[Webkit-unassigned] [Bug 145992] Strict Equality on objects should only check that one of the two sides is an object.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Thu Jun 18 15:52:18 PDT 2015
https://bugs.webkit.org/show_bug.cgi?id=145992
Filip Pizlo <fpizlo at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #255137|review?, commit-queue? |review-, commit-queue-
Flags| |
--- Comment #24 from Filip Pizlo <fpizlo at apple.com> ---
Comment on attachment 255137
--> https://bugs.webkit.org/attachment.cgi?id=255137
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=255137&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1188
> + SpeculateCellOperand op1(this, node->child1());
> + JSValueOperand op2(this, node->child2());
> +
> + GPRReg op1GPR = op1.gpr();
> +#if USE(JSVALUE64)
> + GPRReg op2GPR = op2.gpr();
> +#else
> + GPRReg op2GPR = op2.payloadGPR();
> +#endif
> + DFG_TYPE_CHECK(
> + JSValueSource::unboxedCell(op1GPR), node->child1(), SpecObject, m_jit.branchIfNotObject(op1GPR));
> +
> + branchPtr(condition, op1GPR, op2GPR, taken);
This appears wrong on 32-bit, since there you still have to test the tag word. Also, you could avoid the #if's by doing:
JSValueRegs op2Regs = op2.jsValueRegs();
GPRReg op2Payload = op2Regs.payloadGPR();
But that doesn't really help you with the tag issue on 32-bit.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:1204
> + SpeculateCellOperand op1(this, node->child1());
> + JSValueOperand op2(this, node->child2());
> +
> + GPRReg op1GPR = op1.gpr();
> + GPRReg op2GPR = op2.payloadGPR();
> +
> + DFG_TYPE_CHECK(
> + JSValueSource::unboxedCell(op1GPR), node->child1(), SpecObject, m_jit.branchIfNotObject(op1GPR));
> +
> + GPRTemporary resultPayload(this, Reuse, op1);
> + GPRReg resultPayloadGPR = resultPayload.gpr();
> +
> + // At this point we know that we can perform a straight-forward equality comparison on pointer
> + // values because we are doing strict equality.
> + m_jit.compare32(MacroAssembler::Equal, op1GPR, op2GPR, resultPayloadGPR);
> + booleanResult(resultPayloadGPR, node);
Ditto. Need a story for the tag word on 32-bit.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150618/6c16fd35/attachment.html>
More information about the webkit-unassigned
mailing list