Revision: 97286
Author: [email protected]
Date: 2011-10-12 12:28:12 -0700 (Wed, 12 Oct 2011)
Log Message
DFG JIT 32_64 - Fix ArrayPop
https://bugs.webkit.org/show_bug.cgi?id=69918
Patch by Yuqiang Xian <[email protected]> on 2011-10-12
Reviewed by Filip Pizlo.
The storageLengthGPR is polluted by EmptyValueTag and later used to
index the array, which results in abnormal behaviors in execution.
This fix makes 32_64 DFG pass v8-deltablue and kraken
crypto-sha256-iterative on Linux ia32.
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::store32):
* assembler/X86Assembler.h:
(JSC::X86Assembler::movl_i32m):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
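The log message cites only benchmark runs as evidence. The targeted check a reviewer would want is a regression test that exercises the paths the DFG ArrayPop node distinguishes: a dense array, a pop that lands on a hole (the holeCase branch, where the slot holds the empty value), and an empty array, run hot enough for a tiering JIT to compile it. The following is an added example written for this review, not a test from the WebKit patch or repository; the iteration counts are assumptions.

```javascript
// Added regression-style test for Array.prototype.pop (not part of the
// WebKit patch). Each check returns true on correct behaviour and false
// when a pop yields the wrong value or leaves the wrong length, which is
// how a miscompiled pop in a JIT tier shows up.

function popAll(arr) {
  // Pops until the array is empty, recording [value, lengthAfterPop] pairs.
  const seen = [];
  while (arr.length > 0) {
    const v = arr.pop();
    seen.push([v, arr.length]);
  }
  return seen;
}

function denseCase(n) {
  // Dense path: every pop must return the last index and shrink length by one.
  const a = [];
  for (let i = 0; i < n; i++) a.push(i);
  const r = popAll(a);
  for (let i = 0; i < r.length; i++) {
    if (r[i][0] !== n - 1 - i || r[i][1] !== n - 1 - i) return false;
  }
  return r.length === n && a.length === 0;
}

function holeCase() {
  // Hole path: index 2 is a hole. pop() must return undefined for it rather
  // than skipping it, and must still reduce the length by one.
  const a = [10, 20, , 40];
  const r = popAll(a);
  return r.length === 4
      && r[0][0] === 40 && r[0][1] === 3
      && r[1][0] === undefined && r[1][1] === 2
      && r[2][0] === 20 && r[2][1] === 1
      && r[3][0] === 10 && r[3][1] === 0
      && a.length === 0;
}

function emptyCase() {
  // Empty path: pop() on an empty array returns undefined and keeps length 0.
  const a = [];
  return a.pop() === undefined && a.length === 0;
}

function runHot(iterations) {
  // Repeat the checks so that a tiering JIT compiles them; the iteration
  // count is an assumption and may need raising for a given engine.
  for (let i = 0; i < iterations; i++) {
    if (!denseCase(64) || !holeCase() || !emptyCase()) return false;
  }
  return true;
}

runHot(10000);
```

Running this under a build without the fix would be expected to fail in the dense loop, since the popped slot's tag was written through an index derived from the tag constant instead of the array length.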
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (97285 => 97286)
--- trunk/Source/_javascript_Core/ChangeLog 2011-10-12 19:23:50 UTC (rev 97285)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-10-12 19:28:12 UTC (rev 97286)
@@ -1,3 +1,22 @@
+2011-10-12 Yuqiang Xian <[email protected]>
+
+ DFG JIT 32_64 - Fix ArrayPop
+ https://bugs.webkit.org/show_bug.cgi?id=69918
+
+ Reviewed by Filip Pizlo.
+
+ The storageLengthGPR is polluted by EmptyValueTag and later used to
+ index the array, which results in abnormal behaviors in execution.
+ This fix makes 32_64 DFG pass v8-deltablue and kraken
+ crypto-sha256-iterative on Linux ia32.
+
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::store32):
+ * assembler/X86Assembler.h:
+ (JSC::X86Assembler::movl_i32m):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2011-10-12 Gustavo Noronha Silva <[email protected]>
Fix build with GLib 2.31
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h (97285 => 97286)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2011-10-12 19:23:50 UTC (rev 97285)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerX86Common.h 2011-10-12 19:28:12 UTC (rev 97286)
@@ -511,6 +511,11 @@
m_assembler.movl_i32m(imm.m_value, address.offset, address.base);
}
+ void store32(TrustedImm32 imm, BaseIndex address)
+ {
+ m_assembler.movl_i32m(imm.m_value, address.offset, address.base, address.index, address.scale);
+ }
+
void store8(TrustedImm32 imm, Address address)
{
ASSERT(-128 <= imm.m_value && imm.m_value < 128);
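Review bot: only the X86 macro assembler gains this store32(TrustedImm32, BaseIndex) overload, yet its caller in DFGSpeculativeJIT32_64.cpp is backend-independent code; if the 32_64 DFG is ever built against another MacroAssembler backend, that call site will not compile until a matching overload exists there. The overload itself is consistent with the Address form directly above it, forwarding index and scale to movl_i32m.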
Modified: trunk/Source/_javascript_Core/assembler/X86Assembler.h (97285 => 97286)
--- trunk/Source/_javascript_Core/assembler/X86Assembler.h 2011-10-12 19:23:50 UTC (rev 97285)
+++ trunk/Source/_javascript_Core/assembler/X86Assembler.h 2011-10-12 19:28:12 UTC (rev 97286)
@@ -1066,6 +1066,12 @@
m_formatter.immediate32(imm);
}
+ void movl_i32m(int imm, int offset, RegisterID base, RegisterID index, int scale)
+ {
+ m_formatter.oneByteOp(OP_GROUP11_EvIz, GROUP11_MOV, base, index, scale, offset);
+ m_formatter.immediate32(imm);
+ }
+
void movb_i8m(int imm, int offset, RegisterID base)
{
ASSERT(-128 <= imm && imm < 128);
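Review bot: emitting the immediate after oneByteOp has written the opcode, ModRM/SIB and displacement bytes is the order the GROUP11 MOV Ev,Iz encoding requires, so this matches the existing movl_i32m(int, int, RegisterID) form above; no range ASSERT is needed here because the full 32-bit immediate is encodable, unlike the 8-bit case in movb_i8m below.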
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (97285 => 97286)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-10-12 19:23:50 UTC (rev 97285)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-10-12 19:28:12 UTC (rev 97286)
@@ -1544,8 +1544,7 @@
MacroAssembler::Jump holeCase = m_jit.branch32(MacroAssembler::Equal, Imm32(JSValue::EmptyValueTag), valueTagGPR);
- m_jit.move(Imm32(JSValue::EmptyValueTag), storageLengthGPR);
- m_jit.store32(storageLengthGPR, MacroAssembler::BaseIndex(storageGPR, storageLengthGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
+ m_jit.store32(TrustedImm32(JSValue::EmptyValueTag), MacroAssembler::BaseIndex(storageGPR, storageLengthGPR, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)));
m_jit.sub32(MacroAssembler::Imm32(1), MacroAssembler::Address(storageGPR, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
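Review bot: the removed move clobbered storageLengthGPR with the EmptyValueTag constant immediately before that same register was used as the index of the BaseIndex store, so the tag was written to storageGPR + EmptyValueTag*8 + offset rather than to the popped slot, and every later use of storageLengthGPR in this node operated on the tag value instead of the length; storing TrustedImm32(JSValue::EmptyValueTag) directly is the right fix. Worth confirming that no code after the sub32 line still relies on storageLengthGPR holding the old value, and adding a targeted regression test (a hot loop of pop() over dense and holey arrays under the 32_64 DFG), since the ChangeLog cites only benchmark runs.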