1 files changed, 17 insertions, 4 deletions

diff --git a/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h b/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
index 0c5dc2a93..9c7d47a42 100644
--- a/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
+++ b/Source/JavaScriptCore/dfg/DFGArrayifySlowPathGenerator.h
@@ -26,6 +26,8 @@
 #ifndef DFGArrayifySlowPathGenerator_h
 #define DFGArrayifySlowPathGenerator_h
 
+#include <wtf/Platform.h>
+
 #if ENABLE(DFG_JIT)
 
 #include "DFGArrayMode.h"
@@ -101,7 +103,10 @@ protected:
             jit->callOperation(operationEnsureDouble, m_tempGPR, m_baseGPR);
             break;
         case Array::Contiguous:
-            jit->callOperation(operationEnsureContiguous, m_tempGPR, m_baseGPR);
+            if (m_arrayMode.conversion() == Array::RageConvert)
+                jit->callOperation(operationRageEnsureContiguous, m_tempGPR, m_baseGPR);
+            else
+                jit->callOperation(operationEnsureContiguous, m_tempGPR, m_baseGPR);
             break;
         case Array::ArrayStorage:
         case Array::SlowPutArrayStorage:
@@ -113,19 +118,27 @@ protected:
         }
         for (unsigned i = m_plans.size(); i--;)
             jit->silentFill(m_plans[i], GPRInfo::regT0);
-        jit->m_jit.exceptionCheck();
         
         if (m_op == ArrayifyToStructure) {
             ASSERT(m_structure);
             m_badIndexingTypeJump.fill(
-                jit, jit->m_jit.branchWeakStructure(MacroAssembler::NotEqual, MacroAssembler::Address(m_baseGPR, JSCell::structureIDOffset()), m_structure));
+                jit, jit->m_jit.branchWeakPtr(
+                    MacroAssembler::NotEqual,
+                    MacroAssembler::Address(m_baseGPR, JSCell::structureOffset()),
+                    m_structure));
         } else {
+            // Alas, we need to reload the structure because silent spilling does not save
+            // temporaries. Nor would it be useful for it to do so. Either way we're talking
+            // about a load.
+            jit->m_jit.loadPtr(
+                MacroAssembler::Address(m_baseGPR, JSCell::structureOffset()), m_structureGPR);
+            
             // Finally, check that we have the kind of array storage that we wanted to get.
             // Note that this is a backwards speculation check, which will result in the 
             // bytecode operation corresponding to this arrayification being reexecuted.
             // That's fine, since arrayification is not user-visible.
             jit->m_jit.load8(
-                MacroAssembler::Address(m_baseGPR, JSCell::indexingTypeOffset()), m_structureGPR);
+                MacroAssembler::Address(m_structureGPR, Structure::indexingTypeOffset()), m_structureGPR);
             m_badIndexingTypeJump.fill(
                 jit, jit->jumpSlowForUnwantedArrayMode(m_structureGPR, m_arrayMode));
         }