Title: [233473] trunk/Source/_javascript_Core
Revision: 233473
Author: [email protected]
Date: 2018-07-03 12:25:54 -0700 (Tue, 03 Jul 2018)
Log Message
[32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
https://bugs.webkit.org/show_bug.cgi?id=187255
<rdar://problem/41785257>
Reviewed by Saam Barati.
The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
too: basically, do what the 64-bit code is doing. At present, this change only
serves to pacify an assertion. It is not needed for correctness because the
concurrent GC is not used on 32-bit builds.
This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
test.
* jit/JITOpcodes32_64.cpp:
(JSC::JIT::emit_op_create_this):
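The fix above reads the inline capacity from the callee's allocation profile and writes the empty value into every inline slot before the object can be observed. The following is an added example, not JSC code and not part of this commit: a miniature C++ model of that fast path in which freshly allocated cells still carry stale bytes, so a first `putDirect` into an uninitialized slot trips the same kind of emptiness check the assertion in the title performs. All names (`Value`, `InlineObject`, `AllocationProfile`, `Heap`, `initializeInlineStorage`, `putDirect`, `createThis`, `firstPutSucceeds`) are hypothetical stand-ins for the JSC types mentioned in the diff, and the 0xAB fill is a constructed stand-in for reused heap memory.

```cpp
// Added example (not JSC code): why the op_create_this fast path must
// initialize inline storage. Names are hypothetical stand-ins for JSC types.
#include <cstdint>
#include <cstddef>
#include <new>
#include <vector>

// A 32-bit-style JSValue: separate tag and payload words. The "empty" value
// is tag == 0 && payload == 0 (a convention chosen for this model).
struct Value {
    uint32_t tag;
    uint32_t payload;
    bool isEmpty() const { return tag == 0 && payload == 0; }
};

// Object header; `inlineCapacity` Value slots follow it in memory.
struct InlineObject {
    uint32_t inlineCapacity;
    Value* slots() {
        return reinterpret_cast<Value*>(reinterpret_cast<unsigned char*>(this) + sizeof(InlineObject));
    }
};

// Per-function allocation profile, like ObjectAllocationProfile::inlineCapacity.
struct AllocationProfile { uint32_t inlineCapacity; };

// Bump allocator over a recycled block. The arena is deliberately pre-filled
// with 0xAB (constructed) to mimic a reused heap cell whose old contents are
// still present when the allocator hands it out.
struct Heap {
    std::vector<unsigned char> arena = std::vector<unsigned char>(4096, 0xAB);
    size_t cursor = 0;

    InlineObject* allocate(uint32_t capacity) {
        size_t bytes = sizeof(InlineObject) + capacity * sizeof(Value);
        if (cursor + bytes > arena.size()) return nullptr;
        // Like emitAllocateJSObject: header is written, slots are not touched.
        auto* obj = new (arena.data() + cursor) InlineObject{capacity};
        cursor += bytes;
        return obj;
    }
};

// Counterpart of emitInitializeInlineStorage: every inline slot becomes the
// empty value so neither a GC scan nor a putDirect check sees stale bits.
inline void initializeInlineStorage(InlineObject* obj) {
    for (uint32_t i = 0; i < obj->inlineCapacity; ++i)
        obj->slots()[i] = Value{0, 0};
}

// First write into a property slot. Mirrors the spirit of the assertion
// "!getDirect(offset) || !JSValue::encode(getDirect(offset))": the slot must be
// empty before the first put. Returns false instead of aborting so it can be tested.
inline bool putDirect(InlineObject* obj, uint32_t offset, Value v) {
    if (offset >= obj->inlineCapacity) return false;
    Value* slot = &obj->slots()[offset];
    if (!slot->isEmpty()) return false; // would be ASSERTION FAILED in a debug build
    *slot = v;
    return true;
}

// The fast path before the patch (initialize == false) and after it
// (initialize == true): capacity comes from the allocation profile.
inline InlineObject* createThis(Heap& heap, const AllocationProfile& profile, bool initialize) {
    InlineObject* obj = heap.allocate(profile.inlineCapacity);
    if (obj && initialize) initializeInlineStorage(obj);
    return obj;
}

// Run one variant on a fresh stale heap and report whether the first putDirect
// into slot 0 passes the emptiness check.
inline bool firstPutSucceeds(bool initialize) {
    Heap heap;
    AllocationProfile profile{4};
    InlineObject* obj = createThis(heap, profile, initialize);
    if (!obj) return false;
    return putDirect(obj, 0, Value{1, 42});
}

// Report whether every inline slot is empty after creation.
inline bool allSlotsEmpty(bool initialize) {
    Heap heap;
    AllocationProfile profile{4};
    InlineObject* obj = createThis(heap, profile, initialize);
    if (!obj) return false;
    for (uint32_t i = 0; i < obj->inlineCapacity; ++i)
        if (!obj->slots()[i].isEmpty()) return false;
    return true;
}
```

`firstPutSucceeds(false)` models the pre-patch 32-bit path and fails the check because the slot still holds the 0xAB fill; `firstPutSucceeds(true)` models the patched path. The model only covers the assertion side of the ChangeLog's reasoning; the concurrent-GC hazard it mentions is the same stale-slot problem observed by a scanner instead of by `putDirect`.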
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (233472 => 233473)
--- trunk/Source/_javascript_Core/ChangeLog 2018-07-03 19:12:14 UTC (rev 233472)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-07-03 19:25:54 UTC (rev 233473)
@@ -1,3 +1,22 @@
+2018-07-03 Mark Lam <[email protected]>
+
+ [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
+ https://bugs.webkit.org/show_bug.cgi?id=187255
+ <rdar://problem/41785257>
+
+ Reviewed by Saam Barati.
+
+ The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
+ too: basically, do what the 64-bit code is doing. At present, this change only
+ serves to pacify an assertion. It is not needed for correctness because the
+ concurrent GC is not used on 32-bit builds.
+
+ This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
+ test.
+
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_create_this):
+
2018-07-03 Yusuke Suzuki <[email protected]>
[JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (233472 => 233473)
--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-07-03 19:12:14 UTC (rev 233472)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-07-03 19:25:54 UTC (rev 233473)
@@ -962,6 +962,10 @@
JumpList slowCases;
auto butterfly = TrustedImmPtr(nullptr);
emitAllocateJSObject(resultReg, JITAllocator::variable(), allocatorReg, structureReg, butterfly, scratchReg, slowCases);
+ emitLoadPayload(callee, scratchReg);
+ loadPtr(Address(scratchReg, JSFunction::offsetOfRareData()), scratchReg);
+ load32(Address(scratchReg, FunctionRareData::offsetOfObjectAllocationProfile() + ObjectAllocationProfile::offsetOfInlineCapacity()), scratchReg);
+ emitInitializeInlineStorage(resultReg, scratchReg);
addSlowCase(slowCases);
emitStoreCell(currentInstruction[1].u.operand, resultReg);
}
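Review bot: the rare-data pointer loaded from `JSFunction::offsetOfRareData()` is dereferenced by the following `load32` without a null check in this hunk, so the fast path must already have bailed to the slow path when the rare data is null; that guard is outside the hunk, so please confirm it exists earlier in `emit_op_create_this`, and if it does not, add `addSlowCase(branchTestPtr(Zero, scratchReg));` between the `loadPtr` and the `load32`. A one-line comment noting that `scratchReg` is intentionally reused after `emitAllocateJSObject` (first for the callee payload, then for the rare data, then for the capacity count passed to `emitInitializeInlineStorage`) would also help, since the ChangeLog points readers at the 64-bit code as the only other reference.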
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes