Changeset 95168 in webkit
- Timestamp:
- Sep 14, 2011 10:17:20 PM (13 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r95167 r95168 1 2011-09-14 Gavin Barraclough <barraclough@apple.com> 2 3 [n]stricteq code is bogus in JSValue32_64 JIT 4 https://bugs.webkit.org/show_bug.cgi?id=68141 5 6 Reviewed by Sam Weinig. 7 8 The code tries to check for both ints or cells, but this check also 9 catches cases where values that are undefined, null, etc (probably 10 was incorrectly assuming cell was the 2nd highest tag?). 11 12 Also, there is no need not to handle int on the fast path. 13 stricteq is just a case of comparing the payloads, if we: 14 * handle cases of differing tags on a slow path 15 * handle doubles a slow path 16 * handle both-are-string on a slow path 17 18 * jit/JITOpcodes32_64.cpp: 19 (JSC::JIT::compileOpStrictEq): 20 (JSC::JIT::emitSlow_op_stricteq): 21 (JSC::JIT::emitSlow_op_nstricteq): 22 1 23 2011-09-14 Mark Hahnenberg <mhahnenberg@apple.com> 2 24 -
trunk/Source/JavaScriptCore/jit/JITOpcodes32_64.cpp
r94920 r95168 996 996 unsigned src2 = currentInstruction[3].u.operand; 997 997 998 emitLoadTag(src1, regT0); 999 emitLoadTag(src2, regT1); 1000 1001 // Jump to a slow case if either operand is double, or if both operands are 1002 // cells and/or Int32s. 1003 move(regT0, regT2); 1004 and32(regT1, regT2); 1005 addSlowCase(branch32(Below, regT2, TrustedImm32(JSValue::LowestTag))); 1006 addSlowCase(branch32(AboveOrEqual, regT2, TrustedImm32(JSValue::CellTag))); 1007 998 emitLoad2(src1, regT1, regT0, src2, regT3, regT2); 999 1000 // Bail if the tags differ, or are double. 1001 addSlowCase(branch32(NotEqual, regT1, regT3)); 1002 addSlowCase(branch32(Below, regT1, TrustedImm32(JSValue::LowestTag))); 1003 1004 // Jump to a slow case if both are strings. 1005 Jump notCell = branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)); 1006 Jump firstNotString = branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsStringVPtr)); 1007 addSlowCase(branchPtr(Equal, Address(regT2), TrustedImmPtr(m_globalData->jsStringVPtr))); 1008 notCell.link(this); 1009 firstNotString.link(this); 1010 1011 // Simply compare the payloads. 1008 1012 if (type == OpStrictEq) 1009 compare32(Equal, regT0, regT 1, regT0);1013 compare32(Equal, regT0, regT2, regT0); 1010 1014 else 1011 compare32(NotEqual, regT0, regT 1, regT0);1015 compare32(NotEqual, regT0, regT2, regT0); 1012 1016 1013 1017 emitStoreBool(dst, regT0); … … 1025 1029 unsigned src2 = currentInstruction[3].u.operand; 1026 1030 1031 linkSlowCase(iter); 1027 1032 linkSlowCase(iter); 1028 1033 linkSlowCase(iter); … … 1045 1050 unsigned src2 = currentInstruction[3].u.operand; 1046 1051 1052 linkSlowCase(iter); 1047 1053 linkSlowCase(iter); 1048 1054 linkSlowCase(iter);
Note: See TracChangeset
for help on using the changeset viewer.