JavaScriptCore-1218.35.tar.gz

[apple/javascriptcore.git] / dfg / DFGSpeculativeJIT32_64.cpp

diff --git a/dfg/DFGSpeculativeJIT32_64.cpp b/dfg/DFGSpeculativeJIT32_64.cpp
index 0ab170d8ecddb2544eaef212016bc6a3100e2e4b..d31749506e1f403e023160dd88859a3a8a35604b 100644 (file)
--- a/dfg/DFGSpeculativeJIT32_64.cpp
+++ b/dfg/DFGSpeculativeJIT32_64.cpp
@@ -1106,6 +1106,10 @@ GPRReg SpeculativeJIT::fillSpeculateCell(Edge edge)
 
     switch (info.registerFormat()) {
     case DataFormatNone: {
+        if (info.spillFormat() == DataFormatInteger || info.spillFormat() == DataFormatDouble) {
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+            return allocate();
+        }
 
         if (edge->hasConstant()) {
             JSValue jsValue = valueOfJSConstant(edge.node());
@@ -4401,7 +4405,7 @@ void SpeculativeJIT::compile(Node* node)
 
         JITCompiler::Jump isNotCell = m_jit.branch32(JITCompiler::NotEqual, tagGPR, JITCompiler::TrustedImm32(JSValue::CellTag));
         if (node->child1().useKind() != UntypedUse)
-            speculationCheck(BadType, JSValueRegs(tagGPR, payloadGPR), node->child1(), isNotCell);
+            DFG_TYPE_CHECK(JSValueRegs(tagGPR, payloadGPR), node->child1(), SpecCell, isNotCell);
 
         if (!node->child1()->shouldSpeculateObject() || node->child1().useKind() == StringUse) {
             m_jit.loadPtr(JITCompiler::Address(payloadGPR, JSCell::structureOffset()), tempGPR);
@@ -4957,6 +4961,10 @@ void SpeculativeJIT::compile(Node* node)
         noResult(node);
         break;
 
+    case Unreachable:
+        RELEASE_ASSERT_NOT_REACHED();
+        break;
+
     case Nop:
     case LastNodeType:
         RELEASE_ASSERT_NOT_REACHED();