DFG Speculative JIT does not always insert speculation checks when speculating
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
index f7f21d6..4aee49d 100644 (file)
@@ -1,3 +1,143 @@
+2011-07-11  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG Speculative JIT does not always insert speculation checks when speculating
+        arrays.
+        https://bugs.webkit.org/show_bug.cgi?id=64254
+
+        Reviewed by Gavin Barraclough.
+        
+        Changed the SetLocal instruction to always validate that the value being stored
+        into the local variable is an array, if that variable was marked PredictArray.
+        This is necessary since uses of arrays assume that if a PredictArray value is
+        in a local variable then the speculation check validating that the value is an
+        array was already performed.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Fix the condition of the optimized code in doubleTransfer
+        https://bugs.webkit.org/show_bug.cgi?id=64261
+
+        Reviewed by Zoltan Herczeg.
+
+        The condition of the optimized code in doubleTransfer is wrong. The
+        data transfer should be executed with four bytes aligned address.
+        VFP cannot perform unaligned memory access.
+
+        Reported by Jacob Bramley.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::doubleTransfer):
+
+2011-07-11  Gabor Loki  <loki@webkit.org>
+
+        Signed arithmetic bug in dataTransfer32.
+        https://bugs.webkit.org/show_bug.cgi?id=64257
+
+        Reviewed by Zoltan Herczeg.
+
+        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
+        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
+        a load instruction is emitted with a wrong zero offset.
+
+        Inspired by Jacob Bramley's patch from JaegerMonkey.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::dataTransfer32):
+
+2011-07-09  Thouraya Andolsi  <thouraya.andolsi@st.com>
+
+        Fix unaligned userspace access for SH4 platforms. 
+        https://bugs.webkit.org/show_bug.cgi?id=62993
+
+        * wtf/Platform.h:
+
+2011-07-09  Chao-ying Fu  <fu@mips.com>
+
+        Fix MIPS build due to readInt32 and readPointer
+        https://bugs.webkit.org/show_bug.cgi?id=63962
+
+        * assembler/MIPSAssembler.h:
+        (JSC::MIPSAssembler::readInt32):
+        (JSC::MIPSAssembler::readPointer):
+        * assembler/MacroAssemblerMIPS.h:
+        (JSC::MacroAssemblerMIPS::rshift32):
+
+2011-07-08  Gavin Barraclough  <barraclough@apple.com>
+
+        https://bugs.webkit.org/show_bug.cgi?id=64181
+        REGRESSION (r90602): Gmail doesn't load
+
+        Rolling out r90601, r90602.
+
+        * dfg/DFGAliasTracker.h:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addVarArgChild):
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::emitCall):
+        * dfg/DFGNode.h:
+        * dfg/DFGNonSpeculativeJIT.cpp:
+        (JSC::DFG::NonSpeculativeJIT::compile):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGRepatch.cpp:
+        (JSC::DFG::tryCacheGetByID):
+        (JSC::DFG::dfgLinkCall):
+        * dfg/DFGRepatch.h:
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * runtime/JSObject.h:
+        (JSC::JSObject::isUsingInlineStorage):
+
+2011-07-08  Kalev Lember  <kalev@smartlink.ee>
+
+        Reviewed by Adam Roben.
+
+        Add missing _WIN32_WINNT and WINVER definitions
+        https://bugs.webkit.org/show_bug.cgi?id=59702
+
+        Moved _WIN32_WINNT and WINVER definitions to config.h so that they are
+        available for all source files.
+
+        In particular, wtf/FastMalloc.cpp uses CreateTimerQueueTimer and
+        DeleteTimerQueueTimer which are both guarded by
+        #if (_WIN32_WINNT >= 0x0500)
+        in MinGW headers.
+
+        * config.h:
+        * wtf/Assertions.cpp:
+
+2011-07-08  Chang Shu  <cshu@webkit.org>
+
+        Rename "makeSecure" to "fill" and remove the support for displaying last character
+        to avoid layering violatation.
+        https://bugs.webkit.org/show_bug.cgi?id=59114
+
+        Reviewed by Alexey Proskuryakov.
+
+        * JavaScriptCore.exp:
+        * JavaScriptCore.order:
+        * wtf/text/StringImpl.cpp:
+        (WTF::StringImpl::fill):
+        * wtf/text/StringImpl.h:
+        * wtf/text/WTFString.h:
+        (WTF::String::fill):
+
+2011-07-08  Benjamin Poulain  <benjamin@webkit.org>
+
+        [WK2] Do not forward touch events to the web process when it does not need them
+        https://bugs.webkit.org/show_bug.cgi?id=64164
+
+        Reviewed by Kenneth Rohde Christiansen.
+
+        Add a convenience function to obtain a reference to the last element of a Deque.
+
+        * wtf/Deque.h:
+        (WTF::Deque::last):
+
 2011-07-07  Filip Pizlo  <fpizlo@apple.com>
 
         DFG JIT does not implement op_construct.