Changeset 95918 in webkit


Timestamp:
Sep 24, 2011 7:20:41 PM (13 years ago)
Author:
fpizlo@apple.com
Message:

JIT implementation of put_by_val increments m_length instead of setting
it to index+1
https://bugs.webkit.org/show_bug.cgi?id=68766

Reviewed by Geoffrey Garen.

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_put_by_val):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r95917 r95918  
     12011-09-24  Filip Pizlo  <fpizlo@apple.com>
     2
     3        JIT implementation of put_by_val increments m_length instead of setting
     4        it to index+1
     5        https://bugs.webkit.org/show_bug.cgi?id=68766
     6
     7        Reviewed by Geoffrey Garen.
     8
     9        * jit/JITPropertyAccess.cpp:
     10        (JSC::JIT::emit_op_put_by_val):
     11
    1122011-09-24  Geoffrey Garen  <ggaren@apple.com>
    213
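
Review bot: The new ChangeLog entry ends at "(JSC::JIT::emit_op_put_by_val):" with no per-function description, and the changeset edits only ChangeLog and JITPropertyAccess.cpp, so no regression test accompanies the fix. Suggest a one-line description under the function name saying that the slow-growth path now stores index+1 into m_length, plus a test that performs a put_by_val at an index beyond the current length and checks that the resulting length equals index+1.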
  • trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

    r95901 r95918  
    216216    branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this);
    217217
    218     add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
     218    add32(TrustedImm32(1), regT1);
     219    store32(regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
     220    sub32(TrustedImm32(1), regT1);
    219221    jump().linkTo(storeResult, this);
    220222
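
Review bot: The added add32/store32/sub32 sequence on regT1 has no comment explaining that regT1 (the index) is bumped only to compute the new m_length and must be restored before the jump to storeResult, which still uses it as the index. A short comment on those three lines, or computing index+1 in a scratch register instead of mutating and restoring regT1, would make that dependency harder to break in a later edit. Separately, "add32(TrustedImm32(1), regT1);" wraps to 0 if regT1 holds 0xFFFFFFFF; the visible context only shows the "Below m_length" branch, so please confirm that an earlier bounds check on this path already guarantees index+1 cannot overflow, and say so in the comment.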