DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Sep 2011 21:36:35 +0000 (21:36 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 8 Sep 2011 21:36:35 +0000 (21:36 +0000)
https://bugs.webkit.org/show_bug.cgi?id=67840

Reviewed by Gavin Barraclough.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::initializeVariableTypes):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@94801 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

index 67770a1..7353b2c 100644 (file)
@@ -1,3 +1,13 @@
+2011-09-08  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG speculative JIT does not initialize integer tags for PredictInt32 temporaries
+        https://bugs.webkit.org/show_bug.cgi?id=67840
+
+        Reviewed by Gavin Barraclough.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::initializeVariableTypes):
+
 2011-09-08  Thouraya ANDOLSI  <thouraya.andolsi@st.com>
 
         https://bugs.webkit.org/show_bug.cgi?id=67771
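Review bot: The added ChangeLog entry ends at `(JSC::DFG::SpeculativeJIT::initializeVariableTypes):` with nothing after the colon, so it records which function changed but not what changed in it. One line stating that the tag-initialization loop now iterates over the variables known to the graph's predictions instead of the code block's `m_numVars` would let a reader understand the fix without opening the diff. The entry also names no test covering the PredictInt32 temporary case from the title.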
index 4d7a345..4bc8e35 100644 (file)
@@ -1431,7 +1431,7 @@ void SpeculativeJIT::checkArgumentTypes()
 void SpeculativeJIT::initializeVariableTypes()
 {
     ASSERT(!m_compileIndex);
-    for (int var = 0; var < m_jit.codeBlock()->m_numVars; ++var) {
+    for (int var = 0; var < (int)m_jit.graph().predictions().numberOfVariables(); ++var) {
         if (isInt32Prediction(m_jit.graph().getPrediction(var)))
             m_jit.storePtr(GPRInfo::tagTypeNumberRegister, JITCompiler::addressFor((VirtualRegister)var));
     }
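Review bot: The changed `for` line swaps the loop bound from `m_jit.codeBlock()->m_numVars` to `m_jit.graph().predictions().numberOfVariables()` without a comment saying why the two counts differ, and nothing in the function checks how they relate. Since the commit title says the missed slots are PredictInt32 temporaries, a short comment to that effect above the loop would keep a later cleanup from reverting the bound and leaving those tags uninitialized again. If the predictions count is expected to be at least `m_numVars`, an ASSERT stating that would document the assumption. The C-style `(int)` cast could also be avoided by giving `var` the type that `numberOfVariables()` returns, or replaced with `static_cast<int>`.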