From 78a1a9d24e75faaeb6994477fb1403a861e1ea81 Mon Sep 17 00:00:00 2001
From: "ggaren@apple.com"
Date: Mon, 26 Sep 2011 18:52:00 +0000
Subject: [PATCH] [Qt]REGRESSION(r95865): It made 4 tests crash

https://bugs.webkit.org/show_bug.cgi?id=68780

Patch by Zoltan Herczeg on 2011-09-26
Reviewed by Oliver Hunt.

emitJumpSlowCaseIfNotJSCell(...) cannot be moved
away since the next load depends on it.

* jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emit_op_put_by_val):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@95965 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 13 +++++++++++++
 Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp | 5 ++---
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 94b5c8d..e3675d7 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2011-09-26 Zoltan Herczeg
+
+ [Qt]REGRESSION(r95865): It made 4 tests crash
+ https://bugs.webkit.org/show_bug.cgi?id=68780
+
+ Reviewed by Oliver Hunt.
+
+ emitJumpSlowCaseIfNotJSCell(...) cannot be moved
+ away since the next load depends on it.
+
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_put_by_val):
+
 2011-09-25 Mark Hahnenberg
 
 Add custom vtable struct to ClassInfo struct
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
index 3549083..e097ec8 100644
--- a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
+++ b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
@@ -258,12 +258,11 @@ void JIT::emit_op_put_by_val(Instruction* currentInstruction)
 emitLoad2(base, regT1, regT0, property, regT3, regT2);
 addSlowCase(branch32(NotEqual, regT3, TrustedImm32(JSValue::Int32Tag)));
+ emitJumpSlowCaseIfNotJSCell(base, regT1);
 addSlowCase(branchPtr(NotEqual, Address(regT0), TrustedImmPtr(m_globalData->jsArrayVPtr)));
 addSlowCase(branch32(AboveOrEqual, regT2, Address(regT0, JSArray::vectorLengthOffset())));
-
- emitJumpSlowCaseIfNotJSCell(base, regT1);
- emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
+ emitWriteBarrier(regT0, regT1, regT1, regT3, UnconditionalWriteBarrier, WriteBarrierForPropertyAccess);
 loadPtr(Address(regT0, JSArray::storageOffset()), regT3);
 Jump empty = branch32(Equal, BaseIndex(regT3, regT2, TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), TrustedImm32(JSValue::EmptyValueTag));
-- 
2.7.4
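Review bot: The added `emitJumpSlowCaseIfNotJSCell(base, regT1);` carries an ordering invariant that nothing in the code records: the `branchPtr` on the following line reads through `Address(regT0)` to compare the vptr, and that read is only valid once non-cell bases have been diverted to the slow case, so the check must stay ahead of that load (this is exactly the reordering the commit reverts). A one-line comment above the added line would keep the next tidy-up from reintroducing the crash: `// Must precede the vptr compare below: Address(regT0) is only a cell pointer once this check has passed.` Moving `emitWriteBarrier` to after the vectorLength check raises no concern from what is visible here. emit_op_put_by_val begins before and continues past this hunk.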