Title: [282722] trunk/Source/_javascript_Core
Revision
282722
Author
[email protected]
Date
2021-09-17 23:51:07 -0700 (Fri, 17 Sep 2021)

Log Message

Fix CellTag being set 32 bits even if the base is not a cell
https://bugs.webkit.org/show_bug.cgi?id=230364

Patch by Mikhail R. Gadelha <[email protected]> on 2021-09-17
Reviewed by Yusuke Suzuki.

Initial patch by Caio Lima.

In 32 bits the tag of the base was not being preserved before calling
the slow path and was instead always being set to cellTag.

This patch slightly changes the code to instead of setting the cellTag,
it now calls the slow path using only the payload if the base is a cell,
otherwise it uses tag+payload.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (282721 => 282722)


--- trunk/Source/_javascript_Core/ChangeLog	2021-09-18 06:03:19 UTC (rev 282721)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-09-18 06:51:07 UTC (rev 282722)
@@ -1,3 +1,22 @@
+2021-09-17  Mikhail R. Gadelha  <[email protected]>
+
+        Fix CellTag being set 32 bits even if the base is not a cell
+        https://bugs.webkit.org/show_bug.cgi?id=230364
+
+        Reviewed by Yusuke Suzuki.
+
+        Initial patch by Caio Lima.
+
+        In 32 bits the tag of the base was not being preserved before calling
+        the slow path and was instead being always being set to cellTag.
+
+        This patch slightly changes the code to instead of setting the cellTag,
+        it now calls the slow path using only the payload if the base is a cell,
+        otherwise it uses tag+payload.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-09-17  Yusuke Suzuki  <[email protected]>
 
         [JSC] Add fast property enumeration mode for JSON.stringify

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (282721 => 282722)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-18 06:03:19 UTC (rev 282721)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-18 06:51:07 UTC (rev 282722)
@@ -13691,7 +13691,7 @@
 void SpeculativeJIT::compileEnumeratorHasProperty(Node* node, SlowPathFunctionType slowPathFunction)
 {
     Edge baseEdge = m_graph.varArgChild(node, 0);
-    auto generate = [&] (auto base, GPRReg baseCellGPR) {
+    auto generate = [&] (JSValueRegs baseRegs) {
         JSValueOperand propertyName(this, m_graph.varArgChild(node, 1));
         SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 2));
         SpeculateStrictInt32Operand mode(this, m_graph.varArgChild(node, 3));
@@ -13710,12 +13710,12 @@
         MacroAssembler::JumpList operationCases;
 
         if (m_state.forNode(baseEdge).m_type & ~SpecCell)
-            operationCases.append(m_jit.branchIfNotCell(base));
+            operationCases.append(m_jit.branchIfNotCell(baseRegs));
 
         // FIXME: We shouldn't generate this code if we know base is not a cell.
         operationCases.append(m_jit.branchTest32(MacroAssembler::Zero, modeGPR, TrustedImm32(JSPropertyNameEnumerator::OwnStructureMode)));
 
-        m_jit.load32(MacroAssembler::Address(baseCellGPR, JSCell::structureIDOffset()), resultRegs.payloadGPR());
+        m_jit.load32(MacroAssembler::Address(baseRegs.payloadGPR(), JSCell::structureIDOffset()), resultRegs.payloadGPR());
         operationCases.append(m_jit.branch32(MacroAssembler::NotEqual, resultRegs.payloadGPR(), MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset())));
 
         moveTrueTo(resultRegs.payloadGPR());
@@ -13723,13 +13723,10 @@
 
         operationCases.link(&m_jit);
 
-#if USE(JSVALUE32_64)
-        m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
-        auto baseRegs = JSValueRegs(resultRegs.tagGPR(), baseCellGPR);
-#else
-        auto baseRegs = base;
-#endif
-        callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR);
+        if (baseRegs.tagGPR() == InvalidGPRReg)
+            callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), CCallHelpers::CellValue(baseRegs.payloadGPR()), propertyNameRegs, indexGPR, modeGPR);
+        else
+            callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR);
         m_jit.exceptionCheck();
 
         done.link(&m_jit);
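Review bot: The new `if (baseRegs.tagGPR() == InvalidGPRReg)` encodes "the caller already proved base is a cell" through the shape of the register pair rather than stating it, and neither this hunk nor the call sites in the last hunk of this file (`generate(JSValueRegs::payloadOnly(base.gpr()))` under `isCell(baseEdge.useKind())`) document that contract. On JSVALUE64 builds tagGPR() is, as far as I recall, always InvalidGPRReg, so the CellValue arm would be taken unconditionally there and the else arm would be 32-bit-only; that is worth saying so a reader does not assume both arms are live on every platform. Suggested comment above the `if`: `// A payload-only JSValueRegs means the caller speculated base as a cell (SpeculateCellOperand path): pass it as CellValue so 32-bit gets CellTag + payload; otherwise pass the full tag+payload pair. On 64-bit tagGPR() is always InvalidGPRReg, so only the first arm applies.` Alternatively, add an explicit `bool baseIsCell` parameter to `generate` so the intent lives in the signature rather than being inferred from the registers; the enclosing `generate` lambda closes outside this hunk.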
@@ -13739,10 +13736,10 @@
 
     if (isCell(baseEdge.useKind())) {
         SpeculateCellOperand base(this, baseEdge);
-        generate(base.gpr(), base.gpr());
+        generate(JSValueRegs::payloadOnly(base.gpr()));
     } else {
         JSValueOperand base(this, baseEdge);
-        generate(base.regs(), base.regs().payloadGPR());
+        generate(base.regs());
     }
 }
 