Title: [96429] trunk/Source/JavaScriptCore
Revision: 96429
Author: fpi...@apple.com
Date: 2011-09-30 14:44:20 -0700 (Fri, 30 Sep 2011)
Log Message
DFG 32-bit support for op_call and op_construct causes
run-javascriptcore-tests to fail
https://bugs.webkit.org/show_bug.cgi?id=69171
Reviewed by Gavin Barraclough.
This fixes one obvious bug that was causing test failures (no
support for dummy slow case for op_add in 32_64), and disables
op_call and op_construct by default.
* dfg/DFGCapabilities.h:
(JSC::DFG::canCompileOpcode):
* jit/JITArithmetic32_64.cpp:
(JSC::JIT::emit_op_add):
(JSC::JIT::emitSlow_op_add):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (96428 => 96429)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-30 21:38:26 UTC (rev 96428)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-30 21:44:20 UTC (rev 96429)
@@ -1,3 +1,21 @@
+2011-09-30 Filip Pizlo <fpi...@apple.com>
+
+ DFG 32-bit support for op_call and op_construct causes
+ run-_javascript_core-tests to fail
+ https://bugs.webkit.org/show_bug.cgi?id=69171
+
+ Reviewed by Gavin Barraclough.
+
+ This fixes one obvious bug that was causing test failures (no
+ support for dummy slow case for op_add in 32_64), and disables
+ op_call and op_construct by default.
+
+ * dfg/DFGCapabilities.h:
+ (JSC::DFG::canCompileOpcode):
+ * jit/JITArithmetic32_64.cpp:
+ (JSC::JIT::emit_op_add):
+ (JSC::JIT::emitSlow_op_add):
+
2011-09-30 Geoffrey Garen <gga...@apple.com>
Crash due to out of bounds read/write in MarkedSpace
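Review bot: the summary "disables op_call and op_construct by default" overstates what the code change does. The DFGCapabilities.h hunk returns false for those two opcodes only when ENABLE(DFG_32BIT_RESTRICTIONS) is set, and the new macro is 1 only when USE(JSVALUE64) is not, so JSVALUE64 builds keep compiling op_call and op_construct in the DFG exactly as before. Say "disables DFG compilation of op_call and op_construct on 32-bit (JSVALUE32_64) builds" so the ChangeLog matches the behaviour, and mention the ENABLE_DFG_32BIT_RESTRICTIONS switch by name so whoever re-enables them after bug 69171 is resolved can find it.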
Modified: trunk/Source/_javascript_Core/dfg/DFGCapabilities.h (96428 => 96429)
--- trunk/Source/_javascript_Core/dfg/DFGCapabilities.h 2011-09-30 21:38:26 UTC (rev 96428)
+++ trunk/Source/_javascript_Core/dfg/DFGCapabilities.h 2011-09-30 21:44:20 UTC (rev 96429)
@@ -33,6 +33,13 @@
#define ENABLE_DFG_RESTRICTIONS 1
+#if USE(JSVALUE64)
+#define ENABLE_DFG_32BIT_RESTRICTIONS 0
+#else
+#define ENABLE_DFG_32BIT_RESTRICTIONS 1
+#endif
+
+
#if ENABLE(DFG_JIT)
// Fast check functions; if they return true it is still necessary to
// check opcodes.
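Review bot: ENABLE_DFG_32BIT_RESTRICTIONS is a temporary kill switch for a crash that is, per the comment further down, still being investigated, but nothing at the definition says so. Put a FIXME with the bug URL (https://bugs.webkit.org/show_bug.cgi?id=69171) on the #if USE(JSVALUE64) block so the macro is removed once the 32-bit crashes are fixed rather than quietly outliving them. Minor style point: the two consecutive blank lines after the #endif should be one.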
@@ -113,8 +120,6 @@
case op_loop_if_greatereq:
case op_ret:
case op_end:
- case op_call:
- case op_construct:
case op_call_put_result:
case op_resolve:
case op_resolve_base:
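Review bot: dropping op_call and op_construct from the unconditionally supported list while leaving op_call_put_result there is fine, because the capability check is applied to every opcode in a code block and a block containing a call already fails on op_call before its op_call_put_result is looked at; a one-line comment on op_call_put_result would stop a later reader from taking the asymmetry for an oversight and "fixing" it.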
@@ -140,7 +145,18 @@
#else
return true;
#endif
+
+ // Opcodes we support conditionally on 32-bit builds. Enabling these opcodes
+ // currently results in crashes, which are still being investigated.
+ case op_call:
+ case op_construct:
+#if ENABLE(DFG_32BIT_RESTRICTIONS)
+ return false;
+#else
+ return true;
+#endif
+
default:
return false;
}
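Review bot: the comment "Opcodes we support conditionally on 32-bit builds" reads backwards: on 32-bit builds these are precisely the opcodes that are not supported, and on JSVALUE64 builds they are supported unconditionally. Say "Opcodes disabled on 32-bit builds (ENABLE(DFG_32BIT_RESTRICTIONS)) because enabling them currently crashes; see bug 69171" so the comment names the macro that controls it and the bug that justifies it. Gating here is the right choke point, since returning false from canCompileOpcode keeps the DFG from ever compiling a code block containing these opcodes, which makes the crashing 32-bit code paths unreachable rather than merely less likely. Note also that the new case labels sit directly after the preceding group's #endif; that is only safe because both branches of that #if return, so anyone adding a non-returning branch there would fall through into op_call.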
Modified: trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp (96428 => 96429)
--- trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp 2011-09-30 21:38:26 UTC (rev 96428)
+++ trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp 2011-09-30 21:44:20 UTC (rev 96429)
@@ -603,6 +603,7 @@
OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
if (!types.first().mightBeNumber() || !types.second().mightBeNumber()) {
+ addSlowCase();
JITStubCall stubCall(this, cti_op_add);
stubCall.addArgument(op1);
stubCall.addArgument(op2);
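Review bot: the argument-less addSlowCase() registers a slow-case entry that has no jump to link, so the stub-call path of emit_op_add now leaves an entry for emitSlow_op_add to consume just as the inline path does. That matters because the slow-case vector is walked positionally: an entry produced here that is not consumed, or consumed here but never produced, shifts the iterator and links later opcodes' slow-path jumps to the wrong code. A comment at the call site ("dummy slow case; consumed by linkDummySlowCase in emitSlow_op_add") would make the pairing visible to the next person who edits either function.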
@@ -674,8 +675,10 @@
unsigned op2 = currentInstruction[3].u.operand;
OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
- if (!types.first().mightBeNumber() || !types.second().mightBeNumber())
+ if (!types.first().mightBeNumber() || !types.second().mightBeNumber()) {
+ linkDummySlowCase(iter);
return;
+ }
unsigned op;
int32_t constant;
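Review bot: linkDummySlowCase(iter) before the early return is the required counterpart of the addSlowCase() added to emit_op_add, and both sit under the same condition on types.first().mightBeNumber() and types.second().mightBeNumber(), computed from the same OperandTypes, so the two halves agree for every op_add. Because the pairing is enforced only by convention, either add a comment here naming the emit-side addSlowCase(), or, if linkDummySlowCase does not already assert that the entry it consumes carries no jump, make it do so, so a future change to one side fails loudly instead of mislinking subsequent slow cases.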
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes