DFG tracking of the value in cachedResultRegister does not handle

op_mov correctly
https://bugs.webkit.org/show_bug.cgi?id=68781

Reviewed by Oliver Hunt.

This takes the simplest approach: it makes the old JIT dumber rather
than making the DFG JIT smarter. This is performance-neutral.

* jit/JIT.h:
(JSC::JIT::canBeOptimized):
* jit/JITOpcodes.cpp:
(JSC::JIT::emit_op_mov):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95925 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 0534779..0b953d3 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,19 @@
+2011-09-25  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG tracking of the value in cachedResultRegister does not handle
+        op_mov correctly
+        https://bugs.webkit.org/show_bug.cgi?id=68781
+
+        Reviewed by Oliver Hunt.
+        
+        This takes the simplest approach: it makes the old JIT dumber rather
+        than making the DFG JIT smarter. This is performance-neutral.
+
+        * jit/JIT.h:
+        (JSC::JIT::canBeOptimized):
+        * jit/JITOpcodes.cpp:
+        (JSC::JIT::emit_op_mov):
+
 2011-09-25  Adam Barth  <abarth@webkit.org>
 
         Remove PLATFORM(HAIKU) and associated code

diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h
index 97c3de3..fc8f6d3 100644 (file)
--- a/Source/JavaScriptCore/jit/JIT.h
+++ b/Source/JavaScriptCore/jit/JIT.h
@@ -1034,8 +1034,10 @@ namespace JSC {
 #endif
 
 #if ENABLE(DFG_JIT)
+        bool canBeOptimized() { return m_canBeOptimized; }
         bool shouldEmitProfiling() { return m_canBeOptimized; }
 #else
+        bool canBeOptimized() { return false; }
         // Enables use of value profiler with tiered compilation turned off,
         // in which case all code gets profiled.
         bool shouldEmitProfiling() { return true; }

diff --git a/Source/JavaScriptCore/jit/JITOpcodes.cpp b/Source/JavaScriptCore/jit/JITOpcodes.cpp
index e084da0..0a400f3 100644 (file)
--- a/Source/JavaScriptCore/jit/JITOpcodes.cpp
+++ b/Source/JavaScriptCore/jit/JITOpcodes.cpp
@@ -303,19 +303,26 @@ void JIT::emit_op_mov(Instruction* currentInstruction)
     int dst = currentInstruction[1].u.operand;
     int src = currentInstruction[2].u.operand;
 
-    if (m_codeBlock->isConstantRegisterIndex(src)) {
-        storePtr(ImmPtr(JSValue::encode(getConstantOperand(src))), Address(callFrameRegister, dst * sizeof(Register)));
-        if (dst == m_lastResultBytecodeRegister)
-            killLastResultRegister();
-    } else if ((src == m_lastResultBytecodeRegister) || (dst == m_lastResultBytecodeRegister)) {
-        // If either the src or dst is the cached register go though
-        // get/put registers to make sure we track this correctly.
+    if (canBeOptimized()) {
+        // Use simpler approach, since the DFG thinks that the last result register
+        // is always set to the destination on every operation.
         emitGetVirtualRegister(src, regT0);
         emitPutVirtualRegister(dst);
     } else {
-        // Perform the copy via regT1; do not disturb any mapping in regT0.
-        loadPtr(Address(callFrameRegister, src * sizeof(Register)), regT1);
-        storePtr(regT1, Address(callFrameRegister, dst * sizeof(Register)));
+        if (m_codeBlock->isConstantRegisterIndex(src)) {
+            storePtr(ImmPtr(JSValue::encode(getConstantOperand(src))), Address(callFrameRegister, dst * sizeof(Register)));
+            if (dst == m_lastResultBytecodeRegister)
+                killLastResultRegister();
+        } else if ((src == m_lastResultBytecodeRegister) || (dst == m_lastResultBytecodeRegister)) {
+            // If either the src or dst is the cached register go though
+            // get/put registers to make sure we track this correctly.
+            emitGetVirtualRegister(src, regT0);
+            emitPutVirtualRegister(dst);
+        } else {
+            // Perform the copy via regT1; do not disturb any mapping in regT0.
+            loadPtr(Address(callFrameRegister, src * sizeof(Register)), regT1);
+            storePtr(regT1, Address(callFrameRegister, dst * sizeof(Register)));
+        }
     }
 }