Title: [92986] trunk/Source/JavaScriptCore
- Revision: 92986
- Author: [email protected]
- Date: 2011-08-12 13:33:25 -0700 (Fri, 12 Aug 2011)
Log Message
REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation:
Matrix3D.invert)
https://bugs.webkit.org/show_bug.cgi?id=66038
Patch by Filip Pizlo <[email protected]> on 2011-08-12
Reviewed by Gavin Barraclough.
Simplest and lowest-impact fix for the case where the spilled format
of a DFG node differs from the register format: if the format is
converted then indicate that the spilled value is no longer valid
("kill the spill").
* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::killSpilled):
* dfg/DFGJITCodeGenerator.cpp:
(JSC::DFG::JITCodeGenerator::fillDouble):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (92985 => 92986)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-12 20:33:04 UTC (rev 92985)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-12 20:33:25 UTC (rev 92986)
@@ -1,3 +1,23 @@
+2011-08-12 Filip Pizlo <[email protected]>
+
+ REGRESSION (r91610?): Bing Maps fail to initialize (InvalidOperation:
+ Matrix3D.invert)
+ https://bugs.webkit.org/show_bug.cgi?id=66038
+
+ Reviewed by Gavin Barraclough.
+
+ Simplest and lowest-impact fix for the case where the spilled format
+ of a DFG node differs from the register format: if the format is
+ converted then indicate that the spilled value is no longer valid
+ ("kill the spill").
+
+ * dfg/DFGGenerationInfo.h:
+ (JSC::DFG::GenerationInfo::killSpilled):
+ * dfg/DFGJITCodeGenerator.cpp:
+ (JSC::DFG::JITCodeGenerator::fillDouble):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+
2011-08-12 Sam Weinig <[email protected]>
Move compiler specific macros to their own header
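Review bot: the file list in this entry names only the three dfg/ sources and no test, so nothing added here would catch the same miscompile if it returns. A regression test that exercises a value whose spilled format differs from the format it is refilled in would pin the fix down. The "(r91610?)" in the title also leaves the regressing revision unconfirmed; drop the question mark or say it is unverified once that is known.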
Modified: trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h (92985 => 92986)
--- trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h 2011-08-12 20:33:04 UTC (rev 92985)
+++ trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h 2011-08-12 20:33:25 UTC (rev 92986)
@@ -238,6 +238,12 @@
ASSERT(m_canFill && m_registerFormat != DataFormatNone);
m_registerFormat = DataFormatNone;
}
+
+ void killSpilled()
+ {
+ m_spillFormat = DataFormatNone;
+ m_canFill = false;
+ }
// Record that this value is filled into machine registers,
// tracking which registers, and what format the value has.
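Review bot: killSpilled() clears m_spillFormat and m_canFill unconditionally, with no assertion and no comment, while the method just above it checks `ASSERT(m_canFill && m_registerFormat != DataFormatNone);` before it changes state. If killSpilled() were ever called while m_registerFormat is DataFormatNone, the info would describe a value that is neither in a register nor fillable, and that would go unnoticed. Suggest making `ASSERT(m_registerFormat != DataFormatNone);` the first statement, adding a short comment in the style of the neighbouring "Record that this value is filled into machine registers" one, and putting a blank line between the closing brace and that following comment.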
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (92985 => 92986)
--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-08-12 20:33:04 UTC (rev 92985)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-08-12 20:33:25 UTC (rev 92986)
@@ -182,6 +182,7 @@
m_gprs.unlock(tempGpr);
m_fprs.retain(fpr, virtualRegister, SpillOrderDouble);
info.fillDouble(fpr);
+ info.killSpilled();
return fpr;
}
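Review bot: the new `info.killSpilled();` after `info.fillDouble(fpr);` carries no comment, so a reader of this path cannot tell that the spill is being invalidated because the value was just converted to a different format from the one spilled. A one-line comment at the call site saying so would keep someone from later removing the call as redundant. Since killSpilled() also sets m_canFill to false, it is worth stating there that the value has to be stored again if this register is spilled later.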
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (92985 => 92986)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-08-12 20:33:04 UTC (rev 92985)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-08-12 20:33:25 UTC (rev 92986)
@@ -255,6 +255,7 @@
m_gprs.unlock(tempGpr);
m_fprs.retain(fpr, virtualRegister, SpillOrderDouble);
info.fillDouble(fpr);
+ info.killSpilled();
return fpr;
}
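Review bot: these lines repeat the exact sequence from JITCodeGenerator::fillDouble (`m_fprs.retain(...)`, `info.fillDouble(fpr);`, `info.killSpilled();`), so the invariant now has to be maintained by hand in two places. Consider a small shared helper that retains the FPR, records the double fill and kills the spill, or have the conversion path own the invalidation, so the speculative and non-speculative paths cannot drift apart. Only this one conversion path is visible in the hunk; if the function has other paths that change the format on fill, they need the same treatment.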