[webkit-changes] [236250] releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore

[carlosgc]

Title: [236250] releases/WebKitGTK/webkit-2.22/Source/_javascript_Core

Revision

236250

Author

carlo...@webkit.org

Date

2018-09-20 00:54:20 -0700 (Thu, 20 Sep 2018)

Log Message

Merge r236224 - CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
https://bugs.webkit.org/show_bug.cgi?id=189703

Reviewed by Mark Lam.

This fixes a crash that a TypeProfiler change revealed.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

Modified Paths

• releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog
• releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236249 => 236250)

--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-20 07:54:16 UTC (rev 236249)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-20 07:54:20 UTC (rev 236250)
@@ -1,5 +1,17 @@
 2018-09-19  Saam barati  <sbar...@apple.com>
 
+        CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
+        https://bugs.webkit.org/show_bug.cgi?id=189703
+
+        Reviewed by Mark Lam.
+
+        This fixes a crash that a TypeProfiler change revealed.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2018-09-19  Saam barati  <sbar...@apple.com>
+
         AI rule for MultiPutByOffset executes its effects in the wrong order
         https://bugs.webkit.org/show_bug.cgi?id=189757
         <rdar://problem/43535257>

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (236249 => 236250)

--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-09-20 07:54:16 UTC (rev 236249)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2018-09-20 07:54:20 UTC (rev 236250)
@@ -3559,11 +3559,19 @@
     case CheckStructureOrEmpty: {
         SpeculateCellOperand cell(this, node->child1());
         GPRReg cellGPR = cell.gpr();
+
+        GPRReg tempGPR = InvalidGPRReg;
+        std::optional<GPRTemporary> temp;
+        if (node->structureSet().size() > 1) {
+            temp.emplace(this);
+            tempGPR = temp->gpr();
+        }
+
         MacroAssembler::Jump isEmpty;
         if (m_interpreter.forNode(node->child1()).m_type & SpecEmpty)
             isEmpty = m_jit.branchIfEmpty(cellGPR);
 
-        emitStructureCheck(node, cellGPR, InvalidGPRReg);
+        emitStructureCheck(node, cellGPR, tempGPR);
 
         if (isEmpty.isSet())
             isEmpty.link(&m_jit);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes