[webkit-changes] [204495] trunk/Source/JavaScriptCore

[commit-queue]

Title: [204495] trunk/Source/_javascript_Core

Revision

204495

Author

commit-qu...@webkit.org

Date

2016-08-15 21:17:36 -0700 (Mon, 15 Aug 2016)

Log Message

[Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
https://bugs.webkit.org/show_bug.cgi?id=160881

Patch by Benjamin Poulain <bpoul...@apple.com> on 2016-08-15
Reviewed by Mark Lam.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
We were trying to set the result of the Identity node to the same
value as the source of the Identity.
That is pretty messed up.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (204494 => 204495)

--- trunk/Source/_javascript_Core/ChangeLog	2016-08-16 03:32:38 UTC (rev 204494)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-08-16 04:17:36 UTC (rev 204495)
@@ -1,3 +1,16 @@
+2016-08-15  Benjamin Poulain  <bpoul...@apple.com>
+
+        [Regression 204203-204210] 32-bit ASSERTION FAILED: !m_data[index].name.isValid()
+        https://bugs.webkit.org/show_bug.cgi?id=160881
+
+        Reviewed by Mark Lam.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        We were trying to set the result of the Identity node to the same
+        value as the source of the Identity.
+        That is pretty messed up.
+
 2016-08-15  Saam Barati  <sbar...@apple.com>
 
         Web Inspector: Introduce a method to enable code coverage profiler without enabling type profiler

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (204494 => 204495)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-08-16 03:32:38 UTC (rev 204494)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2016-08-16 04:17:36 UTC (rev 204495)
@@ -1973,7 +1973,15 @@
         }
         default: {
             JSValueOperand op(this, node->child1());
-            jsValueResult(op.tagGPR(), op.payloadGPR(), node);
+            GPRTemporary resultTag(this, Reuse, op, TagWord);
+            GPRTemporary resultPayload(this, Reuse, op, PayloadWord);
+            GPRReg sourceTag = op.tagGPR();
+            GPRReg sourcePayload = op.payloadGPR();
+            GPRReg resultTagGPR = resultTag.gpr();
+            GPRReg resultPayloadGPR = resultPayload.gpr();
+            m_jit.move(sourceTag, resultTagGPR);
+            m_jit.move(sourcePayload, resultPayloadGPR);
+            jsValueResult(resultTagGPR, resultPayloadGPR, node);
             break;
         }
         } // switch

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes