or-jless.html (added)
• LayoutTests/fast/js/resources/logical-or-jless.js (added)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2008-06-11  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Maciej.
+
+        Bug 19498: REGRESSION (r34497): crash while loading GMail
+        <https://bugs.webkit.org/show_bug.cgi?id=19498>
+
+        * VM/CodeGenerator.cpp:
+        (KJS::CodeGenerator::emitJumpIfTrueMayCombine):
+        (KJS::CodeGenerator::emitJumpIfTrue):
+        * VM/CodeGenerator.h:
+        * kjs/nodes.cpp:
+        (KJS::DoWhileNode::emitCode):
+        (KJS::WhileNode::emitCode):
+        (KJS::ForNode::emitCode):
+        (KJS::CaseBlockNode::emitCodeForBlock):
+
 2008-06-11  Darin Adler  <darin@apple.com>
 

trunk/JavaScriptCore/VM/CodeGenerator.cpp

@@ -415 +415 @@
 }
 
-PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrue(RegisterID* cond, LabelID* target)
+PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrueMayCombine(RegisterID* cond, LabelID* target)
 {
     if (m_lastOpcodeID == op_less) {
@@ -434 +434 @@
     }
     
+    return emitJumpIfTrue(cond, target);
+}
+
+PassRefPtr<LabelID> CodeGenerator::emitJumpIfTrue(RegisterID* cond, LabelID* target)
+{
     emitOpcode(op_jtrue);
     instructions().append(cond->index());

trunk/JavaScriptCore/VM/CodeGenerator.h

@@ -261 +261 @@
         PassRefPtr<LabelID> emitLabel(LabelID*);
         PassRefPtr<LabelID> emitJump(LabelID* target);
+        PassRefPtr<LabelID> emitJumpIfTrueMayCombine(RegisterID* cond, LabelID* target);
         PassRefPtr<LabelID> emitJumpIfTrue(RegisterID* cond, LabelID* target);
         PassRefPtr<LabelID> emitJumpIfFalse(RegisterID* cond, LabelID* target);

trunk/JavaScriptCore/kjs/nodes.cpp

@@ -1355 +1355 @@
     generator.emitLabel(continueTarget.get());
     RegisterID* cond = generator.emitNode(m_expr.get());
-    generator.emitJumpIfTrue(cond, topOfLoop.get());
+    generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
     generator.emitLabel(breakTarget.get());
     return result.get();
@@ -1377 +1377 @@
     generator.emitLabel(continueTarget.get());
     RegisterID* cond = generator.emitNode(m_expr.get());
-    generator.emitJumpIfTrue(cond, topOfLoop.get());
+    generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
 
     generator.emitLabel(breakTarget.get());
@@ -1409 +1409 @@
     if (m_expr2) {
         RegisterID* cond = generator.emitNode(m_expr2.get());
-        generator.emitJumpIfTrue(cond, topOfLoop.get());
+        generator.emitJumpIfTrueMayCombine(cond, topOfLoop.get());
     } else {
         generator.emitJump(topOfLoop.get());
@@ -1577 +1577 @@
         generator.emitStrictEqual(clauseVal, clauseVal, switchExpression);
         labelVector.append(generator.newLabel());
-        generator.emitJumpIfTrue(clauseVal, labelVector[labelVector.size() - 1].get());
+        generator.emitJumpIfTrueMayCombine(clauseVal, labelVector[labelVector.size() - 1].get());
     }
 
@@ -1584 +1584 @@
         generator.emitStrictEqual(clauseVal, clauseVal, switchExpression);
         labelVector.append(generator.newLabel());
-        generator.emitJumpIfTrue(clauseVal, labelVector[labelVector.size() - 1].get());
+        generator.emitJumpIfTrueMayCombine(clauseVal, labelVector[labelVector.size() - 1].get());
     }
 

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2008-06-11  Cameron Zwarich  <cwzwarich@uwaterloo.ca>
+
+        Reviewed by Maciej.
+
+        Test for:
+
+        Bug 19498: REGRESSION (r34497): crash while loading GMail
+        <https://bugs.webkit.org/show_bug.cgi?id=19498>
+
+        * fast/js/logical-or-jless-expected.txt: Added.
+        * fast/js/logical-or-jless.html: Added.
+        * fast/js/resources/logical-or-jless.js: Added.
+
 2008-06-11  Sam Weinig  <sam@webkit.org>