[webkit-changes] [97013] trunk/Source/JavaScriptCore

[commit-queue]

Title: [97013] trunk/Source/_javascript_Core

Revision

97013

Author

commit-qu...@webkit.org

Date

2011-10-08 13:40:03 -0700 (Sat, 08 Oct 2011)

Log Message

JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
https://bugs.webkit.org/show_bug.cgi?id=69702

Patch by Yuqiang Xian <yuqiang.x...@intel.com> on 2011-10-08
Reviewed by Filip Pizlo.

There are some errors in generating code for Branch and LogicalNot,
when the operand is predicted as ObjectOrOther.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (97012 => 97013)

--- trunk/Source/_javascript_Core/ChangeLog	2011-10-08 17:46:00 UTC (rev 97012)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-08 20:40:03 UTC (rev 97013)
@@ -1,3 +1,17 @@
+2011-10-08  Yuqiang Xian  <yuqiang.x...@intel.com>
+
+        JSVALUE32_64 DFG JIT - Bug fixes for Branch and LogicalNot
+        https://bugs.webkit.org/show_bug.cgi?id=69702
+
+        Reviewed by Filip Pizlo.
+
+        There are some errors in generating code for Branch and LogicalNot,
+        when the operand is predicted as ObjectOrOther.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
+        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
+
 2011-10-08  Sheriff Bot  <webkit.review....@gmail.com>
 
         Unreviewed, rolling out r96996.

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (97012 => 97013)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2011-10-08 17:46:00 UTC (rev 97012)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2011-10-08 20:40:03 UTC (rev 97013)
@@ -452,16 +452,18 @@
     
     MacroAssembler::Jump notCell = m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::CellTag));
     speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(valuePayloadGPR), MacroAssembler::TrustedImmPtr(vptr)));
-    m_jit.move(TrustedImm32(1), resultPayloadGPR);
+    m_jit.move(TrustedImm32(0), resultPayloadGPR);
     MacroAssembler::Jump done = m_jit.jump();
     
     notCell.link(&m_jit);
+ 
+    MacroAssembler::Jump isNull = m_jit.branch32(MacroAssembler::Equal, valueTagGPR, TrustedImm32(JSValue::NullTag));
+    speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::UndefinedTag)));
+
+    isNull.link(&m_jit);
+
+    m_jit.move(TrustedImm32(1), resultPayloadGPR);
     
-    m_jit.move(valueTagGPR, resultPayloadGPR);
-    m_jit.and32(MacroAssembler::TrustedImm32(JSValue::UndefinedTag), resultPayloadGPR);
-    speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, resultPayloadGPR, TrustedImm32(JSValue::UndefinedTag)));
-    m_jit.move(TrustedImm32(0), resultPayloadGPR);
-    
     done.link(&m_jit);
     
     jsValueResult(resultTagGPR, resultPayloadGPR, m_compileIndex, DataFormatJSBoolean);
@@ -554,8 +556,11 @@
     
     notCell.link(&m_jit);
     
-    m_jit.and32(MacroAssembler::TrustedImm32(JSValue::UndefinedTag), valueTagGPR);
+    MacroAssembler::Jump isNull = m_jit.branch32(MacroAssembler::Equal, valueTagGPR, TrustedImm32(JSValue::NullTag));
     speculationCheck(m_jit.branch32(MacroAssembler::NotEqual, valueTagGPR, TrustedImm32(JSValue::UndefinedTag)));
+
+    isNull.link(&m_jit);
+
     if (notTaken != (m_block + 1))
         addBranch(m_jit.jump(), notTaken);
     

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes