Revision: 141962
Author: [email protected]
Date: 2013-02-05 18:53:55 -0800 (Tue, 05 Feb 2013)
Log Message
put_to_base should emit a Phantom for "value" across the ForceOSRExit
https://bugs.webkit.org/show_bug.cgi?id=108998
Reviewed by Oliver Hunt.
Otherwise, the OSR exit compiler could clobber it, which would lead to badness.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile): Ditto.
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (141961 => 141962)
--- trunk/Source/_javascript_Core/ChangeLog 2013-02-06 02:48:58 UTC (rev 141961)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-02-06 02:53:55 UTC (rev 141962)
@@ -1,3 +1,19 @@
+2013-02-05 Mark Hahnenberg <[email protected]>
+
+ put_to_base should emit a Phantom for "value" across the ForceOSRExit
+ https://bugs.webkit.org/show_bug.cgi?id=108998
+
+ Reviewed by Oliver Hunt.
+
+ Otherwise, the OSR exit compiler could clobber it, which would lead to badness.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::tallyFrequentExitSites): Build fixes for when DFG debug logging is enabled.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock): Added extra Phantoms for the "value" field where needed.
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Ditto.
+
2013-02-05 Michael Saboff <[email protected]>
Crash at JSC::call when loading www.gap.com with JSVALUE32_64 Enabled
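Review bot: The entry gives the risk only as "could clobber it, which would lead to badness" and lists no test next to the three source files. Please state what goes wrong when "value" is clobbered across the ForceOSRExit, and either add a regression test that takes the put_to_base exit path or say why one is not practical.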
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (141961 => 141962)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2013-02-06 02:48:58 UTC (rev 141961)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2013-02-06 02:53:55 UTC (rev 141962)
@@ -3277,7 +3277,7 @@
continue;
#if DFG_ENABLE(DEBUG_VERBOSE)
- dataLog("OSR exit #", i, " (bc#", exit.m_codeOrigin.bytecodeIndex, ", @", exit.m_nodeIndex, ", ", exit.m_kind, ") for ", *this, " occurred frequently: counting as frequent exit site.\n");
+ dataLog("OSR exit #", i, " (bc#", exit.m_codeOrigin.bytecodeIndex, ", ", exit.m_kind, ") for ", *this, " occurred frequently: counting as frequent exit site.\n");
#endif
}
}
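Review bot: Dropping `exit.m_nodeIndex` from this DEBUG_VERBOSE log is unrelated to the Phantom fix and would be easier to track as its own build-fix commit. After the change the message identifies the exit site only by exit number, bytecode index and kind; if the exit still carries any node identifier, logging it here would keep the output as useful as it was.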
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (141961 => 141962)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-02-06 02:48:58 UTC (rev 141961)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-02-06 02:53:55 UTC (rev 141962)
@@ -2999,6 +2999,7 @@
case PutToBaseOperation::Uninitialised:
addToGraph(ForceOSRExit);
addToGraph(Phantom, get(base));
+ addToGraph(Phantom, get(value));
break;
case PutToBaseOperation::GlobalVariablePutChecked: {
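Review bot: In the Uninitialised case nothing in the code says why both operands need a Phantom after the ForceOSRExit. A one-line comment above the two `addToGraph(Phantom, ...)` calls, along the lines of the ChangeLog's "the OSR exit compiler could clobber it", would keep a later cleanup from deleting them as apparently unused nodes.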
@@ -3028,6 +3029,7 @@
if (!putToBase->m_structure) {
addToGraph(ForceOSRExit);
addToGraph(Phantom, get(base));
+ addToGraph(Phantom, get(value));
NEXT_OPCODE(op_put_to_base);
}
Node* baseNode = get(base);
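Review bot: The `!putToBase->m_structure` branch now repeats the same three-statement sequence as the Uninitialised case (ForceOSRExit, Phantom on base, Phantom on value). Consider a small helper that emits all three, so the two sites cannot drift apart again the way they had when only `base` was kept alive.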
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (141961 => 141962)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-02-06 02:48:58 UTC (rev 141961)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-02-06 02:53:55 UTC (rev 141962)
@@ -1790,7 +1790,7 @@
} else {
#if DFG_ENABLE(DEBUG_VERBOSE)
- dataLogF("SpeculativeJIT generating Node @%d (bc#%u) at JIT offset 0x%x ", (int)m_currentNode->index(), m_curretNode->codeOrigin.bytecodeIndex, m_jit.debugOffset());
+ dataLogF("SpeculativeJIT generating Node @%d (bc#%u) at JIT offset 0x%x ", (int)m_currentNode->index(), m_currentNode->codeOrigin.bytecodeIndex, m_jit.debugOffset());
#endif
#if DFG_ENABLE(JIT_BREAK_ON_EVERY_NODE)
m_jit.breakpoint();
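Review bot: The ChangeLog lists SpeculativeJIT::compile as "Ditto" directly after the Phantom line for parseBlock, but the only change in this hunk is correcting `m_curretNode` to `m_currentNode` inside the DEBUG_VERBOSE log. The entry should describe it as a debug-logging build fix, as the CodeBlock.cpp line does, so readers do not look for a Phantom change in this file.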