Changeset 91825 in webkit for trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

Timestamp:

Jul 27, 2011, 12:12:38 AM (14 years ago)

Author:

[email protected]

Message:

DFG JIT speculation failure code performs incorrect conversions in
the case where two registers need to be swapped.
​https://bugs.webkit.org/show_bug.cgi?id=65233

Patch by Filip Pizlo <​[email protected]> on 2011-07-27
Reviewed by Gavin Barraclough.

• dfg/DFGJITCompiler.cpp:

(JSC::DFG::GeneralizedRegister::swapWith):

File:

• trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

@@ -245 +245 @@
         jit.swap(gpr(), other.gpr());
         
-        if (UNLIKELY(needDataFormatConversion(myDataFormat, myNewDataFormat))) {
-            if (myDataFormat == DataFormatInteger)
+        if (UNLIKELY(needDataFormatConversion(otherDataFormat, myNewDataFormat))) {
+            if (otherDataFormat == DataFormatInteger)
                 jit.orPtr(GPRInfo::tagTypeNumberRegister, gpr());
             else if (myNewDataFormat == DataFormatInteger)
@@ -252 +252 @@
         }
         
-        if (UNLIKELY(needDataFormatConversion(otherDataFormat, myNewDataFormat))) {
-            if (otherDataFormat == DataFormatInteger)
+        if (UNLIKELY(needDataFormatConversion(myDataFormat, otherNewDataFormat))) {
+            if (myDataFormat == DataFormatInteger)
                 jit.orPtr(GPRInfo::tagTypeNumberRegister, other.gpr());
             else if (otherNewDataFormat == DataFormatInteger)