Fix SpeculateCellOperand ASSERT failure in DFG for 32-bit builds.

Original patch by Filip Pizlo <fpizlo@apple.com> on 2013-08-28 taken from WebKit r154804 (http://trac.webkit.org/changeset/154804). Task-number: QTBUG-39768 Change-Id: I239f2ee2ec5d1c21f7e50709b8989e744fd87995 Reviewed-by: Zhang Zengbo <zengbo.zhang@gmail.com> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@digia.com>
author: Julien Brianceau <jbriance@cisco.com> 2014-06-25 16:30:34 +0200
committer: Julien Brianceau <jbriance@cisco.com> 2014-06-26 12:15:38 +0200
commit: b16a6f1c1caf3ee0b4fb256f6cd21aa294a0da9d (patch)
tree: acfbbd60f389bfb495b62e66a87a3d86bbb6aca3
parent: a9d7d46164a3d8133e46b3a9197bf7995104a280 (diff)
download: qtwebkit-b16a6f1c1caf3ee0b4fb256f6cd21aa294a0da9d.tar.gz
1 files changed, 27 insertions, 18 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
index de4ca9674..5fc35cb73 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -3870,7 +3870,8 @@ void SpeculativeJIT::compile(Node* node)
             break;
         }
         
-        if (isCellSpeculation(node->child1()->prediction())) {
+        switch (node->child1().useKind()) {
+        case CellUse: {
             SpeculateCellOperand base(this, node->child1());
             GPRTemporary resultTag(this, base);
             GPRTemporary resultPayload(this);
@@ -3886,23 +3887,31 @@ void SpeculativeJIT::compile(Node* node)
             jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
             break;
         }
-        
-        JSValueOperand base(this, node->child1());
-        GPRTemporary resultTag(this, base);
-        GPRTemporary resultPayload(this);
-        
-        GPRReg baseTagGPR = base.tagGPR();
-        GPRReg basePayloadGPR = base.payloadGPR();
-        GPRReg resultTagGPR = resultTag.gpr();
-        GPRReg resultPayloadGPR = resultPayload.gpr();
-        
-        base.use();
-        
-        JITCompiler::Jump notCell = m_jit.branch32(JITCompiler::NotEqual, baseTagGPR, TrustedImm32(JSValue::CellTag));
-        
-        cachedGetById(node->codeOrigin, baseTagGPR, basePayloadGPR, resultTagGPR, resultPayloadGPR, node->identifierNumber(), notCell);
-        
-        jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+
+        case UntypedUse: {
+            JSValueOperand base(this, node->child1());
+            GPRTemporary resultTag(this, base);
+            GPRTemporary resultPayload(this);
+
+            GPRReg baseTagGPR = base.tagGPR();
+            GPRReg basePayloadGPR = base.payloadGPR();
+            GPRReg resultTagGPR = resultTag.gpr();
+            GPRReg resultPayloadGPR = resultPayload.gpr();
+
+            base.use();
+
+            JITCompiler::Jump notCell = m_jit.branch32(JITCompiler::NotEqual, baseTagGPR, TrustedImm32(JSValue::CellTag));
+
+            cachedGetById(node->codeOrigin, baseTagGPR, basePayloadGPR, resultTagGPR, resultPayloadGPR, node->identifierNumber(), notCell);
+
+            jsValueResult(resultTagGPR, resultPayloadGPR, node, UseChildrenCalledExplicitly);
+            break;
+        }
+
+        default:
+            RELEASE_ASSERT_NOT_REACHED();
+            break;
+        }
         break;
     }
author	Julien Brianceau <jbriance@cisco.com>	2014-06-25 16:30:34 +0200
committer	Julien Brianceau <jbriance@cisco.com>	2014-06-26 12:15:38 +0200
commit	b16a6f1c1caf3ee0b4fb256f6cd21aa294a0da9d (patch)
tree	acfbbd60f389bfb495b62e66a87a3d86bbb6aca3
parent	a9d7d46164a3d8133e46b3a9197bf7995104a280 (diff)
download	qtwebkit-b16a6f1c1caf3ee0b4fb256f6cd21aa294a0da9d.tar.gz