Title: [121466] trunk/Source/_javascript_Core
Revision
121466
Author
[email protected]
Date
2012-06-28 13:54:06 -0700 (Thu, 28 Jun 2012)

Log Message

32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
https://bugs.webkit.org/show_bug.cgi?id=90127

Reviewed by Filip Pizlo.

The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
correctly.  This patch fixes this by killing the fill info in the GenerationInfo
when the spillFormat doesn't guarantee the value is a double.

* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (121465 => 121466)


--- trunk/Source/_javascript_Core/ChangeLog	2012-06-28 20:47:17 UTC (rev 121465)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-06-28 20:54:06 UTC (rev 121466)
@@ -1,3 +1,17 @@
+2012-06-28  Oliver Hunt  <[email protected]>
+
+        32bit DFG incorrectly claims an fpr is fillable even if it has not been proven double
+        https://bugs.webkit.org/show_bug.cgi?id=90127
+
+        Reviewed by Filip Pizlo.
+
+        The 32-bit version of fillSpeculateDouble doesn't handle Number->fpr loads
+        correctly.  This patch fixes this by killing the fill info in the GenerationInfo
+        when the spillFormat doesn't guarantee the value is a double.
+
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+
 2012-06-28  Kent Tamura  <[email protected]>
 
         Classify form control states by their owner forms
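Review bot: the ChangeLog entry lists no test for the regression it fixes; WebKit entries for a bug fix normally name the new test or say why none is added, and a small regression case that exercises the 32-bit Number->fpr fill path described in the entry would make the fix verifiable rather than relying on the description alone.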

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (121465 => 121466)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2012-06-28 20:47:17 UTC (rev 121465)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2012-06-28 20:54:06 UTC (rev 121466)
@@ -1173,7 +1173,7 @@
         } else {
             DataFormat spillFormat = info.spillFormat();
             ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInteger);
-            if (spillFormat == DataFormatJSDouble) {
+            if (spillFormat == DataFormatJSDouble || spillFormat == DataFormatDouble) {
                 FPRReg fpr = fprAllocate();
                 m_jit.loadDouble(JITCompiler::addressFor(virtualRegister), fpr);
                 m_fprs.retain(fpr, virtualRegister, SpillOrderSpilled);
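Review bot: the new alternative `spillFormat == DataFormatDouble` on the `if` sits directly under `ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInteger);`, which admits only JS-tagged formats or DataFormatInteger; unless DataFormatDouble carries the DataFormatJS bit, a DataFormatDouble spill would trip that assertion in debug builds before the new branch is reached. Either extend the ASSERT to accept DataFormatDouble as well, or drop the alternative if that spill format cannot occur at this point.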
@@ -1201,6 +1201,7 @@
 
             m_fprs.retain(fpr, virtualRegister, SpillOrderSpilled);
             info.fillDouble(fpr);
+            info.killSpilled();
             return fpr;
         }
     }
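Review bot: the added `info.killSpilled();` after `info.fillDouble(fpr);` has no comment explaining why the spill record is discarded; the reason stated in the ChangeLog, that the spilled value's format does not guarantee a double so a later fill must not reuse the slot as if it held one, is not visible at the call site. A one-line comment above the call, such as `// The spill slot holds a value not proven to be a double; do not allow a refill from it.`, would make the intent clear to the next reader.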
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
