DFG Speculative JIT does not always insert speculation checks when speculating
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index b2f0455..4aee49d 100644 (file)
@@ -1,3 +1,97 @@
+2011-07-11  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG Speculative JIT does not always insert speculation checks when speculating
+        arrays.
+        https://bugs.webkit.org/show_bug.cgi?id=64254
+
+        Reviewed by Gavin Barraclough.
+        
+        Changed the SetLocal instruction to always validate that the value being stored
+        into the local variable is an array, if that variable was marked PredictArray.
+        This is necessary since uses of arrays assume that if a PredictArray value is
+        in a local variable then the speculation check validating that the value is an
+        array was already performed.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Fix the condition of the optimized code in doubleTransfer
+        https://bugs.webkit.org/show_bug.cgi?id=64261
+
+        Reviewed by Zoltan Herczeg.
+
+        The condition of the optimized code in doubleTransfer is wrong. The
+        data transfer should be executed with four bytes aligned address.
+        VFP cannot perform unaligned memory access.
+
+        Reported by Jacob Bramley.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::doubleTransfer):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Signed arithmetic bug in dataTransfer32.
+        https://bugs.webkit.org/show_bug.cgi?id=64257
+
+        Reviewed by Zoltan Herczeg.
+
+        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
+        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
+        a load instruction is emitted with a wrong zero offset.
+
+        Inspired by Jacob Bramley's patch from JaegerMonkey.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::dataTransfer32):
+
+2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>
+
+        Fix unaligned userspace access for SH4 platforms. 
+        https://bugs.webkit.org/show_bug.cgi?id=62993
+
+        * wtf/Platform.h:
+
+2011-07-09  Chao-ying Fu  <fu@mips.com>
+
+        Fix MIPS build due to readInt32 and readPointer
+        https://bugs.webkit.org/show_bug.cgi?id=63962
+
+        * assembler/MIPSAssembler.h:
+        (JSC::MIPSAssembler::readInt32):
+        (JSC::MIPSAssembler::readPointer):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::rshift32):
+
+2011-07-08  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64181
+        REGRESSION (r90602): Gmail doesn't load
+
+        Rolling out r90601, r90602.
+
+        * dfg/DFGAliasTracker.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addVarArgChild):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::dfgLinkCall):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/JSObject.h:
+        (JSC::JSObject::isUsingInlineStorage):
+
 2011-07-08  Kalev Lember  <kalev@smartlink.ee>
 
         Reviewed by Adam Roben.
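Review bot: Three of the new ChangeLog entries omit the "Reviewed by" line that the surrounding entries carry: the SH4 unaligned-access fix (bug 62993), the MIPS readInt32/readPointer build fix (bug 63962) and the r90601/r90602 rollout (bug 64181). WebKit ChangeLog entries record the reviewer (or "Unreviewed" / "Rubber-stamped by") so that a later reader can tell who signed off on a change, which matters most for the rollout entry and for the SH4 entry, since that one touches wtf/Platform.h and affects every target built with that configuration; please add the missing attribution in the same form as the other entries ("        Reviewed by <name>." or "        Unreviewed build fix."). Two of the added lines also carry trailing whitespace: the blank line after "Reviewed by Gavin Barraclough." in the first entry and "Fix unaligned userspace access for SH4 platforms. " in the SH4 entry; both should be trimmed before landing, since the style checker flags them.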