Changeset 55198 in webkit for trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

Timestamp:

Feb 24, 2010, 1:20:42 PM (15 years ago)

Author:

[email protected]

Message:

2010-02-24 Oliver Hunt <​[email protected]>

Reviewed by Geoffrey Garen.

[REGRESSION in r55185] EXC_BAD_ACCESS on opening inspector.
​https://bugs.webkit.org/show_bug.cgi?id=35335

compileGetDirectOffset modifies the contents of the object register
when the object is not using the inline storage array. As the object
register contains our 'this' pointer we can't allow it to be clobbered.
The fix is simply to copy the register into a separate scratch register
when we're loading off an object that doesn't use inline storage.

• jit/JITPropertyAccess.cpp: (JSC::JIT::privateCompileGetByIdSelfList):
• jit/JITPropertyAccess32_64.cpp: (JSC::JIT::privateCompileGetByIdSelfList):

2010-02-24 Oliver Hunt <​[email protected]>

Reviewed by Geoffrey Garen.

[REGRESSION in r55185] EXC_BAD_ACCESS on opening inspector.
​https://bugs.webkit.org/show_bug.cgi?id=35335

Add tests for caching getter lookup on large objects (eg. those not
using the inline storage array).

• fast/js/pic/cached-getter-setter-expected.txt:
• fast/js/pic/cached-getter-setter.html:

File:

• trunk/JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (1 diff)

trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -759 +759 @@
     Jump failureCase = checkStructure(regT0, structure);
     if (isGetter) {
-        compileGetDirectOffset(regT0, regT1, structure, cachedOffset);
+        if (!structure->isUsingInlineStorage()) {
+            move(regT0, regT1);
+            compileGetDirectOffset(regT1, regT1, structure, cachedOffset);
+        } else
+            compileGetDirectOffset(regT0, regT1, structure, cachedOffset);
         JITStubCall stubCall(this, cti_op_get_by_id_getter_stub);
         stubCall.addArgument(regT1);