Changeset 97286 in webkit

Timestamp:

Oct 12, 2011 12:28:12 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

DFG JIT 32_64 - Fix ArrayPop
​https://bugs.webkit.org/show_bug.cgi?id=69918

Patch by Yuqiang Xian <​yuqiang.xian@intel.com> on 2011-10-12
Reviewed by Filip Pizlo.

The storageLengthGPR is polluted by EmptyValueTag and later used to
index the array, which results in abnormal behaviors in execution.
This fix makes 32_64 DFG pass v8-deltablue and kraken
crypto-sha256-iterative on Linux ia32.

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::store32):

• assembler/X86Assembler.h:

(JSC::X86Assembler::movl_i32m):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• assembler/MacroAssemblerX86Common.h (modified) (1 diff)
• assembler/X86Assembler.h (modified) (1 diff)
• dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
+
+        DFG JIT 32_64 - Fix ArrayPop
+        https://bugs.webkit.org/show_bug.cgi?id=69918
+
+        Reviewed by Filip Pizlo.
+
+        The storageLengthGPR is polluted by EmptyValueTag and later used to
+        index the array, which results in abnormal behaviors in execution.
+        This fix makes 32_64 DFG pass v8-deltablue and kraken
+        crypto-sha256-iterative on Linux ia32.
+
+        * assembler/MacroAssemblerX86Common.h:
+        (JSC::MacroAssemblerX86Common::store32):
+        * assembler/X86Assembler.h:
+        (JSC::X86Assembler::movl_i32m):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-10-12  Gustavo Noronha Silva  <gustavo.noronha@collabora.co.uk>
 

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -512 +512 @@
     }
     
+    void store32(TrustedImm32 imm, BaseIndex address)
+    {
+        m_assembler.movl_i32m(imm.m_value, address.offset, address.base, address.index, address.scale);
+    }
+
     void store8(TrustedImm32 imm, Address address)
     {

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -1067 +1067 @@
     }
     
+    void movl_i32m(int imm, int offset, RegisterID base, RegisterID index, int scale)
+    {
+        m_formatter.oneByteOp(OP_GROUP11_EvIz, GROUP11_MOV, base, index, scale, offset);
+        m_formatter.immediate32(imm);
+    }
+
     void movb_i8m(int imm, int offset, RegisterID base)
     {

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

@@ -1545 +1545 @@
         MacroAssembler::Jump holeCase = m_jit.branch32(MacroAssembler::Equal, Imm32(JSValue::EmptyValueTag), valueTagGPR);
         
-        m_jit.move(Imm32(JSValue::EmptyValueTag), storageLengthGPR);
-        m_jit.store32(storageLengthGPR, MacroAssembler::BaseIndex(storageGPR, storageLengthGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+        m_jit.store32(TrustedImm32(JSValue::EmptyValueTag), MacroAssembler::BaseIndex(storageGPR, storageLengthGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
 
         m_jit.sub32(MacroAssembler::Imm32(1), MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));