JIT implementation of put_by_val increments m_length instead of setting

it to index+1
https://bugs.webkit.org/show_bug.cgi?id=68766

Reviewed by Geoffrey Garen.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_val):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95918 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 9c83dac..2b4e7df 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,14 @@
+2011-09-24  Filip Pizlo  <fpizlo@apple.com>
+
+        JIT implementation of put_by_val increments m_length instead of setting
+        it to index+1
+        https://bugs.webkit.org/show_bug.cgi?id=68766
+
+        Reviewed by Geoffrey Garen.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+
 2011-09-24  Geoffrey Garen  <ggaren@apple.com>
 
         More build fixage.

diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
index d272eff..10eea4b 100644 (file)
--- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -215,7 +215,9 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector)));
     branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this);
 
-    add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+    add32(TrustedImm32(1), regT1);
+    store32(regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length)));
+    sub32(TrustedImm32(1), regT1);
     jump().linkTo(storeResult, this);
 
     end.link(this);