[Webkit-unassigned] [Bug 145992] Strict Equality on objects should only check that one of the two sides is an object.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 18 15:52:18 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=145992

Filip Pizlo <fpizlo at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #255137|review?, commit-queue?      |review-, commit-queue-
              Flags|                            |

--- Comment #24 from Filip Pizlo <fpizlo at apple.com> ---
Comment on attachment 255137
  --> https://bugs.webkit.org/attachment.cgi?id=255137
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=255137&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1188
> +    SpeculateCellOperand op1(this, node->child1());
> +    JSValueOperand op2(this, node->child2());
> +
> +    GPRReg op1GPR = op1.gpr();
> +#if USE(JSVALUE64)
> +    GPRReg op2GPR = op2.gpr();
> +#else
> +    GPRReg op2GPR = op2.payloadGPR();
> +#endif
> +    DFG_TYPE_CHECK(
> +        JSValueSource::unboxedCell(op1GPR), node->child1(), SpecObject, m_jit.branchIfNotObject(op1GPR));
> +
> +    branchPtr(condition, op1GPR, op2GPR, taken);
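
Review bot: In the #else branch, op2GPR = op2.payloadGPR() feeds branchPtr(condition, op1GPR, op2GPR, taken) with only op2's payload word. op2 is a plain JSValueOperand with no type check in this hunk, so nothing visible here establishes that op2 is a cell before its payload is compared with op1's cell pointer. Suggest testing op2's tag in the 32-bit path before the branchPtr (not a cell means not equal), and adding a comment above the branch that states what has been proven about each operand.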

This appears wrong on 32-bit, since there you still have to test the tag word.  Also, you could avoid the #if's by doing:

JSValueRegs op2Regs = op2.jsValueRegs();
GPRReg op2Payload = op2Regs.payloadGPR();

But that doesn't really help you with the tag issue on 32-bit.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:1204
> +    SpeculateCellOperand op1(this, node->child1());
> +    JSValueOperand op2(this, node->child2());
> +
> +    GPRReg op1GPR = op1.gpr();
> +    GPRReg op2GPR = op2.payloadGPR();
> +
> +    DFG_TYPE_CHECK(
> +        JSValueSource::unboxedCell(op1GPR), node->child1(), SpecObject, m_jit.branchIfNotObject(op1GPR));
> +
> +    GPRTemporary resultPayload(this, Reuse, op1);
> +    GPRReg resultPayloadGPR = resultPayload.gpr();
> +
> +    // At this point we know that we can perform a straight-forward equality comparison on pointer
> +    // values because we are doing strict equality.
> +    m_jit.compare32(MacroAssembler::Equal, op1GPR, op2GPR, resultPayloadGPR);
> +    booleanResult(resultPayloadGPR, node);
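
Review bot: The comment above compare32 justifies the pointer comparison by strict equality alone, but only op1 has been checked (DFG_TYPE_CHECK with SpecObject). op2 comes from op2.payloadGPR() and its tag register is never read in this hunk, so the boolean result depends on payload bits only. Either fold a check of op2's tag into the result, or extend the comment to say why a payload match is sufficient here.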

Ditto.  Need a story for the tag word on 32-bit.
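
The tag-word issue raised in both review comments, as a small stand-alone model (an added example, not part of the original message and not JavaScriptCore code). The Value32_64 struct, the function names, the tag constants and the addresses are assumptions constructed for this model of a tag-plus-payload value layout.

```cpp
// Model of a 32-bit value representation: one tag word plus one payload word.
// All constants below are constructed for this example.
#include <cstdint>
#include <cstdio>

constexpr uint32_t kInt32Tag = 0xffffffffu;  // model tag: payload is an integer
constexpr uint32_t kCellTag  = 0xfffffffbu;  // model tag: payload is a cell pointer

struct Value32_64 {
    uint32_t tag;      // says how to interpret the payload
    uint32_t payload;  // cell pointer bits, or the integer itself
};

// What the quoted hunks do: op1 is already known to be an object cell,
// and only op2's payload word is compared against op1's pointer.
bool payloadOnlyStrictEq(uint32_t op1Cell, Value32_64 op2) {
    return op1Cell == op2.payload;
}

// Comparison that also tests the tag word: op2 can only be the same
// object if it is a cell in the first place.
bool tagAwareStrictEq(uint32_t op1Cell, Value32_64 op2) {
    return op2.tag == kCellTag && op1Cell == op2.payload;
}

int main() {
    const uint32_t objectAddress = 0x0040a1c0u;          // constructed address
    const Value32_64 sameObject  = { kCellTag, objectAddress };
    const Value32_64 otherObject = { kCellTag, 0x0040a200u };
    const Value32_64 integer     = { kInt32Tag, objectAddress };  // same bits, not a cell

    const struct { const char* name; Value32_64 v; } cases[] = {
        { "same object", sameObject },
        { "other object", otherObject },
        { "int32 with pointer bits", integer },
    };
    for (const auto& c : cases) {
        std::printf("%-24s payload-only=%d tag-aware=%d\n", c.name,
                    payloadOnlyStrictEq(objectAddress, c.v),
                    tagAwareStrictEq(objectAddress, c.v));
    }
    return 0;
}
```

The third case is the one the review is about: the payload-only comparison reports an integer as strictly equal to an object, while the tag-aware comparison does not.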
