author | Julien Brianceau <jbriance@cisco.com> | 2014-06-25 16:30:34 +0200 |
---|---|---|
committer | Julien Brianceau <jbriance@cisco.com> | 2014-06-26 12:15:38 +0200 |
commit | b16a6f1c1caf3ee0b4fb256f6cd21aa294a0da9d (patch) | |
tree | acfbbd60f389bfb495b62e66a87a3d86bbb6aca3 | |
parent | a9d7d46164a3d8133e46b3a9197bf7995104a280 (diff) | |
Fix SpeculateCellOperand ASSERT failure in DFG for 32-bit builds.
Original patch by Filip Pizlo <fpizlo@apple.com> on 2013-08-28
taken from WebKit r154804 (http://trac.webkit.org/changeset/154804).
Task-number: QTBUG-39768
Change-Id: I239f2ee2ec5d1c21f7e50709b8989e744fd87995
Reviewed-by: Zhang Zengbo <zengbo.zhang@gmail.com>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp | 45 |
1 files changed, 27 insertions, 18 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index de4ca9674..5fc35cb73 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -3870,7 +3870,8 @@ void SpeculativeJIT::compile(Node* node)
 break;
 }
- if (isCellSpeculation(node->child1()->prediction())) {
+ switch (node->child1().useKind()) {
+ case CellUse: {
 SpeculateCellOperand base(this, node->child1());
 GPRTemporary resultTag(this, base);
 GPRTemporary resultPayload(this);
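Review bot: The new `switch (node->child1().useKind())` carries no comment explaining why the operand class is now chosen from the edge's use kind rather than from the prediction, yet the whole fix rests on that invariant. Going by the commit title, SpeculateCellOperand appears to assert that its edge is a cell use, so the emitted type check has to follow what was decided for the edge, not what profiling predicted. I would add `// Choose the operand type from the edge's use kind, not the prediction: the two can disagree.` above the switch. The hunk does not show whether other cases in compile() still test `isCellSpeculation(node->child1()->prediction())` before constructing a SpeculateCellOperand; any that do would presumably need the same change. The `case CellUse:` block opened here closes in the next hunk, and compile() itself starts and ends outside both.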
@@ -3886,23 +3887,31 @@ void SpeculativeJIT::compile(Node* node)
 jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
 break;
 }
-
- JSValueOperand base(this, node->child1());
- GPRTemporary resultTag(this, base);
- GPRTemporary resultPayload(this);
-
- GPRReg baseTagGPR = base.tagGPR();
- GPRReg basePayloadGPR = base.payloadGPR();
- GPRReg resultTagGPR = resultTag.gpr();
- GPRReg resultPayloadGPR = resultPayload.gpr();
-
- base.use();
-
- JITCompiler::Jump notCell = m_jit.branch32(JITCompiler::NotEqual, baseTagGPR, TrustedImm32(JSValue::CellTag));
-
- cachedGetById(node->codeOrigin, baseTagGPR, basePayloadGPR, resultTagGPR, resultPayloadGPR, node->identifierNumber(), notCell);
-
- jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+
+ case UntypedUse: {
+ JSValueOperand base(this, node->child1());
+ GPRTemporary resultTag(this, base);
+ GPRTemporary resultPayload(this);
+
+ GPRReg baseTagGPR = base.tagGPR();
+ GPRReg basePayloadGPR = base.payloadGPR();
+ GPRReg resultTagGPR = resultTag.gpr();
+ GPRReg resultPayloadGPR = resultPayload.gpr();
+
+ base.use();
+
+ JITCompiler::Jump notCell = m_jit.branch32(JITCompiler::NotEqual, baseTagGPR, TrustedImm32(JSValue::CellTag));
+
+ cachedGetById(node->codeOrigin, baseTagGPR, basePayloadGPR, resultTagGPR, resultPayloadGPR, node->identifierNumber(), notCell);
+
+ jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+ break;
+ }
+
+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ break;
+ }
 break;
 }
 |
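Review bot: The `default:` arm deserves a one-line comment, because it is what keeps a use kind other than CellUse or UntypedUse from leaving this case without a matching operand and type check. `RELEASE_ASSERT_NOT_REACHED()` is a sound choice, since it stays active in release builds where a plain ASSERT would compile away. I would document that intent with `// Fail hard on any other use kind rather than emit a property access without the matching type check.` The `break;` after the assert is unreachable and could be dropped unless the project's style asks for it. The enclosing switch in compile() continues outside the hunk.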