OverridesHasInstance should not branch across register allocations.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Aug 2016 03:38:54 +0000 (03:38 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 12 Aug 2016 03:38:54 +0000 (03:38 +0000)
commit 9212106d9ce1c5c44552a93b8013ebb8571b1e03
tree af48dc62d309cc82cec1f489d58e45e81d3dc4af
parent 6ede96a01c479ee020f107ed33cb8d95b0fd353d
OverridesHasInstance should not branch across register allocations.
https://bugs.webkit.org/show_bug.cgi?id=160792
<rdar://problem/27361778>

Reviewed by Benjamin Poulain.

JSTests:

* stress/OverrideHasInstance-should-not-branch-across-register-allocations.js: Added.

Source/JavaScriptCore:

The OverrideHasInstance node has a branch test that is emitted conditionally.
It also has a bug where it allocated a register after this branch, which is not
allowed and would fail an assertion introduced in https://trac.webkit.org/r145931.
From the ChangeLog for r145931:

"This [assertion that register allocations are not branched around] protects
against the case where an allocation could have spilled register contents to free
up a register and that spill only occurs on one path of many through the code.
A subsequent fill of the spilled register may load garbage."

Because the branch isn't always emitted, this bug has gone unnoticed until now.
This patch fixes this issue by pre-allocating the registers before emitting the
branch in OverrideHasInstance.

Note: this issue is only present in DFGSpeculativeJIT64.cpp.  The 32-bit version
is doing it right.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204403 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/OverrideHasInstance-should-not-branch-across-register-allocations.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
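The commit message describes the DFG's OverridesHasInstance node as a conditional branch around register allocation; the JavaScript below is an added regression-style check, not the commit's own test file, that drives one `instanceof` site through both paths that node selects between (a plain constructor and one overriding Symbol.hasInstance) so a tier that mishandled the spilled register would show up as a wrong result. The loop count is an assumed warm-up value, not taken from the commit.

```javascript
// Added example (not part of the WebKit commit). Exercises one `instanceof`
// site with both a default constructor and one that overrides
// Symbol.hasInstance, which is the case OverridesHasInstance exists to handle.

class Plain {}

class Custom {
  // Overriding Symbol.hasInstance is what makes the engine take the
  // "overrides hasInstance" path instead of the default prototype walk.
  static [Symbol.hasInstance](value) {
    return value !== null && typeof value === "object" && value.tag === "custom";
  }
}

// A single polymorphic instanceof site: the constructor may or may not
// override hasInstance, so the JIT must decide at runtime.
function check(value, ctor) {
  return value instanceof ctor;
}

// Hammer the site so it reaches the optimizing tier, alternating constructors
// so both branches are taken after warm-up. Returns the number of true results.
function stress(iterations) {
  const plain = new Plain();
  const tagged = { tag: "custom" };   // constructed sample input
  const untagged = {};                // constructed sample input
  let hits = 0;
  for (let i = 0; i < iterations; i++) {
    if (check(plain, Plain)) hits++;     // true: default prototype walk
    if (check(tagged, Custom)) hits++;   // true: custom predicate accepts it
    if (check(untagged, Custom)) hits++; // false: predicate rejects it
    if (check(plain, Custom)) hits++;    // false: no tag property
  }
  return hits;
}

// Each iteration must contribute exactly two true results; any other count
// means an instanceof result was corrupted somewhere in the loop.
function runRegression(iterations = 100000) {   // assumed warm-up count
  const hits = stress(iterations);
  return { ok: hits === 2 * iterations, hits };
}
```

A failure here only tells you that some `instanceof` result was wrong, not which tier produced it; narrowing to the DFG needs the engine's own tier-control options.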