2018-09-19 Saam barati <sbarati@apple.com>
+ CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
+ https://bugs.webkit.org/show_bug.cgi?id=189703
+
+ Reviewed by Mark Lam.
+
+ This fixes a crash that a TypeProfiler change revealed.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2018-09-19 Saam barati <sbarati@apple.com>
+
AI rule for MultiPutByOffset executes its effects in the wrong order
https://bugs.webkit.org/show_bug.cgi?id=189757
<rdar://problem/43535257>
case CheckStructureOrEmpty: {
SpeculateCellOperand cell(this, node->child1());
GPRReg cellGPR = cell.gpr();
+
+ GPRReg tempGPR = InvalidGPRReg;
+ std::optional<GPRTemporary> temp;
+ if (node->structureSet().size() > 1) {
+ temp.emplace(this);
+ tempGPR = temp->gpr();
+ }
+
MacroAssembler::Jump isEmpty;
if (m_interpreter.forNode(node->child1()).m_type & SpecEmpty)
isEmpty = m_jit.branchIfEmpty(cellGPR);
- emitStructureCheck(node, cellGPR, InvalidGPRReg);
+ emitStructureCheck(node, cellGPR, tempGPR);
if (isEmpty.isSet())
isEmpty.link(&m_jit);
git://git.webkit.org / WebKit-https.git / commitdiff