ParseInt intrinsic in DFG backend doesn't properly flush its operands
author    sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Sat, 15 Apr 2017 02:13:11 +0000 (02:13 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Sat, 15 Apr 2017 02:13:11 +0000 (02:13 +0000)
commit    460e69a2e2a15b1ca31c124ac81c4f480e62691e
tree      5b2bc4cbaa58f9b156469186fbf0e2b0f9976fa9
parent    b79b22a5ac4fd35d0c93956bdb167b9650c945fb
ParseInt intrinsic in DFG backend doesn't properly flush its operands
https://bugs.webkit.org/show_bug.cgi?id=170865

Reviewed by Mark Lam and Geoffrey Garen.

JSTests:

* stress/parse-int-intrinsic-dfg-backend-flush.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

The DFG backend code needed to first call .gpr()/.jsValueRegs()
before calling flushRegisters(), or the input JSValueOperand would
not be flushed.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileParseInt):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@215387 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/parse-int-intrinsic-dfg-backend-flush.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
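An added regression-style stress test in the shape the ChangeLog lists (an assertion helper, here named `check`, and a `foo` that calls parseInt); it is constructed for this page and is not the test file from the commit. It feeds parseInt operands that take the generic (non-string, object-with-toString) path and reuses the input after the call, so an unflushed operand register clobbered by the slow-path call would surface as a wrong value once the loop is hot enough to be JIT-compiled.

```javascript
// Constructed stress test: not the JSTests file added by this commit.
function check(cond, msg) {
    if (!cond)
        throw new Error("Bad assertion: " + msg);
}

// Call parseInt and then use the same input again, so the input operand
// has to survive the call (this is where an unflushed register would
// hand back garbage).
function foo(value, radix) {
    const parsed = parseInt(value, radix);
    const again = String(value);
    return [parsed, again];
}

// Mixed operand kinds: plain strings, a number (stringified before
// parsing, so 255 in base 16 reads as 0x255 = 597), and an object whose
// toString() runs on the generic path. Expected values per the spec.
const inputs = [
    ["42", 10, 42],
    ["ff", 16, 255],
    [255, 16, 597],
    [{ toString() { return "1010"; } }, 2, 10],
    ["  -17xyz", 10, -17],
    ["0x1f", 16, 31],
    ["abc", 10, NaN],
];

// Run the inputs many times so a tiering JIT compiles foo; return the
// number of successful checks.
function runStress(iterations) {
    let checks = 0;
    for (let i = 0; i < iterations; ++i) {
        for (const [value, radix, expected] of inputs) {
            const [parsed, again] = foo(value, radix);
            check(Object.is(parsed, expected),
                  `parseInt(${again}, ${radix}) gave ${parsed}`);
            check(again === String(value), "input operand was clobbered");
            checks++;
        }
    }
    return checks;
}

runStress(10000);
```

Under a JavaScriptCore build without the fix the loop is where the wrong value would show up; on an unaffected engine every check simply passes.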