Title: [282812] releases/WebKitGTK/webkit-2.34/Source/_javascript_Core
Revision
282812
Author
[email protected]
Date
2021-09-21 07:11:11 -0700 (Tue, 21 Sep 2021)

Log Message

Merge r282722 - Fix CellTag being set 32 bits even if the base is not a cell
https://bugs.webkit.org/show_bug.cgi?id=230364

Patch by Mikhail R. Gadelha <[email protected]> on 2021-09-17
Reviewed by Yusuke Suzuki.

Initial patch by Caio Lima.

In 32 bits the tag of the base was not being preserved before calling
the slow path and was instead always being set to cellTag.

This patch slightly changes the code to instead of setting the cellTag,
it now calls the slow path using only the payload if the base is a cell,
otherwise it uses tag+payload.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):

Diff

Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog (282811 => 282812)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-21 13:46:16 UTC (rev 282811)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-21 14:11:11 UTC (rev 282812)
@@ -1,3 +1,22 @@
+2021-09-17  Mikhail R. Gadelha  <[email protected]>
+
+        Fix CellTag being set 32 bits even if the base is not a cell
+        https://bugs.webkit.org/show_bug.cgi?id=230364
+
+        Reviewed by Yusuke Suzuki.
+
+        Initial patch by Caio Lima.
+
+        In 32 bits the tag of the base was not being preserved before calling
+        the slow path and was instead being always being set to cellTag.
+
+        This patch slightly changes the code to instead of setting the cellTag,
+        it now calls the slow path using only the payload if the base is a cell,
+        otherwise it uses tag+payload.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileEnumeratorHasProperty):
+
 2021-09-02  Mikhail R. Gadelha  <[email protected]>
 
         Fix IndexedDoubleStore InlineAccess for 32 bits

Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (282811 => 282812)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-21 13:46:16 UTC (rev 282811)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-09-21 14:11:11 UTC (rev 282812)
@@ -13627,7 +13627,7 @@
 void SpeculativeJIT::compileEnumeratorHasProperty(Node* node, SlowPathFunctionType slowPathFunction)
 {
     Edge baseEdge = m_graph.varArgChild(node, 0);
-    auto generate = [&] (auto base, GPRReg baseCellGPR) {
+    auto generate = [&] (JSValueRegs baseRegs) {
         JSValueOperand propertyName(this, m_graph.varArgChild(node, 1));
         SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 2));
         SpeculateStrictInt32Operand mode(this, m_graph.varArgChild(node, 3));
@@ -13646,12 +13646,12 @@
         MacroAssembler::JumpList operationCases;
 
         if (m_state.forNode(baseEdge).m_type & ~SpecCell)
-            operationCases.append(m_jit.branchIfNotCell(base));
+            operationCases.append(m_jit.branchIfNotCell(baseRegs));
 
         // FIXME: We shouldn't generate this code if we know base is not a cell.
         operationCases.append(m_jit.branchTest32(MacroAssembler::Zero, modeGPR, TrustedImm32(JSPropertyNameEnumerator::OwnStructureMode)));
 
-        m_jit.load32(MacroAssembler::Address(baseCellGPR, JSCell::structureIDOffset()), resultRegs.payloadGPR());
+        m_jit.load32(MacroAssembler::Address(baseRegs.payloadGPR(), JSCell::structureIDOffset()), resultRegs.payloadGPR());
         operationCases.append(m_jit.branch32(MacroAssembler::NotEqual, resultRegs.payloadGPR(), MacroAssembler::Address(enumeratorGPR, JSPropertyNameEnumerator::cachedStructureIDOffset())));
 
         moveTrueTo(resultRegs.payloadGPR());
@@ -13659,13 +13659,10 @@
 
         operationCases.link(&m_jit);
 
-#if USE(JSVALUE32_64)
-        m_jit.move(TrustedImm32(JSValue::CellTag), resultRegs.tagGPR());
-        auto baseRegs = JSValueRegs(resultRegs.tagGPR(), baseCellGPR);
-#else
-        auto baseRegs = base;
-#endif
-        callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR);
+        if (baseRegs.tagGPR() == InvalidGPRReg)
+            callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), CCallHelpers::CellValue(baseRegs.payloadGPR()), propertyNameRegs, indexGPR, modeGPR);
+        else
+            callOperation(slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR);
         m_jit.exceptionCheck();
 
         done.link(&m_jit);
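Review bot: The `baseRegs.tagGPR() == InvalidGPRReg` test in the new `if` is the whole fix, yet nothing in the hunk says why a missing tag register means the base may be handed to the slow path as a `CCallHelpers::CellValue`; a short comment above it would save the next reader a trip into the register-type definitions, e.g. `// A payload-only base (cell-speculated path) has no tag register: CellValue supplies the cell tag for the slow path. A full JSValueRegs keeps whatever tag the caller had, so a non-cell base is no longer mislabelled as a cell.` Both `callOperation` lines also repeat the long global-object operand and differ only in the base argument, so hoisting it — `auto globalObject = TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic));` — keeps the two calls visibly parallel and makes the one real difference stand out. It looks as though a single-register JSValueRegs on the 64-bit build reports no tag GPR, in which case the first branch is always taken there and the comment should state that the distinction only matters on JSVALUE32_64; worth confirming before wording it that way. The enclosing `generate` lambda and compileEnumeratorHasProperty both begin and end outside this hunk.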
@@ -13675,10 +13672,10 @@
 
     if (isCell(baseEdge.useKind())) {
         SpeculateCellOperand base(this, baseEdge);
-        generate(base.gpr(), base.gpr());
+        generate(JSValueRegs::payloadOnly(base.gpr()));
     } else {
         JSValueOperand base(this, baseEdge);
-        generate(base.regs(), base.regs().payloadGPR());
+        generate(base.regs());
     }
 }
 