Timestamp:
Nov 11, 2013, 12:57:51 PM
Author:
[email protected]
Message:

DFG Int52 boxing code may clobber the source without telling anyone
https://bugs.webkit.org/show_bug.cgi?id=124137

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

  • dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
  • jit/AssemblyHelpers.h: Document the invariant for boxInt52.
  • jsc.cpp:
    (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.

LayoutTests:

Reviewed by Mark Hahnenberg.

Write the test as a JSRegress test because we currently need a couple
recompiles to get the bug. JSRegress tests are meant to be longer-running
stress tests and they are usually run with different compilation thresholds, so
that ensures that we will actually hit the relevant code path.

  • js/regress/int52-spill-expected.txt: Added.
  • js/regress/int52-spill.html: Added.
  • js/regress/script-tests/int52-spill.js: Added.
    (bar):
    (foo):

File:
1 edited

  • trunk/Source/JavaScriptCore/jsc.cpp

    r158586 r159064  
    232232        addFunction(vm, "preciseTime", functionPreciseTime, 0);
    233233        addFunction(vm, "neverInlineFunction", functionNeverInlineFunction, 1);
     234        addFunction(vm, "noInline", functionNeverInlineFunction, 1);
    234235        addFunction(vm, "numberOfDFGCompiles", functionNumberOfDFGCompiles, 1);
    235236#if ENABLE(SAMPLING_FLAGS)
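Review bot: The added `addFunction(vm, "noInline", functionNeverInlineFunction, 1);` registers a second name for the same native with no comment saying why two names now exist, so a later cleanup could plausibly drop one of them as a duplicate; add a one-line comment on the new line noting that `noInline` is the alias the LayoutTests harness expects and that `neverInlineFunction` is kept for existing callers. Placing the alias directly after the `neverInlineFunction` registration with the same arity of 1 is the right spot, since it keeps the two bindings visibly paired.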