Title: [231710] trunk
- Revision
- 231710
- Author
- [email protected]
- Date
- 2018-05-11 11:39:06 -0700 (Fri, 11 May 2018)
Log Message
[DFG] Compiler uses incorrect output register for NumberIsInteger operation
https://bugs.webkit.org/show_bug.cgi?id=185328
Reviewed by Keith Miller.
JSTests:
New regression test.
* stress/isInteger-doesnt-overwrite-argument.js: Added.
(testIsInteger):
Source/_javascript_Core:
Fixed a typo from when this code was added in r228968 where resultGPR
was assigned the input register instead of the result.gpr().
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (231709 => 231710)
--- trunk/JSTests/ChangeLog 2018-05-11 18:33:43 UTC (rev 231709)
+++ trunk/JSTests/ChangeLog 2018-05-11 18:39:06 UTC (rev 231710)
@@ -1,3 +1,15 @@
+2018-05-11 Michael Saboff <[email protected]>
+
+ [DFG] Compiler uses incorrect output register for NumberIsInteger operation
+ https://bugs.webkit.org/show_bug.cgi?id=185328
+
+ Reviewed by Keith Miller.
+
+ New regression test.
+
+ * stress/isInteger-doesnt-overwrite-argument.js: Added.
+ (testIsInteger):
+
2018-05-09 Yusuke Suzuki <[email protected]>
[JSC] Object.assign for final objects should be faster
Added: trunk/JSTests/stress/isInteger-doesnt-overwrite-argument.js (0 => 231710)
--- trunk/JSTests/stress/isInteger-doesnt-overwrite-argument.js (rev 0)
+++ trunk/JSTests/stress/isInteger-doesnt-overwrite-argument.js 2018-05-11 18:39:06 UTC (rev 231710)
@@ -0,0 +1,13 @@
+// This test shouldn't throw.
+
+function testIsInteger(arg)
+{
+ var x = Number.isInteger(arg);
+ return arg;
+}
+
+for (var i = 0; i < 100000; i++) {
+ var r = testIsInteger(13.37);
+ if (r === false)
+ throw "Wrong value returned from function calling Number.isInteger";
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (231709 => 231710)
--- trunk/Source/_javascript_Core/ChangeLog 2018-05-11 18:33:43 UTC (rev 231709)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-05-11 18:39:06 UTC (rev 231710)
@@ -1,3 +1,16 @@
+2018-05-11 Michael Saboff <[email protected]>
+
+ [DFG] Compiler uses incorrect output register for NumberIsInteger operation
+ https://bugs.webkit.org/show_bug.cgi?id=185328
+
+ Reviewed by Keith Miller.
+
+ Fixed a typo from when this code was added in r228968 where resultGPR
+ was assigned the input register instead of the result.gpr().
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2018-05-11 Saam Barati <[email protected]>
Don't use inferred types when the JIT is disabled
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (231709 => 231710)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-05-11 18:33:43 UTC (rev 231709)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-05-11 18:39:06 UTC (rev 231710)
@@ -3854,7 +3854,7 @@
FPRTemporary temp2(this);
JSValueRegs valueRegs = JSValueRegs(value.gpr());
- GPRReg resultGPR = value.gpr();
+ GPRReg resultGPR = result.gpr();
FPRReg tempFPR1 = temp1.fpr();
FPRReg tempFPR2 = temp2.fpr();
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
