DFG Speculative JIT does not always insert speculation checks when speculating
authorcommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Jul 2011 18:39:14 +0000 (18:39 +0000)
committercommit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 11 Jul 2011 18:39:14 +0000 (18:39 +0000)
commitcba4f16ddbdcff28689f4afca5d41f4636e2d471
tree558c7d43673d3bad5de7efafe5f35e6c36d27bd9
parentffba64f2de426864854f16ebb4f19b4f8f054400
DFG Speculative JIT does not always insert speculation checks when speculating
arrays.
https://bugs.webkit.org/show_bug.cgi?id=64254

Patch by Filip Pizlo <fpizlo@apple.com> on 2011-07-11
Reviewed by Gavin Barraclough.

Changed the SetLocal instruction to always validate that the value being stored
into the local variable is an array, if that variable was marked PredictArray.
This is necessary since uses of arrays assume that if a PredictArray value is
in a local variable then the speculation check validating that the value is an
array was already performed.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compile):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@90768 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp