SpeculativeJIT::fillStorage() should work with all the states that a cell may be in

https://bugs.webkit.org/show_bug.cgi?id=83722

Reviewed by Gavin Barraclough.

It's now possible to do StorageOperand on a cell, in the case that the storage is
inline. But this means that fillStorage() must be able to handle all of the states
that a cell might be in. Previously it didn't.

With this change, it now does handle all of the states, and moreover, it does so
by preserving the DataFormat of cells and performing all of the cell speculations
that should be performed if you're using a cell as storage. But if you use this on
something that is known to be storage already then it behaves as it did before.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::fillStorage):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@113919 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index ca5c8dd..cb97955 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,24 @@
 2012-04-11  Filip Pizlo  <fpizlo@apple.com>
 
+        SpeculativeJIT::fillStorage() should work with all the states that a cell may be in
+        https://bugs.webkit.org/show_bug.cgi?id=83722
+
+        Reviewed by Gavin Barraclough.
+        
+        It's now possible to do StorageOperand on a cell, in the case that the storage is
+        inline. But this means that fillStorage() must be able to handle all of the states
+        that a cell might be in. Previously it didn't.
+        
+        With this change, it now does handle all of the states, and moreover, it does so
+        by preserving the DataFormat of cells and performing all of the cell speculations
+        that should be performed if you're using a cell as storage. But if you use this on
+        something that is known to be storage already then it behaves as it did before.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::fillStorage):
+
+2012-04-11  Filip Pizlo  <fpizlo@apple.com>
+
         Global variable predictions should not be coalesced unnecessarily
         https://bugs.webkit.org/show_bug.cgi?id=83678
 

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index acad76b..cb315fc 100644 (file)
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -60,39 +60,27 @@ GPRReg SpeculativeJIT::fillStorage(NodeIndex nodeIndex)
     
     switch (info.registerFormat()) {
     case DataFormatNone: {
-        GPRReg gpr = allocate();
-        ASSERT(info.spillFormat() == DataFormatStorage);
-        m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
-        m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), gpr);
-        info.fillStorage(gpr);
-        return gpr;
-    }
+        if (info.spillFormat() == DataFormatStorage) {
+            GPRReg gpr = allocate();
+            m_gprs.retain(gpr, virtualRegister, SpillOrderSpilled);
+            m_jit.loadPtr(JITCompiler::addressFor(virtualRegister), gpr);
+            info.fillStorage(gpr);
+            return gpr;
+        }
         
-    case DataFormatStorage:
-    case DataFormatCell: {
-        GPRReg gpr = info.gpr();
-        m_gprs.lock(gpr);
-        return gpr;
+        // Must be a cell; fill it as a cell and then return the pointer.
+        return fillSpeculateCell(nodeIndex);
     }
         
-    case DataFormatJS:
-    case DataFormatJSCell: {
-#if USE(JSVALUE64)
+    case DataFormatStorage: {
         GPRReg gpr = info.gpr();
         m_gprs.lock(gpr);
         return gpr;
-#else
-        GPRReg gpr = info.payloadGPR();
-        m_gprs.lock(gpr);
-        return gpr;
-#endif
     }
-
+        
     default:
-        ASSERT_NOT_REACHED();
+        return fillSpeculateCell(nodeIndex);
     }
-    
-    return InvalidGPRReg;
 }
 
 void SpeculativeJIT::useChildren(Node& node)