2009-04-26 Gavin Barraclough <barraclough@apple.com>

        Reviewed by Weinig Sam.

        Fix for https://bugs.webkit.org/show_bug.cgi?id=25416
        "Cached prototype accesses unsafely hoist property storage load above structure checks."
        
        Do not hoist the load of the pointer to the property storage array.

        No performance impact.

        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::privateCompileGetByIdProto):
        (JSC::JIT::privateCompileGetByIdProtoList):



git-svn-id: svn://svn.chromium.org/blink/trunk@42884 bbb929c8-8fbe-4397-9dbb-9b2b20218538

third_party/WebKit/JavaScriptCore/ChangeLog

+2009-04-26  Gavin Barraclough  <barraclough@apple.com>
+
+        Reviewed by Weinig Sam.
+
+        Fix for https://bugs.webkit.org/show_bug.cgi?id=25416
+        "Cached prototype accesses unsafely hoist property storage load above structure checks."
+        
+        Do not hoist the load of the pointer to the property storage array.
+
+        No performance impact.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::privateCompileGetByIdProto):
+        (JSC::JIT::privateCompileGetByIdProtoList):
+
 2009-04-26  Gavin Barraclough  <barraclough@apple.com>
 
         Reviewed by Geoffrey "Gaffe or energy?" Garen.

third_party/WebKit/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -370,8 +370,6 @@ void JIT::privateCompileGetByIdProto(StructureStubInfo* stubInfo, Structure* str
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
     JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(static_cast<void*>(protoPropertyStorage), regT1);
 
     // Check eax is an object of the right Structure.
     Jump failureCases1 = checkStructure(regT0, structure);
@@ -386,6 +384,8 @@ void JIT::privateCompileGetByIdProto(StructureStubInfo* stubInfo, Structure* str
 #endif
 
     // Checks out okay! - getDirectOffset
+    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
+    loadPtr(static_cast<void*>(protoPropertyStorage), regT1);
     loadPtr(Address(regT1, cachedOffset * sizeof(JSValuePtr)), regT0);
 
     Jump success = jump();
@@ -412,8 +412,6 @@ void JIT::privateCompileGetByIdProto(StructureStubInfo* stubInfo, Structure* str
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
     JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
 
     // Check eax is an object of the right Structure.
     Jump failureCases1 = emitJumpIfNotJSCell(regT0);
@@ -424,6 +422,8 @@ void JIT::privateCompileGetByIdProto(StructureStubInfo* stubInfo, Structure* str
     Jump failureCases3 = branchPtr(NotEqual, AbsoluteAddress(prototypeStructureAddress), ImmPtr(prototypeStructure));
 
     // Checks out okay! - getDirectOffset
+    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
+    loadPtr(protoPropertyStorage, regT1);
     loadPtr(Address(regT1, cachedOffset * sizeof(JSValuePtr)), regT0);
 
     ret();
@@ -478,8 +478,6 @@ void JIT::privateCompileGetByIdProtoList(StructureStubInfo* stubInfo, Polymorphi
     // The prototype object definitely exists (if this stub exists the CodeBlock is referencing a Structure that is
     // referencing the prototype object - let's speculatively load it's table nice and early!)
     JSObject* protoObject = asObject(structure->prototypeForLookup(callFrame));
-    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
-    loadPtr(protoPropertyStorage, regT1);
 
     // Check eax is an object of the right Structure.
     Jump failureCases1 = checkStructure(regT0, structure);
@@ -494,6 +492,8 @@ void JIT::privateCompileGetByIdProtoList(StructureStubInfo* stubInfo, Polymorphi
 #endif
 
     // Checks out okay! - getDirectOffset
+    PropertyStorage* protoPropertyStorage = &protoObject->m_propertyStorage;
+    loadPtr(protoPropertyStorage, regT1);
     loadPtr(Address(regT1, cachedOffset * sizeof(JSValuePtr)), regT0);
 
     Jump success = jump();