Title: [90799] trunk/Source/JavaScriptCore
Revision
90799
Author
[email protected]
Date
2011-07-11 18:10:07 -0700 (Mon, 11 Jul 2011)

Log Message

DFG speculative JIT does not guard itself against floating point speculation
failures on non-floating-point constants.
https://bugs.webkit.org/show_bug.cgi?id=64330

Patch by Filip Pizlo <[email protected]> on 2011-07-11
Reviewed by Gavin Barraclough.

Made fillSpeculateDouble immediately invoke terminateSpeculativeExecution() as
soon as it notices that it's speculating on something that is a non-numeric
JSConstant.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (90798 => 90799)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-12 00:39:46 UTC (rev 90798)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-12 01:10:07 UTC (rev 90799)
@@ -1,5 +1,20 @@
 2011-07-11  Filip Pizlo  <[email protected]>
 
+        DFG speculative JIT does not guard itself against floating point speculation
+        failures on non-floating-point constants.
+        https://bugs.webkit.org/show_bug.cgi?id=64330
+
+        Reviewed by Gavin Barraclough.
+        
+        Made fillSpeculateDouble immediate invoke terminateSpeculativeExecution() as
+        soon as it notices that it's speculating on something that is a non-numeric
+        JSConstant.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+
+2011-07-11  Filip Pizlo  <[email protected]>
+
         DFG Speculative JIT does not always insert speculation checks when speculating
         arrays.
         https://bugs.webkit.org/show_bug.cgi?id=64254
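Review bot: "Made fillSpeculateDouble immediate invoke" in the new entry should read "immediately invoke". The entry also lists only dfg/DFGSpeculativeJIT.cpp; a missing speculation guard is exactly the kind of bug that should land with a regression test exercising double speculation on a non-numeric constant, or the entry should state why no test is possible.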

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (90798 => 90799)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-12 00:39:46 UTC (rev 90798)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-12 01:10:07 UTC (rev 90799)
@@ -206,12 +206,8 @@
                 info.fillDouble(fpr);
                 return fpr;
             }
-            ASSERT(isJSConstant(nodeIndex));
-            JSValue jsValue = valueOfJSConstant(nodeIndex);
-            m_jit.move(MacroAssembler::ImmPtr(JSValue::encode(jsValue)), gpr);
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            info.fillJSValue(gpr, DataFormatJS);
-            unlock(gpr);
+            terminateSpeculativeExecution();
+            return fprAllocate();
         } else {
             DataFormat spillFormat = info.spillFormat();
             ASSERT(spillFormat & DataFormatJS);
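Review bot: the ASSERT(isJSConstant(nodeIndex)) is removed along with the GPR fill, so the fallthrough no longer records that only a JSConstant node with no register format can reach it; keep the assertion ahead of terminateSpeculativeExecution() so a non-constant node arriving here fails loudly in debug builds instead of silently bailing out of speculation. A one-line comment is also warranted on why `return fprAllocate();` hands back an FPR that is never filled and never recorded in info: that is only safe if, as the name suggests, nothing emitted after terminateSpeculativeExecution() can execute, and the caller must not expect the register to be retained.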
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes