Skip to site navigation (Press enter)

[webkit-changes] [96841] trunk/Source/JavaScriptCore

barraclough Thu, 06 Oct 2011 11:59:46 -0700

Title: [96841] trunk/Source/_javascript_Core

Revision: 96841
Author: [email protected]
Date: 2011-10-06 12:00:50 -0700 (Thu, 06 Oct 2011)

Log Message

DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
https://bugs.webkit.org/show_bug.cgi?id=69549


Reviewed by Oliver Hunt.

This breaks sunspider/3d-cube.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
    - Speculation check on the tag.

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (96840 => 96841)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-06 18:58:04 UTC (rev 96840)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-06 19:00:50 UTC (rev 96841)
@@ -1,3 +1,16 @@
+2011-10-06  Gavin Barraclough  <[email protected]>
+
+        DFG JIT 32_64 should check type of values being filled by fillSpeculateInt
+        https://bugs.webkit.org/show_bug.cgi?id=69549
+
+        Reviewed by Oliver Hunt.
+
+        This breaks sunspider/3d-cube.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+            - Speculation check on the tag. 
+
 2011-10-06  Mark Hahnenberg  <[email protected]>
 
         Snow Leopard build fix

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (96840 => 96841)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2011-10-06 18:58:04 UTC (rev 96840)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2011-10-06 19:00:50 UTC (rev 96841)
@@ -61,12 +61,15 @@
             return allocate();
         }
 
-        ASSERT(info.spillFormat() & DataFormatJS);
+        DataFormat spillFormat = info.spillFormat();
+        ASSERT(spillFormat & DataFormatJS);
 
         m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
 
         // If we know this was spilled as an integer we can fill without checking.
-        // FIXME: Currently we always assume strict integers.
+        if (spillFormat != DataFormatJSInteger)
+            speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, JITCompiler::tagFor(virtualRegister), TrustedImm32(JSValue::Int32Tag)));
+
         m_jit.load32(JITCompiler::payloadFor(virtualRegister), gpr);
         info.fillInteger(gpr);
         returnFormat = DataFormatInteger;

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes