Title: [104337] branches/safari-534.54-branch/Source/_javascript_Core

Diff

Modified: branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog (104336 => 104337)


--- branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog	2012-01-06 22:13:51 UTC (rev 104336)
+++ branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog	2012-01-06 22:14:49 UTC (rev 104337)
@@ -1,3 +1,22 @@
+2011-1-6  Lucas Forschler  <[email protected]>
+
+    Merge 104330
+
+    2012-01-06  Oliver Hunt  <[email protected]>
+
+            GetByteArrayLength is incorrect
+            https://bugs.webkit.org/show_bug.cgi?id=75735
+
+            Reviewed by Filip Pizlo.
+
+            Load the byte array length from the correct location.
+            This stops an existing test from hanging.
+
+            * dfg/DFGSpeculativeJIT32_64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+            * dfg/DFGSpeculativeJIT64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+
 2012-01-05  Lucas Forschler  <[email protected]>
 
         Fix debug build.

Modified: branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (104336 => 104337)


--- branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2012-01-06 22:13:51 UTC (rev 104336)
+++ branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2012-01-06 22:14:49 UTC (rev 104337)
@@ -3505,7 +3505,7 @@
             speculationCheck(BadType, JSValueSource::unboxedCell(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
-        m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+        m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
         
         integerResult(resultGPR, m_compileIndex);
         break;
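Review bot: The two dependent loads into resultGPR have no comment explaining the indirection, and the identical sequence is duplicated in the DFGSpeculativeJIT64.cpp hunk, which is why the same wrong base register had to be corrected twice. A comment above the second load, such as `// The size field lives in the ByteArray storage that resultGPR now points to, not in the JSByteArray cell.`, would make the intent explicit in both files. A length read from the wrong object in JIT-emitted code is a memory-safety concern if later code trusts it for bounds decisions (inferred; the consumers are not visible here). Factoring this load sequence into one shared helper, and adding a regression test that checks the byte array `length` value in DFG-compiled code, would be worthwhile because the ChangeLog cites only an existing test that hung. The enclosing case in SpeculativeJIT::compile begins and ends outside the hunk.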

Modified: branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (104336 => 104337)


--- branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2012-01-06 22:13:51 UTC (rev 104336)
+++ branches/safari-534.54-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2012-01-06 22:14:49 UTC (rev 104337)
@@ -3457,7 +3457,7 @@
             speculationCheck(BadType, JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsByteArrayVPtr)));
         
         m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
-        m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+        m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
 
         integerResult(resultGPR, m_compileIndex);
         break;