Commit 7539f5a7 authored by fpizlo@apple.com

ValueToInt32 bool case does bad things to registers

https://bugs.webkit.org/show_bug.cgi?id=97505
<rdar://problem/12356331>

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore: 

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):

LayoutTests: 

* fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
* fast/js/dfg-bool-to-int32-reuse.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@129435 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 9cc5df7d
2012-09-24 Filip Pizlo <fpizlo@apple.com>
ValueToInt32 bool case does bad things to registers
https://bugs.webkit.org/show_bug.cgi?id=97505
<rdar://problem/12356331>
Reviewed by Mark Hahnenberg.
* fast/js/dfg-bool-to-int32-reuse-expected.txt: Added.
* fast/js/dfg-bool-to-int32-reuse.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-bool-to-int32-reuse.js: Added.
(foo):
2012-09-24 Filip Pizlo <fpizlo@apple.com>
 
JSArray::putByIndex asserts with readonly property on prototype
Tests that using a value predicted boolean after it is converted to an int32 doesn't crash the compiler while causing bad code gen.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS foo(true) is [2, true]
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<script src="script-tests/dfg-bool-to-int32-reuse.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
......@@ -80,6 +80,7 @@ fast/js/dfg-arguments-osr-exit
fast/js/dfg-arguments-out-of-bounds
fast/js/dfg-arguments-unexpected-escape
fast/js/dfg-array-length-dead
fast/js/dfg-bool-to-int32-reuse
fast/js/dfg-branch-not-fail
fast/js/dfg-check-two-structures
fast/js/dfg-constant-fold-first-local-read-after-block-merge
......
description(
"Tests that using a value predicted boolean after it is converted to an int32 doesn't crash the compiler while causing bad code gen."
);
function foo(x) {
return [x << 1, x];
}
for (var i = 0; i < 100; ++i)
shouldBe("foo(true)", "[2, true]");
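Review bot: The loop around `shouldBe("foo(true)", "[2, true]");` only ever passes `true`, so the `false` input to the boolean-to-int32 conversion is never checked. Consider also asserting that `foo(false)` is `[0, false]`, so both boolean values are covered once the function is compiled by the DFG. The description string's "doesn't crash the compiler while causing bad code gen" also reads as if bad code gen were the expected outcome; "or cause bad code gen" would be clearer.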
2012-09-24 Filip Pizlo <fpizlo@apple.com>
ValueToInt32 bool case does bad things to registers
https://bugs.webkit.org/show_bug.cgi?id=97505
<rdar://problem/12356331>
Reviewed by Mark Hahnenberg.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
2012-09-24 Mark Lam <mark.lam@apple.com>
 
Add cloopDo instruction for debugging the llint C++ backend.
......
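Review bot: The entry for `(JSC::DFG::SpeculativeJIT::compileValueToInt32):` has no description, so the ChangeLog records which function changed but not what was wrong. One sentence saying that the boolean case now masks a separate result register instead of the operand's register would let a reader understand the fix without opening the diff.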
......@@ -1907,9 +1907,10 @@ void SpeculativeJIT::compileValueToInt32(Node& node)
SpeculateBooleanOperand op1(this, node.child1());
GPRTemporary result(this, op1);
m_jit.and32(JITCompiler::TrustedImm32(1), op1.gpr());
m_jit.move(op1.gpr(), result.gpr());
m_jit.and32(JITCompiler::TrustedImm32(1), result.gpr());
integerResult(op1.gpr(), m_compileIndex);
integerResult(result.gpr(), m_compileIndex);
return;
}
......
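Review bot: On the boolean path, `GPRTemporary result(this, op1);` is followed by a copy and a mask on result.gpr(), and nothing in the code says why op1.gpr() has to be left untouched. Add a short comment there noting that the boolean operand can still be used after this node (the new test's `return [x << 1, x];` is such a case), so that a later cleanup does not fold the `move` plus `and32` back into an in-place `and32` on op1.gpr().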