Title: [106495] branches/safari-534.54-branch/Source/_javascript_Core
Diff
Modified: branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog (106494 => 106495)
--- branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog 2012-02-01 22:05:01 UTC (rev 106494)
+++ branches/safari-534.54-branch/Source/_javascript_Core/ChangeLog 2012-02-01 22:12:27 UTC (rev 106495)
@@ -1,3 +1,26 @@
+2011-02-01 Lucas Forschler <[email protected]>
+
+ Merge 106207
+
+ 2012-01-29 Filip Pizlo <[email protected]>
+
+ REGRESSION (r105576-r105582): Web Inspector Crash in JSC::JSValue::toString(JSC::ExecState*) const
+ https://bugs.webkit.org/show_bug.cgi?id=77146
+ <rdar://problem/10770586>
+
+ Reviewed by Oliver Hunt.
+
+ The old JIT expects that the result of the last operation is in the lastResultRegister. The DFG JIT is
+ designed to correctly track the lastResultRegister by looking at SetLocal nodes. However, when the DFG
+ JIT inlines a code block, it forgets that the inlined code block's result would have been placed in the
+ lastResultRegister. Hence if we OSR exit on the first node following the end of an inlined code block
+ that had a return value, and that first node uses the return value, the old JIT will get massively
+ confused. This patch takes a surgical approach: instead of making the DFG smarter, it makes the old
+ JIT slightly dumber.
+
+ * jit/JITCall.cpp:
+ (JSC::JIT::emit_op_call_put_result):
+
2011-01-27 Lucas Forschler <[email protected]>
Merge 106067
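Review bot: the date on the new merge entry reads "2011-02-01" while both file timestamps in the hunk header and the merged entry itself are 2012; this looks like a year typo (the preceding "2011-01-27" entry in the context lines shows the same pattern, so the branch ChangeLog may already be off by a year). Worth correcting to 2012-02-01 so the merge history on the branch stays searchable by date. Separately, the merged entry lists only jit/JITCall.cpp and no test: since the bug is an OSR-exit-after-inlined-call path that left the old JIT consuming a stale lastResultRegister (a wrong-JSValue crash in toString), a regression test that forces OSR exit on the first node after an inlined call whose return value is used would be the natural guard against this being reintroduced.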
Modified: branches/safari-534.54-branch/Source/_javascript_Core/jit/JITCall.cpp (106494 => 106495)
--- branches/safari-534.54-branch/Source/_javascript_Core/jit/JITCall.cpp 2012-02-01 22:05:01 UTC (rev 106494)
+++ branches/safari-534.54-branch/Source/_javascript_Core/jit/JITCall.cpp 2012-02-01 22:12:27 UTC (rev 106495)
@@ -52,6 +52,8 @@
int dst = instruction[1].u.operand;
emitValueProfilingSite(FirstProfilingSite);
emitPutVirtualRegister(dst);
+ if (canBeOptimized())
+ killLastResultRegister(); // Make lastResultRegister tracking simpler in the DFG.
}
void JIT::compileLoadVarargs(Instruction* instruction)
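Review bot: the inline comment "Make lastResultRegister tracking simpler in the DFG" understates what this guards against; per the ChangeLog the real issue is that after an inlined code block with a return value, an OSR exit on the first consuming node leaves the old JIT assuming the result is still in lastResultRegister, so I'd reword the comment to say that the DFG does not track results across inlined calls and cite the bug id (77146) so the next reader does not "optimize" the kill away. Gating on canBeOptimized() is the right call: killLastResultRegister() costs a reload on the next use, and the stale-register hazard only exists when a DFG-compiled frame can exit back into this code, so baseline-only code blocks keep the cheap path.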
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes