Log Message
ValueToInt32 bool case does bad things to registers
https://bugs.webkit.org/show_bug.cgi?id=97505
<rdar://problem/12356331>

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):

LayoutTests:
* fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
* fast/js/dfg-bool-to-int32-reuse.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
(foo):
Modified Paths
- trunk/LayoutTests/ChangeLog
- trunk/LayoutTests/fast/js/jsc-test-list
- trunk/Source/JavaScriptCore/ChangeLog
- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (129434 => 129435)
--- trunk/LayoutTests/ChangeLog 2012-09-25 00:38:51 UTC (rev 129434)
+++ trunk/LayoutTests/ChangeLog 2012-09-25 00:46:45 UTC (rev 129435)
@@ -1,5 +1,19 @@
2012-09-24 Filip Pizlo <[email protected]>
+ ValueToInt32 bool case does bad things to registers
+ https://bugs.webkit.org/show_bug.cgi?id=97505
+ <rdar://problem/12356331>
+
+ Reviewed by Mark Hahnenberg.
+
+ * fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
+ * fast/js/dfg-bool-to-int32-reuse.html: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
+ (foo):
+
+2012-09-24 Filip Pizlo <[email protected]>
+
JSArray::putByIndex asserts with readonly property on prototype
https://bugs.webkit.org/show_bug.cgi?id=97435
<rdar://problem/12357084>
Added: trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse-expected.txt (0 => 129435)
--- trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse-expected.txt 2012-09-25 00:46:45 UTC (rev 129435)
@@ -0,0 +1,109 @@
+Tests that using a value predicted boolean after it is converted to an int32 doesn't crash the compiler while causing bad code gen.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS foo(true) is [2, true]
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse.html (0 => 129435)
--- trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse.html (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-bool-to-int32-reuse.html 2012-09-25 00:46:45 UTC (rev 129435)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
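Review bot: All three script elements in this file appear as <script src="" with an empty src and no closing bracket or end tag, so as shown the page loads neither a test harness nor fast/js/script-tests/dfg-bool-to-int32-reuse.js. Please confirm that the committed file carries the real src values and properly closed script tags; the paths cannot be checked from this rendering of the diff.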
Modified: trunk/LayoutTests/fast/js/jsc-test-list (129434 => 129435)
--- trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 00:38:51 UTC (rev 129434)
+++ trunk/LayoutTests/fast/js/jsc-test-list 2012-09-25 00:46:45 UTC (rev 129435)
@@ -80,6 +80,7 @@
fast/js/dfg-arguments-out-of-bounds
fast/js/dfg-arguments-unexpected-escape
fast/js/dfg-array-length-dead
+fast/js/dfg-bool-to-int32-reuse
fast/js/dfg-branch-not-fail
fast/js/dfg-check-two-structures
fast/js/dfg-constant-fold-first-local-read-after-block-merge
Added: trunk/LayoutTests/fast/js/script-tests/dfg-bool-to-int32-reuse.js (0 => 129435)
--- trunk/LayoutTests/fast/js/script-tests/dfg-bool-to-int32-reuse.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-bool-to-int32-reuse.js 2012-09-25 00:46:45 UTC (rev 129435)
@@ -0,0 +1,10 @@
+description(
+"Tests that using a value predicted boolean after it is converted to an int32 doesn't crash the compiler while causing bad code gen."
+);
+
+function foo(x) {
+ return [x << 1, x];
+}
+
+for (var i = 0; i < 100; ++i)
+ shouldBe("foo(true)", "[2, true]");
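Review bot: The loop at the end only ever calls foo(true), so only one of the two boolean inputs is checked against the compiled code. A second shouldBe("foo(false)", "[0, false]") in the same loop would cover the other value at no extra cost. The description string is also worded as if bad code gen were the expected outcome ("doesn't crash the compiler while causing bad code gen"); "doesn't crash the compiler or cause bad code gen" says what is meant, and the expected.txt file would need the same wording.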
Modified: trunk/Source/JavaScriptCore/ChangeLog (129434 => 129435)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-25 00:38:51 UTC (rev 129434)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-25 00:46:45 UTC (rev 129435)
@@ -1,3 +1,14 @@
+2012-09-24 Filip Pizlo <[email protected]>
+
+ ValueToInt32 bool case does bad things to registers
+ https://bugs.webkit.org/show_bug.cgi?id=97505
+ <rdar://problem/12356331>
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+
2012-09-24 Mark Lam <[email protected]>
Add cloopDo instruction for debugging the llint C++ backend.
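Review bot: The new entry gives the title, bug link and the touched function, but no sentence on what was actually wrong or how it was fixed. One or two lines under "Reviewed by" would help anyone reading the log later, for example that the and32 was applied to the operand's own register and that the result is now produced in a separate temporary so the boolean stays intact for later uses.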
Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (129434 => 129435)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-09-25 00:38:51 UTC (rev 129434)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-09-25 00:46:45 UTC (rev 129435)
@@ -1907,9 +1907,10 @@
SpeculateBooleanOperand op1(this, node.child1());
GPRTemporary result(this, op1);
- m_jit.and32(JITCompiler::TrustedImm32(1), op1.gpr());
+ m_jit.move(op1.gpr(), result.gpr());
+ m_jit.and32(JITCompiler::TrustedImm32(1), result.gpr());
- integerResult(op1.gpr(), m_compileIndex);
+ integerResult(result.gpr(), m_compileIndex);
return;
}
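Review bot: The added m_jit.move(op1.gpr(), result.gpr()) has no comment, and without one it looks like a redundant copy that a later cleanup could fold back into an and32 on op1.gpr(). A one-line comment above the move saying that op1's register must not be modified because the boolean may still be used afterwards (the new test returns [x << 1, x]) would protect the fix. Since result is constructed as GPRTemporary result(this, op1), the comment could also state whether result.gpr() may equal op1.gpr(), in which case the move is a self-move and only the and32 has an effect.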
