Title: [96980] trunk/Source/_javascript_Core
- Revision
- 96980
- Author
- [email protected]
- Date
- 2011-10-07 13:52:56 -0700 (Fri, 07 Oct 2011)
Log Message
DFG ConvertThis speculation logic is wrong
https://bugs.webkit.org/show_bug.cgi?id=69663
Reviewed by Oliver Hunt.
* dfg/DFGPropagator.cpp:
(JSC::DFG::Propagator::fixupNode):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified: trunk/Source/_javascript_Core/ChangeLog (96979 => 96980)
--- trunk/Source/_javascript_Core/ChangeLog 2011-10-07 20:43:41 UTC (rev 96979)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-10-07 20:52:56 UTC (rev 96980)
@@ -1,3 +1,17 @@
+2011-10-07 Filip Pizlo <[email protected]>
+
+ DFG ConvertThis speculation logic is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=69663
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGPropagator.cpp:
+ (JSC::DFG::Propagator::fixupNode):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2011-10-07 Oliver Hunt <[email protected]>
Verify that our call speculation is valid.
Modified: trunk/Source/_javascript_Core/dfg/DFGPropagator.cpp (96979 => 96980)
--- trunk/Source/_javascript_Core/dfg/DFGPropagator.cpp 2011-10-07 20:43:41 UTC (rev 96979)
+++ trunk/Source/_javascript_Core/dfg/DFGPropagator.cpp 2011-10-07 20:52:56 UTC (rev 96980)
@@ -720,7 +720,7 @@
break;
#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)
- printf(" @%u -> %s", nodeIndex, isArray ? "GetArrayLength" : "GetStringLength");
+ printf(" @%u -> %s", m_compileIndex, isArray ? "GetArrayLength" : "GetStringLength");
#endif
node.op = isArray ? GetArrayLength : GetStringLength;
break;
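Review bot: The ChangeLog lists `Propagator::fixupNode` but does not say that this edit only touches the `printf` inside `#if ENABLE(DFG_DEBUG_PROPAGATION_VERBOSE)`, which is unrelated to the ConvertThis fix named in the title. A line in the entry such as `Fix stale variable name in verbose propagation logging.` would keep the history accurate. Because this block is compiled only when that flag is enabled, an outdated identifier like the old `nodeIndex` goes unnoticed in ordinary builds, so building once with the flag on during review is worth doing. The enclosing function starts and ends outside the hunk.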
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (96979 => 96980)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-10-07 20:43:41 UTC (rev 96979)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-10-07 20:52:56 UTC (rev 96980)
@@ -1710,7 +1710,7 @@
}
case ConvertThis: {
- if (isOtherPrediction(node.prediction())) {
+ if (isOtherPrediction(at(node.child1()).prediction())) {
JSValueOperand thisValue(this, node.child1());
GPRTemporary scratch(this, thisValue);
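Review bot: Nothing at this test records why the prediction is taken from `child1` rather than from the ConvertThis node itself, which is the mistake being corrected. A comment above the `if` would keep it from being reverted by accident, for example `// Use the prediction of the incoming 'this' (child1), not of this node's result; it only selects a path and may be wrong at run time.` The expression `at(node.child1()).prediction()` is now repeated in the second test of this case and in both tests in DFGSpeculativeJIT64.cpp, so reading it once into a local at the top of `case ConvertThis:` would stop the tests from drifting apart. The case body continues outside the hunk.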
@@ -1726,7 +1726,7 @@
break;
}
- if (isObjectPrediction(node.prediction())) {
+ if (isObjectPrediction(at(node.child1()).prediction())) {
SpeculateCellOperand thisValue(this, node.child1());
speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));
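Review bot: In this branch the only guard visible after `SpeculateCellOperand` is the `speculationCheck` that fails when the cell's vptr equals `jsStringVPtr`, so treating `this` as an object rests on that check (and presumably on the cell speculation), not on the prediction. That deserves a comment, for example `// The cell speculation and this not-a-JSString check enforce the object assumption; the prediction only chooses this path.` The file list for this change names no test, so a regression test that calls one function with different kinds of `this` value and forces the speculation to fail would guard against the wrong prediction being consulted again. Both points apply equally to the matching hunk in DFGSpeculativeJIT64.cpp, and the case body continues outside the hunk.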
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (96979 => 96980)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2011-10-07 20:43:41 UTC (rev 96979)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2011-10-07 20:52:56 UTC (rev 96980)
@@ -1786,7 +1786,7 @@
}
case ConvertThis: {
- if (isOtherPrediction(node.prediction())) {
+ if (isOtherPrediction(at(node.child1()).prediction())) {
JSValueOperand thisValue(this, node.child1());
GPRTemporary scratch(this, thisValue);
GPRReg thisValueGPR = thisValue.gpr();
@@ -1801,7 +1801,7 @@
break;
}
- if (isObjectPrediction(node.prediction())) {
+ if (isObjectPrediction(at(node.child1()).prediction())) {
SpeculateCellOperand thisValue(this, node.child1());
speculationCheck(m_jit.branchPtr(JITCompiler::Equal, JITCompiler::Address(thisValue.gpr()), JITCompiler::TrustedImmPtr(m_jit.globalData()->jsStringVPtr)));