Title: [96451] trunk/Source/_javascript_Core
Revision
96451
Author
commit-qu...@webkit.org
Date
2011-09-30 19:14:36 -0700 (Fri, 30 Sep 2011)

Log Message

DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
https://bugs.webkit.org/show_bug.cgi?id=69126

Patch by Yuqiang Xian <yuqiang.x...@intel.com> on 2011-09-30
Reviewed by Gavin Barraclough.

The setupResults routine has the bug of reversing the source and destination.
Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.

* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::setupTwoStubArgs):
(JSC::DFG::setupResults):
* dfg/DFGJITCodeGenerator32_64.cpp:
(JSC::DFG::JITCodeGenerator::fillJSValue):
(JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):


Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (96450 => 96451)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-01 02:12:06 UTC (rev 96450)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-01 02:14:36 UTC (rev 96451)
@@ -1,3 +1,21 @@
+2011-09-30  Yuqiang Xian  <yuqiang.x...@intel.com>
+
+        DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
+        https://bugs.webkit.org/show_bug.cgi?id=69126
+
+        Reviewed by Gavin Barraclough.
+
+        The setupResults routine has the bug of reversing the source and destination. 
+        Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.
+
+        * dfg/DFGJITCodeGenerator.h:
+        (JSC::DFG::setupTwoStubArgs):
+        (JSC::DFG::setupResults):
+        * dfg/DFGJITCodeGenerator32_64.cpp:
+        (JSC::DFG::JITCodeGenerator::fillJSValue):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
+        (JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
+
 2011-09-30  Gavin Barraclough  <barraclo...@apple.com>
 
         Remove toStrictThisObject, toThisString, toThisJSString

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h (96450 => 96451)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-10-01 02:12:06 UTC (rev 96450)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h	2011-10-01 02:14:36 UTC (rev 96451)
@@ -921,6 +921,7 @@
         m_generationInfo[node.virtualRegister()].initConstant(nodeIndex, node.refCount());
     }
 
+#if CPU(X86_64)
     // These methods used to sort arguments into the correct registers.
     template<GPRReg destA, GPRReg destB>
     void setupTwoStubArgs(GPRReg srcA, GPRReg srcB)
@@ -950,7 +951,6 @@
         } else
             m_jit.swap(destA, destB);
     }
-#if CPU(X86_64)
     template<FPRReg destA, FPRReg destB>
     void setupTwoStubArgs(FPRReg srcA, FPRReg srcB)
     {
@@ -1182,7 +1182,21 @@
 
     void setupResults(GPRReg tag, GPRReg payload)
     {
-        setupTwoStubArgs<GPRInfo::returnValueGPR, GPRInfo::returnValueGPR2>(payload, tag);
+        GPRReg srcA = GPRInfo::returnValueGPR;
+        GPRReg srcB = GPRInfo::returnValueGPR2;
+        GPRReg destA = payload;
+        GPRReg destB = tag;
+
+        if (srcB != destA) {
+            // Handle the easy cases - two simple moves.
+            m_jit.move(srcA, destA);
+            m_jit.move(srcB, destB);
+        } else if (srcA != destB) {
+            // Handle the non-swap case - just put srcB in place first.
+            m_jit.move(srcB, destB);
+            m_jit.move(srcA, destA);
+        } else
+            m_jit.swap(destA, destB);
     }
 
     // These methods add calls to C++ helper functions.
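Review bot: setupResults now open-codes the same three-way move/swap that setupTwoStubArgs implements at lines 71–76 (made X86_64-only by the `#if` moved in the two hunks above), and nothing guards the precondition that the two destinations differ: with `tag == payload` the first branch silently finishes with returnValueGPR2 in that register and the payload lost. An `ASSERT(tag != payload);` at the top of the body turns that into an immediate failure in debug builds. The duplication could be removed by giving both callers one non-template helper taking (srcA, srcB, destA, destB) as runtime registers, since the template form fixes the destinations at compile time and so cannot be reused here, where the sources are the constants.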

Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator32_64.cpp (96450 => 96451)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator32_64.cpp	2011-10-01 02:12:06 UTC (rev 96450)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator32_64.cpp	2011-10-01 02:14:36 UTC (rev 96451)
@@ -253,7 +253,6 @@
         GPRReg gpr = info.gpr();
         // If the register has already been locked we need to take a copy.
         // If not, we'll zero extend in place, so mark on the info that this is now type DataFormatInteger, not DataFormatJSInteger.
-        tagGPR = allocate();
         if (m_gprs.isLocked(gpr)) {
             payloadGPR = allocate();
             m_jit.move(gpr, payloadGPR);
@@ -261,6 +260,7 @@
             payloadGPR = gpr;
             m_gprs.lock(gpr);
         }
+        tagGPR = allocate();
         m_jit.move(info.registerFormat() == DataFormatInteger ? JITCompiler::TrustedImm32(JSValue::Int32Tag) : JITCompiler::TrustedImm32(JSValue::CellTag), tagGPR);
         m_gprs.release(gpr);
         m_gprs.retain(tagGPR, virtualRegister, SpillOrderJS);
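Review bot: The moved `tagGPR = allocate();` now runs only after gpr has been locked (or copied), but nothing records why the order matters, so a later tidy-up can quietly reintroduce the bug this commit fixes. Presumably allocate() may select or spill an unlocked register, so allocating before `m_gprs.lock(gpr)` could hand back gpr itself and clobber the payload — worth confirming against allocate(). A one-line comment such as `// Allocate the tag register only once gpr is locked, so allocate() cannot choose or spill gpr.` would pin this down. The deletion site is in the previous hunk; fillJSValue begins outside both hunks.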
@@ -386,9 +386,11 @@
 
         silentSpillAllRegisters(gpr);
 
-        m_jit.moveDouble(fpr, FPRInfo::argumentFPR0);
+        m_jit.subPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
+        m_jit.storeDouble(fpr, JITCompiler::stackPointerRegister);
         appendCallWithExceptionCheck(toInt32);
         m_jit.move(GPRInfo::returnValueGPR, gpr);
+        m_jit.addPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
 
         silentFillAllRegisters(gpr);
 
@@ -1353,7 +1355,7 @@
     } else {
         GPRTemporary resultTag(this, arg1);
         GPRTemporary resultPayload(this, arg1, false);
-        GPRReg resultTagGPR = resultPayload.gpr();
+        GPRReg resultTagGPR = resultTag.gpr();
         GPRReg resultPayloadGPR = resultPayload.gpr();
 
         arg1.use();
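Review bot: The copy-paste fix at line 144 is correct, but the two temporaries reusing arg1 can still alias silently if GPRTemporary ever hands back the same register for both, which is exactly the failure this commit repairs. An `ASSERT(resultTagGPR != resultPayloadGPR);` after line 145 would catch that class of bug at code-generation time in debug builds. The enclosing function begins and ends outside the hunk.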