projects / profile / ivi / webkit-efl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 126674b)
[Qt]REGRESSION(r95865): It made 4 tests crash
authorggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Sep 2011 18:52:00 +0000 (18:52 +0000)
committerggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 26 Sep 2011 18:52:00 +0000 (18:52 +0000)
https://bugs.webkit.org/show_bug.cgi?id=68780

Patch by Zoltan Herczeg <zherczeg@webkit.org> on 2011-09-26
Reviewed by Oliver Hunt.

emitJumpSlowCaseIfNotJSCell(...) cannot be moved
away since the next load depends on it.

* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_val):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95965 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog patch | blob | history
Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp patch | blob | history

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 94b5c8d..e3675d7 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-09-26  Zoltan Herczeg  <zherczeg@webkit.org>
+
+        [Qt]REGRESSION(r95865): It made 4 tests crash
+        https://bugs.webkit.org/show_bug.cgi?id=68780
+        
+        Reviewed by Oliver Hunt.
+
+        emitJumpSlowCaseIfNotJSCell(...) cannot be moved
+        away since the next load depends on it.
+
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_by_val):
+
 2011-09-25  Mark Hahnenberg  <mhahnenberg@apple.com>
 
         Add custom vtable struct to ClassInfo struct
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
index 3549083..e097ec8 100644 (file)
--- a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
+++ b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
@@ -258,12 +258,11 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
     emitLoad2(base, regT1, regT0, property, regT3, regT2);
     
     addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
+    emitJumpSlowCaseIfNotJSCell(base, regT1);
     addSlowCase(branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsArrayVPtr)));
     addSlowCase(branch32(AboveOrEqual, regT2, Address(regT0, JSArray::vectorLengthOffset())));
-    
-    emitJumpSlowCaseIfNotJSCell(base, regT1);
-    emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
 
+    emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
     loadPtr(Address(regT0, JSArray::storageOffset()), regT3);
     
     Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
Domain: Web Framework / Uncategorized;