From 0a3506ebe5d7f431f0dd4dffa24ac32063b90ff1 Mon Sep 17 00:00:00 2001
From: Konstantin Tokarev <annulen@yandex.ru>
Date: Thu, 1 Jun 2017 15:54:01 +0300
Subject: Import WebKit commit 3ca7a25a550e473d60bbbe321475c6c0ef114b31

Change-Id: I480668a0cb8114dccf7a1195190a993282875759
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
 Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm | 6 ++++++
 Source/JavaScriptCore/llint/LowLevelInterpreter64.asm    | 4 ++++
 2 files changed, 10 insertions(+)

(limited to 'Source/JavaScriptCore/llint')

diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
index a92d55aa9..14ffda64e 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
@@ -1514,6 +1514,12 @@ _llint_op_put_by_id:
 
 .opPutByIdTransitionDirect:
     storei t1, JSCell::m_structureID[t0]
+    loadi 12[PC], t1
+    loadConstantOrVariable(t1, t2, t3)
+    loadi 20[PC], t1
+    storePropertyAtVariableOffset(t1, t0, t2, t3)
+    writeBarrierOnOperand(1)
+    dispatch(9)
 
 .opPutByIdNotTransition:
     # The only thing live right now is t0, which holds the base.
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index 85173bc82..4b3febb3f 100644
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -1398,6 +1398,10 @@ _llint_op_put_by_id:
 
 .opPutByIdTransitionDirect:
     storei t1, JSCell::m_structureID[t0]
+    writeBarrierOnOperand(1)
+    # Reload base into t0
+    loadisFromInstruction(1, t1)
+    loadConstantOrVariable(t1, t0)
 
 .opPutByIdNotTransition:
     # The only thing live right now is t0, which holds the base.
-- 
cgit v1.2.1