Changeset 148711 in webkit for trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

Timestamp:

Apr 18, 2013, 3:52:06 PM (12 years ago)

Author:

[email protected]

Message:

Crash beneath JSC::JIT::privateCompileSlowCases @ stephenrdonaldson.com
​https://bugs.webkit.org/show_bug.cgi?id=114774

Reviewed by Geoffrey Garen.

We're not linking up all of the slow cases in the baseline JIT when compiling put_to_base.

Source/JavaScriptCore:

• jit/JITOpcodes.cpp:

(JSC::JIT::emitSlow_op_put_to_base):

LayoutTests:

• fast/js/put-to-base-global-checked-expected.txt: Added.
• fast/js/put-to-base-global-checked.html: Added.
• fast/js/script-tests/put-to-base-global-checked.js: Added.

(globalF):
(warmup):
(foo):

File:

• trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/jit/JITOpcodes.cpp

@@ -1598 +1598 @@
         return;
 
+    case PutToBaseOperation::GlobalVariablePutChecked:
+        linkSlowCase(iter);
     case PutToBaseOperation::GlobalVariablePut:
         if (!putToBaseOperation->m_isDynamic)
@@ -1609 +1611 @@
         return;
 
-    case PutToBaseOperation::GlobalVariablePutChecked:
     case PutToBaseOperation::GlobalPropertyPut:
         linkSlowCase(iter);