Title: [218729] trunk/Source/_javascript_Core
- Revision
- 218729
- Author
- [email protected]
- Date
- 2017-06-22 17:22:45 -0700 (Thu, 22 Jun 2017)
Log Message
The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
https://bugs.webkit.org/show_bug.cgi?id=173743
<rdar://problem/32932536>
Reviewed by Mark Lam.
The code always manually speculates, however, we weren't specifying
ManualOperandSpeculation when creating a JSValueOperand. This would
fire an assertion in JSValueOperand construction for a node like:
Identity(String:@otherNode)
I spent about 45 minutes trying to craft a test and came up
empty. However, this fixes a debug assertion on an internal
Apple website.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (218728 => 218729)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-22 23:34:05 UTC (rev 218728)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-23 00:22:45 UTC (rev 218729)
@@ -1,5 +1,27 @@
2017-06-22 Saam Barati <[email protected]>
+ The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
+ https://bugs.webkit.org/show_bug.cgi?id=173743
+ <rdar://problem/32932536>
+
+ Reviewed by Mark Lam.
+
+ The code always manually speculates, however, we weren't specifying
+ ManualOperandSpeculation when creating a JSValueOperand. This would
+ fire an assertion in JSValueOperand construction for a node like:
+ Identity(String:@otherNode)
+
+ I spent about 45 minutes trying to craft a test and came up
+ empty. However, this fixes a debug assertion on an internal
+ Apple website.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2017-06-22 Saam Barati <[email protected]>
+
ValueRep(DoubleRep(@v)) can not simply convert to @v
https://bugs.webkit.org/show_bug.cgi?id=173687
<rdar://problem/32855563>
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (218728 => 218729)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-06-22 23:34:05 UTC (rev 218728)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2017-06-23 00:22:45 UTC (rev 218729)
@@ -2100,7 +2100,7 @@
break;
}
default: {
- JSValueOperand op(this, node->child1());
+ JSValueOperand op(this, node->child1(), ManualOperandSpeculation);
GPRTemporary resultTag(this, Reuse, op, TagWord);
GPRTemporary resultPayload(this, Reuse, op, PayloadWord);
GPRReg sourceTag = op.tagGPR();
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (218728 => 218729)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-06-22 23:34:05 UTC (rev 218728)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2017-06-23 00:22:45 UTC (rev 218729)
@@ -2210,7 +2210,7 @@
break;
}
default: {
- JSValueOperand op(this, node->child1());
+ JSValueOperand op(this, node->child1(), ManualOperandSpeculation);
GPRTemporary result(this, Reuse, op);
m_jit.move(op.gpr(), result.gpr());
jsValueResult(result.gpr(), node);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
