Skip to site navigation (Press enter)

[webkit-changes] [91825] trunk/Source/JavaScriptCore

commit-queue Wed, 27 Jul 2011 00:12:51 -0700

Title: [91825] trunk/Source/_javascript_Core

Revision: 91825
Author: [email protected]
Date: 2011-07-27 00:12:38 -0700 (Wed, 27 Jul 2011)

Log Message

DFG JIT speculation failure code performs incorrect conversions in
the case where two registers need to be swapped.
https://bugs.webkit.org/show_bug.cgi?id=65233


Patch by Filip Pizlo <[email protected]> on 2011-07-27
Reviewed by Gavin Barraclough.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::GeneralizedRegister::swapWith):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (91824 => 91825)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-27 06:02:54 UTC (rev 91824)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-27 07:12:38 UTC (rev 91825)
@@ -1,3 +1,14 @@
+2011-07-27  Filip Pizlo  <[email protected]>
+
+        DFG JIT speculation failure code performs incorrect conversions in
+        the case where two registers need to be swapped.
+        https://bugs.webkit.org/show_bug.cgi?id=65233
+
+        Reviewed by Gavin Barraclough.
+        
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::GeneralizedRegister::swapWith):
+
 2011-07-26  Mark Hahnenberg  <[email protected]>
 
         reduce and reduceRight bind callback's this to null rather than undefined

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (91824 => 91825)


--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-07-27 06:02:54 UTC (rev 91824)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-07-27 07:12:38 UTC (rev 91825)
@@ -244,15 +244,15 @@
         
         jit.swap(gpr(), other.gpr());
         
-        if (UNLIKELY(needDataFormatConversion(myDataFormat, myNewDataFormat))) {
-            if (myDataFormat == DataFormatInteger)
+        if (UNLIKELY(needDataFormatConversion(otherDataFormat, myNewDataFormat))) {
+            if (otherDataFormat == DataFormatInteger)
                 jit.orPtr(GPRInfo::tagTypeNumberRegister, gpr());
             else if (myNewDataFormat == DataFormatInteger)
                 jit.zeroExtend32ToPtr(gpr(), gpr());
         }
         
-        if (UNLIKELY(needDataFormatConversion(otherDataFormat, myNewDataFormat))) {
-            if (otherDataFormat == DataFormatInteger)
+        if (UNLIKELY(needDataFormatConversion(myDataFormat, otherNewDataFormat))) {
+            if (myDataFormat == DataFormatInteger)
                 jit.orPtr(GPRInfo::tagTypeNumberRegister, other.gpr());
             else if (otherNewDataFormat == DataFormatInteger)
                 jit.zeroExtend32ToPtr(other.gpr(), other.gpr());

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes