authorMark Hahnenberg <mhahnenberg@apple.com>2013-10-16 16:01:27 +0200
committerThe Qt Project <gerrit-noreply@qt-project.org>2013-10-16 19:33:30 +0200
commit6d6a120fd6d80f8ebae638a118e0727a4b04253b (patch)
tree1921ce8ab6c5d35989dcc4ea2463a88d02746ee0
parent332de746f32edbb3dfc1cd4b39d8c815fd47b28e (diff)
32-bit code gen for TypeOf doesn't properly update the AbstractInterpreter state
https://bugs.webkit.org/show_bug.cgi?id=119555 Reviewed by Geoffrey Garen. It uses a speculationCheck where it should be using a DFG_TYPE_CHECK like the 64-bit backend does. This was causing crashes on maps.google.com in 32-bit debug builds. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): Change-Id: Icdcfe0719d22df7db6dc7ffcee309b75b63914df git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153793 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Simon Hausmann <simon.hausmann@digia.com>
-rw-r--r--Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index 1d213c6fe..de4ca9674 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -4399,7 +4399,7 @@ void SpeculativeJIT::compile(Node* node)
JITCompiler::Jump isNotCell = m_jit.branch32(JITCompiler::NotEqual, tagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
if (node->child1().useKind() != UntypedUse)
- speculationCheck(BadType, JSValueRegs(tagGPR, payloadGPR), node->child1(), isNotCell);
+ DFG_TYPE_CHECK(JSValueRegs(tagGPR, payloadGPR), node->child1(), SpecCell, isNotCell);
if (!node->child1()->shouldSpeculateObject() || node->child1().useKind() == StringUse) {
m_jit.loadPtr(JITCompiler::Address(payloadGPR, JSCell::structureOffset()), tempGPR);