    644e77b7
    DFG Int52 boxing code may clobber the source without telling anyone
    fpizlo@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=124137
    
    Source/JavaScriptCore: 
    
    Reviewed by Mark Hahnenberg.
    
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::boxInt52): This is called in places where source is expected to be unchanged. We never call this expecting super-amazing codegen. So, preserve the source's value the dumb way (by recovering it mathematically).
    * jit/AssemblyHelpers.h: Document the invariant for boxInt52.
    * jsc.cpp:
    (GlobalObject::finishCreation): It's been super annoying that sometimes we say noInline() and sometimes we say neverInlineFunction(). The LayoutTests harnesses ensure that we have something called noInline(), but it's great to also ensure that the shell has it.
    
    LayoutTests: 
    
    Reviewed by Mark Hahnenberg.
            
    Write the test as a JSRegress test because we currently need a couple of
    recompiles to get the bug. JSRegress tests are meant to be longer-running
    stress tests and they are usually run with different compilation thresholds, so
    that ensures that we will actually hit the relevant code path.
    
    * js/regress/int52-spill-expected.txt: Added.
    * js/regress/int52-spill.html: Added.
    * js/regress/script-tests/int52-spill.js: Added.
    (bar):
    (foo):
    
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@159064 268f45cc-cd09-0410-ab3c-d52691b4dbfc
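To make concrete what "preserve the source's value by recovering it mathematically" means for the boxInt52 invariant, the following is an added C model written for this page; it is not WebKit's code and does not reproduce JavaScriptCore's register allocation or JSValue encoding. It assumes the DFG convention that an Int52 register holds the 52-bit value shifted left by 12 (StrictInt52 being the unshifted value); the int32 tag and double offset constants, and all function names, are simplified stand-ins chosen for the illustration. The clobbering variant converts the caller's register in place and returns without restoring it; the preserving variant does the same conversion and then undoes it with a shift, which is valid because an Int52 always has its low 12 bits clear.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Register forms modeled here (assumption for this illustration):
 *   Int52       = strict value << 12  (what the DFG keeps in a register)
 *   StrictInt52 = the unshifted 52-bit value
 * The box layout is a simplified stand-in for a 64-bit JSValue, not
 * WebKit's real constants. */
#define INT52_SHIFT          12
#define MODEL_INT32_TAG      0xffff000000000000ULL
#define MODEL_DOUBLE_OFFSET  (1ULL << 48)

typedef uint64_t JSValueModel;

/* Box a StrictInt52: tagged int32 when it fits, otherwise an
 * offset-encoded double. */
static JSValueModel box_strict_int52(int64_t strict) {
    if (strict >= INT32_MIN && strict <= INT32_MAX)
        return MODEL_INT32_TAG | (uint32_t)(int32_t)strict;
    double d = (double)strict;               /* exact: |strict| < 2^53 */
    uint64_t bits;
    memcpy(&bits, &d, sizeof bits);
    return bits + MODEL_DOUBLE_OFFSET;
}

/* Inverse of box_strict_int52, used only to check round-trips. */
static int64_t unbox_to_strict(JSValueModel v) {
    if ((v & MODEL_INT32_TAG) == MODEL_INT32_TAG)
        return (int32_t)(uint32_t)v;
    uint64_t bits = v - MODEL_DOUBLE_OFFSET;
    double d;
    memcpy(&d, &bits, sizeof d);
    return (int64_t)d;
}

/* The bug pattern: shift the caller's Int52 register in place to get the
 * StrictInt52, box that, and hand the register back changed. */
static JSValueModel box_int52_clobbering(int64_t *reg) {
    *reg >>= INT52_SHIFT;                    /* arithmetic shift on int64 */
    return box_strict_int52(*reg);
}

/* The fix pattern: same in-place conversion, then undo it arithmetically.
 * An Int52 has its low 12 bits clear, so (x >> 12) << 12 == x. */
static JSValueModel box_int52_preserving(int64_t *reg) {
    *reg >>= INT52_SHIFT;
    JSValueModel boxed = box_strict_int52(*reg);
    /* Shift back through uint64_t to avoid signed left-shift UB on negatives. */
    *reg = (int64_t)((uint64_t)*reg << INT52_SHIFT);
    return boxed;
}

static int64_t to_int52_form(int64_t strict) {
    return (int64_t)((uint64_t)strict << INT52_SHIFT);
}

/* True when the preserving boxer leaves the register intact and the box
 * decodes back to the original value. */
bool int52_box_preserves(int64_t strict) {
    int64_t reg = to_int52_form(strict), before = reg;
    JSValueModel boxed = box_int52_preserving(&reg);
    return reg == before && unbox_to_strict(boxed) == strict;
}

/* True when the clobbering boxer changes the register (the reported bug). */
bool int52_box_clobbers(int64_t strict) {
    int64_t reg = to_int52_form(strict), before = reg;
    (void)box_int52_clobbering(&reg);
    return reg != before;
}

int main(void) {
    /* Constructed sample values covering the int32 and double boxing paths
     * and both ends of the Int52 range. */
    const int64_t samples[] = { 0, 1, -1, INT32_MAX, INT32_MIN,
                                (int64_t)1 << 40, -((int64_t)1 << 51),
                                ((int64_t)1 << 51) - 1 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%lld: preserving ok=%d, clobbering changes reg=%d\n",
               (long long)samples[i], int52_box_preserves(samples[i]),
               int52_box_clobbers(samples[i]));
    return 0;
}
```

The point the check makes is that the recovery costs one extra shift and no scratch register, which is why the commit message calls it the "dumb" option: the caller's register reads back exactly as before on every value, including the negative extreme where the shifted form occupies the sign bit.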