Ignore:
Timestamp:
Sep 2, 2011, 10:23:35 PM (14 years ago)
Author:
[email protected]
Message:

DFG JIT speculation failure does recovery of additions in reverse and
doesn't rebox
https://bugs.webkit.org/show_bug.cgi?id=67551

Reviewed by Sam Weinig.

  • dfg/DFGJITCompiler.cpp:

(JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp

    r93698 r94478  
    496496        // The only additional recovery we currently support is for integer add operation
    497497        ASSERT(recovery->type() == SpeculativeAdd);
     498        ASSERT(check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].nodeIndex != NoNode);
    498499        // Revert the add.
    499500        sub32(recovery->src(), recovery->dest());
     501       
     502        // If recovery->dest() should have been boxed prior to the addition, then rebox
     503        // it.
     504        DataFormat format = check.m_gprInfo[GPRInfo::toIndex(recovery->dest())].format;
     505        ASSERT(format == DataFormatInteger || format == DataFormatJSInteger || format == DataFormatJS);
     506        if (format != DataFormatInteger)
     507            orPtr(GPRInfo::tagTypeNumberRegister, recovery->dest());
    500508    }
    501509   
Note: See TracChangeset for help on using the changeset viewer.