Title: [201301] trunk/Source/_javascript_Core
- Revision
- 201301
- Author
- [email protected]
- Date
- 2016-05-23 15:46:41 -0700 (Mon, 23 May 2016)
Log Message
The baseline JIT crashes when compiling "(1,1)/1"
https://bugs.webkit.org/show_bug.cgi?id=157933
Reviewed by Benjamin Poulain.
op_div in the baseline JIT needed to better handle when both the lhs
and rhs are constants. It needs to make sure to load either the lhs or
the rhs into a register since the div generator can't handle both
the lhs and rhs being constants.
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_div):
* tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
(assert):
(test):
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (201300 => 201301)
--- trunk/Source/_javascript_Core/ChangeLog 2016-05-23 22:37:52 UTC (rev 201300)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-05-23 22:46:41 UTC (rev 201301)
@@ -1,5 +1,23 @@
2016-05-23 Saam barati <[email protected]>
+ The baseline JIT crashes when compiling "(1,1)/1"
+ https://bugs.webkit.org/show_bug.cgi?id=157933
+
+ Reviewed by Benjamin Poulain.
+
+ op_div in the baseline JIT needed to better handle when both the lhs
+ and rhs are constants. It needs to make sure to load either the lhs or
+ the rhs into a register since the div generator can't handle both
+ the lhs and rhs being constants.
+
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_div):
+ * tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js: Added.
+ (assert):
+ (test):
+
+2016-05-23 Saam barati <[email protected]>
+
String template don't handle let initialization properly inside eval
https://bugs.webkit.org/show_bug.cgi?id=157991
Modified: trunk/Source/_javascript_Core/jit/JITArithmetic.cpp (201300 => 201301)
--- trunk/Source/_javascript_Core/jit/JITArithmetic.cpp 2016-05-23 22:37:52 UTC (rev 201300)
+++ trunk/Source/_javascript_Core/jit/JITArithmetic.cpp 2016-05-23 22:46:41 UTC (rev 201301)
@@ -816,8 +816,7 @@
else if (isOperandConstantDouble(op1))
leftOperand.setConstDouble(getOperandConstantDouble(op1));
#endif
-
- if (isOperandConstantInt(op2))
+ else if (isOperandConstantInt(op2))
rightOperand.setConstInt32(getOperandConstantInt(op2));
#if USE(JSVALUE64)
else if (isOperandConstantDouble(op2))
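Review bot: The rule that at most one operand may be marked constant is now carried only by an `else if` that crosses the `#endif` between the op1 and op2 checks, and nothing at that spot says so. A later cleanup that turns it back into a plain `if` would reintroduce the both-constants case the div generator cannot handle, and in JIT code emission an invariant like that is worth guarding explicitly. I would add a comment above the op2 branch, `// Mark at most one operand constant: the div generator cannot take constants on both sides, so the other one is loaded into a register.` If the operand type offers a constness query, a debug assertion after the chain that the two operands are not both constant would also help. emit_op_div starts and ends outside this hunk, so the rest of the chain is not visible here.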
Added: trunk/Source/_javascript_Core/tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js (0 => 201301)
--- trunk/Source/_javascript_Core/tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/jit-gracefully-handle-double-constants-in-math-operators.js 2016-05-23 22:46:41 UTC (rev 201301)
@@ -0,0 +1,25 @@
+function assert(b) {
+ if (!b)
+ throw new Error("bad assertion!");
+}
+
+
+function test() {
+ let cases = [
+ ["/", 1],
+ ["*", 1],
+ ["+", 2],
+ ["-", 0],
+ [">>", 0],
+ [">>>", 0],
+ ["<<", 2],
+ ["^", 0],
+ ["&", 1],
+ ];
+
+ for (let [op, result] of cases) {
+ let program = `for (let i = 0; i < 500; i++) { assert((1,1)${op}1 === ${result}); }`;
+ eval(program);
+ }
+}
+test();
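Review bot: Every entry in `cases` uses the integer constant 1 on both sides, so as far as the visible lines show, the `isOperandConstantDouble` branches of the chain changed in JITArithmetic.cpp are not exercised by this test. A case with non-integer constants on both sides would cover them, for example `eval("for (let i = 0; i < 500; i++) { assert((1,1.5)/1.5 === 1); }");`. The thrown `bad assertion!` also does not say which operator failed; including `op` in the message would make a failure easier to triage.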