Modified: trunk/Source/_javascript_Core/ChangeLog (122887 => 122888)
--- trunk/Source/_javascript_Core/ChangeLog 2012-07-17 23:08:10 UTC (rev 122887)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-07-17 23:11:23 UTC (rev 122888)
@@ -1,3 +1,20 @@
+2012-07-17 Filip Pizlo <[email protected]>
+
+ [Qt] REGRESSION(r122768, r122771): They broke jquery/data.html and inspector/elements/edit-dom-actions.html
+ https://bugs.webkit.org/show_bug.cgi?id=91476
+
+ Reviewed by Mark Hahnenberg.
+
+ The 32-bit repatching code was not correctly adapted to the new world where there may not always
+ be an available scratch register. Fixed it by ensuring that the scratch register we select does
+ not overlap with the value tag.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::generateProtoChainAccessStub):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::emitPutReplaceStub):
+
2012-07-17 Gabor Rapcsanyi <[email protected]>
Unreviewed buildfix from Zoltan Herczeg after 122768.
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (122887 => 122888)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-07-17 23:08:10 UTC (rev 122887)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-07-17 23:11:23 UTC (rev 122888)
@@ -166,7 +166,11 @@
bool needToRestoreScratch = false;
if (scratchGPR == InvalidGPRReg) {
+#if USE(JSVALUE64)
scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, resultGPR);
+#else
+ scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, resultGPR, resultTagGPR);
+#endif
stubJit.push(scratchGPR);
needToRestoreScratch = true;
}
@@ -238,7 +242,11 @@
MacroAssembler stubJit;
if (scratchGPR == InvalidGPRReg) {
+#if USE(JSVALUE64)
scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, resultGPR);
+#else
+ scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, resultGPR, resultTagGPR);
+#endif
stubJit.push(scratchGPR);
needToRestoreScratch = true;
}
@@ -405,6 +413,7 @@
if (slot.cachedPropertyType() == PropertySlot::Getter
|| slot.cachedPropertyType() == PropertySlot::Custom) {
if (slot.cachedPropertyType() == PropertySlot::Getter) {
+ ASSERT(scratchGPR != InvalidGPRReg);
ASSERT(baseGPR != scratchGPR);
if (isInlineOffset(slot.cachedOffset())) {
#if USE(JSVALUE64)
@@ -642,7 +651,11 @@
MacroAssembler stubJit;
if (scratchGPR == InvalidGPRReg && (writeBarrierNeeded || isOutOfLineOffset(slot.cachedOffset()))) {
+#if USE(JSVALUE64)
scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, valueGPR);
+#else
+ scratchGPR = SpeculativeJIT::selectScratchGPR(baseGPR, valueGPR, valueTagGPR);
+#endif
needToRestoreScratch = true;
stubJit.push(scratchGPR);
}
@@ -653,7 +666,11 @@
MacroAssembler::TrustedImmPtr(structure));
#if ENABLE(GGC) || ENABLE(WRITE_BARRIER_PROFILING)
+#if USE(JSVALUE64)
scratchGPR2 = SpeculativeJIT::selectScratchGPR(baseGPR, valueGPR, scratchGPR);
+#else
+ scratchGPR2 = SpeculativeJIT::selectScratchGPR(baseGPR, valueGPR, valueTagGPR, scratchGPR);
+#endif
stubJit.push(scratchGPR2);
SpeculativeJIT::writeBarrier(stubJit, baseGPR, scratchGPR, scratchGPR2, WriteBarrierForPropertyAccess);
stubJit.pop(scratchGPR2);
