Fix crash in SpeculativeJIT::compile() when loading theblaze.com

author Carlos Garcia Campos <carlosgc@webkit.org>

Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)

committer Alberto Garcia <berto@igalia.com>

Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
author Carlos Garcia Campos <carlosgc@webkit.org>
Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
committer Alberto Garcia <berto@igalia.com>
Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

index 82a0b28a512166cfa113f1e9ee14f7896d69eda8..ac57b380a497c0f507c31d6688180764aa8d77f9 100644 (file)
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
@@ -1692,7 +1692,26 @@ void SpeculativeJIT::compile(Node* node)
          break;
  
      case Identity: {
-        RELEASE_ASSERT_NOT_REACHED();
+        speculate(node, node->child1());
+        switch (node->child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse: {
+            SpeculateDoubleOperand op(this, node->child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: 
+        case MachineIntUse:
+        case DoubleRepMachineIntUse: {
+            RELEASE_ASSERT_NOT_REACHED();   
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node->child1());
+            jsValueResult(op.tagGPR(), op.payloadGPR(), node);
+            break;
+        }
+        } // switch
          break;
      }
  
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

index b78cfbb460848f621e7314b0b61072fc23201b0f..627f01932579a0888a1d9c23fae37e9f39c01a73 100644 (file)
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -1795,8 +1795,26 @@ void SpeculativeJIT::compile(Node* node)
          break;
  
      case Identity: {
-        // CSE should always eliminate this.
-        DFG_CRASH(m_jit.graph(), node, "Unexpected Identity node");
+        speculate(node, node->child1());
+        switch (node->child1().useKind()) {
+        case DoubleRepUse:
+        case DoubleRepRealUse:
+        case DoubleRepMachineIntUse: {
+            SpeculateDoubleOperand op(this, node->child1());
+            doubleResult(op.fpr(), node);
+            break;
+        }
+        case Int52RepUse: {
+            SpeculateInt52Operand op(this, node->child1());
+            int52Result(op.gpr(), node);
+            break;
+        }
+        default: {
+            JSValueOperand op(this, node->child1());
+            jsValueResult(op.gpr(), node);
+            break;
+        }
+        } // switch
          break;
      }
author	Carlos Garcia Campos <carlosgc@webkit.org>
	Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
committer	Alberto Garcia <berto@igalia.com>
	Fri, 6 Mar 2015 07:33:11 +0000 (07:33 +0000)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp		patch \| blob \| history
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp		patch \| blob \| history