DFG Speculative JIT does not always insert speculation checks when speculating
[WebKit-https.git] / Source / JavaScriptCore / dfg / DFGSpeculativeJIT.cpp
index f97a7b7..47def27 100644 (file)
@@ -491,7 +491,9 @@ void SpeculativeJIT::compile(Node& node)
         }
         case PredictArray: {
             SpeculateCellOperand cell(this, node.child1());
-            m_jit.storePtr(cell.gpr(), JITCompiler::addressFor(node.local()));
+            GPRReg cellGPR = cell.gpr();
+            speculationCheck(m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(cellGPR), MacroAssembler::TrustedImmPtr(m_jit.globalData()->jsArrayVPtr)));
+            m_jit.storePtr(cellGPR, JITCompiler::addressFor(node.local()));
             noResult(m_compileIndex);
             break;
         }
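Review bot: The new vptr check in the `PredictArray` case has no comment saying what depends on it. Presumably later accesses to this local trust the Array prediction, so a non-array cell stored here without the check would be treated as a JSArray. I would add above the `speculationCheck` line `// Uses of a local predicted Array assume a JSArray; fail speculation here if the cell's vptr differs.` The comparison against `jsArrayVPtr` is exact, so any other cell fails speculation, which is the conservative direction. The line would also read more easily if the `branchPtr` result were held in a named local before being passed to `speculationCheck`. The enclosing switch in `SpeculativeJIT::compile` starts and ends outside the hunk.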
@@ -1019,6 +1021,18 @@ void SpeculativeJIT::compile(Node& node)
         jsValueResult(resultGPR, m_compileIndex);
         break;
     }
+        
+    case GetMethod: {
+        SpeculateCellOperand base(this, node.child1());
+        GPRTemporary result(this, base);
+
+        GPRReg resultGPR = result.gpr();
+
+        cachedGetMethod(base.gpr(), resultGPR, node.identifierNumber());
+
+        jsValueResult(resultGPR, m_compileIndex);
+        break;
+    }
 
     case PutById: {
         SpeculateCellOperand base(this, node.child1());
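Review bot: In the new `GetMethod` case, `GPRTemporary result(this, base)` appears to let the result share a register with `base`, so `cachedGetMethod` may receive the same register as both base and result. Whether its fast and slow paths tolerate that is not visible in this hunk. If the aliasing is intended, a comment such as `// result may alias base; cachedGetMethod must consume base before writing result` would make the contract explicit. The case relies on `SpeculateCellOperand` alone for its speculation check, which is worth a one-line comment given what this commit fixes. The added whitespace-only line before `case GetMethod:` should be an empty line.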
@@ -1133,9 +1147,7 @@ void SpeculativeJIT::compile(Node& node)
         break;
         
     case Call:
-        JSValueOperand callee(this, m_jit.graph().m_varArgChildren[node.firstChild()]);
-        GPRReg calleeGPR = callee.gpr();
-        emitCall(node, calleeGPR);
+        emitCall(node);
         break;
     }