<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[191937] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/191937">191937</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2015-11-02 21:34:01 -0800 (Mon, 02 Nov 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
https://bugs.webkit.org/show_bug.cgi?id=150745
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
find the CallLinkInfo / StubInfo to find the return PC. Instead we need to get the call
type of the true caller, that is the function we'll be returning to.
This can be found by remembering the last call type we find while walking up the inlined
frames in InlineCallFrame::getCallerSkippingDeadFrames().
We can also return directly back to a getter or setter callsite without using a thunk.
* bytecode/InlineCallFrame.h:
(JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
(JSC::InlineCallFrame::getCallerSkippingDeadFrames):
* dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
for reified inlined frames created during OSR exit.
* jit/ThunkGenerators.cpp:
(JSC::baselineGetterReturnThunkGenerator): Deleted.
(JSC::baselineSetterReturnThunkGenerator): Deleted.
* jit/ThunkGenerators.h:
LayoutTests:
New regression tests.
* js/regress-150745-expected.txt: Added.
* js/regress-150745.html: Added.
* js/script-tests/regress-150745.js: Added.
(Test):
(Test.prototype.get sum):
(Test.prototype.doSum):
(getSum):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsChangeLog">trunk/LayoutTests/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeInlineCallFrameh">trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp">trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITPropertyAccesscpp">trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitThunkGeneratorscpp">trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitThunkGeneratorsh">trunk/Source/JavaScriptCore/jit/ThunkGenerators.h</a></li>
<li><a href="#trunkSourceWebCoreWebCorexcodeprojprojectpbxproj">trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkLayoutTestsjsregress150745expectedtxt">trunk/LayoutTests/js/regress-150745-expected.txt</a></li>
<li><a href="#trunkLayoutTestsjsregress150745html">trunk/LayoutTests/js/regress-150745.html</a></li>
<li><a href="#trunkLayoutTestsjsscripttestsregress150745js">trunk/LayoutTests/js/script-tests/regress-150745.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkLayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/LayoutTests/ChangeLog (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/ChangeLog 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/LayoutTests/ChangeLog 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -1,3 +1,20 @@
</span><ins>+2015-11-02 Michael Saboff <msaboff@apple.com>
+
+ WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
+ https://bugs.webkit.org/show_bug.cgi?id=150745
+
+ Reviewed by Geoffrey Garen.
+
+ New regression tests.
+
+ * js/regress-150745-expected.txt: Added.
+ * js/regress-150745.html: Added.
+ * js/script-tests/regress-150745.js: Added.
+ (Test):
+ (Test.prototype.get sum):
+ (Test.prototype.doSum):
+ (getSum):
+
</ins><span class="cx"> 2015-11-02 Myles C. Maxfield <mmaxfield@apple.com>
</span><span class="cx">
</span><span class="cx"> [Vertical Writing Mode] Rename "vertical-right" CSS value to match spec
</span></span></pre></div>
<a id="trunkLayoutTestsjsregress150745expectedtxt"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-150745-expected.txt (0 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-150745-expected.txt (rev 0)
+++ trunk/LayoutTests/js/regress-150745-expected.txt 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+Regression test for 150745
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Able to OSR exit from an inlined tail callee of a getter.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
</ins></span></pre></div>
<a id="trunkLayoutTestsjsregress150745html"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/regress-150745.html (0 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/regress-150745.html (rev 0)
+++ trunk/LayoutTests/js/regress-150745.html 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -0,0 +1,10 @@
</span><ins>+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/regress-150745.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
</ins></span></pre></div>
<a id="trunkLayoutTestsjsscripttestsregress150745js"></a>
<div class="addfile"><h4>Added: trunk/LayoutTests/js/script-tests/regress-150745.js (0 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/LayoutTests/js/script-tests/regress-150745.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/regress-150745.js 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -0,0 +1,47 @@
</span><ins>+description("Regression test for 150745");
+
+// We should be able to ORS exit from an inlined tail callee of a getter. This test shouldn't crash.
+
+"use strict";
+
+class Test {
+ constructor(a, b)
+ {
+ this.a = a;
+ this.b = b;
+ this.callCount = 0;
+ }
+
+ get sum()
+ {
+ return this.doSum(1, 2);
+ }
+
+ doSum(dummy1, dummy2)
+ {
+ this.callCount++;
+
+ if (this.callCount == 49000)
+ this.dfgCompiled = true;
+
+ if (this.callCount == 199000)
+ this.ftlCompiled = true;
+
+ return this.a + this.b;
+ }
+}
+
+var testObj = new Test(40, 2);
+
+function getSum(o)
+{
+ return o.sum;
+}
+
+for (var i = 0; i < 500000; i++) {
+ var result = getSum(testObj);
+ if (result != 42)
+ testFailed("Expected 42 from \"sum\" getter, got " + result);
+}
+
+testPassed("Able to OSR exit from an inlined tail callee of a getter.");
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -1,3 +1,32 @@
</span><ins>+2015-11-02 Michael Saboff <msaboff@apple.com>
+
+ WebInspector crashed while viewing Timeline when refreshing cnn.com while it was already loading
+ https://bugs.webkit.org/show_bug.cgi?id=150745
+
+ Reviewed by Geoffrey Garen.
+
+ During OSR exit, reifyInlinedCallFrames() was using the call kind from a tail call to
+ find the CallLinkInfo / StubInfo to find the return PC. Instead we need to get the call
+ type of the true caller, that is the function we'll be returning to.
+
+ This can be found by remembering the last call type we find while walking up the inlined
+ frames in InlineCallFrame::getCallerSkippingDeadFrames().
+
+ We can also return directly back to a getter or setter callsite without using a thunk.
+
+ * bytecode/InlineCallFrame.h:
+ (JSC::InlineCallFrame::computeCallerSkippingDeadFrames):
+ (JSC::InlineCallFrame::getCallerSkippingDeadFrames):
+ * dfg/DFGOSRExitCompilerCommon.cpp:
+ (JSC::DFG::reifyInlinedCallFrames):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_id): Need to eliminate the stack pointer check, as it is wrong
+ for reified inlined frames created during OSR exit.
+ * jit/ThunkGenerators.cpp:
+ (JSC::baselineGetterReturnThunkGenerator): Deleted.
+ (JSC::baselineSetterReturnThunkGenerator): Deleted.
+ * jit/ThunkGenerators.h:
+
</ins><span class="cx"> 2015-11-02 Saam barati <sbarati@apple.com>
</span><span class="cx">
</span><span class="cx"> Wrong value recovery for DFG try/catch with a getter that throws during an IC miss
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -3199,7 +3199,7 @@
</span><span class="cx"> 70B0A9D01A9B66200001306A /* RuntimeFlags.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = RuntimeFlags.h; sourceTree = "<group>"; };
</span><span class="cx"> 70DC3E071B2DF2C700054299 /* IteratorPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IteratorPrototype.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 70DC3E081B2DF2C700054299 /* IteratorPrototype.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = IteratorPrototype.h; sourceTree = "<group>"; };
</span><del>- 70DE9A081BE7D670005D89D9 /* LLIntAssembly.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = LLIntAssembly.h; path = LLIntAssembly.h; sourceTree = "<group>"; };
</del><ins>+ 70DE9A081BE7D670005D89D9 /* LLIntAssembly.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LLIntAssembly.h; sourceTree = "<group>"; };
</ins><span class="cx"> 70EC0EBC1AA0D7DA00B6AAFA /* JSStringIterator.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSStringIterator.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 70EC0EBD1AA0D7DA00B6AAFA /* JSStringIterator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringIterator.h; sourceTree = "<group>"; };
</span><span class="cx"> 70EC0EC01AA0D7DA00B6AAFA /* StringIteratorPrototype.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StringIteratorPrototype.cpp; sourceTree = "<group>"; };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeInlineCallFrameh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/bytecode/InlineCallFrame.h 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -146,23 +146,30 @@
</span><span class="cx"> return isTail(static_cast<Kind>(kind));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- static CodeOrigin* computeCallerSkippingDeadFrames(InlineCallFrame* inlineCallFrame)
</del><ins>+ static CodeOrigin* computeCallerSkippingDeadFrames(InlineCallFrame* inlineCallFrame, Kind* callerCallKind = nullptr)
</ins><span class="cx"> {
</span><span class="cx"> CodeOrigin* codeOrigin;
</span><span class="cx"> bool tailCallee;
</span><ins>+ int callKind;
</ins><span class="cx"> do {
</span><span class="cx"> tailCallee = inlineCallFrame->isTail();
</span><ins>+ callKind = inlineCallFrame->kind;
</ins><span class="cx"> codeOrigin = &inlineCallFrame->directCaller;
</span><span class="cx"> inlineCallFrame = codeOrigin->inlineCallFrame;
</span><span class="cx"> } while (inlineCallFrame && tailCallee);
</span><ins>+
</ins><span class="cx"> if (tailCallee)
</span><span class="cx"> return nullptr;
</span><ins>+
+ if (callerCallKind)
+ *callerCallKind = static_cast<Kind>(callKind);
+
</ins><span class="cx"> return codeOrigin;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- CodeOrigin* getCallerSkippingDeadFrames()
</del><ins>+ CodeOrigin* getCallerSkippingDeadFrames(Kind* callerCallKind = nullptr)
</ins><span class="cx"> {
</span><del>- return computeCallerSkippingDeadFrames(this);
</del><ins>+ return computeCallerSkippingDeadFrames(this, callerCallKind);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> InlineCallFrame* getCallerInlineFrameSkippingDeadFrames()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSRExitCompilerCommoncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -146,8 +146,8 @@
</span><span class="cx"> for (codeOrigin = &exit.m_codeOrigin; codeOrigin && codeOrigin->inlineCallFrame; codeOrigin = codeOrigin->inlineCallFrame->getCallerSkippingDeadFrames()) {
</span><span class="cx"> InlineCallFrame* inlineCallFrame = codeOrigin->inlineCallFrame;
</span><span class="cx"> CodeBlock* baselineCodeBlock = jit.baselineCodeBlockFor(*codeOrigin);
</span><del>- CodeOrigin* trueCaller = inlineCallFrame->getCallerSkippingDeadFrames();
- void* trueReturnPC = nullptr;
</del><ins>+ InlineCallFrame::Kind trueCallerCallKind;
+ CodeOrigin* trueCaller = inlineCallFrame->getCallerSkippingDeadFrames(&trueCallerCallKind);
</ins><span class="cx"> GPRReg callerFrameGPR = GPRInfo::callFrameRegister;
</span><span class="cx">
</span><span class="cx"> if (!trueCaller) {
</span><span class="lines">@@ -161,7 +161,7 @@
</span><span class="cx"> unsigned callBytecodeIndex = trueCaller->bytecodeIndex;
</span><span class="cx"> void* jumpTarget = nullptr;
</span><span class="cx">
</span><del>- switch (inlineCallFrame->kind) {
</del><ins>+ switch (trueCallerCallKind) {
</ins><span class="cx"> case InlineCallFrame::Call:
</span><span class="cx"> case InlineCallFrame::Construct:
</span><span class="cx"> case InlineCallFrame::CallVarargs:
</span><span class="lines">@@ -182,23 +182,15 @@
</span><span class="cx"> baselineCodeBlockForCaller->findStubInfo(CodeOrigin(callBytecodeIndex));
</span><span class="cx"> RELEASE_ASSERT(stubInfo);
</span><span class="cx">
</span><del>- switch (inlineCallFrame->kind) {
- case InlineCallFrame::GetterCall:
- jumpTarget = jit.vm()->getCTIStub(baselineGetterReturnThunkGenerator).code().executableAddress();
- break;
- case InlineCallFrame::SetterCall:
- jumpTarget = jit.vm()->getCTIStub(baselineSetterReturnThunkGenerator).code().executableAddress();
- break;
- default:
- RELEASE_ASSERT_NOT_REACHED();
- break;
- }
-
- trueReturnPC = stubInfo->callReturnLocation.labelAtOffset(
</del><ins>+ jumpTarget = stubInfo->callReturnLocation.labelAtOffset(
</ins><span class="cx"> stubInfo->patch.deltaCallToDone).executableAddress();
</span><span class="cx"> break;
</span><del>- } }
</del><ins>+ }
</ins><span class="cx">
</span><ins>+ default:
+ RELEASE_ASSERT_NOT_REACHED();
+ }
+
</ins><span class="cx"> if (trueCaller->inlineCallFrame) {
</span><span class="cx"> jit.addPtr(
</span><span class="cx"> AssemblyHelpers::TrustedImm32(trueCaller->inlineCallFrame->stackOffset * sizeof(EncodedJSValue)),
</span><span class="lines">@@ -210,9 +202,6 @@
</span><span class="cx"> jit.storePtr(AssemblyHelpers::TrustedImmPtr(jumpTarget), AssemblyHelpers::addressForByteOffset(inlineCallFrame->returnPCOffset()));
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (trueReturnPC)
- jit.storePtr(AssemblyHelpers::TrustedImmPtr(trueReturnPC), AssemblyHelpers::addressFor(inlineCallFrame->stackOffset + virtualRegisterForArgument(inlineCallFrame->arguments.size()).offset()));
-
</del><span class="cx"> jit.storePtr(AssemblyHelpers::TrustedImmPtr(baselineCodeBlock), AssemblyHelpers::addressFor((VirtualRegister)(inlineCallFrame->stackOffset + JSStack::CodeBlock)));
</span><span class="cx">
</span><span class="cx"> // Restore the inline call frame's callee save registers.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITPropertyAccesscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -561,7 +561,6 @@
</span><span class="cx">
</span><span class="cx"> emitValueProfilingSite();
</span><span class="cx"> emitPutVirtualRegister(resultVReg);
</span><del>- assertStackPointerOffset();
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void JIT::emitSlow_op_get_by_id(Instruction* currentInstruction, Vector<SlowCaseEntry>::iterator& iter)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitThunkGeneratorscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -530,83 +530,6 @@
</span><span class="cx"> return FINALIZE_CODE(patchBuffer, ("unreachable thunk"));
</span><span class="cx"> }
</span><span class="cx">
</span><del>-MacroAssemblerCodeRef baselineGetterReturnThunkGenerator(VM* vm)
-{
- JSInterfaceJIT jit(vm);
-
-#if USE(JSVALUE64)
- jit.move(GPRInfo::returnValueGPR, GPRInfo::regT0);
-#else
- jit.setupResults(GPRInfo::regT0, GPRInfo::regT1);
-#endif
-
- unsigned numberOfParameters = 0;
- numberOfParameters++; // The 'this' argument.
- numberOfParameters++; // The true return PC.
-
- unsigned numberOfRegsForCall =
- JSStack::CallFrameHeaderSize + numberOfParameters;
-
- unsigned numberOfBytesForCall =
- numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC);
-
- unsigned alignedNumberOfBytesForCall =
- WTF::roundUpToMultipleOf(stackAlignmentBytes(), numberOfBytesForCall);
-
- // The real return address is stored above the arguments. We passed one argument, which is
- // 'this'. So argument at index 1 is the return address.
- jit.loadPtr(
- AssemblyHelpers::Address(
- AssemblyHelpers::stackPointerRegister,
- (virtualRegisterForArgument(1).offset() - JSStack::CallerFrameAndPCSize) * sizeof(Register)),
- GPRInfo::regT2);
-
- jit.addPtr(
- AssemblyHelpers::TrustedImm32(alignedNumberOfBytesForCall),
- AssemblyHelpers::stackPointerRegister);
-
- jit.jump(GPRInfo::regT2);
-
- LinkBuffer patchBuffer(*vm, jit, GLOBAL_THUNK_ID);
- return FINALIZE_CODE(patchBuffer, ("baseline getter return thunk"));
-}
-
-MacroAssemblerCodeRef baselineSetterReturnThunkGenerator(VM* vm)
-{
- JSInterfaceJIT jit(vm);
-
- unsigned numberOfParameters = 0;
- numberOfParameters++; // The 'this' argument.
- numberOfParameters++; // The value to set.
- numberOfParameters++; // The true return PC.
-
- unsigned numberOfRegsForCall =
- JSStack::CallFrameHeaderSize + numberOfParameters;
-
- unsigned numberOfBytesForCall =
- numberOfRegsForCall * sizeof(Register) - sizeof(CallerFrameAndPC);
-
- unsigned alignedNumberOfBytesForCall =
- WTF::roundUpToMultipleOf(stackAlignmentBytes(), numberOfBytesForCall);
-
- // The real return address is stored above the arguments. We passed two arguments, so
- // the argument at index 2 is the return address.
- jit.loadPtr(
- AssemblyHelpers::Address(
- AssemblyHelpers::stackPointerRegister,
- (virtualRegisterForArgument(2).offset() - JSStack::CallerFrameAndPCSize) * sizeof(Register)),
- GPRInfo::regT2);
-
- jit.addPtr(
- AssemblyHelpers::TrustedImm32(alignedNumberOfBytesForCall),
- AssemblyHelpers::stackPointerRegister);
-
- jit.jump(GPRInfo::regT2);
-
- LinkBuffer patchBuffer(*vm, jit, GLOBAL_THUNK_ID);
- return FINALIZE_CODE(patchBuffer, ("baseline setter return thunk"));
-}
-
</del><span class="cx"> static void stringCharLoad(SpecializedThunkJIT& jit, VM* vm)
</span><span class="cx"> {
</span><span class="cx"> // load string
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitThunkGeneratorsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ThunkGenerators.h (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ThunkGenerators.h 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/JavaScriptCore/jit/ThunkGenerators.h 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -49,9 +49,6 @@
</span><span class="cx"> MacroAssemblerCodeRef arityFixupGenerator(VM*);
</span><span class="cx"> MacroAssemblerCodeRef unreachableGenerator(VM*);
</span><span class="cx">
</span><del>-MacroAssemblerCodeRef baselineGetterReturnThunkGenerator(VM* vm);
-MacroAssemblerCodeRef baselineSetterReturnThunkGenerator(VM* vm);
-
</del><span class="cx"> MacroAssemblerCodeRef charCodeAtThunkGenerator(VM*);
</span><span class="cx"> MacroAssemblerCodeRef charAtThunkGenerator(VM*);
</span><span class="cx"> MacroAssemblerCodeRef clz32ThunkGenerator(VM*);
</span></span></pre></div>
<a id="trunkSourceWebCoreWebCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (191936 => 191937)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2015-11-03 05:19:45 UTC (rev 191936)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2015-11-03 05:34:01 UTC (rev 191937)
</span><span class="lines">@@ -14976,6 +14976,7 @@
</span><span class="cx"> runOnlyForDeploymentPostprocessing = 0;
</span><span class="cx"> };
</span><span class="cx"> /* End PBXFrameworksBuildPhase section */
</span><ins>+
</ins><span class="cx"> /* Begin PBXGroup section */
</span><span class="cx"> 00B9318013BA867F0035A948 /* parser */ = {
</span><span class="cx"> isa = PBXGroup;
</span></span></pre>
</div>
</div>
</body>
</html>