From: fpizlo@apple.com Date: Sun, 25 Sep 2011 02:20:41 +0000 (+0000) Subject: JIT implementation of put_by_val increments m_length instead of setting X-Git-Tag: 070512121124~23720 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=766f19eb0a996b0eee23afaf734a4632061a1724;p=profile%2Fivi%2Fwebkit-efl.git JIT implementation of put_by_val increments m_length instead of setting it to index+1 https://bugs.webkit.org/show_bug.cgi?id=68766 Reviewed by Geoffrey Garen. * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_by_val): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95918 268f45cc-cd09-0410-ab3c-d52691b4dbfc --- diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index 9c83dac..2b4e7df 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -1,3 +1,14 @@ +2011-09-24 Filip Pizlo + + JIT implementation of put_by_val increments m_length instead of setting + it to index+1 + https://bugs.webkit.org/show_bug.cgi?id=68766 + + Reviewed by Geoffrey Garen. + + * jit/JITPropertyAccess.cpp: + (JSC::JIT::emit_op_put_by_val): + 2011-09-24 Geoffrey Garen More build fixage. diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp index d272eff..10eea4b 100644 --- a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp +++ b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp @@ -215,7 +215,9 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction) add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_numValuesInVector))); branch32(Below, regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))).linkTo(storeResult, this); - add32(TrustedImm32(1), Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))); + add32(TrustedImm32(1), regT1); + store32(regT1, Address(regT2, OBJECT_OFFSETOF(ArrayStorage, m_length))); + sub32(TrustedImm32(1), regT1); jump().linkTo(storeResult, this); end.link(this);
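Review bot: No regression test accompanies the change to JIT::emit_op_put_by_val; the patch touches only ChangeLog and JITPropertyAccess.cpp. The old add32 on m_length and the new store of index+1 differ only when the index in regT1 is strictly greater than the current m_length, so a test that makes such a store on this fast path and then checks the array's length would pin the fixed behaviour. In the same hunk, the add32/store32/sub32 sequence temporarily changes regT1, and the code at storeResult presumably still needs the original index there. A short comment on the sub32 line, saying that it restores the index for storeResult, would stop a later cleanup from removing it as redundant.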