WebKit Bugzilla
Attachment 350140 Details for Bug 189703: CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
patch: c-backup.diff (text/plain), 1.75 KB, created by Saam Barati on 2018-09-19 12:16:05 PDT
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 236213) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2018-09-19 Saam barati <sbarati@apple.com> >+ >+ CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code >+ https://bugs.webkit.org/show_bug.cgi?id=189703 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This fixes a crash that a TypeProfiler change revealed. >+ >+ * dfg/DFGSpeculativeJIT64.cpp: >+ (JSC::DFG::SpeculativeJIT::compile): >+ > 2018-09-18 Mark Lam <mark.lam@apple.com> > > Ensure that ForInContexts are invalidated if their loop local is over-written. >Index: Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (revision 236213) >+++ Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (working copy) >@@ -3552,11 +3552,19 @@ void SpeculativeJIT::compile(Node* node) > case CheckStructureOrEmpty: { > SpeculateCellOperand cell(this, node->child1()); > GPRReg cellGPR = cell.gpr(); >+ >+ GPRReg tempGPR = InvalidGPRReg; >+ std::optional<GPRTemporary> temp; >+ if (node->structureSet().size() > 1) { >+ temp.emplace(this); >+ tempGPR = temp->gpr(); >+ } >+ > MacroAssembler::Jump isEmpty; > if (m_interpreter.forNode(node->child1()).m_type & SpecEmpty) > isEmpty = m_jit.branchIfEmpty(cellGPR); > >- emitStructureCheck(node, cellGPR, InvalidGPRReg); >+ emitStructureCheck(node, cellGPR, tempGPR); > > if (isEmpty.isSet()) > isEmpty.link(&m_jit);
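Review bot: The ChangeLog body ("This fixes a crash that a TypeProfiler change revealed.") does not say why the old call was wrong or which change exposed the crash, and the file list names only dfg/DFGSpeculativeJIT64.cpp with no test. Suggest adding a sentence that the temp register is now obtained before the `branchIfEmpty`, so the empty path no longer skips over it, as the bug title implies. Suggest also adding a regression test or a note on why one cannot be written. The author line reads "Saam barati" with a lowercase surname.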
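Review bot: In the CheckStructureOrEmpty case of DFGSpeculativeJIT64.cpp, the guard `if (node->structureSet().size() > 1)` restates at the call site the condition under which emitStructureCheck is expected to need a temp, and nothing in the hunk ties the two together. If they drift apart, the call silently falls back to passing InvalidGPRReg, which is the behaviour this patch moves away from. Suggest a short comment above `std::optional<GPRTemporary> temp;` saying that the temp must be allocated before `isEmpty = m_jit.branchIfEmpty(cellGPR);` because the empty path jumps over the structure check, and consider asserting in emitStructureCheck that the temp is valid whenever the structure set has more than one entry.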