Skip to site navigation (Press enter)

[webkit-changes] [94478] trunk/Source/JavaScriptCore

fpizlo Fri, 02 Sep 2011 22:22:34 -0700

Title: [94478] trunk/Source/_javascript_Core

Revision: 94478
Author: [email protected]
Date: 2011-09-02 22:23:35 -0700 (Fri, 02 Sep 2011)

Log Message

DFG JIT speculation failure does recovery of additions in reverse and
doesn't rebox
https://bugs.webkit.org/show_bug.cgi?id=67551


Reviewed by Sam Weinig.

* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (94477 => 94478)


--- trunk/Source/_javascript_Core/ChangeLog	2011-09-03 05:14:04 UTC (rev 94477)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-09-03 05:23:35 UTC (rev 94478)
@@ -1,5 +1,16 @@
 2011-09-02  Filip Pizlo  <[email protected]>
 
+        DFG JIT speculation failure does recovery of additions in reverse and
+        doesn't rebox
+        https://bugs.webkit.org/show_bug.cgi?id=67551
+
+        Reviewed by Sam Weinig.
+
+        * dfg/DFGJITCompiler.cpp:
+        (JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):
+
+2011-09-02  Filip Pizlo  <[email protected]>
+
         ValueProfile does not make it safe to introspect cell values
         after garbage collection
         https://bugs.webkit.org/show_bug.cgi?id=67354

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp (94477 => 94478)


--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-09-03 05:14:04 UTC (rev 94477)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.cpp	2011-09-03 05:23:35 UTC (rev 94478)
@@ -495,8 +495,16 @@
     if (recovery) {
         // The only additional recovery we currently support is for integer add operation
         ASSERT(recovery->type() == SpeculativeAdd);
+        ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
         // Revert the add.
         sub32(recovery->src(), recovery->dest());
+        
+        // If recovery->dest() should have been boxed prior to the addition, then rebox
+        // it.
+        DataFormat format = check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].format;
+        ASSERT(format == DataFormatInteger || format == DataFormatJSInteger || format == DataFormatJS);
+        if (format != DataFormatInteger)
+            orPtr(GPRInfo::tagTypeNumberRegister, recovery->dest());
     }
     
     // First, we need a reverse mapping that tells us, for a NodeIndex, which register

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes