Modified: trunk/LayoutTests/ChangeLog (147932 => 147933)
--- trunk/LayoutTests/ChangeLog 2013-04-08 17:46:55 UTC (rev 147932)
+++ trunk/LayoutTests/ChangeLog 2013-04-08 17:48:28 UTC (rev 147933)
@@ -1,3 +1,15 @@
+2013-04-08 Filip Pizlo <[email protected]>
+
+ REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
+ https://bugs.webkit.org/show_bug.cgi?id=114129 and https://bugs.webkit.org/show_bug.cgi?id=90649
+ <rdar://problem/13594898> and <rdar://problem/11815727>
+
+ Reviewed by Darin Adler.
+
+ Unskip these tests because they give us DFG coverage and they are now passing.
+
+ * platform/mac/TestExpectations:
+
2013-04-08 Yi Shen <[email protected]>
Counter still gets incremented when counter-increment is set to none
Modified: trunk/LayoutTests/platform/mac/TestExpectations (147932 => 147933)
--- trunk/LayoutTests/platform/mac/TestExpectations 2013-04-08 17:46:55 UTC (rev 147932)
+++ trunk/LayoutTests/platform/mac/TestExpectations 2013-04-08 17:48:28 UTC (rev 147933)
@@ -844,10 +844,6 @@
# https://bugs.webkit.org/show_bug.cgi?id=89845
fast/forms/input-set-composition-scroll.html
-# https://bugs.webkit.org/show_bug.cgi?id=90649
-fast/canvas/webgl/tex-image-with-format-and-type.html
-fast/canvas/webgl/tex-sub-image-2d.html
-
# https://bugs.webkit.org/show_bug.cgi?id=90706
inspector/timeline/timeline-frames.html
Modified: trunk/Source/_javascript_Core/ChangeLog (147932 => 147933)
--- trunk/Source/_javascript_Core/ChangeLog 2013-04-08 17:46:55 UTC (rev 147932)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-04-08 17:48:28 UTC (rev 147933)
@@ -1,3 +1,18 @@
+2013-04-08 Filip Pizlo <[email protected]>
+
+ REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
+ https://bugs.webkit.org/show_bug.cgi?id=114129
+ <rdar://problem/13594898>
+
+ Reviewed by Darin Adler.
+
+ The check to see if we need a cell check when simplifying a GetById or PutById needs to be hoisted to
+ above where we abstractly execute the instruction, since after we abstracting execute it, it will
+ seem like it no longer needs the cell check.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
2013-04-07 Oliver Hunt <[email protected]>
Add bounds checking for WTF::Vector::operator[]
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (147932 => 147933)
--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2013-04-08 17:46:55 UTC (rev 147932)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2013-04-08 17:48:28 UTC (rev 147933)
@@ -152,6 +152,7 @@
break;
bool needsWatchpoint = !m_state.forNode(child).m_currentKnownStructure.hasSingleton();
+ bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
GetByIdStatus status = GetByIdStatus::computeFor(
globalData(), structure, codeBlock()->identifier(identifierNumber));
@@ -177,7 +178,7 @@
m_insertionSet.insertNode(
indexInBlock, SpecNone, StructureTransitionWatchpoint, codeOrigin,
OpInfo(structure), childEdge);
- } else if (m_state.forNode(child).m_type & ~SpecCell) {
+ } else if (needsCellCheck) {
m_insertionSet.insertNode(
indexInBlock, SpecNone, Phantom, codeOrigin, childEdge);
}
@@ -216,6 +217,7 @@
break;
bool needsWatchpoint = !m_state.forNode(child).m_currentKnownStructure.hasSingleton();
+ bool needsCellCheck = m_state.forNode(child).m_type & ~SpecCell;
PutByIdStatus status = PutByIdStatus::computeFor(
globalData(),
@@ -240,7 +242,7 @@
m_insertionSet.insertNode(
indexInBlock, SpecNone, StructureTransitionWatchpoint, codeOrigin,
OpInfo(structure), childEdge);
- } else if (m_state.forNode(child).m_type & ~SpecCell) {
+ } else if (needsCellCheck) {
m_insertionSet.insertNode(
indexInBlock, SpecNone, Phantom, codeOrigin, childEdge);
}
@@ -269,7 +271,7 @@
}
}
}
-
+
Edge propertyStorage;
if (isInlineOffset(status.offset()))
