Title: [282336] trunk/Source/JavaScriptCore
- Revision: 282336
- Author: [email protected]
- Date: 2021-09-13 10:37:02 -0700 (Mon, 13 Sep 2021)
Log Message
[JSC][32bit] in-by-val fails inside for-in loop after delete
https://bugs.webkit.org/show_bug.cgi?id=230150
Patch by Xan López <[email protected]> on 2021-09-13
Reviewed by Carlos Garcia Campos.
The order of payload and tag was reversed when constructing the
base value for compileEnumeratorHasProperty.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (282335 => 282336)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-13 17:20:57 UTC (rev 282335)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-13 17:37:02 UTC (rev 282336)
@@ -1,3 +1,16 @@
+2021-09-13 Xan López <[email protected]>
+
+ [JSC][32bit] in-by-val fails inside for-in loop after delete
+ https://bugs.webkit.org/show_bug.cgi?id=230150
+
+ Reviewed by Carlos Garcia Campos.
+
+ The order of payload and tag was reversed when constructing the
+ base value for compileEnumeratorHasProperty.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
2021-09-10 Stephan Szabo <[email protected]>
[PlayStation] Support running applications with ENABLE_STATIC_JSC=ON
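Review bot: The new ChangeLog entry explains the cause but not the coverage. It lists only dfg/DFGSpeculativeJIT.cpp and does not name a test that exercises in-by-val inside a for-in loop after delete on 32-bit. Add a line naming the test (new or existing) that failed before this change, so the fix can be verified and the case stays covered.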
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (282335 => 282336)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-13 17:20:57 UTC (rev 282335)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-09-13 17:37:02 UTC (rev 282336)
@@ -13833,7 +13833,7 @@
#if USE(JSVALUE32_64)
m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
- auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());
+ auto baseRegs = JSValueRegs(resultRegs.tagGPR(), baseCellGPR);
#else
auto baseRegs = base;
#endif
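Review bot: In the JSVALUE32_64 branch, the corrected call JSValueRegs(resultRegs.tagGPR(), baseCellGPR) still relies on the reader knowing the constructor's positional order, which is what went wrong in the removed line. With the old order, baseCellGPR (the cell pointer) was passed in the tag position and the register holding CellTag in the payload position, so the base value handed on was not a valid cell on 32-bit. Consider a short comment at this call stating that the first argument is the tag and the second the payload, and that resultRegs.tagGPR() is deliberately borrowed to carry CellTag for the base until the result is written.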