Title: [167832] trunk
Revision: 167832
Author: [email protected]
Date: 2014-04-25 16:14:16 -0700 (Fri, 25 Apr 2014)

Log Message

Need earlier cell test
https://bugs.webkit.org/show_bug.cgi?id=132211

Reviewed by Mark Lam.

Source/JavaScriptCore:
Move cell test to before the function call repatch
location, as the repatch logic for 32bit assumes that the
caller will already have performed a cell check.

* jit/JITCall32_64.cpp:
(JSC::JIT::compileOpCall):

LayoutTests:
Tests

* js/regress/polymorphic-array-call-expected.txt: Added.
* js/regress/polymorphic-array-call.html: Added.
* js/regress/script-tests/polymorphic-array-call.js: Added.
(func.C.this.m):
(func.C):
(func):

Diff

Modified: trunk/LayoutTests/ChangeLog (167831 => 167832)


--- trunk/LayoutTests/ChangeLog	2014-04-25 23:08:01 UTC (rev 167831)
+++ trunk/LayoutTests/ChangeLog	2014-04-25 23:14:16 UTC (rev 167832)
@@ -1,3 +1,19 @@
+2014-04-25  Oliver Hunt  <[email protected]>
+
+        Need earlier cell test
+        https://bugs.webkit.org/show_bug.cgi?id=132211
+
+        Reviewed by Mark Lam.
+
+        Tests
+
+        * js/regress/polymorphic-array-call-expected.txt: Added.
+        * js/regress/polymorphic-array-call.html: Added.
+        * js/regress/script-tests/polymorphic-array-call.js: Added.
+        (func.C.this.m):
+        (func.C):
+        (func):
+
 2014-04-11  Jer Noble  <[email protected]>
 
         Support "Live" streams in media controls.
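Review bot: the description in this entry is the single word "Tests", which does not say what the new regression test covers. Name the case it exercises (in polymorphic-array-call.js, a call through a property that has been overwritten with a number) so the entry is useful without opening the file. The function lines "(func.C.this.m):", "(func.C):" and "(func):" carry no description and could be dropped for a newly added test file.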

Added: trunk/LayoutTests/js/regress/polymorphic-array-call-expected.txt (0 => 167832)


--- trunk/LayoutTests/js/regress/polymorphic-array-call-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/regress/polymorphic-array-call-expected.txt	2014-04-25 23:14:16 UTC (rev 167832)
@@ -0,0 +1,10 @@
+JSRegress/polymorphic-array-call
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/regress/polymorphic-array-call.html (0 => 167832)


--- trunk/LayoutTests/js/regress/polymorphic-array-call.html	                        (rev 0)
+++ trunk/LayoutTests/js/regress/polymorphic-array-call.html	2014-04-25 23:14:16 UTC (rev 167832)
@@ -0,0 +1,12 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/js/regress/script-tests/polymorphic-array-call.js (0 => 167832)


--- trunk/LayoutTests/js/regress/script-tests/polymorphic-array-call.js	                        (rev 0)
+++ trunk/LayoutTests/js/regress/script-tests/polymorphic-array-call.js	2014-04-25 23:14:16 UTC (rev 167832)
@@ -0,0 +1,23 @@
+//@ runDefault
+var result = 0;
+function func() {
+    function C() { 
+        this.m = function () {
+        	result ^= result * 3 + 5 + (result << 3);
+        };
+    };
+    var a=[];
+    for (var i =0; i < 10000; i++) {
+        a[i] = (new C);
+    }
+    a[9000].m = 0.876555555; 
+    for (var i = 0; i < 10000; i++)
+        a[i].m();
+}
+try {
+	func();
+} catch(e) {
+
+}
+if (result != 1561806289)
+	throw "Expected 1561806289 but got " + result
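Review bot: the empty catch block around func() swallows every exception, not only the TypeError expected when the loop reaches a[9000].m after it was set to 0.876555555, so an unrelated failure inside func() would surface only as a wrong result value. Consider catching into a variable and checking that the exception is a TypeError, and add a short comment saying the non-cell callee at index 9000 is the point of the test and that 1561806289 is the value of result after the 9000 successful calls. Minor style: the body of this.m, the func() call and the final throw are indented with tabs while the rest of the file uses spaces, and the final throw statement has no terminating semicolon.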

Modified: trunk/Source/_javascript_Core/ChangeLog (167831 => 167832)


--- trunk/Source/_javascript_Core/ChangeLog	2014-04-25 23:08:01 UTC (rev 167831)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-04-25 23:14:16 UTC (rev 167832)
@@ -1,3 +1,17 @@
+2014-04-25  Oliver Hunt  <[email protected]>
+
+        Need earlier cell test
+        https://bugs.webkit.org/show_bug.cgi?id=132211
+
+        Reviewed by Mark Lam.
+
+        Move cell test to before the function call repatch
+        location, as the repatch logic for 32bit assumes that the
+        caller will already have performed a cell check.
+
+        * jit/JITCall32_64.cpp:
+        (JSC::JIT::compileOpCall):
+
 2014-04-25  Andreas Kling  <[email protected]>
 
         Un-fast-allocate JSGlobalObjectRareData because Windows doesn't build and I'm not in the mood.

Modified: trunk/Source/_javascript_Core/jit/JITCall32_64.cpp (167831 => 167832)


--- trunk/Source/_javascript_Core/jit/JITCall32_64.cpp	2014-04-25 23:08:01 UTC (rev 167831)
+++ trunk/Source/_javascript_Core/jit/JITCall32_64.cpp	2014-04-25 23:14:16 UTC (rev 167832)
@@ -304,11 +304,12 @@
         return;
     }
 
+    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
+
     DataLabelPtr addressOfLinkedFunctionCheck;
     Jump slowCase = branchPtrWithPatch(NotEqual, regT0, addressOfLinkedFunctionCheck, TrustedImmPtr(0));
 
     addSlowCase(slowCase);
-    addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag)));
 
     ASSERT(m_callCompilationInfo.size() == callLinkInfoIndex);
     CallLinkInfo* info = m_codeBlock->addCallLinkInfo();
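Review bot: the ordering requirement that this fix depends on is not documented at the moved line, addSlowCase(branch32(NotEqual, regT1, TrustedImm32(JSValue::CellTag))). Nothing in the code tells a later reader that the tag check must stay ahead of branchPtrWithPatch, so a future cleanup could move it back. Add a one-line comment above it stating that the 32-bit repatch logic assumes the cell check has already been performed before the patchable function check. Since the two addSlowCase calls now register in the opposite order and the matching slow-path code is not part of this diff, also confirm that the slow path does not depend on which of the two cases was added first.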
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
