From 5b955fb4152c3685f5d9bb20279fbeff1772de77 Mon Sep 17 00:00:00 2001 From: "oliver@apple.com" Date: Fri, 6 Jan 2012 21:19:54 +0000 Subject: [PATCH] GetByteArrayLength is incorrect https://bugs.webkit.org/show_bug.cgi?id=75735 Reviewed by Filip Pizlo. Load the byte array length from the correct location. This stops an existing test from hanging. * dfg/DFGSpeculativeJIT32_64.cpp: (JSC::DFG::SpeculativeJIT::compile): * dfg/DFGSpeculativeJIT64.cpp: (JSC::DFG::SpeculativeJIT::compile): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@104330 268f45cc-cd09-0410-ab3c-d52691b4dbfc
---
 Source/JavaScriptCore/ChangeLog | 15 +++++++++++++++ .../JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp | 2 +- Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp | 2 +- 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 078d2c91ad6..bed659f028a 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,18 @@
+2012-01-06 Oliver Hunt + + GetByteArrayLength is incorrect + https://bugs.webkit.org/show_bug.cgi?id=75735 + + Reviewed by Filip Pizlo. + + Load the byte array length from the correct location. + This stops an existing test from hanging. + + * dfg/DFGSpeculativeJIT32_64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + * dfg/DFGSpeculativeJIT64.cpp: + (JSC::DFG::SpeculativeJIT::compile): + 2012-01-06 Filip Pizlo Fix build.
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index bbe6171eb1f..d6a82b1ccbc 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -3203,7 +3203,7 @@ void SpeculativeJIT::compile(Node& node)
 GPRReg resultGPR = result.gpr();
 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
- m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+ m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
 integerResult(resultGPR, m_compileIndex);
 break;
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
index c6586a67925..7e36165f308 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -3198,7 +3198,7 @@ void SpeculativeJIT::compile(Node& node)
 speculationCheck(BadType, JSValueRegs(baseGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
 m_jit.loadPtr(MacroAssembler::Address(baseGPR, JSByteArray::offsetOfStorage()), resultGPR);
- m_jit.load32(MacroAssembler::Address(baseGPR, ByteArray::offsetOfSize()), resultGPR);
+ m_jit.load32(MacroAssembler::Address(resultGPR, ByteArray::offsetOfSize()), resultGPR);
 integerResult(resultGPR, m_compileIndex);
 break;
-- GitLab
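Review bot: The new load32 dereferences the storage pointer that the preceding loadPtr just placed in resultGPR, and nothing in the code records that `ByteArray::offsetOfSize()` is an offset into the ByteArray backing store rather than into the JSByteArray cell, which is exactly the confusion the removed line embodied. A one-line comment above the loadPtr would protect the next reader, for example `// The length lives in the ByteArray backing store, not in the JSByteArray cell: load the storage pointer first, then its size field.`, and it belongs in both this hunk and the DFGSpeculativeJIT64.cpp hunk, which emit the same two-instruction sequence. The commit description says an existing test stopped hanging but the patch adds no test of its own, so a small regression test that reads `.length` of a byte array from DFG-compiled code would pin the fix. If this length is later used as a bound for byte-array element accesses, a wrong value there is a worse outcome than a hang, although that use is not visible in these hunks. The enclosing SpeculativeJIT::compile begins and ends outside the hunk in both files.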