DFG operation results are not set correctly in JSVALUE32_64 DFG JIT

https://bugs.webkit.org/show_bug.cgi?id=69126

Patch by Yuqiang Xian <yuqiang.xian@intel.com> on 2011-09-30
Reviewed by Gavin Barraclough.

The setupResults routine has the bug of reversing the source and destination.
Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.

* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::setupTwoStubArgs):
(JSC::DFG::setupResults):
* dfg/DFGJITCodeGenerator32_64.cpp:
(JSC::DFG::JITCodeGenerator::fillJSValue):
(JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@96451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 44bd4c71
2011-09-30 Yuqiang Xian <yuqiang.xian@intel.com>
DFG operation results are not set correctly in JSVALUE32_64 DFG JIT
https://bugs.webkit.org/show_bug.cgi?id=69126
Reviewed by Gavin Barraclough.
The setupResults routine has the bug of reversing the source and destination.
Also some other trivial (but stupid) bugs need to be fixed in JSVALUE32_64 DFG JIT.
* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::setupTwoStubArgs):
(JSC::DFG::setupResults):
* dfg/DFGJITCodeGenerator32_64.cpp:
(JSC::DFG::JITCodeGenerator::fillJSValue):
(JSC::DFG::JITCodeGenerator::nonSpeculativeValueToInt32):
(JSC::DFG::JITCodeGenerator::nonSpeculativeNonPeepholeCompare):
2011-09-30 Gavin Barraclough <barraclough@apple.com>
Remove toStrictThisObject, toThisString, toThisJSString
......@@ -921,6 +921,7 @@ protected:
m_generationInfo[node.virtualRegister()].initConstant(nodeIndex, node.refCount());
}
#if CPU(X86_64)
// These methods used to sort arguments into the correct registers.
template<GPRReg destA, GPRReg destB>
void setupTwoStubArgs(GPRReg srcA, GPRReg srcB)
......@@ -950,7 +951,6 @@ protected:
} else
m_jit.swap(destA, destB);
}
#if CPU(X86_64)
template<FPRReg destA, FPRReg destB>
void setupTwoStubArgs(FPRReg srcA, FPRReg srcB)
{
......@@ -1182,7 +1182,21 @@ protected:
void setupResults(GPRReg tag, GPRReg payload)
{
setupTwoStubArgs<GPRInfo::returnValueGPR, GPRInfo::returnValueGPR2>(payload, tag);
GPRReg srcA = GPRInfo::returnValueGPR;
GPRReg srcB = GPRInfo::returnValueGPR2;
GPRReg destA = payload;
GPRReg destB = tag;
if (srcB != destA) {
// Handle the easy cases - two simple moves.
m_jit.move(srcA, destA);
m_jit.move(srcB, destB);
} else if (srcA != destB) {
// Handle the non-swap case - just put srcB in place first.
m_jit.move(srcB, destB);
m_jit.move(srcA, destA);
} else
m_jit.swap(destA, destB);
}
// These methods add calls to C++ helper functions.
......
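Review bot: In `setupResults` the move sequence assumes `tag` and `payload` are distinct registers, but nothing in the new body checks that. If a caller passes the same register for both, the first branch's second `m_jit.move` overwrites the payload with the tag, and the generated code carries a value whose tag and payload no longer match, which in a JIT is the kind of defect that becomes type confusion. This commit fixes the same kind of tag/payload aliasing in nonSpeculativeNonPeepholeCompare, so I would add `ASSERT(tag != payload);` as the first statement. The body also repeats the shuffle from `setupTwoStubArgs`, which now sits under `#if CPU(X86_64)`; a one-line comment saying why the template cannot be reused here would help the next reader.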
......@@ -253,7 +253,6 @@ bool JITCodeGenerator::fillJSValue(NodeIndex nodeIndex, GPRReg& tagGPR, GPRReg&
GPRReg gpr = info.gpr();
// If the register has already been locked we need to take a copy.
// If not, we'll zero extend in place, so mark on the info that this is now type DataFormatInteger, not DataFormatJSInteger.
tagGPR = allocate();
if (m_gprs.isLocked(gpr)) {
payloadGPR = allocate();
m_jit.move(gpr, payloadGPR);
......@@ -261,6 +260,7 @@ bool JITCodeGenerator::fillJSValue(NodeIndex nodeIndex, GPRReg& tagGPR, GPRReg&
payloadGPR = gpr;
m_gprs.lock(gpr);
}
tagGPR = allocate();
m_jit.move(info.registerFormat() == DataFormatInteger ? JITCompiler::TrustedImm32(JSValue::Int32Tag) : JITCompiler::TrustedImm32(JSValue::CellTag), tagGPR);
m_gprs.release(gpr);
m_gprs.retain(tagGPR, virtualRegister, SpillOrderJS);
......@@ -386,9 +386,11 @@ void JITCodeGenerator::nonSpeculativeValueToInt32(Node& node)
silentSpillAllRegisters(gpr);
m_jit.moveDouble(fpr, FPRInfo::argumentFPR0);
m_jit.subPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
m_jit.storeDouble(fpr, JITCompiler::stackPointerRegister);
appendCallWithExceptionCheck(toInt32);
m_jit.move(GPRInfo::returnValueGPR, gpr);
m_jit.addPtr(TrustedImm32(sizeof(double)), JITCompiler::stackPointerRegister);
silentFillAllRegisters(gpr);
......@@ -1353,7 +1355,7 @@ void JITCodeGenerator::nonSpeculativeNonPeepholeCompare(Node& node, MacroAssembl
} else {
GPRTemporary resultTag(this, arg1);
GPRTemporary resultPayload(this, arg1, false);
GPRReg resultTagGPR = resultPayload.gpr();
GPRReg resultTagGPR = resultTag.gpr();
GPRReg resultPayloadGPR = resultPayload.gpr();
arg1.use();
......
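Review bot: In nonSpeculativeValueToInt32 the stack pointer is lowered by `sizeof(double)` before `appendCallWithExceptionCheck(toInt32)` and raised again only after the call returns normally. If the exception check can leave this path before the `addPtr`, those bytes stay reserved, so please confirm and document that the exception path resets the stack pointer. The sequence also appears to assume a calling convention that passes the double on the stack, yet the visible lines carry no CPU guard. A comment such as `// toInt32 takes its double argument on the stack here`, or a `#if CPU(X86)` around the three stack lines, would make that assumption explicit. The function starts and ends outside the hunk, so a guard may already exist there.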