Skip to site navigation (Press enter)

[webkit-changes] [92010] trunk/Source/JavaScriptCore

fpizlo Fri, 29 Jul 2011 14:34:51 -0700

Title: [92010] trunk/Source/_javascript_Core

Revision: 92010
Author: [email protected]
Date: 2011-07-29 14:34:44 -0700 (Fri, 29 Jul 2011)

Log Message

Crash when opening docs.google.com
https://bugs.webkit.org/show_bug.cgi?id=65327


Reviewed by Gavin Barraclough.

The speculative JIT was only checking whether a value is an array when
we had already checked that it was, rather then when we hadn't.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (92009 => 92010)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-29 21:29:01 UTC (rev 92009)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-29 21:34:44 UTC (rev 92010)
@@ -1,3 +1,16 @@
+2011-07-29  Filip Pizlo  <[email protected]>
+
+        Crash when opening docs.google.com
+        https://bugs.webkit.org/show_bug.cgi?id=65327
+
+        Reviewed by Gavin Barraclough.
+        
+        The speculative JIT was only checking whether a value is an array when
+        we had already checked that it was, rather then when we hadn't.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
 2011-07-28  Oliver Hunt  <[email protected]>
 
         *_list instructions are only used in one place, where the code is wrong.

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (92009 => 92010)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-29 21:29:01 UTC (rev 92009)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2011-07-29 21:34:44 UTC (rev 92010)
@@ -946,7 +946,7 @@
         // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
         // If we have predicted the base to be type array, we can skip the check.
         Node& baseNode = m_jit.graph()[node.child1()];
-        if (baseNode.op != GetLocal || isArrayPrediction(m_jit.graph().getPrediction(baseNode.local())))
+        if (baseNode.op != GetLocal || !isArrayPrediction(m_jit.graph().getPrediction(baseNode.local())))
             speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseReg), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
 
         base.use();

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes