Title: [171460] branches/safari-600.1-branch/Source/JavaScriptCore
- Revision
- 171460
- Author
- [email protected]
- Date
- 2014-07-23 01:10:05 -0700 (Wed, 23 Jul 2014)
Log Message
Merged r171354. <rdar://problem/17763909>
Diff
Modified: branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog (171459 => 171460)
--- branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-07-23 08:07:17 UTC (rev 171459)
+++ branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-07-23 08:10:05 UTC (rev 171460)
@@ -1,3 +1,24 @@
+2014-07-23 Lucas Forschler <[email protected]>
+
+ Merge r171354
+
+ 2014-07-22 Filip Pizlo <[email protected]>
+
+ ASSERTION FAILED: info.spillFormat() & DataFormatJS in JSC::DFG::SpeculativeJIT::fillSpeculateCell
+ https://bugs.webkit.org/show_bug.cgi?id=135155
+ <rdar://problem/17763909>
+
+ Reviewed by Oliver Hunt.
+
+ The DFG fillSpeculate code paths all need to be mindful of the fact that they may be stumbling upon a
+ contradiction, and that this is OK. In this case, we were speculating cell on an int.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ * tests/stress/regress-135155.js: Added.
+ (run.t.length):
+ (run):
+
2014-07-22 Dana Burkart <[email protected]>
Merge r171228.
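Review bot: The entry says the DFG fillSpeculate code paths "all" need to tolerate a contradiction, but the file list names only fillSpeculateCell in dfg/DFGSpeculativeJIT64.cpp. State in the entry whether the other fillSpeculate paths were checked and found safe or are left for a follow-up, so that a reader of this branch merge knows the scope of the fix.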
Modified: branches/safari-600.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (171459 => 171460)
--- branches/safari-600.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-07-23 08:07:17 UTC (rev 171459)
+++ branches/safari-600.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-07-23 08:10:05 UTC (rev 171460)
@@ -1019,7 +1019,12 @@
terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return gpr;
}
- RELEASE_ASSERT(info.spillFormat() & DataFormatJS);
+
+ if (!(info.spillFormat() & DataFormatJS)) {
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ return gpr;
+ }
+
m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
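Review bot: The new `if (!(info.spillFormat() & DataFormatJS))` branch has no comment saying why a non-JS spill format is now an expected state, when the removed RELEASE_ASSERT treated it as impossible. Add a one-line comment above it along the lines of the ChangeLog text (the spilled value can be an int while a cell is being speculated, and that contradiction is OK), because the body is identical to the bail-out directly above and a later reader may take it for a redundant check. Also confirm that callers tolerate the returned gpr on this path, which skips the `m_gprs.retain` and `m_jit.load64` that follow, just as the existing bail-out does.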
Copied: branches/safari-600.1-branch/Source/_javascript_Core/tests/stress/regress-135155.js (from rev 171354, trunk/Source/_javascript_Core/tests/stress/regress-135155.js) (0 => 171460)
--- branches/safari-600.1-branch/Source/_javascript_Core/tests/stress/regress-135155.js (rev 0)
+++ branches/safari-600.1-branch/Source/_javascript_Core/tests/stress/regress-135155.js 2014-07-23 08:10:05 UTC (rev 171460)
@@ -0,0 +1,9 @@
+function run() {
+ for (var t = 1, i = 0; i < 10000; t++, i++) {
+ t.length = function() {
+ var foo = iv.charCodeAt(foo, undefined);
+ };
+ }
+}
+
+run();
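Review bot: The test has no comment on what it exercises, and the function assigned to `t.length` is never called, so `iv.charCodeAt(foo, undefined)` never runs and the only pass criterion is that `run()` completes without hitting the assertion. Add a header comment naming bug 135155 and stating that the test passes by not crashing, so that the unused body and the undeclared `iv` are not taken for mistakes and cleaned up later.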