Changeset 90768 in webkit
- Timestamp:
- Jul 11, 2011 11:39:14 AM (13 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r90738 r90768 1 2011-07-11 Filip Pizlo <fpizlo@apple.com> 2 3 DFG Speculative JIT does not always insert speculation checks when speculating 4 arrays. 5 https://bugs.webkit.org/show_bug.cgi?id=64254 6 7 Reviewed by Gavin Barraclough. 8 9 Changed the SetLocal instruction to always validate that the value being stored 10 into the local variable is an array, if that variable was marked PredictArray. 11 This is necessary since uses of arrays assume that if a PredictArray value is 12 in a local variable then the speculation check validating that the value is an 13 array was already performed. 14 15 * dfg/DFGSpeculativeJIT.cpp: 16 (JSC::DFG::SpeculativeJIT::compile): 17 1 18 2011-07-11 Gabor Loki <loki@webkit.org> 2 19 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r90673 r90768 492 492 case PredictArray: { 493 493 SpeculateCellOperand cell(this, node.child1()); 494 m_jit.storePtr(cell.gpr(), JITCompiler::addressFor(node.local())); 494 GPRReg cellGPR = cell.gpr(); 495 speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr))); 496 m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local())); 495 497 noResult(m_compileIndex); 496 498 break;
Note: See TracChangeset
for help on using the changeset viewer.
