[Webkit-unassigned] [Bug 231179] Fix wrong edge type from get-by-val in 32 bits
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Oct 5 10:57:51 PDT 2021
https://bugs.webkit.org/show_bug.cgi?id=231179
Yusuke Suzuki <ysuzuki at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ysuzuki at apple.com
Attachment #440079|review? |review-
Flags| |
--- Comment #2 from Yusuke Suzuki <ysuzuki at apple.com> ---
Comment on attachment 440079
--> https://bugs.webkit.org/attachment.cgi?id=440079
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=440079&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4518
> + JSValueOperand baseOperand(this, baseEdge);
> + generate(baseOperand.gpr());
base is JSValue, but it only passes payload part of JSValue. In 32bit, there is tag part, which needs to be passed. If it is a JSValue, then we need to use JSValueRegs.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20211005/33eab653/attachment.htm>
More information about the webkit-unassigned
mailing list