Changeset 90799 in webkit

Timestamp:

Jul 11, 2011 6:10:07 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

DFG speculative JIT does not guard itself against floating point speculation
failures on non-floating-point constants.
​https://bugs.webkit.org/show_bug.cgi?id=64330

Patch by Filip Pizlo <​fpizlo@apple.com> on 2011-07-11
Reviewed by Gavin Barraclough.

Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
soon as it notices that it's speculating on something that is a non-numeric
JSConstant.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-07-11  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG speculative JIT does not guard itself against floating point speculation
+        failures on non-floating-point constants.
+        https://bugs.webkit.org/show_bug.cgi?id=64330
+
+        Reviewed by Gavin Barraclough.
+        
+        Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
+        soon as it notices that it's speculating on something that is a non-numeric
+        JSConstant.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+
 2011-07-11  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -207 +207 @@
                 return fpr;
             }
-            ASSERT(isJSConstant(nodeIndex));
-            JSValue jsValue = valueOfJSConstant(nodeIndex);
-            m_jit.move(MacroAssembler::ImmPtr(JSValue::encode(jsValue)), gpr);
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            info.fillJSValue(gpr, DataFormatJS);
-            unlock(gpr);
+            terminateSpeculativeExecution();
+            return fprAllocate();
         } else {
             DataFormat spillFormat = info.spillFormat();