Changeset 95168 in webkit


Timestamp:
Sep 14, 2011 10:17:20 PM (13 years ago)
Author:
barraclough@apple.com
Message:

[n]stricteq code is bogus in JSValue32_64 JIT
https://bugs.webkit.org/show_bug.cgi?id=68141

Reviewed by Sam Weinig.

The code tries to check for both ints or cells, but this check also
catches cases where values are undefined, null, etc. (probably
was incorrectly assuming cell was the 2nd highest tag?).

Also, there is no need not to handle int on the fast path.
stricteq is just a case of comparing the payloads, if we:

  • handle cases of differing tags on a slow path
  • handle doubles on a slow path
  • handle both-are-string on a slow path

  • jit/JITOpcodes32_64.cpp:
    (JSC::JIT::compileOpStrictEq):
    (JSC::JIT::emitSlow_op_stricteq):
    (JSC::JIT::emitSlow_op_nstricteq):
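As an added illustration, not code from this patch or from JavaScriptCore, the following C++ toy models the decision rule the message describes: with a tag word and a payload word per value, strict equality is decided by comparing payloads whenever the tags are equal, except for the three cases that are sent to a slow path (differing tags, doubles, both operands are strings). The tag values, the Cell struct, the function names and the sample cells are all constructed for this example; the only property assumed from the real layout is that a double's high word always sits below LowestTag, so a tag in the double range can never be mistaken for a cell or primitive tag.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Toy model of a JSValue32_64-style value: a 32-bit tag word plus a payload word.
// The tag constants are constructed for this example, not copied from JavaScriptCore;
// the only property the model relies on is the one the patch relies on: every
// non-double tag is >= LowestTag, while a double is stored as its raw IEEE-754
// words and its high word (the "tag") is always below LowestTag (NaN is assumed
// to carry a canonical bit pattern, so its high word never reaches the tag range).
enum Tag : uint32_t {
    Int32Tag     = 0xffffffffu,
    BooleanTag   = 0xfffffffeu,
    NullTag      = 0xfffffffdu,
    UndefinedTag = 0xfffffffcu,
    CellTag      = 0xfffffffbu,
    LowestTag    = 0xfffffffau,   // assumed value; any tag below this is a double
};

// Heap cell; the fast path only needs to know whether it is a string.
struct Cell { bool isString; std::string chars; };

struct Value {
    uint32_t  tag;
    uintptr_t payload;   // int32 bits, bool, a double's low word, or a Cell*
                         // (32 bits in the real layout; widened so the toy runs on 64-bit hosts)
};

static Value makeInt(int32_t i)   { return {Int32Tag, static_cast<uint32_t>(i)}; }
static Value makeBool(bool b)     { return {BooleanTag, b ? 1u : 0u}; }
static Value makeNull()           { return {NullTag, 0u}; }
static Value makeUndefined()      { return {UndefinedTag, 0u}; }
static Value makeCell(Cell* c)    { return {CellTag, reinterpret_cast<uintptr_t>(c)}; }
static Value makeDouble(double d) {
    uint64_t bits; std::memcpy(&bits, &d, sizeof bits);
    return {static_cast<uint32_t>(bits >> 32), static_cast<uint32_t>(bits)};
}
static bool isNumber(const Value& v) { return v.tag == Int32Tag || v.tag < LowestTag; }
static double asDouble(const Value& v) {
    if (v.tag == Int32Tag) return static_cast<int32_t>(v.payload);
    uint64_t bits = (static_cast<uint64_t>(v.tag) << 32) | static_cast<uint32_t>(v.payload);
    double d; std::memcpy(&d, &bits, sizeof d);
    return d;
}
static const Cell* asCell(const Value& v) { return reinterpret_cast<const Cell*>(v.payload); }

// Same decision structure as the fixed fast path: decide from tag and payload
// alone, or report that the slow path must run. Returns true when decided and
// writes the answer to *result.
static bool fastStrictEq(const Value& a, const Value& b, bool* result) {
    if (a.tag != b.tag) return false;        // tags differ (e.g. int vs double): slow path
    if (a.tag < LowestTag) return false;     // both doubles (NaN, +0 vs -0): slow path
    if (a.tag == CellTag && asCell(a)->isString && asCell(b)->isString)
        return false;                        // both strings: contents compared on the slow path
    *result = (a.payload == b.payload);      // same tag: payload equality is the answer
    return true;
}

// Slow path: full strict-equality semantics for the value kinds modelled here.
static bool slowStrictEq(const Value& a, const Value& b) {
    if (isNumber(a) && isNumber(b)) return asDouble(a) == asDouble(b);
    if (a.tag != b.tag) return false;
    if (a.tag == CellTag) {
        if (asCell(a)->isString && asCell(b)->isString) return asCell(a)->chars == asCell(b)->chars;
        return a.payload == b.payload;       // non-string cells compare by identity
    }
    return a.payload == b.payload;
}

static bool strictEq(const Value& a, const Value& b) {
    bool r;
    return fastStrictEq(a, b, &r) ? r : slowStrictEq(a, b);
}
static bool fastPathDecides(const Value& a, const Value& b) { bool r; return fastStrictEq(a, b, &r); }

// Constructed sample cells: two distinct string cells with equal contents, and one object.
static Cell g_str1{true, "abc"}, g_str2{true, "abc"}, g_obj{false, ""};

int main() {
    std::printf("1 === 1.0 -> %d (fast path decided: %d)\n",
                strictEq(makeInt(1), makeDouble(1.0)), fastPathDecides(makeInt(1), makeDouble(1.0)));
    std::printf("\"abc\" === \"abc\" (distinct cells) -> %d (fast path decided: %d)\n",
                strictEq(makeCell(&g_str1), makeCell(&g_str2)), fastPathDecides(makeCell(&g_str1), makeCell(&g_str2)));
    std::printf("true === false -> %d (fast path decided: %d)\n",
                strictEq(makeBool(true), makeBool(false)), fastPathDecides(makeBool(true), makeBool(false)));
    return 0;
}
```

The three bail-outs map onto the three cases in the message: `1 === 1.0` has differing tags and must not be answered by payload comparison, `NaN === NaN` and `0 === -0` have equal or differing double tags but need numeric comparison, and two string cells with equal contents at different addresses would compare unequal by payload. Everything else with equal tags (ints, booleans, null, undefined, and object identity) is correctly decided by the payload compare alone.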

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r95167 r95168  
     12011-09-14  Gavin Barraclough  <barraclough@apple.com>
     2
     3        [n]stricteq code is bogus in JSValue32_64 JIT
     4        https://bugs.webkit.org/show_bug.cgi?id=68141
     5
     6        Reviewed by Sam Weinig.
     7
     8        The code tries to check for both ints or cells, but this check also
     9        catches cases where values that are undefined, null, etc (probably
     10        was incorrectly assuming cell was the 2nd highest tag?).
     11
     12        Also, there is no need not to handle int on the fast path.
     13        stricteq is just a case of comparing the payloads, if we:
     14            * handle cases of differing tags on a slow path
     15            * handle doubles a slow path
     16            * handle both-are-string on a slow path
     17
     18        * jit/JITOpcodes32_64.cpp:
     19        (JSC::JIT::compileOpStrictEq):
     20        (JSC::JIT::emitSlow_op_stricteq):
     21        (JSC::JIT::emitSlow_op_nstricteq):
     22
    1232011-09-14  Mark Hahnenberg  <mhahnenberg@apple.com>
    224
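Review bot: the second bullet in the new ChangeLog entry, "handle doubles a slow path", is missing a word and should read "handle doubles on a slow path" so it matches the other two bullets and the "Bail if the tags differ, or are double." comment in JITOpcodes32_64.cpp. The root-cause remark "probably was incorrectly assuming cell was the 2nd highest tag?" leaves the diagnosis as a guess; since the old fast path only loaded tags and compared them, stating that plainly in the entry would make the fix easier to audit later.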
  • trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp

    r94920 r95168  
    996996    unsigned src2 = currentInstruction[3].u.operand;
    997997
    998     emitLoadTag(src1, regT0);
    999     emitLoadTag(src2, regT1);
    1000 
    1001     // Jump to a slow case if either operand is double, or if both operands are
    1002     // cells and/or Int32s.
    1003     move(regT0, regT2);
    1004     and32(regT1, regT2);
    1005     addSlowCase(branch32(Below, regT2, TrustedImm32(JSValue::LowestTag)));
    1006     addSlowCase(branch32(AboveOrEqual, regT2, TrustedImm32(JSValue::CellTag)));
    1007 
     998    emitLoad2(src1, regT1, regT0, src2, regT3, regT2);
     999
     1000    // Bail if the tags differ, or are double.
     1001    addSlowCase(branch32(NotEqual, regT1, regT3));
     1002    addSlowCase(branch32(Below, regT1, TrustedImm32(JSValue::LowestTag)));
     1003
     1004    // Jump to a slow case if both are strings.
     1005    Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag));
     1006    Jump firstNotString = branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsStringVPtr));
     1007    addSlowCase(branchPtr(Equal, Address(regT2), TrustedImmPtr(m_globalData->jsStringVPtr)));
     1008    notCell.link(this);
     1009    firstNotString.link(this);
     1010
     1011    // Simply compare the payloads.
    10081012    if (type == OpStrictEq)
    1009         compare32(Equal, regT0, regT1, regT0);
     1013        compare32(Equal, regT0, regT2, regT0);
    10101014    else
    1011         compare32(NotEqual, regT0, regT1, regT0);
     1015        compare32(NotEqual, regT0, regT2, regT0);
    10121016
    10131017    emitStoreBool(dst, regT0);
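Review bot: the old fast path loaded only the tags (emitLoadTag into regT0/regT1) and then compared those tag registers, so it never compared payloads at all; the replacement loads tag and payload for both operands with emitLoad2 and compares regT0 against regT2, which is the payload pair. Two points on the new branches. First, the double check `addSlowCase(branch32(Below, regT1, TrustedImm32(JSValue::LowestTag)))` inspects only src1's tag and is correct only because the preceding NotEqual branch already guaranteed both tags are equal; a comment stating that dependency would stop a later reordering from silently letting a double on src2 through to the payload compare. Second, the fast path now registers three slow cases (tags differ, tag below LowestTag, both cells are strings) instead of two, so both emitSlow_op_stricteq and emitSlow_op_nstricteq must link exactly three in emission order.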
     
    10251029    unsigned src2 = currentInstruction[3].u.operand;
    10261030
     1031    linkSlowCase(iter);
    10271032    linkSlowCase(iter);
    10281033    linkSlowCase(iter);
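Review bot: the added linkSlowCase(iter) brings emitSlow_op_stricteq to three links, matching the three addSlowCase calls now emitted by compileOpStrictEq; because linkSlowCase consumes slow cases strictly in emission order, a mismatch here would link the wrong branch to the slow call rather than fail loudly. An assertion or a shared count next to the addSlowCase sites would make the coupling explicit.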
     
    10451050    unsigned src2 = currentInstruction[3].u.operand;
    10461051
     1052    linkSlowCase(iter);
    10471053    linkSlowCase(iter);
    10481054    linkSlowCase(iter);
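Review bot: same change for emitSlow_op_nstricteq, three linkSlowCase calls to match the three slow cases from compileOpStrictEq. Since both slow functions must track the same fast path, consider factoring the link sequence into a shared helper so the count can only be changed in one place.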