Modified: trunk/Source/_javascript_Core/ChangeLog (270430 => 270431)
--- trunk/Source/_javascript_Core/ChangeLog 2020-12-04 15:43:41 UTC (rev 270430)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-12-04 15:54:44 UTC (rev 270431)
@@ -1,3 +1,19 @@
+2020-12-04 Caio Lima <[email protected]>
+
+ [JIT] Value profile stores wrong value in BaselineJIT for some operations
+ https://bugs.webkit.org/show_bug.cgi?id=219535
+
+ Reviewed by Mark Lam.
+
+ This patch is a follow up from r270423 to fix 32-bits baseline JIT
+ code from `op_iterator_next`. It's also fixing wrong profile value for
+ `op_get_prototype_of`.
+
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::emit_op_iterator_next):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_get_prototype_of):
+
2020-12-03 Saam Barati <[email protected]>
"done" checkpoint of iterator_next stores the wrong register in the value profile in baseline JIT
Modified: trunk/Source/_javascript_Core/jit/JITCall32_64.cpp (270430 => 270431)
--- trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2020-12-04 15:43:41 UTC (rev 270430)
+++ trunk/Source/_javascript_Core/jit/JITCall32_64.cpp 2020-12-04 15:54:44 UTC (rev 270431)
@@ -497,6 +497,8 @@
GPRReg payloadDoneGPR = regT4;
{
+ JSValueRegs doneRegs = JSValueRegs(tagDoneGPR, payloadDoneGPR);
+
GPRReg tagIterResultGPR = regT3;
GPRReg payloadIterResultGPR = regT2;
@@ -516,18 +518,19 @@
preservedRegs,
CacheableIdentifier::createFromImmortalIdentifier(vm().propertyNames->done.impl()),
JSValueRegs(tagIterResultGPR, payloadIterResultGPR),
- JSValueRegs(tagDoneGPR, payloadDoneGPR),
+ doneRegs,
AccessType::GetById);
gen.generateFastPath(*this);
addSlowCase(gen.slowPathJump());
m_getByIds.append(gen);
- emitValueProfilingSite(metadata);
- emitPutVirtualRegister(bytecode.m_done, JSValueRegs(tagDoneGPR, payloadDoneGPR));
+ emitValueProfilingSite(metadata, doneRegs);
+ emitPutVirtualRegister(bytecode.m_done, doneRegs);
advanceToNextCheckpoint();
}
{
+ JSValueRegs resultRegs = JSValueRegs(tagValueGPR, payloadValueGPR);
GPRReg tagIterResultGPR = regT1;
GPRReg payloadIterResultGPR = regT0;
@@ -543,14 +546,14 @@
RegisterSet::stubUnavailableRegisters(),
CacheableIdentifier::createFromImmortalIdentifier(vm().propertyNames->value.impl()),
JSValueRegs(tagIterResultGPR, payloadIterResultGPR),
- JSValueRegs(tagValueGPR, payloadValueGPR),
+ resultRegs,
AccessType::GetById);
gen.generateFastPath(*this);
addSlowCase(gen.slowPathJump());
m_getByIds.append(gen);
- emitValueProfilingSite(metadata);
- emitPutVirtualRegister(bytecode.m_value, JSValueRegs(tagValueGPR, payloadValueGPR));
+ emitValueProfilingSite(metadata, resultRegs);
+ emitPutVirtualRegister(bytecode.m_value, resultRegs);
iterationDone.link(this);
}
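Review bot: The new local in the second block is named `resultRegs` while its sibling in the first block is `doneRegs`; both wrap the destination pair for the virtual register they are stored to (`bytecode.m_done`, `bytecode.m_value`), and the GPRs here are `tagValueGPR`/`payloadValueGPR`, so `valueRegs` would keep the two blocks parallel: `JSValueRegs valueRegs = JSValueRegs(tagValueGPR, payloadValueGPR);` followed by `emitValueProfilingSite(metadata, valueRegs);` and `emitPutVirtualRegister(bytecode.m_value, valueRegs);`. This is a naming point only; the pair passed to the profiling site now matches the pair written to the virtual register, which is what the change sets out to do. emit_op_iterator_next begins before this hunk, and the matching `doneRegs` block is in the preceding hunk.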
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes.cpp (270430 => 270431)
--- trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2020-12-04 15:43:41 UTC (rev 270430)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes.cpp 2020-12-04 15:54:44 UTC (rev 270431)
@@ -1785,7 +1785,7 @@
emitLoadPrototype(vm(), valueRegs.payloadGPR(), resultRegs, scratchGPR, slowCases);
addSlowCase(slowCases);
- emitValueProfilingSite(bytecode.metadata(m_codeBlock));
+ emitValueProfilingSite(bytecode.metadata(m_codeBlock), resultRegs);
emitPutVirtualRegister(bytecode.m_dst, resultRegs);
}
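Review bot: This is the second follow-up (after r270423, per the ChangeLog) that replaces a one-argument `emitValueProfilingSite(metadata)` call whose result was not held in whatever registers that overload profiles, so the remaining single-argument callers in the baseline JIT are worth auditing in this same change rather than one opcode at a time; a mismatched profile presumably fails silently, since nothing in the visible code asserts on it. If the one-argument overload is kept, a short comment at this site — `// Profile the registers the result actually lives in; the one-argument overload assumes the default result registers.` — would record why the explicit `resultRegs` form is required here. The body of emit_op_get_prototype_of begins before this hunk, and the ChangeLog lists no regression test for this opcode.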