<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[161006] branches/jsCStack/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/161006">161006</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2013-12-23 11:15:09 -0800 (Mon, 23 Dec 2013)</dd>
</dl>
<h3>Log Message</h3>
<pre>cStack branch doesn't run navier-stokes because closure calls aren't implemented yet
https://bugs.webkit.org/show_bug.cgi?id=126141
Reviewed by Michael Saboff.
Add a bunch of assertions regarding the sanity of argument counts. This is a great way of
making sure that SP/BP point to the right place.
Used that to diagnose problems with closure calls. Closure call linking expects that SP is
set up correctly very early on. The DFG JIT was doing this correctly, but the baseline JIT
wasn't: it was setting up T1 as a fake SP and then setting up SP for real very late. This
wasn't doing us any good and it was making closure calls fail.
Also, closure calls were still referring to BP instead of SP and assuming that the caller
was adjusting BP. Obviously, that's not what we do anymore.
These fixes make navier-stokes run. It probably fixes other bugs, but I haven't looked at
those yet.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileCurrentBlock):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitAssertArgumentCountSane):
* jit/AssemblyHelpers.h:
(JSC::AssemblyHelpers::jitAssertArgumentCountSane):
* jit/JIT.cpp:
(JSC::JIT::privateCompileMainPass):
* jit/JITCall.cpp:
(JSC::JIT::compileLoadVarargs):
(JSC::JIT::compileCallEval):
(JSC::JIT::compileCallEvalSlowCase):
(JSC::JIT::compileOpCall):
(JSC::JIT::compileOpCallSlowCase):
* jit/Repatch.cpp:
(JSC::linkClosureCall):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#branchesjsCStackSourceJavaScriptCoreChangeLog">branches/jsCStack/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorejitAssemblyHelperscpp">branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorejitAssemblyHelpersh">branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorejitJITcpp">branches/jsCStack/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorejitJITCallcpp">branches/jsCStack/Source/JavaScriptCore/jit/JITCall.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCorejitRepatchcpp">branches/jsCStack/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchesjsCStackSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ChangeLog (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ChangeLog 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/ChangeLog 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -1,3 +1,41 @@
</span><ins>+2013-12-23 Filip Pizlo <fpizlo@apple.com>
+
+ cStack branch doesn't run navier-stokes because closure calls aren't implemented yet
+ https://bugs.webkit.org/show_bug.cgi?id=126141
+
+ Reviewed by Michael Saboff.
+
+ Add a bunch of assertions regarding the sanity of argument counts. This is a great way of
+ making sure that SP/BP point to the right place.
+
+ Used that to diagnose problems with closure calls. Closure call linking expects that SP is
+ set up correctly very early on. The DFG JIT was doing this correctly, but the baseline JIT
+ wasn't: it was setting up T1 as a fake SP and then setting up SP for real very late. This
+ wasn't doing us any good and it was making closure calls fail.
+
+ Also, closure calls were still referring to BP instead of SP and assuming that the caller
+ was adjusting BP. Obviously, that's not what we do anymore.
+
+ These fixes make navier-stokes run. It probably fixes other bugs, but I haven't looked at
+ those yet.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
+ * jit/AssemblyHelpers.h:
+ (JSC::AssemblyHelpers::jitAssertArgumentCountSane):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompileMainPass):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileLoadVarargs):
+ (JSC::JIT::compileCallEval):
+ (JSC::JIT::compileCallEvalSlowCase):
+ (JSC::JIT::compileOpCall):
+ (JSC::JIT::compileOpCallSlowCase):
+ * jit/Repatch.cpp:
+ (JSC::linkClosureCall):
+
</ins><span class="cx"> 2013-12-22 Mark Lam <mark.lam@apple.com>
</span><span class="cx">
</span><span class="cx"> CStack: Add #if ENABLE(LLINT_C_LOOP) to C loop LLINT only parts of JSStack.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -1467,6 +1467,7 @@
</span><span class="cx">
</span><span class="cx"> m_jit.jitAssertHasValidCallFrame();
</span><span class="cx"> m_jit.jitAssertTagsInPlace();
</span><ins>+ m_jit.jitAssertArgumentCountSane();
</ins><span class="cx">
</span><span class="cx"> for (size_t i = 0; i < m_block->variablesAtHead.numberOfArguments(); ++i) {
</span><span class="cx"> m_stream->appendAndLog(
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorejitAssemblyHelperscpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.cpp (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.cpp 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.cpp 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -175,6 +175,13 @@
</span><span class="cx"> breakpoint();
</span><span class="cx"> checkNull.link(this);
</span><span class="cx"> }
</span><ins>+
+void AssemblyHelpers::jitAssertArgumentCountSane()
+{
+ Jump ok = branch32(Below, payloadFor(JSStack::ArgumentCount), TrustedImm32(10000000));
+ breakpoint();
+ ok.link(this);
+}
</ins><span class="cx"> #endif // !ASSERT_DISABLED
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorejitAssemblyHelpersh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.h (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.h 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/jit/AssemblyHelpers.h 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -344,6 +344,7 @@
</span><span class="cx"> void jitAssertHasValidCallFrame();
</span><span class="cx"> void jitAssertIsNull(GPRReg);
</span><span class="cx"> void jitAssertTagsInPlace();
</span><ins>+ void jitAssertArgumentCountSane();
</ins><span class="cx"> #else
</span><span class="cx"> void jitAssertIsInt32(GPRReg) { }
</span><span class="cx"> void jitAssertIsJSInt32(GPRReg) { }
</span><span class="lines">@@ -353,6 +354,7 @@
</span><span class="cx"> void jitAssertHasValidCallFrame() { }
</span><span class="cx"> void jitAssertIsNull(GPRReg) { }
</span><span class="cx"> void jitAssertTagsInPlace() { }
</span><ins>+ void jitAssertArgumentCountSane() { }
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> // These methods convert between doubles, and doubles boxed and JSValues.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/jit/JIT.cpp (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/jit/JIT.cpp 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/jit/JIT.cpp 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -135,6 +135,7 @@
</span><span class="cx"> void JIT::privateCompileMainPass()
</span><span class="cx"> {
</span><span class="cx"> jitAssertTagsInPlace();
</span><ins>+ jitAssertArgumentCountSane();
</ins><span class="cx">
</span><span class="cx"> Instruction* instructionsBegin = m_codeBlock->instructions().begin();
</span><span class="cx"> unsigned instructionCount = m_codeBlock->instructions().size();
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorejitJITCallcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/jit/JITCall.cpp (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/jit/JITCall.cpp 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/jit/JITCall.cpp 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -119,11 +119,13 @@
</span><span class="cx">
</span><span class="cx"> if (canOptimize)
</span><span class="cx"> end.link(this);
</span><ins>+
+ addPtr(TrustedImm32(sizeof(CallerFrameAndPC)), regT1, stackPointerRegister);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::compileCallEval(Instruction* instruction)
</span><span class="cx"> {
</span><del>- addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister);
</del><ins>+ addPtr(TrustedImm32(-static_cast<ptrdiff_t>(sizeof(CallerFrameAndPC))), stackPointerRegister, regT1);
</ins><span class="cx"> callOperationNoExceptionCheck(operationCallEval, regT1);
</span><span class="cx"> // Recalculate newCallFrame and put in regT1 for possible use in slow case
</span><span class="cx"> addPtr(TrustedImm32(-JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), stackPointerRegister, regT1);
</span><span class="lines">@@ -141,8 +143,7 @@
</span><span class="cx"> {
</span><span class="cx"> linkSlowCase(iter);
</span><span class="cx">
</span><del>- emitGetFromCallFrameHeader64(JSStack::Callee, regT0, regT1);
- addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister);
</del><ins>+ load64(Address(stackPointerRegister, sizeof(Register) * JSStack::Callee - sizeof(CallerFrameAndPC)), regT0);
</ins><span class="cx"> emitNakedCall(m_vm->getCTIStub(virtualCallThunkGenerator).code());
</span><span class="cx"> addPtr(TrustedImm32(stackPointerOffsetFor(m_codeBlock) * sizeof(Register)), callFrameRegister, stackPointerRegister);
</span><span class="cx"> checkStackPointerAlignment();
</span><span class="lines">@@ -184,16 +185,16 @@
</span><span class="cx"> done.link(this);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- addPtr(TrustedImm32(registerOffset * sizeof(Register)), callFrameRegister, regT1);
- store32(TrustedImm32(argCount), Address(regT1, JSStack::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
- } // regT1 holds newCallFrame with ArgumentCount initialized.
</del><ins>+ addPtr(TrustedImm32(registerOffset * sizeof(Register) + sizeof(CallerFrameAndPC)), callFrameRegister, stackPointerRegister);
+ store32(TrustedImm32(argCount), Address(stackPointerRegister, JSStack::ArgumentCount * static_cast<int>(sizeof(Register)) + PayloadOffset - sizeof(CallerFrameAndPC)));
+ } // SP holds newCallFrame + sizeof(CallerFrameAndPC), with ArgumentCount initialized.
</ins><span class="cx">
</span><span class="cx"> uint32_t bytecodeOffset = instruction - m_codeBlock->instructions().begin();
</span><span class="cx"> uint32_t locationBits = CallFrame::Location::encodeAsBytecodeOffset(bytecodeOffset);
</span><del>- store32(TrustedImm32(locationBits), Address(callFrameRegister, JSStack::ArgumentCount * static_cast<int>(sizeof(Register)) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
</del><ins>+ store32(TrustedImm32(locationBits), Address(callFrameRegister, JSStack::ArgumentCount * static_cast<int>(sizeof(Register)) + TagOffset));
</ins><span class="cx"> emitGetVirtualRegister(callee, regT0); // regT0 holds callee.
</span><span class="cx">
</span><del>- store64(regT0, Address(regT1, JSStack::Callee * static_cast<int>(sizeof(Register))));
</del><ins>+ store64(regT0, Address(stackPointerRegister, JSStack::Callee * static_cast<int>(sizeof(Register)) - sizeof(CallerFrameAndPC)));
</ins><span class="cx">
</span><span class="cx"> if (opcodeID == op_call_eval) {
</span><span class="cx"> compileCallEval(instruction);
</span><span class="lines">@@ -211,8 +212,7 @@
</span><span class="cx"> m_callStructureStubCompilationInfo[callLinkInfoIndex].bytecodeIndex = m_bytecodeOffset;
</span><span class="cx">
</span><span class="cx"> loadPtr(Address(regT0, OBJECT_OFFSETOF(JSFunction, m_scope)), regT2);
</span><del>- store64(regT2, Address(regT1, JSStack::ScopeChain * sizeof(Register)));
- addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister);
</del><ins>+ store64(regT2, Address(MacroAssembler::stackPointerRegister, JSStack::ScopeChain * sizeof(Register) - sizeof(CallerFrameAndPC)));
</ins><span class="cx">
</span><span class="cx"> m_callStructureStubCompilationInfo[callLinkInfoIndex].hotPathOther = emitNakedCall();
</span><span class="cx">
</span><span class="lines">@@ -233,8 +233,6 @@
</span><span class="cx">
</span><span class="cx"> linkSlowCase(iter);
</span><span class="cx">
</span><del>- addPtr(TrustedImm32(JSStack::CallerFrameAndPCSize * static_cast<int>(sizeof(Register))), regT1, stackPointerRegister);
-
</del><span class="cx"> ThunkGenerator generator = linkThunkGeneratorFor(
</span><span class="cx"> opcodeID == op_construct ? CodeForConstruct : CodeForCall,
</span><span class="cx"> RegisterPreservationNotRequired);
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/jit/Repatch.cpp (161005 => 161006)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/jit/Repatch.cpp 2013-12-23 19:04:11 UTC (rev 161005)
+++ branches/jsCStack/Source/JavaScriptCore/jit/Repatch.cpp 2013-12-23 19:15:09 UTC (rev 161006)
</span><span class="lines">@@ -1342,6 +1342,15 @@
</span><span class="cx">
</span><span class="cx"> CCallHelpers::JumpList slowPath;
</span><span class="cx">
</span><ins>+ ptrdiff_t offsetToFrame = -sizeof(CallerFrameAndPC);
+
+ if (!ASSERT_DISABLED) {
+ CCallHelpers::Jump okArgumentCount = stubJit.branch32(
+ CCallHelpers::Below, CCallHelpers::Address(CCallHelpers::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ArgumentCount) + offsetToFrame + PayloadOffset), CCallHelpers::TrustedImm32(10000000));
+ stubJit.breakpoint();
+ okArgumentCount.link(&stubJit);
+ }
+
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> // We can safely clobber everything except the calleeGPR. We can't rely on tagMaskRegister
</span><span class="cx"> // being set. So we do this the hard way.
</span><span class="lines">@@ -1367,18 +1376,18 @@
</span><span class="cx"> stubJit.loadPtr(
</span><span class="cx"> CCallHelpers::Address(calleeGPR, JSFunction::offsetOfScopeChain()),
</span><span class="cx"> GPRInfo::returnValueGPR);
</span><del>-
</del><ins>+
</ins><span class="cx"> #if USE(JSVALUE64)
</span><span class="cx"> stubJit.store64(
</span><span class="cx"> GPRInfo::returnValueGPR,
</span><del>- CCallHelpers::Address(GPRInfo::callFrameRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain)));
</del><ins>+ CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + offsetToFrame));
</ins><span class="cx"> #else
</span><span class="cx"> stubJit.storePtr(
</span><span class="cx"> GPRInfo::returnValueGPR,
</span><del>- CCallHelpers::Address(GPRInfo::callFrameRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));
</del><ins>+ CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) + offsetToFrame));
</ins><span class="cx"> stubJit.store32(
</span><span class="cx"> CCallHelpers::TrustedImm32(JSValue::CellTag),
</span><del>- CCallHelpers::Address(GPRInfo::callFrameRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
</del><ins>+ CCallHelpers::Address(MacroAssembler::stackPointerRegister, static_cast<ptrdiff_t>(sizeof(Register) * JSStack::ScopeChain) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) + offsetToFrame));
</ins><span class="cx"> #endif
</span><span class="cx">
</span><span class="cx"> AssemblyHelpers::Call call = stubJit.nearCall();
</span><span class="lines">@@ -1391,8 +1400,6 @@
</span><span class="cx"> #endif
</span><span class="cx"> stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::regT2);
</span><span class="cx">
</span><del>- // FIXME: CStack - Think the restoreReturnAddressBeforeReturn() instruction should be a poke
- stubJit.breakpoint();
</del><span class="cx"> stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT2);
</span><span class="cx"> AssemblyHelpers::Jump slow = stubJit.jump();
</span><span class="cx">
</span></span></pre>
</div>
</div>
</body>
</html>