From 53e7f27d262249310bd6b7ad452e7df334c92b7d Mon Sep 17 00:00:00 2001 From: Daniel Liu Date: Wed, 13 Nov 2024 12:27:15 -0800 Subject: [PATCH] Cherry-pick ded4d02c0a93. https://bugs.webkit.org/show_bug.cgi?id=283063 Don't allocate DFG register after a slow path https://bugs.webkit.org/show_bug.cgi?id=283063 rdar://139747120 Reviewed by Yusuke Suzuki. Allocating a DFG register after a slow path means that if the slow path is taken, we end up with an incorrect global state. * Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray): Canonical link: https://commits.webkit.org/282416.295@webkitglib/2.46
---
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 356d52b21a12..d041b63e8ba9 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -3528,6 +3528,14 @@ void SpeculativeJIT::compilePutByValForIntTypedArray(Node* node, TypedArrayType
 }
 }
 
+ GPRReg scratch2GPR = InvalidGPRReg;
+#if USE(JSVALUE64)
+ if (node->arrayMode().mayBeResizableOrGrowableSharedTypedArray()) {
+ scratch2.emplace(this);
+ scratch2GPR = scratch2->gpr();
+ }
+#endif
+
 bool result = getIntTypedArrayStoreOperand(
 value, propertyReg,
 #if USE(JSVALUE32_64)
@@ -3539,14 +3547,6 @@ void SpeculativeJIT::compilePutByValForIntTypedArray(Node* node, TypedArrayType
 return;
 }
 
- GPRReg scratch2GPR = InvalidGPRReg;
-#if USE(JSVALUE64)
- if (node->arrayMode().mayBeResizableOrGrowableSharedTypedArray()) {
- scratch2.emplace(this);
- scratch2GPR = scratch2->gpr();
- }
-#endif
-
 GPRReg valueGPR = value.gpr();
 GPRReg scratchGPR = scratch.gpr();
 #if USE(JSVALUE32_64)
-- 
2.47.0
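Review bot: The relocated `scratch2.emplace(this)` block in the first hunk now depends on sitting above the `getIntTypedArrayStoreOperand(...)` call, but nothing in the code records that ordering constraint, so a later tidy-up could move it back and reintroduce the bug. A comment above the block would pin it down, for example `// Must be allocated before getIntTypedArrayStoreOperand(): allocating a register after a slow path has been emitted leaves the slow path with incorrect register state.` The diffstat lists only DFGSpeculativeJIT.cpp, so no regression test comes with this cherry-pick. If the upstream change had one it is worth carrying over, since a register-state mismatch in JIT-generated code is the kind of defect that tends to have memory-safety consequences. The body of compilePutByValForIntTypedArray starts and ends outside both hunks, so any other scratch registers allocated after this call could not be checked from here.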