Title: [282650] releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore
Revision: 282650
Author: [email protected]
Date: 2021-09-17 03:33:17 -0700 (Fri, 17 Sep 2021)

Log Message

Merge r282336 - [JSC][32bit] in-by-val fails inside for-in loop after delete
https://bugs.webkit.org/show_bug.cgi?id=230150

Patch by Xan López <[email protected]> on 2021-09-13
Reviewed by Carlos Garcia Campos.

The order of payload and tag was reversed when constructing the
base value for compileEnumeratorHasProperty.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

Diff

Modified: releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore/ChangeLog (282649 => 282650)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-17 10:13:31 UTC (rev 282649)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-17 10:33:17 UTC (rev 282650)
@@ -1,3 +1,16 @@
+2021-09-13  Xan López  <[email protected]>
+
+        [JSC][32bit] in-by-val fails inside for-in loop after delete
+        https://bugs.webkit.org/show_bug.cgi?id=230150
+
+        Reviewed by Carlos Garcia Campos.
+
+        The order of payload and tag was reversed when constructing the
+        base value for compileEnumeratorHasProperty.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-09-01  Zan Dobersek  <[email protected]>
 
         REGRESSION(r279256): Crash in JSC::FTL::saveAllRegisters
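
Review bot: The new ChangeLog entry lists only dfg/DFGSpeculativeJIT.cpp, and no test file is among the paths this revision modifies, so the failing case named in the title (in-by-val inside a for-in loop after delete, on 32-bit) has no regression coverage visible here. Consider landing a test for that case with the fix and listing it in this entry. It would also help to state which order JSValueRegs expects on JSVALUE32_64, since "was reversed" leaves the reader to look it up.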

Modified: releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (282649 => 282650)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-17 10:13:31 UTC (rev 282649)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-17 10:33:17 UTC (rev 282650)
@@ -13769,7 +13769,7 @@
 
 #if USE(JSVALUE32_64)
         m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
-        auto baseRegs = JSValueRegs(baseCellGPR, resultRegs.tagGPR());
+        auto baseRegs = JSValueRegs(resultRegs.tagGPR(), baseCellGPR);
 #else
         auto baseRegs = base;
 #endif
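
Review bot: In the JSVALUE32_64 branch, the corrected line `auto baseRegs = JSValueRegs(resultRegs.tagGPR(), baseCellGPR);` still borrows the result's tag register to carry the base's CellTag, so baseRegs stays valid only until something writes resultRegs. A one-line comment saying so, and that the arguments here are tag first and payload second, would make the constraint explicit. Both arguments are plain GPRs, so the swapped order on the removed line was not something the type system could flag, and the same mistake is easy to reintroduce in a later edit.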