Title: [200541] trunk/Source/JavaScriptCore
Revision: 200541
Author: [email protected]
Date: 2016-05-07 01:19:49 -0700 (Sat, 07 May 2016)

Log Message

[JSC][32bit] stress/tagged-templates-template-object.js fails in debug
https://bugs.webkit.org/show_bug.cgi?id=157436

Patch by Benjamin Poulain <[email protected]> on 2016-05-07
Reviewed by Filip Pizlo.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
The node OverridesHasInstance had a speculation after a jump.

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (200540 => 200541)


--- trunk/Source/_javascript_Core/ChangeLog	2016-05-07 06:03:50 UTC (rev 200540)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-07 08:19:49 UTC (rev 200541)
@@ -1,3 +1,14 @@
+2016-05-07  Benjamin Poulain  <[email protected]>
+
+        [JSC][32bit] stress/tagged-templates-template-object.js fails in debug
+        https://bugs.webkit.org/show_bug.cgi?id=157436
+
+        Reviewed by Filip Pizlo.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        The node OverridesHasInstance had a speculation after a jump.
+
 2016-05-06  Joseph Pecoraro  <[email protected]>
 
         Web Inspector: Misc CommandLineAPI cleanup
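
Review bot: The description line "The node OverridesHasInstance had a speculation after a jump." names the symptom but not the fix or why it matters. Consider saying that base.gpr() is now called once, before any branch is emitted, so a later reader of the ChangeLog can tell what invariant the change restores and does not reintroduce the call on a conditional path.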

Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (200540 => 200541)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-05-07 06:03:50 UTC (rev 200540)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-05-07 08:19:49 UTC (rev 200541)
@@ -4385,6 +4385,7 @@
         JSValueOperand hasInstanceValue(this, node->child2());
         GPRTemporary result(this);
 
+        GPRReg baseGPR = base.gpr();
         GPRReg resultGPR = result.gpr();
 
         // If we have proven that the constructor's Symbol.hasInstance will always be the one on
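
Review bot: The new line "GPRReg baseGPR = base.gpr();" carries no comment explaining that its placement is load-bearing. It sits next to "GPRReg resultGPR = result.gpr();" and looks like a plain local alias, so a later cleanup could inline it back into the test8 call. A one-line comment stating that base.gpr() has to be evaluated before the first jump, because it can emit a speculation check, would protect the ordering.
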
@@ -4400,7 +4401,7 @@
         }
 
         // Check that constructor 'ImplementsDefaultHasInstance'.
-        m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(base.gpr(), JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
+        m_jit.test8(MacroAssembler::Zero, MacroAssembler::Address(baseGPR, JSCell::typeInfoFlagsOffset()), MacroAssembler::TrustedImm32(ImplementsDefaultHasInstance), resultGPR);
         MacroAssembler::Jump done = m_jit.jump();
 
         if (!hasInstanceValueNode->isCellConstant()) {
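
Review bot: Only base is hoisted, but the block opened by "if (!hasInstanceValueNode->isCellConstant()) {" also comes after "MacroAssembler::Jump done = m_jit.jump();", and hasInstanceValue is declared as a JSValueOperand in the previous hunk with no register fetched up front in the visible lines. If that block is the first place its registers are requested, it has the same operand-access-after-a-jump shape this patch removes for base. Please confirm its registers are obtained before the first branch, or hoist them alongside baseGPR and resultGPR.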