Unreviewed, rolling out r217156.
authorryanhaddad@apple.com <ryanhaddad@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 19 May 2017 23:25:09 +0000 (23:25 +0000)
committerryanhaddad@apple.com <ryanhaddad@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 19 May 2017 23:25:09 +0000 (23:25 +0000)
This change broke the iOS build.

Reverted changeset:

"DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
result registers."
https://bugs.webkit.org/show_bug.cgi?id=172383
http://trac.webkit.org/changeset/217156

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217169 268f45cc-cd09-0410-ab3c-d52691b4dbfc

13 files changed:
JSTests/ChangeLog
JSTests/stress/regress-172383.js [deleted file]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssembler.h
Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGCallArrayAllocatorSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSaneStringGetByValSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSlowPathGenerator.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

index a3f733e..2e8c5e5 100644 (file)
@@ -1,3 +1,16 @@
+2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r217156.
+
+        This change broke the iOS build.
+
+        Reverted changeset:
+
+        "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
+        result registers."
+        https://bugs.webkit.org/show_bug.cgi?id=172383
+        http://trac.webkit.org/changeset/217156
+
 2017-05-19  Mark Lam  <mark.lam@apple.com>
 
         Add missing exception check.
diff --git a/JSTests/stress/regress-172383.js b/JSTests/stress/regress-172383.js
deleted file mode 100644 (file)
index fc3c032..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-// This test should not crash.
-
-let x = undefined;
-
-function foo(w, a0, a1) {
-    var r0 = x % a0; 
-    var r1 = w ^ a1; 
-
-    var r4 = 3 % 7; 
-
-    var r6 = w ^ 0;
-    var r7 = r4 / r4; 
-    var r9 = x - r7; 
-    a1 = 0 + r0;
-
-    var r11 = 0 & a0; 
-    var r12 = r4 * a1; 
-    var r7 = r11 & a0; 
-
-    var r15 = r11 | r4; 
-    var r16 = 0 & r1; 
-    var r20 = 5 * a0; 
-
-    var r2 = 0 + r9;
-    var r26 = r11 | r15; 
-    var r29 = r16 + 0;
-    var r29 = r28 * r1; 
-    var r34 = w / r12; 
-
-    var r28 = 0 / r7;
-    var r64 = r20 + 0;
-    var r65 = 0 + r6;
-
-    return a1;
-}
-noInline(foo);
-
-for (var i = 0; i < 1886; i++)
-    foo("q");
-
index e4af12a..e07f357 100644 (file)
@@ -1,3 +1,16 @@
+2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
+
+        Unreviewed, rolling out r217156.
+
+        This change broke the iOS build.
+
+        Reverted changeset:
+
+        "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
+        result registers."
+        https://bugs.webkit.org/show_bug.cgi?id=172383
+        http://trac.webkit.org/changeset/217156
+
 2017-05-19  Mark Lam  <mark.lam@apple.com>
 
         Add missing exception check.
index 927a5d4..7558fe3 100644 (file)
@@ -1328,20 +1328,6 @@ public:
             move(imm.asTrustedImm64(), dest);
     }
 
-#if CPU(X86_64)
-    void moveDouble(Imm64 imm, FPRegisterID dest)
-    {
-        move(imm, scratchRegister());
-        move64ToDouble(scratchRegister(), dest);
-    }
-#elif CPU(ARM64)
-    void moveDouble(Imm64 imm, FPRegisterID dest)
-    {
-        move(imm, dataMemoryTempRegister());
-        move64ToDouble(dataMemoryTempRegister(), dest);
-    }
-#endif
-
     void and64(Imm32 imm, RegisterID dest)
     {
         if (shouldBlind(imm)) {
index 2c4a92e..ba4d5fe 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -111,7 +111,7 @@ protected:
             break;
         }
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], GPRInfo::regT0);
         jit->m_jit.exceptionCheck();
         
         if (m_op == ArrayifyToStructure) {
index cd1144a..59c4092 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -57,8 +57,9 @@ protected:
         for (unsigned i = 0; i < m_plans.size(); ++i)
             jit->silentSpill(m_plans[i]);
         jit->callOperation(m_function, m_resultGPR, m_structure, m_size, m_storageGPR);
+        GPRReg canTrample = SpeculativeJIT::pickCanTrample(m_resultGPR);
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], canTrample);
         jit->m_jit.exceptionCheck();
         jit->m_jit.loadPtr(MacroAssembler::Address(m_resultGPR, JSObject::butterflyOffset()), m_storageGPR);
         jumpTo(jit);
@@ -106,8 +107,9 @@ protected:
         } else
             jit->m_jit.move(SpeculativeJIT::TrustedImmPtr(m_contiguousStructure), scratchGPR);
         jit->callOperation(m_function, m_resultGPR, scratchGPR, m_sizeGPR, m_storageGPR);
+        GPRReg canTrample = SpeculativeJIT::pickCanTrample(m_resultGPR);
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], canTrample);
         jit->m_jit.exceptionCheck();
         jumpTo(jit);
     }
@@ -126,15 +128,16 @@ class CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator : pub
 public:
     CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator(
         MacroAssembler::JumpList from, SpeculativeJIT* jit, P_JITOperation_EStZB function,
-        GPRReg resultGPR, GPRReg structureGPR, GPRReg sizeGPR, GPRReg storageGPR)
+        GPRReg resultGPR, GPRReg structureGPR, GPRReg sizeGPR, GPRReg storageGPR, GPRReg scratchGPR)
         : JumpingSlowPathGenerator<MacroAssembler::JumpList>(from, jit)
         , m_function(function)
         , m_resultGPR(resultGPR)
         , m_structureGPR(structureGPR)
         , m_sizeGPR(sizeGPR)
         , m_storageGPR(storageGPR)
+        , m_scratchGPR(scratchGPR)
     {
-        jit->silentSpillAllRegistersImpl(false, m_plans, resultGPR);
+        jit->silentSpillAllRegistersImpl(false, m_plans, resultGPR, m_scratchGPR);
     }
 
 protected:
@@ -145,7 +148,7 @@ protected:
             jit->silentSpill(m_plans[i]);
         jit->callOperation(m_function, m_resultGPR, m_structureGPR, m_sizeGPR, m_storageGPR);
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], m_scratchGPR);
         jit->m_jit.exceptionCheck();
         jumpTo(jit);
     }
@@ -156,6 +159,7 @@ private:
     GPRReg m_structureGPR;
     GPRReg m_sizeGPR;
     GPRReg m_storageGPR;
+    GPRReg m_scratchGPR;
     Vector<SilentRegisterSavePlan, 2> m_plans;
 };
 
index 3f041fd..feed81f 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -58,8 +58,9 @@ protected:
             jit->silentSpill(m_plans[i]);
         jit->callOperation(
             operationCreateDirectArguments, m_resultGPR, m_structure, m_lengthGPR, m_minCapacity);
+        GPRReg canTrample = SpeculativeJIT::pickCanTrample(m_resultGPR);
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], canTrample);
         jit->m_jit.exceptionCheck();
         jit->m_jit.loadPtr(
             MacroAssembler::Address(m_resultGPR, DirectArguments::offsetOfLength()), m_lengthGPR);
index e4dd753..1386b7c 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -72,8 +72,9 @@ protected:
         for (unsigned i = 0; i < m_plans.size(); ++i)
             jit->silentSpill(m_plans[i]);
         jit->callOperation(operationGetByValStringInt, extractResult(m_resultRegs), m_baseReg, m_propertyReg);
+        GPRReg canTrample = SpeculativeJIT::pickCanTrample(extractResult(m_resultRegs));
         for (unsigned i = m_plans.size(); i--;)
-            jit->silentFill(m_plans[i]);
+            jit->silentFill(m_plans[i], canTrample);
         jit->m_jit.exceptionCheck();
         
         jumpTo(jit);
index 78293bf..67aba80 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -141,8 +141,9 @@ protected:
     void tearDown(SpeculativeJIT* jit)
     {
         if (m_spillMode == NeedToSpill) {
+            GPRReg canTrample = SpeculativeJIT::pickCanTrample(extractResult(m_result));
             for (unsigned i = m_plans.size(); i--;)
-                jit->silentFill(m_plans[i]);
+                jit->silentFill(m_plans[i], canTrample);
         }
         if (m_exceptionCheckRequirement == ExceptionCheckRequirement::CheckNeeded)
             jit->m_jit.exceptionCheck();
index 20d0271..696536c 100644 (file)
@@ -625,8 +625,11 @@ void SpeculativeJIT::silentSpill(const SilentRegisterSavePlan& plan)
     }
 }
     
-void SpeculativeJIT::silentFill(const SilentRegisterSavePlan& plan)
+void SpeculativeJIT::silentFill(const SilentRegisterSavePlan& plan, GPRReg canTrample)
 {
+#if USE(JSVALUE32_64)
+    UNUSED_PARAM(canTrample);
+#endif
     switch (plan.fillAction()) {
     case DoNothingForFill:
         break;
@@ -656,7 +659,8 @@ void SpeculativeJIT::silentFill(const SilentRegisterSavePlan& plan)
         m_jit.move(valueOfJSConstantAsImm64(plan.node()), plan.gpr());
         break;
     case SetDoubleConstant:
-        m_jit.moveDouble(Imm64(reinterpretDoubleToInt64(plan.node()->asNumber())), plan.fpr());
+        m_jit.move(Imm64(reinterpretDoubleToInt64(plan.node()->asNumber())), canTrample);
+        m_jit.move64ToDouble(canTrample, plan.fpr());
         break;
     case Load32PayloadBoxInt:
         m_jit.load32(JITCompiler::payloadFor(plan.node()->virtualRegister()), plan.gpr());
@@ -1530,7 +1534,7 @@ void SpeculativeJIT::compileToLowerCase(Node* node)
     slowPath.link(&m_jit);
     silentSpillAllRegisters(lengthGPR);
     callOperation(operationToLowerCase, lengthGPR, stringGPR, indexGPR);
-    silentFillAllRegisters();
+    silentFillAllRegisters(lengthGPR);
     m_jit.exceptionCheck();
     auto done = m_jit.jump();
 
@@ -2265,7 +2269,7 @@ void SpeculativeJIT::compileValueToInt32(Node* node)
 
             silentSpillAllRegisters(resultGpr);
             callOperation(operationToInt32, resultGpr, fpr);
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGpr);
 
             converted.append(m_jit.jump());
 
@@ -2324,7 +2328,7 @@ void SpeculativeJIT::compileValueToInt32(Node* node)
 
                 silentSpillAllRegisters(resultGpr);
                 callOperation(operationToInt32, resultGpr, fpr);
-                silentFillAllRegisters();
+                silentFillAllRegisters(resultGpr);
 
                 converted.append(m_jit.jump());
 
@@ -3120,7 +3124,7 @@ void SpeculativeJIT::compileInstanceOfForObject(Node*, GPRReg valueReg, GPRReg p
     performDefaultHasInstance.link(&m_jit);
     silentSpillAllRegisters(scratchReg);
     callOperation(operationDefaultHasInstance, scratchReg, valueReg, prototypeReg); 
-    silentFillAllRegisters();
+    silentFillAllRegisters(scratchReg);
     m_jit.exceptionCheck();
 #if USE(JSVALUE64)
     m_jit.or32(TrustedImm32(ValueFalse), scratchReg);
@@ -3353,7 +3357,7 @@ void SpeculativeJIT::emitUntypedBitOp(Node* node)
 
     callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
 
-    silentFillAllRegisters();
+    silentFillAllRegisters(resultRegs);
     m_jit.exceptionCheck();
 
     gen.endJumpList().link(&m_jit);
@@ -3507,7 +3511,7 @@ void SpeculativeJIT::emitUntypedRightShiftBitOp(Node* node)
 
     callOperation(snippetSlowPathFunction, resultRegs, leftRegs, rightRegs);
 
-    silentFillAllRegisters();
+    silentFillAllRegisters(resultRegs);
     m_jit.exceptionCheck();
 
     gen.endJumpList().link(&m_jit);
@@ -4861,7 +4865,7 @@ void SpeculativeJIT::compileArithDiv(Node* node)
 
         callOperation(operationValueDiv, resultRegs, leftRegs, rightRegs);
 
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultRegs);
         m_jit.exceptionCheck();
 
         gen.endJumpList().link(&m_jit);
@@ -7393,7 +7397,7 @@ void SpeculativeJIT::compileArraySlice(Node* node)
             m_jit.mutatorFence(*m_jit.vm());
 
             addSlowPathGenerator(std::make_unique<CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator>(
-                slowCases, this, operationNewArrayWithSize, resultGPR, tempValue, sizeGPR, storageResultGPR));
+                slowCases, this, operationNewArrayWithSize, resultGPR, tempValue, sizeGPR, storageResultGPR, scratchGPR));
         }
     }
 
@@ -8933,7 +8937,7 @@ void SpeculativeJIT::emitSwitchImm(Node* node, SwitchData* data)
             data->fallThrough.block);
         silentSpillAllRegisters(scratch);
         callOperation(operationFindSwitchImmTargetForDouble, scratch, valueRegs.gpr(), data->switchTableIndex);
-        silentFillAllRegisters();
+        silentFillAllRegisters(scratch);
         m_jit.jump(scratch);
 #else
         JITCompiler::Jump notInt = m_jit.branch32(
@@ -8947,7 +8951,7 @@ void SpeculativeJIT::emitSwitchImm(Node* node, SwitchData* data)
             data->fallThrough.block);
         silentSpillAllRegisters(scratch);
         callOperation(operationFindSwitchImmTargetForDouble, scratch, valueRegs, data->switchTableIndex);
-        silentFillAllRegisters();
+        silentFillAllRegisters(scratch);
 
         m_jit.jump(scratch);
 #endif
@@ -9245,7 +9249,7 @@ void SpeculativeJIT::emitSwitchStringOnString(SwitchData* data, GPRReg string)
     slowCases.link(&m_jit);
     silentSpillAllRegisters(string);
     callOperation(operationSwitchString, string, data->switchTableIndex, string);
-    silentFillAllRegisters();
+    silentFillAllRegisters(string);
     m_jit.exceptionCheck();
     m_jit.jump(string);
 }
@@ -9374,7 +9378,7 @@ void SpeculativeJIT::compileStoreBarrier(Node* node)
 
     silentSpillAllRegisters(InvalidGPRReg);
     callOperation(operationWriteBarrierSlowPath, baseGPR);
-    silentFillAllRegisters();
+    silentFillAllRegisters(InvalidGPRReg);
 
     ok.link(&m_jit);
 
index 6726047..a0ec859 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2016 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -387,7 +387,7 @@ public:
     SilentRegisterSavePlan silentSavePlanForGPR(VirtualRegister spillMe, GPRReg source);
     SilentRegisterSavePlan silentSavePlanForFPR(VirtualRegister spillMe, FPRReg source);
     void silentSpill(const SilentRegisterSavePlan&);
-    void silentFill(const SilentRegisterSavePlan&);
+    void silentFill(const SilentRegisterSavePlan&, GPRReg canTrample);
 
     template<typename CollectionType>
     void silentSpill(const CollectionType& savePlans)
@@ -397,10 +397,11 @@ public:
     }
 
     template<typename CollectionType>
-    void silentFill(const CollectionType& savePlans)
+    void silentFill(const CollectionType& savePlans, GPRReg exclude = InvalidGPRReg)
     {
+        GPRReg canTrample = SpeculativeJIT::pickCanTrample(exclude);
         for (unsigned i = savePlans.size(); i--;)
-            silentFill(savePlans[i]);
+            silentFill(savePlans[i], canTrample);
     }
 
     template<typename CollectionType>
@@ -461,12 +462,53 @@ public:
         silentSpillAllRegisters(exclude.payloadGPR(), exclude.tagGPR());
 #endif
     }
+    
+    static GPRReg pickCanTrample(GPRReg exclude)
+    {
+        GPRReg result = GPRInfo::regT0;
+        if (result == exclude)
+            result = GPRInfo::regT1;
+        return result;
+    }
+    static GPRReg pickCanTrample(FPRReg)
+    {
+        return GPRInfo::regT0;
+    }
+    static GPRReg pickCanTrample(NoResultTag)
+    {
+        return GPRInfo::regT0;
+    }
 
-    void silentFillAllRegisters()
+#if USE(JSVALUE64)
+    static GPRReg pickCanTrample(JSValueRegs exclude)
     {
+        return pickCanTrample(exclude.payloadGPR());
+    }
+#else
+    static GPRReg pickCanTrample(JSValueRegs exclude)
+    {
+        GPRReg result = GPRInfo::regT0;
+        if (result == exclude.tagGPR()) {
+            result = GPRInfo::regT1;
+            if (result == exclude.payloadGPR())
+                result = GPRInfo::regT2;
+        } else if (result == exclude.payloadGPR()) {
+            result = GPRInfo::regT1;
+            if (result == exclude.tagGPR())
+                result = GPRInfo::regT2;
+        }
+        return result;
+    }
+#endif
+    
+    template<typename RegisterType>
+    void silentFillAllRegisters(RegisterType exclude)
+    {
+        GPRReg canTrample = pickCanTrample(exclude);
+        
         while (!m_plans.isEmpty()) {
             SilentRegisterSavePlan& plan = m_plans.last();
-            silentFill(plan);
+            silentFill(plan, canTrample);
             m_plans.removeLast();
         }
     }
index 9fbad0e..db88e41 100644 (file)
@@ -478,7 +478,7 @@ void SpeculativeJIT::nonSpeculativePeepholeBranch(Node* node, Node* branchNode,
             silentSpillAllRegisters(resultGPR);
             callOperation(helperFunction, resultGPR, arg1Regs, arg2Regs);
             m_jit.exceptionCheck();
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGPR);
         
             branchTest32(callResultCondition, resultGPR, taken);
         }
@@ -607,8 +607,8 @@ void SpeculativeJIT::nonSpeculativePeepholeStrictEq(Node* node, Node* branchNode
         silentSpillAllRegisters(resultPayloadGPR);
         callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1Regs, arg2Regs);
         m_jit.exceptionCheck();
-        silentFillAllRegisters();
-
+        silentFillAllRegisters(resultPayloadGPR);
+        
         branchTest32(invert ? JITCompiler::Zero : JITCompiler::NonZero, resultPayloadGPR, taken);
     } else {
         // FIXME: Add fast paths for twoCells, number etc.
@@ -616,8 +616,8 @@ void SpeculativeJIT::nonSpeculativePeepholeStrictEq(Node* node, Node* branchNode
         silentSpillAllRegisters(resultPayloadGPR);
         callOperation(operationCompareStrictEq, resultPayloadGPR, arg1Regs, arg2Regs);
         m_jit.exceptionCheck();
-        silentFillAllRegisters();
-
+        silentFillAllRegisters(resultPayloadGPR);
+        
         branchTest32(invert ? JITCompiler::Zero : JITCompiler::NonZero, resultPayloadGPR, taken);
     }
     
@@ -653,8 +653,8 @@ void SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq(Node* node, bool invert)
         silentSpillAllRegisters(resultPayloadGPR);
         callOperation(operationCompareStrictEqCell, resultPayloadGPR, arg1Regs, arg2Regs);
         m_jit.exceptionCheck();
-        silentFillAllRegisters();
-
+        silentFillAllRegisters(resultPayloadGPR);
+        
         m_jit.andPtr(JITCompiler::TrustedImm32(1), resultPayloadGPR);
         
         done.link(&m_jit);
@@ -663,7 +663,7 @@ void SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq(Node* node, bool invert)
 
         silentSpillAllRegisters(resultPayloadGPR);
         callOperation(operationCompareStrictEq, resultPayloadGPR, arg1Regs, arg2Regs);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultPayloadGPR);
         m_jit.exceptionCheck();
         
         m_jit.andPtr(JITCompiler::TrustedImm32(1), resultPayloadGPR);
@@ -1041,7 +1041,7 @@ void SpeculativeJIT::emitCall(Node* node)
             
             silentSpillAllRegisters(InvalidGPRReg);
             callOperation(operationLinkDirectCall, info, calleePayloadGPR);
-            silentFillAllRegisters();
+            silentFillAllRegisters(InvalidGPRReg);
             m_jit.exceptionCheck();
             m_jit.jump().linkTo(mainPath, &m_jit);
             
@@ -3750,7 +3750,7 @@ void SpeculativeJIT::compile(Node* node)
             notNumber.link(&m_jit);
             silentSpillAllRegisters(resultRegs);
             callOperation(operationToNumber, resultRegs, argumentRegs);
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultRegs);
             m_jit.exceptionCheck();
 
             done.link(&m_jit);
@@ -5174,7 +5174,7 @@ void SpeculativeJIT::compile(Node* node)
             keyRegs = JSValueRegs(tempGPR, keyRegs.payloadGPR());
         }
         callOperation(operationHasOwnProperty, resultGPR, objectGPR, keyRegs);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
 
         done.link(&m_jit);
index d3892db..1bd936b 100644 (file)
@@ -417,7 +417,7 @@ void SpeculativeJIT::nonSpeculativePeepholeBranch(Node* node, Node* branchNode,
     
             silentSpillAllRegisters(resultGPR);
             callOperation(helperFunction, resultGPR, arg1GPR, arg2GPR);
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGPR);
             m_jit.exceptionCheck();
         
             branchTest32(callResultCondition, resultGPR, taken);
@@ -538,7 +538,7 @@ void SpeculativeJIT::nonSpeculativePeepholeStrictEq(Node* node, Node* branchNode
         
         silentSpillAllRegisters(resultGPR);
         callOperation(operationCompareStrictEqCell, resultGPR, arg1GPR, arg2GPR);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
         
         branchTest32(invert ? JITCompiler::Zero : JITCompiler::NonZero, resultGPR, taken);
@@ -565,7 +565,7 @@ void SpeculativeJIT::nonSpeculativePeepholeStrictEq(Node* node, Node* branchNode
         
         silentSpillAllRegisters(resultGPR);
         callOperation(operationCompareStrictEq, resultGPR, arg1GPR, arg2GPR);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
         
         branchTest32(invert ? JITCompiler::Zero : JITCompiler::NonZero, resultGPR, taken);
@@ -601,7 +601,7 @@ void SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq(Node* node, bool invert)
         
         silentSpillAllRegisters(resultGPR);
         callOperation(operationCompareStrictEqCell, resultGPR, arg1GPR, arg2GPR);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
         
         m_jit.and64(JITCompiler::TrustedImm32(1), resultGPR);
@@ -996,7 +996,7 @@ void SpeculativeJIT::emitCall(Node* node)
             
             silentSpillAllRegisters(InvalidGPRReg);
             callOperation(operationLinkDirectCall, callLinkInfo, calleeGPR);
-            silentFillAllRegisters();
+            silentFillAllRegisters(InvalidGPRReg);
             m_jit.exceptionCheck();
             m_jit.jump().linkTo(mainPath, &m_jit);
             
@@ -3371,7 +3371,7 @@ void SpeculativeJIT::compile(Node* node)
             for (unsigned i = numExtraArgs; i--;)
                 m_jit.boxInt32(argGPRs[i], JSValueRegs(argGPRs[i]));
             callSlowPath();
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGPR);
             m_jit.exceptionCheck();
         }
         
@@ -3958,7 +3958,7 @@ void SpeculativeJIT::compile(Node* node)
             notNumber.link(&m_jit);
             silentSpillAllRegisters(resultGPR);
             callOperation(operationToNumber, resultGPR, argumentGPR);
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGPR);
             m_jit.exceptionCheck();
 
             done.link(&m_jit);
@@ -5070,7 +5070,7 @@ void SpeculativeJIT::compile(Node* node)
             slowPath.link(&m_jit);
             silentSpillAllRegisters(resultGPR);
             callOperation(operationMapHash, resultGPR, JSValueRegs(inputGPR));
-            silentFillAllRegisters();
+            silentFillAllRegisters(resultGPR);
             m_jit.exceptionCheck();
 
             done.link(&m_jit);
@@ -5118,7 +5118,7 @@ void SpeculativeJIT::compile(Node* node)
         slowPath.link(&m_jit);
         silentSpillAllRegisters(resultGPR);
         callOperation(operationMapHash, resultGPR, JSValueRegs(inputGPR));
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
 
         done.link(&m_jit);
@@ -5245,7 +5245,7 @@ void SpeculativeJIT::compile(Node* node)
                 callOperation(operationJSMapFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
             else
                 callOperation(operationJSSetFindBucket, resultGPR, mapGPR, keyGPR, hashGPR);
-            silentFillAllRegisters();
+            silentFillAllRegisters(indexGPR);
             m_jit.exceptionCheck();
             done.append(m_jit.jump());
         }
@@ -5562,7 +5562,7 @@ void SpeculativeJIT::compile(Node* node)
         slowPath.link(&m_jit);
         silentSpillAllRegisters(resultGPR);
         callOperation(operationHasOwnProperty, resultGPR, objectGPR, keyGPR);
-        silentFillAllRegisters();
+        silentFillAllRegisters(resultGPR);
         m_jit.exceptionCheck();
 
         done.link(&m_jit);
@@ -6023,7 +6023,7 @@ void SpeculativeJIT::compile(Node* node)
         silentSpillAllRegisters(InvalidGPRReg);
         m_jit.setupArgumentsExecState();
         appendCall(triggerTierUpNow);
-        silentFillAllRegisters();
+        silentFillAllRegisters(InvalidGPRReg);
         
         done.link(&m_jit);
         break;
@@ -6151,7 +6151,7 @@ void SpeculativeJIT::convertAnyInt(Edge valueEdge, GPRReg resultGPR)
     notInt32.link(&m_jit);
     silentSpillAllRegisters(resultGPR);
     callOperation(operationConvertBoxedDoubleToInt52, resultGPR, valueGPR);
-    silentFillAllRegisters();
+    silentFillAllRegisters(resultGPR);
 
     DFG_TYPE_CHECK(
         JSValueRegs(valueGPR), valueEdge, SpecInt32Only | SpecAnyIntAsDouble,