Bug 58600 - DFG JIT bugs in ValueToInt, PutByVal
author: barraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Apr 2011 00:25:59 +0000 (00:25 +0000)
committer: barraclough@apple.com <barraclough@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Apr 2011 00:25:59 +0000 (00:25 +0000)
commit: 6f772b6a83ef27343598348a48aaac05eb6deecb
tree: 5f0c7a7be5ac9859ced6ffbe439529f46b4ebbd3
parent: 0d77f1eb5336a541c098355c627ae33cd1b30e0e
Bug 58600 - DFG JIT bugs in ValueToInt, PutByVal

Reviewed by Geoffrey Garen.

The bug in PutByVal is that an operand is in JSValueOperand - when this
locks an integer into a register it will always retag the value without
checking if the register is already locked. This is a problem where the
value being stored by a PutByVal is the same as the subscript.
The subscript is locked into a register first, as a strict integer.
Locking the value results in the subscript being modified.

The bug in ValueToInt related to the function of silentFillAllRegisters.
The problem is that this method will restore all register values from
prior to the call, overwriting the result of the call out. Allow a
register to be passed to specifically be excluded from being preserved.

Source/JavaScriptCore:

* assembler/ARMAssembler.h:
(JSC::ARMAssembler::debugOffset):
* assembler/ARMv7Assembler.h:
(JSC::ARMv7Assembler::ARMInstructionFormatter::debugOffset):
* assembler/AbstractMacroAssembler.h:
(JSC::AbstractMacroAssembler::debugOffset):
* assembler/AssemblerBuffer.h:
(JSC::AssemblerBuffer::debugOffset):
* assembler/LinkBuffer.h:
(JSC::LinkBuffer::debugAddress):
* assembler/MIPSAssembler.h:
(JSC::MIPSAssembler::debugOffset):
* assembler/MacroAssemblerX86_64.h:
(JSC::MacroAssemblerX86_64::orPtr):
* assembler/X86Assembler.h:
(JSC::X86Assembler::debugOffset):
(JSC::X86Assembler::X86InstructionFormatter::debugOffset):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parse):
* dfg/DFGGenerationInfo.h:
* dfg/DFGJITCodeGenerator.cpp:
(JSC::DFG::JITCodeGenerator::fillJSValue):
* dfg/DFGJITCodeGenerator.h:
(JSC::DFG::JITCodeGenerator::isConstant):
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compileFunction):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::isConstant):
* dfg/DFGNonSpeculativeJIT.cpp:
(JSC::DFG::NonSpeculativeJIT::valueToNumber):
(JSC::DFG::NonSpeculativeJIT::valueToInt32):
(JSC::DFG::NonSpeculativeJIT::numberToInt32):
(JSC::DFG::NonSpeculativeJIT::isKnownInteger):
(JSC::DFG::NonSpeculativeJIT::isKnownNumeric):
(JSC::DFG::NonSpeculativeJIT::compile):
* dfg/DFGNonSpeculativeJIT.h:
(JSC::DFG::NonSpeculativeJIT::silentSpillGPR):
(JSC::DFG::NonSpeculativeJIT::silentSpillFPR):
(JSC::DFG::NonSpeculativeJIT::silentFillGPR):
(JSC::DFG::NonSpeculativeJIT::silentFillFPR):
(JSC::DFG::NonSpeculativeJIT::silentSpillAllRegisters):
(JSC::DFG::NonSpeculativeJIT::silentFillAllRegisters):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

* fast/js/array-index-immediate-types-expected.txt:
* fast/js/script-tests/array-index-immediate-types.js:
(putSelf):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@83916 268f45cc-cd09-0410-ab3c-d52691b4dbfc
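The commit message names two miscompilation patterns: a PutByVal whose stored value is the same integer as its subscript (the putSelf layout test), and a ValueToInt whose out-of-line call result is clobbered when registers are refilled. The following is an added regression-style check for both, not the commit's own layout test; it assumes that `v | 0` on a non-int32 value is what reaches the DFG's ValueToInt path, and that repeating the calls is enough to get the functions JIT-compiled.

```javascript
// Added example (not the commit's own layout test): regression-style checks
// for the two cases described in the commit message.

// Case 1 (PutByVal): the value being stored is the same integer as the
// subscript, the pattern behind the putSelf() layout test named above.
// If the subscript register were retagged while locking the value, the
// store would go to the wrong index or store a tagged value.
function putSelf(arr, i) {
  arr[i] = i;
  return arr[i];
}

// Case 2 (ValueToInt): a value that is not already an int32 is coerced with
// `| 0`. Assumption: in the DFG this is the ValueToInt slow path, whose
// out-of-line call result must survive silentFillAllRegisters().
function toInt32(v) {
  return v | 0;
}

// Run each function many times so a tiering JIT compiles it, then verify
// that the results are still what the bytecode interpreter would produce.
function checkPutSelf(iterations) {
  var arr = [];
  for (var i = 0; i < iterations; ++i) {
    if (putSelf(arr, i) !== i) return false;
    if (arr[i] !== i) return false;
  }
  // The array must be a faithful identity map, index -> index.
  for (var j = 0; j < iterations; ++j) {
    if (arr[j] !== j) return false;
  }
  return true;
}

function checkToInt32(iterations) {
  // Constructed inputs covering double, string, object-with-valueOf,
  // int32 overflow and NaN, with the ToInt32 results the spec requires.
  var inputs = [3.7, -1.5, "42", { valueOf: function () { return 7; } }, 2147483648, NaN];
  var expected = [3, -1, 42, 7, -2147483648, 0];
  for (var n = 0; n < iterations; ++n) {
    for (var k = 0; k < inputs.length; ++k) {
      if (toInt32(inputs[k]) !== expected[k]) return false;
    }
  }
  return true;
}
```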
21 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/array-index-immediate-types-expected.txt
LayoutTests/fast/js/script-tests/array-index-immediate-types.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/ARMAssembler.h
Source/JavaScriptCore/assembler/ARMv7Assembler.h
Source/JavaScriptCore/assembler/AbstractMacroAssembler.h
Source/JavaScriptCore/assembler/AssemblerBuffer.h
Source/JavaScriptCore/assembler/LinkBuffer.h
Source/JavaScriptCore/assembler/MIPSAssembler.h
Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h
Source/JavaScriptCore/assembler/X86Assembler.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGGenerationInfo.h
Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp
Source/JavaScriptCore/dfg/DFGJITCodeGenerator.h
Source/JavaScriptCore/dfg/DFGJITCompiler.cpp
Source/JavaScriptCore/dfg/DFGJITCompiler.h
Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp