Skip to site navigation (Press enter)

[webkit-changes] [122919] trunk/Source/JavaScriptCore

fpizlo Tue, 17 Jul 2012 21:43:02 -0700

Title: [122919] trunk/Source/_javascript_Core

Revision: 122919
Author: [email protected]
Date: 2012-07-17 21:42:55 -0700 (Tue, 17 Jul 2012)

Log Message

DFG 32-bit PutById transition stub passes the payload/tag arguments to a DFG operation in the wrong order
https://bugs.webkit.org/show_bug.cgi?id=91576


Reviewed by Gavin Barraclough.

* dfg/DFGRepatch.cpp:
(JSC::DFG::emitPutTransitionStub):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (122918 => 122919)


--- trunk/Source/_javascript_Core/ChangeLog	2012-07-18 04:18:19 UTC (rev 122918)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-07-18 04:42:55 UTC (rev 122919)
@@ -1,5 +1,15 @@
 2012-07-17  Filip Pizlo  <[email protected]>
 
+        DFG 32-bit PutById transition stub passes the payload/tag arguments to a DFG operation in the wrong order
+        https://bugs.webkit.org/show_bug.cgi?id=91576
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::emitPutTransitionStub):
+
+2012-07-17  Filip Pizlo  <[email protected]>
+
         [Qt] REGRESSION(r122768, r122771): They broke jquery/data.html and inspector/elements/edit-dom-actions.html
         https://bugs.webkit.org/show_bug.cgi?id=91476

Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (122918 => 122919)


--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp	2012-07-18 04:18:19 UTC (rev 122918)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp	2012-07-18 04:42:55 UTC (rev 122919)
@@ -908,7 +908,7 @@
 #if USE(JSVALUE64)
         stubJit.setupArgumentsWithExecState(baseGPR, MacroAssembler::TrustedImmPtr(structure), MacroAssembler::TrustedImm32(slot.cachedOffset()), valueGPR);
 #else
-        stubJit.setupArgumentsWithExecState(baseGPR, MacroAssembler::TrustedImmPtr(structure), MacroAssembler::TrustedImm32(slot.cachedOffset()), valueTagGPR, valueGPR);
+        stubJit.setupArgumentsWithExecState(baseGPR, MacroAssembler::TrustedImmPtr(structure), MacroAssembler::TrustedImm32(slot.cachedOffset()), valueGPR, valueTagGPR);
 #endif
         operationCall = stubJit.call();
         allocator.restoreUsedRegistersFromScratchBuffer(stubJit, scratchBuffer, scratchGPR1);

_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo/webkit-changes