[webkitgtk4] Add JIT and CLoop fixes
Tomas Popela
tpopela at fedoraproject.org
Wed Feb 18 10:20:38 UTC 2015
commit d2ff497aca88f23714d8619a02050e0f696e8c38
Author: Tomas Popela <tpopela at redhat.com>
Date: Wed Feb 18 11:20:01 2015 +0100
Add JIT and CLoop fixes
webkitgtk-2.7.90-180234.patch | 630 ++++++++++++++++++++++++++++
webkitgtk-2.7.90-180248.patch | 23 +
webkitgtk-2.7.90-180258.patch | 915 +++++++++++++++++++++++++++++++++++++++++
webkitgtk4.spec | 10 +
4 files changed, 1578 insertions(+), 0 deletions(-)
---
diff --git a/webkitgtk-2.7.90-180234.patch b/webkitgtk-2.7.90-180234.patch
new file mode 100644
index 0000000..fba2e53
--- /dev/null
+++ b/webkitgtk-2.7.90-180234.patch
@@ -0,0 +1,630 @@
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOpcodes.cpp.180234 webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOpcodes.cpp
+--- webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOpcodes.cpp.180234 2015-02-04 12:04:40.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOpcodes.cpp 2015-02-18 11:11:41.206238552 +0100
+@@ -492,6 +492,11 @@ void JIT::emit_op_push_name_scope(Instru
+
+ void JIT::emit_op_catch(Instruction* currentInstruction)
+ {
++ // Gotta restore the tag registers. We could be throwing from FTL, which may
++ // clobber them.
++ move(TrustedImm64(TagTypeNumber), tagTypeNumberRegister);
++ move(TrustedImm64(TagMask), tagMaskRegister);
++
+ move(TrustedImmPtr(m_vm), regT3);
+ load64(Address(regT3, VM::callFrameForThrowOffset()), callFrameRegister);
+ load64(Address(regT3, VM::vmEntryFrameForThrowOffset()), regT0);
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm.180234 webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+--- webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm.180234 2015-02-16 07:56:53.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm 2015-02-18 11:11:41.203238505 +0100
+@@ -1845,6 +1845,11 @@ _llint_op_to_primitive:
+
+
+ _llint_op_catch:
++ # Gotta restore the tag registers. We could be throwing from FTL, which may
++ # clobber them.
++ move TagTypeNumber, tagTypeNumber
++ move TagMask, tagMask
++
+ # This is where we end up from the JIT's throw trampoline (because the
+ # machine code return address will be set to _llint_op_catch), and from
+ # the interpreter's throw trampoline (see _llint_throw_trampoline).
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm.180234 webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+--- webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm.180234 2015-02-17 08:08:23.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2015-02-18 11:11:41.201238475 +0100
+@@ -66,6 +66,8 @@ if JSVALUE64
+ const ValueTrue = TagBitTypeOther | TagBitBool | 1
+ const ValueUndefined = TagBitTypeOther | TagBitUndefined
+ const ValueNull = TagBitTypeOther
++ const TagTypeNumber = 0xffff000000000000
++ const TagMask = TagTypeNumber | TagBitTypeOther
+ else
+ const Int32Tag = -1
+ const BooleanTag = -2
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-cells.js.180234 webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-cells.js
+--- webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-cells.js.180234 2015-02-18 11:11:41.205238537 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-cells.js 2015-02-18 11:11:41.205238537 +0100
+@@ -0,0 +1,192 @@
++// Attempts to induce a crash resulting from the FTL emitting code that clobbers the tag registers and then
++// throwing an exception without restoring those tag registers' values.
++
++function ftlFunction(array, callee) {
++ // Gotta use lots of gprs.
++ var x0 = array[0];
++ var x1 = array[1];
++ var x2 = array[2];
++ var x3 = array[3];
++ var x4 = array[4];
++ var x5 = array[5];
++ var x6 = array[6];
++ var x7 = array[7];
++ var x8 = array[8];
++ var x9 = array[9];
++ var x10 = array[10];
++ var x11 = array[11];
++ var x12 = array[12];
++ var x13 = array[13];
++ var x14 = array[14];
++ var x15 = array[15];
++ var x16 = array[16];
++ var x17 = array[17];
++ var x18 = array[18];
++ var x19 = array[19];
++ var x20 = array[20];
++ var x21 = array[21];
++ var x22 = array[22];
++ var x23 = array[23];
++ var x24 = array[24];
++ var x25 = array[25];
++ var x26 = array[26];
++ var x27 = array[27];
++ var x28 = array[28];
++ var x29 = array[29];
++ var x30 = array[30];
++ var x31 = array[31];
++ var x32 = array[32];
++ var x33 = array[33];
++ var x34 = array[34];
++ var x35 = array[35];
++ var x36 = array[36];
++ var x37 = array[37];
++ var x38 = array[38];
++ var x39 = array[39];
++ var x40 = array[40];
++ var x41 = array[41];
++ var x42 = array[42];
++ var x43 = array[43];
++ var x44 = array[44];
++ var x45 = array[45];
++ var x46 = array[46];
++ var x47 = array[47];
++ var x48 = array[48];
++ var x49 = array[49];
++ var x50 = array[50];
++ var x51 = array[51];
++ var x52 = array[52];
++ var x53 = array[53];
++ var x54 = array[54];
++ var x55 = array[55];
++ var x56 = array[56];
++ var x57 = array[57];
++ var x58 = array[58];
++ var x59 = array[59];
++ var x60 = array[60];
++ var x61 = array[61];
++ var x62 = array[62];
++ var x63 = array[63];
++
++ // Make a call that will throw, when we ask it to.
++ callee("hello");
++
++ // Use all of those crazy values.
++ return [x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x60, x61, x62, x63]
++}
++
++noInline(ftlFunction);
++
++// Create some callees that are too crazy to get inlined or devirtualized, but that don't have effects.
++
++function happyCallee0() { return 0 };
++function happyCallee1() { return 1 };
++function happyCallee2() { return 2 };
++function happyCallee3() { return 3 };
++function happyCallee4() { return 4 };
++function happyCallee5() { return 5 };
++function happyCallee6() { return 6 };
++function happyCallee7() { return 7 };
++function happyCallee8() { return 8 };
++function happyCallee9() { return 9 };
++function happyCallee10() { return 10 };
++function happyCallee11() { return 11 };
++function happyCallee12() { return 12 };
++function happyCallee13() { return 13 };
++function happyCallee14() { return 14 };
++function happyCallee15() { return 15 };
++function happyCallee16() { return 16 };
++function happyCallee17() { return 17 };
++function happyCallee18() { return 18 };
++function happyCallee19() { return 19 };
++function happyCallee20() { return 20 };
++function happyCallee21() { return 21 };
++function happyCallee22() { return 22 };
++function happyCallee23() { return 23 };
++function happyCallee24() { return 24 };
++function happyCallee25() { return 25 };
++function happyCallee26() { return 26 };
++function happyCallee27() { return 27 };
++function happyCallee28() { return 28 };
++function happyCallee29() { return 29 };
++function happyCallee30() { return 30 };
++function happyCallee31() { return 31 };
++function happyCallee32() { return 32 };
++function happyCallee33() { return 33 };
++function happyCallee34() { return 34 };
++function happyCallee35() { return 35 };
++function happyCallee36() { return 36 };
++function happyCallee37() { return 37 };
++function happyCallee38() { return 38 };
++function happyCallee39() { return 39 };
++function happyCallee40() { return 40 };
++function happyCallee41() { return 41 };
++function happyCallee42() { return 42 };
++function happyCallee43() { return 43 };
++function happyCallee44() { return 44 };
++function happyCallee45() { return 45 };
++function happyCallee46() { return 46 };
++function happyCallee47() { return 47 };
++function happyCallee48() { return 48 };
++function happyCallee49() { return 49 };
++function happyCallee50() { return 50 };
++function happyCallee51() { return 51 };
++function happyCallee52() { return 52 };
++function happyCallee53() { return 53 };
++function happyCallee54() { return 54 };
++function happyCallee55() { return 55 };
++function happyCallee56() { return 56 };
++function happyCallee57() { return 57 };
++function happyCallee58() { return 58 };
++function happyCallee59() { return 59 };
++function happyCallee60() { return 60 };
++function happyCallee61() { return 61 };
++function happyCallee62() { return 62 };
++function happyCallee63() { return 63 };
++
++var happyCallees = [happyCallee0, happyCallee1, happyCallee2, happyCallee3, happyCallee4, happyCallee5, happyCallee6, happyCallee7, happyCallee8, happyCallee9, happyCallee10, happyCallee11, happyCallee12, happyCallee13, happyCallee14, happyCallee15, happyCallee16, happyCallee17, happyCallee18, happyCallee19, happyCallee20, happyCallee21, happyCallee22, happyCallee23, happyCallee24, happyCallee25, happyCallee26, happyCallee27, happyCallee28, happyCallee29, happyCallee30, happyCallee31, happyCallee32, happyCallee33, happyCallee34, happyCallee35, happyCallee36, happyCallee37, happyCallee38, happyCallee39, happyCallee40, happyCallee41, happyCallee42, happyCallee43, happyCallee44, happyCallee45, happyCallee46, happyCallee47, happyCallee48, happyCallee49, happyCallee50, happyCallee51, happyCallee52, happyCallee53, happyCallee54, happyCallee55, happyCallee56, happyCallee57, happyCallee58, happyCallee59, happyCallee60, happyCallee61, happyCallee62, happyCallee63];
++
++for (var i = 0; i < happyCallees.length; ++i)
++ noInline(happyCallees[i]);
++
++// Unlike the other test (throw-from-ftl-call-ic-slow-path.js), we want to populate the registers with cells in
++// this test.
++var array = new Array();
++for (var i = 0; i < 64; ++i)
++ array[i] = new Object();
++
++// Now, do some warming up.
++for (var i = 0; i < 100000; ++i) {
++ var result = ftlFunction(array, happyCallees[i % happyCallees.length]);
++ if (result.length != array.length)
++ throw "Error: bad length: " + result;
++ for (var j = 0; j < result.length; ++j) {
++ if (result[j] != array[j])
++ throw "Error: bad entry at j = " + j + ": " + result;
++ }
++}
++
++// Finally, attempt to trigger the bug.
++var notACell = 42;
++for (var i = 0; i < 100; ++i) {
++ try {
++ ftlFunction(array, Int8Array);
++ } catch (e) {
++ if (e.message.indexOf("not a function") < 0)
++ throw "Error: bad exception message: " + e.message;
++ var result = notACell.f;
++ if (result !== void 0) {
++ print("Bad outcome of accessing f on notACell.");
++ print("Here's notACell:", notACell, describe(notACell));
++ print("Here's the result:", result, describe(result));
++ throw "Error: bad outcome of accessing f on " + notACell + ": " + result;
++ }
++ var result2 = result + 5;
++ var result3 = notACell + 5;
++ if ("" + result2 != "NaN")
++ throw "Error: bad outcome of adding 5 to result: " + result2;
++ if (result3 != 47)
++ throw "Error: bad outcome of adding 5 to 42: " + result3;
++ }
++}
++
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path.js.180234 webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path.js
+--- webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path.js.180234 2015-02-18 11:11:41.204238521 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path.js 2015-02-18 11:11:41.204238521 +0100
+@@ -0,0 +1,192 @@
++// Attempts to induce a crash resulting from the FTL emitting code that clobbers the tag registers and then
++// throwing an exception without restoring those tag registers' values.
++
++function ftlFunction(array, callee) {
++ // Gotta use lots of gprs.
++ var x0 = array[0];
++ var x1 = array[1];
++ var x2 = array[2];
++ var x3 = array[3];
++ var x4 = array[4];
++ var x5 = array[5];
++ var x6 = array[6];
++ var x7 = array[7];
++ var x8 = array[8];
++ var x9 = array[9];
++ var x10 = array[10];
++ var x11 = array[11];
++ var x12 = array[12];
++ var x13 = array[13];
++ var x14 = array[14];
++ var x15 = array[15];
++ var x16 = array[16];
++ var x17 = array[17];
++ var x18 = array[18];
++ var x19 = array[19];
++ var x20 = array[20];
++ var x21 = array[21];
++ var x22 = array[22];
++ var x23 = array[23];
++ var x24 = array[24];
++ var x25 = array[25];
++ var x26 = array[26];
++ var x27 = array[27];
++ var x28 = array[28];
++ var x29 = array[29];
++ var x30 = array[30];
++ var x31 = array[31];
++ var x32 = array[32];
++ var x33 = array[33];
++ var x34 = array[34];
++ var x35 = array[35];
++ var x36 = array[36];
++ var x37 = array[37];
++ var x38 = array[38];
++ var x39 = array[39];
++ var x40 = array[40];
++ var x41 = array[41];
++ var x42 = array[42];
++ var x43 = array[43];
++ var x44 = array[44];
++ var x45 = array[45];
++ var x46 = array[46];
++ var x47 = array[47];
++ var x48 = array[48];
++ var x49 = array[49];
++ var x50 = array[50];
++ var x51 = array[51];
++ var x52 = array[52];
++ var x53 = array[53];
++ var x54 = array[54];
++ var x55 = array[55];
++ var x56 = array[56];
++ var x57 = array[57];
++ var x58 = array[58];
++ var x59 = array[59];
++ var x60 = array[60];
++ var x61 = array[61];
++ var x62 = array[62];
++ var x63 = array[63];
++
++ // Make a call that will throw, when we ask it to.
++ callee("hello");
++
++ // Use all of those crazy values.
++ return [x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x60, x61, x62, x63]
++}
++
++noInline(ftlFunction);
++
++// Create some callees that are too crazy to get inlined or devirtualized, but that don't have effects.
++
++function happyCallee0() { return 0 };
++function happyCallee1() { return 1 };
++function happyCallee2() { return 2 };
++function happyCallee3() { return 3 };
++function happyCallee4() { return 4 };
++function happyCallee5() { return 5 };
++function happyCallee6() { return 6 };
++function happyCallee7() { return 7 };
++function happyCallee8() { return 8 };
++function happyCallee9() { return 9 };
++function happyCallee10() { return 10 };
++function happyCallee11() { return 11 };
++function happyCallee12() { return 12 };
++function happyCallee13() { return 13 };
++function happyCallee14() { return 14 };
++function happyCallee15() { return 15 };
++function happyCallee16() { return 16 };
++function happyCallee17() { return 17 };
++function happyCallee18() { return 18 };
++function happyCallee19() { return 19 };
++function happyCallee20() { return 20 };
++function happyCallee21() { return 21 };
++function happyCallee22() { return 22 };
++function happyCallee23() { return 23 };
++function happyCallee24() { return 24 };
++function happyCallee25() { return 25 };
++function happyCallee26() { return 26 };
++function happyCallee27() { return 27 };
++function happyCallee28() { return 28 };
++function happyCallee29() { return 29 };
++function happyCallee30() { return 30 };
++function happyCallee31() { return 31 };
++function happyCallee32() { return 32 };
++function happyCallee33() { return 33 };
++function happyCallee34() { return 34 };
++function happyCallee35() { return 35 };
++function happyCallee36() { return 36 };
++function happyCallee37() { return 37 };
++function happyCallee38() { return 38 };
++function happyCallee39() { return 39 };
++function happyCallee40() { return 40 };
++function happyCallee41() { return 41 };
++function happyCallee42() { return 42 };
++function happyCallee43() { return 43 };
++function happyCallee44() { return 44 };
++function happyCallee45() { return 45 };
++function happyCallee46() { return 46 };
++function happyCallee47() { return 47 };
++function happyCallee48() { return 48 };
++function happyCallee49() { return 49 };
++function happyCallee50() { return 50 };
++function happyCallee51() { return 51 };
++function happyCallee52() { return 52 };
++function happyCallee53() { return 53 };
++function happyCallee54() { return 54 };
++function happyCallee55() { return 55 };
++function happyCallee56() { return 56 };
++function happyCallee57() { return 57 };
++function happyCallee58() { return 58 };
++function happyCallee59() { return 59 };
++function happyCallee60() { return 60 };
++function happyCallee61() { return 61 };
++function happyCallee62() { return 62 };
++function happyCallee63() { return 63 };
++
++var happyCallees = [happyCallee0, happyCallee1, happyCallee2, happyCallee3, happyCallee4, happyCallee5, happyCallee6, happyCallee7, happyCallee8, happyCallee9, happyCallee10, happyCallee11, happyCallee12, happyCallee13, happyCallee14, happyCallee15, happyCallee16, happyCallee17, happyCallee18, happyCallee19, happyCallee20, happyCallee21, happyCallee22, happyCallee23, happyCallee24, happyCallee25, happyCallee26, happyCallee27, happyCallee28, happyCallee29, happyCallee30, happyCallee31, happyCallee32, happyCallee33, happyCallee34, happyCallee35, happyCallee36, happyCallee37, happyCallee38, happyCallee39, happyCallee40, happyCallee41, happyCallee42, happyCallee43, happyCallee44, happyCallee45, happyCallee46, happyCallee47, happyCallee48, happyCallee49, happyCallee50, happyCallee51, happyCallee52, happyCallee53, happyCallee54, happyCallee55, happyCallee56, happyCallee57, happyCallee58, happyCallee59, happyCallee60, happyCallee61, happyCallee62, happyCallee63];
++
++for (var i = 0; i < happyCallees.length; ++i)
++ noInline(happyCallees[i]);
++
++// We want the input array to have an easy-to-deal-with type that isn't exactly the same as the type that
++// ftlFunction will return.
++var array = new Int32Array(64);
++for (var i = 0; i < array.length; ++i)
++ array[i] = i;
++
++// Now, do some warming up.
++for (var i = 0; i < 100000; ++i) {
++ var result = ftlFunction(array, happyCallees[i % happyCallees.length]);
++ if (result.length != array.length)
++ throw "Error: bad length: " + result;
++ for (var j = 0; j < result.length; ++j) {
++ if (result[j] != array[j])
++ throw "Error: bad entry at j = " + j + ": " + result;
++ }
++}
++
++// Finally, attempt to trigger the bug.
++var notACell = 42;
++for (var i = 0; i < 100; ++i) {
++ try {
++ ftlFunction(array, Int8Array);
++ } catch (e) {
++ if (e.message.indexOf("not a function") < 0)
++ throw "Error: bad exception message: " + e.message;
++ var result = notACell.f;
++ if (result !== void 0) {
++ print("Bad outcome of accessing f on notACell.");
++ print("Here's notACell:", notACell, describe(notACell));
++ print("Here's the result:", result, describe(result));
++ throw "Error: bad outcome of accessing f on " + notACell + ": " + result;
++ }
++ var result2 = result + 5;
++ var result3 = notACell + 5;
++ if ("" + result2 != "NaN")
++ throw "Error: bad outcome of adding 5 to result: " + result2;
++ if (result3 != 47)
++ throw "Error: bad outcome of adding 5 to 42: " + result3;
++ }
++}
++
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js.180234 webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js
+--- webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js.180234 2015-02-18 11:11:41.204238521 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/tests/stress/throw-from-ftl-call-ic-slow-path-undefined.js 2015-02-18 11:11:41.204238521 +0100
+@@ -0,0 +1,192 @@
++// Attempts to induce a crash resulting from the FTL emitting code that clobbers the tag registers and then
++// throwing an exception without restoring those tag registers' values.
++
++function ftlFunction(array, callee) {
++ // Gotta use lots of gprs.
++ var x0 = array[0];
++ var x1 = array[1];
++ var x2 = array[2];
++ var x3 = array[3];
++ var x4 = array[4];
++ var x5 = array[5];
++ var x6 = array[6];
++ var x7 = array[7];
++ var x8 = array[8];
++ var x9 = array[9];
++ var x10 = array[10];
++ var x11 = array[11];
++ var x12 = array[12];
++ var x13 = array[13];
++ var x14 = array[14];
++ var x15 = array[15];
++ var x16 = array[16];
++ var x17 = array[17];
++ var x18 = array[18];
++ var x19 = array[19];
++ var x20 = array[20];
++ var x21 = array[21];
++ var x22 = array[22];
++ var x23 = array[23];
++ var x24 = array[24];
++ var x25 = array[25];
++ var x26 = array[26];
++ var x27 = array[27];
++ var x28 = array[28];
++ var x29 = array[29];
++ var x30 = array[30];
++ var x31 = array[31];
++ var x32 = array[32];
++ var x33 = array[33];
++ var x34 = array[34];
++ var x35 = array[35];
++ var x36 = array[36];
++ var x37 = array[37];
++ var x38 = array[38];
++ var x39 = array[39];
++ var x40 = array[40];
++ var x41 = array[41];
++ var x42 = array[42];
++ var x43 = array[43];
++ var x44 = array[44];
++ var x45 = array[45];
++ var x46 = array[46];
++ var x47 = array[47];
++ var x48 = array[48];
++ var x49 = array[49];
++ var x50 = array[50];
++ var x51 = array[51];
++ var x52 = array[52];
++ var x53 = array[53];
++ var x54 = array[54];
++ var x55 = array[55];
++ var x56 = array[56];
++ var x57 = array[57];
++ var x58 = array[58];
++ var x59 = array[59];
++ var x60 = array[60];
++ var x61 = array[61];
++ var x62 = array[62];
++ var x63 = array[63];
++
++ // Make a call that will throw, when we ask it to.
++ callee("hello");
++
++ // Use all of those crazy values.
++ return [x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15, x16, x17, x18, x19, x20, x21, x22, x23, x24, x25, x26, x27, x28, x29, x30, x31, x32, x33, x34, x35, x36, x37, x38, x39, x40, x41, x42, x43, x44, x45, x46, x47, x48, x49, x50, x51, x52, x53, x54, x55, x56, x57, x58, x59, x60, x61, x62, x63]
++}
++
++noInline(ftlFunction);
++
++// Create some callees that are too crazy to get inlined or devirtualized, but that don't have effects.
++
++function happyCallee0() { return 0 };
++function happyCallee1() { return 1 };
++function happyCallee2() { return 2 };
++function happyCallee3() { return 3 };
++function happyCallee4() { return 4 };
++function happyCallee5() { return 5 };
++function happyCallee6() { return 6 };
++function happyCallee7() { return 7 };
++function happyCallee8() { return 8 };
++function happyCallee9() { return 9 };
++function happyCallee10() { return 10 };
++function happyCallee11() { return 11 };
++function happyCallee12() { return 12 };
++function happyCallee13() { return 13 };
++function happyCallee14() { return 14 };
++function happyCallee15() { return 15 };
++function happyCallee16() { return 16 };
++function happyCallee17() { return 17 };
++function happyCallee18() { return 18 };
++function happyCallee19() { return 19 };
++function happyCallee20() { return 20 };
++function happyCallee21() { return 21 };
++function happyCallee22() { return 22 };
++function happyCallee23() { return 23 };
++function happyCallee24() { return 24 };
++function happyCallee25() { return 25 };
++function happyCallee26() { return 26 };
++function happyCallee27() { return 27 };
++function happyCallee28() { return 28 };
++function happyCallee29() { return 29 };
++function happyCallee30() { return 30 };
++function happyCallee31() { return 31 };
++function happyCallee32() { return 32 };
++function happyCallee33() { return 33 };
++function happyCallee34() { return 34 };
++function happyCallee35() { return 35 };
++function happyCallee36() { return 36 };
++function happyCallee37() { return 37 };
++function happyCallee38() { return 38 };
++function happyCallee39() { return 39 };
++function happyCallee40() { return 40 };
++function happyCallee41() { return 41 };
++function happyCallee42() { return 42 };
++function happyCallee43() { return 43 };
++function happyCallee44() { return 44 };
++function happyCallee45() { return 45 };
++function happyCallee46() { return 46 };
++function happyCallee47() { return 47 };
++function happyCallee48() { return 48 };
++function happyCallee49() { return 49 };
++function happyCallee50() { return 50 };
++function happyCallee51() { return 51 };
++function happyCallee52() { return 52 };
++function happyCallee53() { return 53 };
++function happyCallee54() { return 54 };
++function happyCallee55() { return 55 };
++function happyCallee56() { return 56 };
++function happyCallee57() { return 57 };
++function happyCallee58() { return 58 };
++function happyCallee59() { return 59 };
++function happyCallee60() { return 60 };
++function happyCallee61() { return 61 };
++function happyCallee62() { return 62 };
++function happyCallee63() { return 63 };
++
++var happyCallees = [happyCallee0, happyCallee1, happyCallee2, happyCallee3, happyCallee4, happyCallee5, happyCallee6, happyCallee7, happyCallee8, happyCallee9, happyCallee10, happyCallee11, happyCallee12, happyCallee13, happyCallee14, happyCallee15, happyCallee16, happyCallee17, happyCallee18, happyCallee19, happyCallee20, happyCallee21, happyCallee22, happyCallee23, happyCallee24, happyCallee25, happyCallee26, happyCallee27, happyCallee28, happyCallee29, happyCallee30, happyCallee31, happyCallee32, happyCallee33, happyCallee34, happyCallee35, happyCallee36, happyCallee37, happyCallee38, happyCallee39, happyCallee40, happyCallee41, happyCallee42, happyCallee43, happyCallee44, happyCallee45, happyCallee46, happyCallee47, happyCallee48, happyCallee49, happyCallee50, happyCallee51, happyCallee52, happyCallee53, happyCallee54, happyCallee55, happyCallee56, happyCallee57, happyCallee58, happyCallee59, happyCallee60, happyCallee61, happyCallee62, happyCallee63];
++
++for (var i = 0; i < happyCallees.length; ++i)
++ noInline(happyCallees[i]);
++
++// Unlike the other test (throw-from-ftl-call-ic-slow-path.js), we want to populate the registers with undefined
++// in this test.
++var array = new Array();
++for (var i = 0; i < 64; ++i)
++ array[i] = void 0;
++
++// Now, do some warming up.
++for (var i = 0; i < 100000; ++i) {
++ var result = ftlFunction(array, happyCallees[i % happyCallees.length]);
++ if (result.length != array.length)
++ throw "Error: bad length: " + result;
++ for (var j = 0; j < result.length; ++j) {
++ if (result[j] != array[j])
++ throw "Error: bad entry at j = " + j + ": " + result;
++ }
++}
++
++// Finally, attempt to trigger the bug.
++var notACell = 42;
++for (var i = 0; i < 100; ++i) {
++ try {
++ ftlFunction(array, Int8Array);
++ } catch (e) {
++ if (e.message.indexOf("not a function") < 0)
++ throw "Error: bad exception message: " + e.message;
++ var result = notACell.f;
++ if (result !== void 0) {
++ print("Bad outcome of accessing f on notACell.");
++ print("Here's notACell:", notACell, describe(notACell));
++ print("Here's the result:", result, describe(result));
++ throw "Error: bad outcome of accessing f on " + notACell + ": " + result;
++ }
++ var result2 = result + 5;
++ var result3 = notACell + 5;
++ if ("" + result2 != "NaN")
++ throw "Error: bad outcome of adding 5 to result: " + result2;
++ if (result3 != 47)
++ throw "Error: bad outcome of adding 5 to 42: " + result3;
++ }
++}
++
diff --git a/webkitgtk-2.7.90-180248.patch b/webkitgtk-2.7.90-180248.patch
new file mode 100644
index 0000000..6fe253b
--- /dev/null
+++ b/webkitgtk-2.7.90-180248.patch
@@ -0,0 +1,23 @@
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp.180248 webkitgtk-2.7.90/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
+--- webkitgtk-2.7.90/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp.180248 2015-02-17 08:08:23.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 2015-02-18 11:15:39.060933863 +0100
+@@ -490,6 +490,7 @@ LLINT_SLOW_PATH_DECL(stack_check)
+ LLINT_RETURN_TWO(pc, 0);
+ #endif
+
++ exec = exec->callerFrame(vm.topVMEntryFrame);
+ vm.topCallFrame = exec;
+ ErrorHandlingScope errorScope(vm);
+ CommonSlowPaths::interpreterThrowInCaller(exec, createStackOverflowError(exec));
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm.180248 webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm
+--- webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm.180248 2015-02-18 11:14:23.098753714 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/llint/LowLevelInterpreter.asm 2015-02-18 11:15:39.059933848 +0100
+@@ -633,7 +633,7 @@ macro prologue(codeBlockGetter, codeBloc
+ .stackHeightOKGetCodeBlock:
+ # Stack check slow path returned that the stack was ok.
+ # Since they were clobbered, need to get CodeBlock and new sp
+- codeBlockGetter(t1)
++ codeBlockSetter(t1)
+ getFrameRegisterSizeForCodeBlock(t1, t0)
+ subp cfr, t0, t0
+
diff --git a/webkitgtk-2.7.90-180258.patch b/webkitgtk-2.7.90-180258.patch
new file mode 100644
index 0000000..4188f40
--- /dev/null
+++ b/webkitgtk-2.7.90-180258.patch
@@ -0,0 +1,915 @@
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/CMakeLists.txt.180258 webkitgtk-2.7.90/Source/JavaScriptCore/CMakeLists.txt
+--- webkitgtk-2.7.90/Source/JavaScriptCore/CMakeLists.txt.180258 2015-02-11 10:18:42.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/CMakeLists.txt 2015-02-18 11:15:46.878055310 +0100
+@@ -507,6 +507,7 @@ set(JavaScriptCore_RUNTIME_SOURCES
+ runtime/MapIteratorConstructor.cpp
+ runtime/MapIteratorPrototype.cpp
+ runtime/MapPrototype.cpp
++ runtime/MathCommon.cpp
+ runtime/MathObject.cpp
+ runtime/MemoryStatistics.cpp
+ runtime/NativeErrorConstructor.cpp
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h.180258 webkitgtk-2.7.90/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+--- webkitgtk-2.7.90/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h.180258 2015-02-17 08:08:23.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2015-02-18 11:15:46.883055387 +0100
+@@ -32,6 +32,7 @@
+ #include "GetByIdStatus.h"
+ #include "GetterSetter.h"
+ #include "JITOperations.h"
++#include "MathCommon.h"
+ #include "Operations.h"
+ #include "PutByIdStatus.h"
+ #include "StringObject.h"
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.cpp.180258 webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.cpp
+--- webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.cpp.180258 2015-02-16 07:56:53.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.cpp 2015-02-18 11:15:46.880055340 +0100
+@@ -1213,395 +1213,6 @@ SlowPathReturnType JIT_OPERATION operati
+ }
+ #endif
+
+-#if PLATFORM(IOS) && CPU(ARM_THUMB2)
+-
+-// The following code is taken from netlib.org:
+-// http://www.netlib.org/fdlibm/fdlibm.h
+-// http://www.netlib.org/fdlibm/e_pow.c
+-// http://www.netlib.org/fdlibm/s_scalbn.c
+-//
+-// And was originally distributed under the following license:
+-
+-/*
+- * ====================================================
+- * Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved.
+- *
+- * Developed at SunSoft, a Sun Microsystems, Inc. business.
+- * Permission to use, copy, modify, and distribute this
+- * software is freely granted, provided that this notice
+- * is preserved.
+- * ====================================================
+- */
+-/*
+- * ====================================================
+- * Copyright (C) 2004 by Sun Microsystems, Inc. All rights reserved.
+- *
+- * Permission to use, copy, modify, and distribute this
+- * software is freely granted, provided that this notice
+- * is preserved.
+- * ====================================================
+- */
+-
+-/* __ieee754_pow(x,y) return x**y
+- *
+- * n
+- * Method: Let x = 2 * (1+f)
+- * 1. Compute and return log2(x) in two pieces:
+- * log2(x) = w1 + w2,
+- * where w1 has 53-24 = 29 bit trailing zeros.
+- * 2. Perform y*log2(x) = n+y' by simulating muti-precision
+- * arithmetic, where |y'|<=0.5.
+- * 3. Return x**y = 2**n*exp(y'*log2)
+- *
+- * Special cases:
+- * 1. (anything) ** 0 is 1
+- * 2. (anything) ** 1 is itself
+- * 3. (anything) ** NAN is NAN
+- * 4. NAN ** (anything except 0) is NAN
+- * 5. +-(|x| > 1) ** +INF is +INF
+- * 6. +-(|x| > 1) ** -INF is +0
+- * 7. +-(|x| < 1) ** +INF is +0
+- * 8. +-(|x| < 1) ** -INF is +INF
+- * 9. +-1 ** +-INF is NAN
+- * 10. +0 ** (+anything except 0, NAN) is +0
+- * 11. -0 ** (+anything except 0, NAN, odd integer) is +0
+- * 12. +0 ** (-anything except 0, NAN) is +INF
+- * 13. -0 ** (-anything except 0, NAN, odd integer) is +INF
+- * 14. -0 ** (odd integer) = -( +0 ** (odd integer) )
+- * 15. +INF ** (+anything except 0,NAN) is +INF
+- * 16. +INF ** (-anything except 0,NAN) is +0
+- * 17. -INF ** (anything) = -0 ** (-anything)
+- * 18. (-anything) ** (integer) is (-1)**(integer)*(+anything**integer)
+- * 19. (-anything except 0 and inf) ** (non-integer) is NAN
+- *
+- * Accuracy:
+- * pow(x,y) returns x**y nearly rounded. In particular
+- * pow(integer,integer)
+- * always returns the correct integer provided it is
+- * representable.
+- *
+- * Constants :
+- * The hexadecimal values are the intended ones for the following
+- * constants. The decimal values may be used, provided that the
+- * compiler will convert from decimal to binary accurately enough
+- * to produce the hexadecimal values shown.
+- */
+-
+-#define __HI(x) *(1+(int*)&x)
+-#define __LO(x) *(int*)&x
+-
+-static const double
+-bp[] = {1.0, 1.5,},
+-dp_h[] = { 0.0, 5.84962487220764160156e-01,}, /* 0x3FE2B803, 0x40000000 */
+-dp_l[] = { 0.0, 1.35003920212974897128e-08,}, /* 0x3E4CFDEB, 0x43CFD006 */
+-zero = 0.0,
+-one = 1.0,
+-two = 2.0,
+-two53 = 9007199254740992.0, /* 0x43400000, 0x00000000 */
+-huge = 1.0e300,
+-tiny = 1.0e-300,
+- /* for scalbn */
+-two54 = 1.80143985094819840000e+16, /* 0x43500000, 0x00000000 */
+-twom54 = 5.55111512312578270212e-17, /* 0x3C900000, 0x00000000 */
+- /* poly coefs for (3/2)*(log(x)-2s-2/3*s**3 */
+-L1 = 5.99999999999994648725e-01, /* 0x3FE33333, 0x33333303 */
+-L2 = 4.28571428578550184252e-01, /* 0x3FDB6DB6, 0xDB6FABFF */
+-L3 = 3.33333329818377432918e-01, /* 0x3FD55555, 0x518F264D */
+-L4 = 2.72728123808534006489e-01, /* 0x3FD17460, 0xA91D4101 */
+-L5 = 2.30660745775561754067e-01, /* 0x3FCD864A, 0x93C9DB65 */
+-L6 = 2.06975017800338417784e-01, /* 0x3FCA7E28, 0x4A454EEF */
+-P1 = 1.66666666666666019037e-01, /* 0x3FC55555, 0x5555553E */
+-P2 = -2.77777777770155933842e-03, /* 0xBF66C16C, 0x16BEBD93 */
+-P3 = 6.61375632143793436117e-05, /* 0x3F11566A, 0xAF25DE2C */
+-P4 = -1.65339022054652515390e-06, /* 0xBEBBBD41, 0xC5D26BF1 */
+-P5 = 4.13813679705723846039e-08, /* 0x3E663769, 0x72BEA4D0 */
+-lg2 = 6.93147180559945286227e-01, /* 0x3FE62E42, 0xFEFA39EF */
+-lg2_h = 6.93147182464599609375e-01, /* 0x3FE62E43, 0x00000000 */
+-lg2_l = -1.90465429995776804525e-09, /* 0xBE205C61, 0x0CA86C39 */
+-ovt = 8.0085662595372944372e-0017, /* -(1024-log2(ovfl+.5ulp)) */
+-cp = 9.61796693925975554329e-01, /* 0x3FEEC709, 0xDC3A03FD =2/(3ln2) */
+-cp_h = 9.61796700954437255859e-01, /* 0x3FEEC709, 0xE0000000 =(float)cp */
+-cp_l = -7.02846165095275826516e-09, /* 0xBE3E2FE0, 0x145B01F5 =tail of cp_h*/
+-ivln2 = 1.44269504088896338700e+00, /* 0x3FF71547, 0x652B82FE =1/ln2 */
+-ivln2_h = 1.44269502162933349609e+00, /* 0x3FF71547, 0x60000000 =24b 1/ln2*/
+-ivln2_l = 1.92596299112661746887e-08; /* 0x3E54AE0B, 0xF85DDF44 =1/ln2 tail*/
+-
+-inline double fdlibmScalbn (double x, int n)
+-{
+- int k,hx,lx;
+- hx = __HI(x);
+- lx = __LO(x);
+- k = (hx&0x7ff00000)>>20; /* extract exponent */
+- if (k==0) { /* 0 or subnormal x */
+- if ((lx|(hx&0x7fffffff))==0) return x; /* +-0 */
+- x *= two54;
+- hx = __HI(x);
+- k = ((hx&0x7ff00000)>>20) - 54;
+- if (n< -50000) return tiny*x; /*underflow*/
+- }
+- if (k==0x7ff) return x+x; /* NaN or Inf */
+- k = k+n;
+- if (k > 0x7fe) return huge*copysign(huge,x); /* overflow */
+- if (k > 0) /* normal result */
+- {__HI(x) = (hx&0x800fffff)|(k<<20); return x;}
+- if (k <= -54) {
+- if (n > 50000) /* in case integer overflow in n+k */
+- return huge*copysign(huge,x); /*overflow*/
+- else return tiny*copysign(tiny,x); /*underflow*/
+- }
+- k += 54; /* subnormal result */
+- __HI(x) = (hx&0x800fffff)|(k<<20);
+- return x*twom54;
+-}
+-
+-static double fdlibmPow(double x, double y)
+-{
+- double z,ax,z_h,z_l,p_h,p_l;
+- double y1,t1,t2,r,s,t,u,v,w;
+- int i0,i1,i,j,k,yisint,n;
+- int hx,hy,ix,iy;
+- unsigned lx,ly;
+-
+- i0 = ((*(int*)&one)>>29)^1; i1=1-i0;
+- hx = __HI(x); lx = __LO(x);
+- hy = __HI(y); ly = __LO(y);
+- ix = hx&0x7fffffff; iy = hy&0x7fffffff;
+-
+- /* y==zero: x**0 = 1 */
+- if((iy|ly)==0) return one;
+-
+- /* +-NaN return x+y */
+- if(ix > 0x7ff00000 || ((ix==0x7ff00000)&&(lx!=0)) ||
+- iy > 0x7ff00000 || ((iy==0x7ff00000)&&(ly!=0)))
+- return x+y;
+-
+- /* determine if y is an odd int when x < 0
+- * yisint = 0 ... y is not an integer
+- * yisint = 1 ... y is an odd int
+- * yisint = 2 ... y is an even int
+- */
+- yisint = 0;
+- if(hx<0) {
+- if(iy>=0x43400000) yisint = 2; /* even integer y */
+- else if(iy>=0x3ff00000) {
+- k = (iy>>20)-0x3ff; /* exponent */
+- if(k>20) {
+- j = ly>>(52-k);
+- if(static_cast<unsigned>(j<<(52-k))==ly) yisint = 2-(j&1);
+- } else if(ly==0) {
+- j = iy>>(20-k);
+- if((j<<(20-k))==iy) yisint = 2-(j&1);
+- }
+- }
+- }
+-
+- /* special value of y */
+- if(ly==0) {
+- if (iy==0x7ff00000) { /* y is +-inf */
+- if(((ix-0x3ff00000)|lx)==0)
+- return y - y; /* inf**+-1 is NaN */
+- else if (ix >= 0x3ff00000)/* (|x|>1)**+-inf = inf,0 */
+- return (hy>=0)? y: zero;
+- else /* (|x|<1)**-,+inf = inf,0 */
+- return (hy<0)?-y: zero;
+- }
+- if(iy==0x3ff00000) { /* y is +-1 */
+- if(hy<0) return one/x; else return x;
+- }
+- if(hy==0x40000000) return x*x; /* y is 2 */
+- if(hy==0x3fe00000) { /* y is 0.5 */
+- if(hx>=0) /* x >= +0 */
+- return sqrt(x);
+- }
+- }
+-
+- ax = fabs(x);
+- /* special value of x */
+- if(lx==0) {
+- if(ix==0x7ff00000||ix==0||ix==0x3ff00000){
+- z = ax; /*x is +-0,+-inf,+-1*/
+- if(hy<0) z = one/z; /* z = (1/|x|) */
+- if(hx<0) {
+- if(((ix-0x3ff00000)|yisint)==0) {
+- z = (z-z)/(z-z); /* (-1)**non-int is NaN */
+- } else if(yisint==1)
+- z = -z; /* (x<0)**odd = -(|x|**odd) */
+- }
+- return z;
+- }
+- }
+-
+- n = (hx>>31)+1;
+-
+- /* (x<0)**(non-int) is NaN */
+- if((n|yisint)==0) return (x-x)/(x-x);
+-
+- s = one; /* s (sign of result -ve**odd) = -1 else = 1 */
+- if((n|(yisint-1))==0) s = -one;/* (-ve)**(odd int) */
+-
+- /* |y| is huge */
+- if(iy>0x41e00000) { /* if |y| > 2**31 */
+- if(iy>0x43f00000){ /* if |y| > 2**64, must o/uflow */
+- if(ix<=0x3fefffff) return (hy<0)? huge*huge:tiny*tiny;
+- if(ix>=0x3ff00000) return (hy>0)? huge*huge:tiny*tiny;
+- }
+- /* over/underflow if x is not close to one */
+- if(ix<0x3fefffff) return (hy<0)? s*huge*huge:s*tiny*tiny;
+- if(ix>0x3ff00000) return (hy>0)? s*huge*huge:s*tiny*tiny;
+- /* now |1-x| is tiny <= 2**-20, suffice to compute
+- log(x) by x-x^2/2+x^3/3-x^4/4 */
+- t = ax-one; /* t has 20 trailing zeros */
+- w = (t*t)*(0.5-t*(0.3333333333333333333333-t*0.25));
+- u = ivln2_h*t; /* ivln2_h has 21 sig. bits */
+- v = t*ivln2_l-w*ivln2;
+- t1 = u+v;
+- __LO(t1) = 0;
+- t2 = v-(t1-u);
+- } else {
+- double ss,s2,s_h,s_l,t_h,t_l;
+- n = 0;
+- /* take care subnormal number */
+- if(ix<0x00100000)
+- {ax *= two53; n -= 53; ix = __HI(ax); }
+- n += ((ix)>>20)-0x3ff;
+- j = ix&0x000fffff;
+- /* determine interval */
+- ix = j|0x3ff00000; /* normalize ix */
+- if(j<=0x3988E) k=0; /* |x|<sqrt(3/2) */
+- else if(j<0xBB67A) k=1; /* |x|<sqrt(3) */
+- else {k=0;n+=1;ix -= 0x00100000;}
+- __HI(ax) = ix;
+-
+- /* compute ss = s_h+s_l = (x-1)/(x+1) or (x-1.5)/(x+1.5) */
+- u = ax-bp[k]; /* bp[0]=1.0, bp[1]=1.5 */
+- v = one/(ax+bp[k]);
+- ss = u*v;
+- s_h = ss;
+- __LO(s_h) = 0;
+- /* t_h=ax+bp[k] High */
+- t_h = zero;
+- __HI(t_h)=((ix>>1)|0x20000000)+0x00080000+(k<<18);
+- t_l = ax - (t_h-bp[k]);
+- s_l = v*((u-s_h*t_h)-s_h*t_l);
+- /* compute log(ax) */
+- s2 = ss*ss;
+- r = s2*s2*(L1+s2*(L2+s2*(L3+s2*(L4+s2*(L5+s2*L6)))));
+- r += s_l*(s_h+ss);
+- s2 = s_h*s_h;
+- t_h = 3.0+s2+r;
+- __LO(t_h) = 0;
+- t_l = r-((t_h-3.0)-s2);
+- /* u+v = ss*(1+...) */
+- u = s_h*t_h;
+- v = s_l*t_h+t_l*ss;
+- /* 2/(3log2)*(ss+...) */
+- p_h = u+v;
+- __LO(p_h) = 0;
+- p_l = v-(p_h-u);
+- z_h = cp_h*p_h; /* cp_h+cp_l = 2/(3*log2) */
+- z_l = cp_l*p_h+p_l*cp+dp_l[k];
+- /* log2(ax) = (ss+..)*2/(3*log2) = n + dp_h + z_h + z_l */
+- t = (double)n;
+- t1 = (((z_h+z_l)+dp_h[k])+t);
+- __LO(t1) = 0;
+- t2 = z_l-(((t1-t)-dp_h[k])-z_h);
+- }
+-
+- /* split up y into y1+y2 and compute (y1+y2)*(t1+t2) */
+- y1 = y;
+- __LO(y1) = 0;
+- p_l = (y-y1)*t1+y*t2;
+- p_h = y1*t1;
+- z = p_l+p_h;
+- j = __HI(z);
+- i = __LO(z);
+- if (j>=0x40900000) { /* z >= 1024 */
+- if(((j-0x40900000)|i)!=0) /* if z > 1024 */
+- return s*huge*huge; /* overflow */
+- else {
+- if(p_l+ovt>z-p_h) return s*huge*huge; /* overflow */
+- }
+- } else if((j&0x7fffffff)>=0x4090cc00 ) { /* z <= -1075 */
+- if(((j-0xc090cc00)|i)!=0) /* z < -1075 */
+- return s*tiny*tiny; /* underflow */
+- else {
+- if(p_l<=z-p_h) return s*tiny*tiny; /* underflow */
+- }
+- }
+- /*
+- * compute 2**(p_h+p_l)
+- */
+- i = j&0x7fffffff;
+- k = (i>>20)-0x3ff;
+- n = 0;
+- if(i>0x3fe00000) { /* if |z| > 0.5, set n = [z+0.5] */
+- n = j+(0x00100000>>(k+1));
+- k = ((n&0x7fffffff)>>20)-0x3ff; /* new k for n */
+- t = zero;
+- __HI(t) = (n&~(0x000fffff>>k));
+- n = ((n&0x000fffff)|0x00100000)>>(20-k);
+- if(j<0) n = -n;
+- p_h -= t;
+- }
+- t = p_l+p_h;
+- __LO(t) = 0;
+- u = t*lg2_h;
+- v = (p_l-(t-p_h))*lg2+t*lg2_l;
+- z = u+v;
+- w = v-(z-u);
+- t = z*z;
+- t1 = z - t*(P1+t*(P2+t*(P3+t*(P4+t*P5))));
+- r = (z*t1)/(t1-two)-(w+z*w);
+- z = one-(r-z);
+- j = __HI(z);
+- j += (n<<20);
+- if((j>>20)<=0) z = fdlibmScalbn(z,n); /* subnormal output */
+- else __HI(z) += (n<<20);
+- return s*z;
+-}
+-
+-static ALWAYS_INLINE bool isDenormal(double x)
+-{
+- static const uint64_t signbit = 0x8000000000000000ULL;
+- static const uint64_t minNormal = 0x0001000000000000ULL;
+- return (bitwise_cast<uint64_t>(x) & ~signbit) - 1 < minNormal - 1;
+-}
+-
+-static ALWAYS_INLINE bool isEdgeCase(double x)
+-{
+- static const uint64_t signbit = 0x8000000000000000ULL;
+- static const uint64_t infinity = 0x7fffffffffffffffULL;
+- return (bitwise_cast<uint64_t>(x) & ~signbit) - 1 >= infinity - 1;
+-}
+-
+-static ALWAYS_INLINE double mathPowInternal(double x, double y)
+-{
+- if (!isDenormal(x) && !isDenormal(y)) {
+- double libmResult = pow(x, y);
+- if (libmResult || isEdgeCase(x) || isEdgeCase(y))
+- return libmResult;
+- }
+- return fdlibmPow(x, y);
+-}
+-
+-#else
+-
+-ALWAYS_INLINE double mathPowInternal(double x, double y)
+-{
+- return pow(x, y);
+-}
+-
+-#endif
+-
+-double JIT_OPERATION operationMathPow(double x, double y)
+-{
+- if (std::isnan(y))
+- return PNaN;
+- if (std::isinf(y) && fabs(x) == 1)
+- return PNaN;
+- return mathPowInternal(x, y);
+-}
+-
+ void JIT_OPERATION operationPutByIndex(ExecState* exec, EncodedJSValue encodedArrayValue, int32_t index, EncodedJSValue encodedValue)
+ {
+ VM& vm = exec->vm();
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.h.180258 webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.h
+--- webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.h.180258 2015-02-16 07:56:53.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/jit/JITOperations.h 2015-02-18 11:15:46.881055356 +0100
+@@ -281,7 +281,6 @@ void JIT_OPERATION operationDebug(ExecSt
+ #if ENABLE(DFG_JIT)
+ SlowPathReturnType JIT_OPERATION operationOptimize(ExecState*, int32_t) WTF_INTERNAL;
+ #endif
+-double JIT_OPERATION operationMathPow(double x, double y) WTF_INTERNAL;
+ void JIT_OPERATION operationPutByIndex(ExecState*, EncodedJSValue, int32_t, EncodedJSValue);
+ #if USE(JSVALUE64)
+ void JIT_OPERATION operationPutGetterSetter(ExecState*, EncodedJSValue, Identifier*, EncodedJSValue, EncodedJSValue) WTF_INTERNAL;
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.cpp.180258 webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.cpp
+--- webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.cpp.180258 2015-02-18 11:15:46.877055294 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.cpp 2015-02-18 11:15:46.877055294 +0100
+@@ -0,0 +1,423 @@
++/*
++ * Copyright (C) 2015 Apple Inc. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
++ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
++ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "config.h"
++#include "MathCommon.h"
++
++#include <cmath>
++#include "PureNaN.h"
++
++namespace JSC {
++
++#if PLATFORM(IOS) && CPU(ARM_THUMB2)
++
++// The following code is taken from netlib.org:
++// http://www.netlib.org/fdlibm/fdlibm.h
++// http://www.netlib.org/fdlibm/e_pow.c
++// http://www.netlib.org/fdlibm/s_scalbn.c
++//
++// And was originally distributed under the following license:
++
++/*
++ * ====================================================
++ * Copyright (C) 1993 by Sun Microsystems, Inc. All rights reserved.
++ *
++ * Developed at SunSoft, a Sun Microsystems, Inc. business.
++ * Permission to use, copy, modify, and distribute this
++ * software is freely granted, provided that this notice
++ * is preserved.
++ * ====================================================
++ */
++/*
++ * ====================================================
++ * Copyright (C) 2004 by Sun Microsystems, Inc. All rights reserved.
++ *
++ * Permission to use, copy, modify, and distribute this
++ * software is freely granted, provided that this notice
++ * is preserved.
++ * ====================================================
++ */
++
++/* __ieee754_pow(x,y) return x**y
++ *
++ * n
++ * Method: Let x = 2 * (1+f)
++ * 1. Compute and return log2(x) in two pieces:
++ * log2(x) = w1 + w2,
++ * where w1 has 53-24 = 29 bit trailing zeros.
++ * 2. Perform y*log2(x) = n+y' by simulating muti-precision
++ * arithmetic, where |y'|<=0.5.
++ * 3. Return x**y = 2**n*exp(y'*log2)
++ *
++ * Special cases:
++ * 1. (anything) ** 0 is 1
++ * 2. (anything) ** 1 is itself
++ * 3. (anything) ** NAN is NAN
++ * 4. NAN ** (anything except 0) is NAN
++ * 5. +-(|x| > 1) ** +INF is +INF
++ * 6. +-(|x| > 1) ** -INF is +0
++ * 7. +-(|x| < 1) ** +INF is +0
++ * 8. +-(|x| < 1) ** -INF is +INF
++ * 9. +-1 ** +-INF is NAN
++ * 10. +0 ** (+anything except 0, NAN) is +0
++ * 11. -0 ** (+anything except 0, NAN, odd integer) is +0
++ * 12. +0 ** (-anything except 0, NAN) is +INF
++ * 13. -0 ** (-anything except 0, NAN, odd integer) is +INF
++ * 14. -0 ** (odd integer) = -( +0 ** (odd integer) )
++ * 15. +INF ** (+anything except 0,NAN) is +INF
++ * 16. +INF ** (-anything except 0,NAN) is +0
++ * 17. -INF ** (anything) = -0 ** (-anything)
++ * 18. (-anything) ** (integer) is (-1)**(integer)*(+anything**integer)
++ * 19. (-anything except 0 and inf) ** (non-integer) is NAN
++ *
++ * Accuracy:
++ * pow(x,y) returns x**y nearly rounded. In particular
++ * pow(integer,integer)
++ * always returns the correct integer provided it is
++ * representable.
++ *
++ * Constants :
++ * The hexadecimal values are the intended ones for the following
++ * constants. The decimal values may be used, provided that the
++ * compiler will convert from decimal to binary accurately enough
++ * to produce the hexadecimal values shown.
++ */
++
++#define __HI(x) *(1+(int*)&x)
++#define __LO(x) *(int*)&x
++
++static const double
++bp[] = {1.0, 1.5,},
++dp_h[] = { 0.0, 5.84962487220764160156e-01,}, /* 0x3FE2B803, 0x40000000 */
++dp_l[] = { 0.0, 1.35003920212974897128e-08,}, /* 0x3E4CFDEB, 0x43CFD006 */
++zero = 0.0,
++one = 1.0,
++two = 2.0,
++two53 = 9007199254740992.0, /* 0x43400000, 0x00000000 */
++huge = 1.0e300,
++tiny = 1.0e-300,
++/* for scalbn */
++two54 = 1.80143985094819840000e+16, /* 0x43500000, 0x00000000 */
++twom54 = 5.55111512312578270212e-17, /* 0x3C900000, 0x00000000 */
++/* poly coefs for (3/2)*(log(x)-2s-2/3*s**3 */
++L1 = 5.99999999999994648725e-01, /* 0x3FE33333, 0x33333303 */
++L2 = 4.28571428578550184252e-01, /* 0x3FDB6DB6, 0xDB6FABFF */
++L3 = 3.33333329818377432918e-01, /* 0x3FD55555, 0x518F264D */
++L4 = 2.72728123808534006489e-01, /* 0x3FD17460, 0xA91D4101 */
++L5 = 2.30660745775561754067e-01, /* 0x3FCD864A, 0x93C9DB65 */
++L6 = 2.06975017800338417784e-01, /* 0x3FCA7E28, 0x4A454EEF */
++P1 = 1.66666666666666019037e-01, /* 0x3FC55555, 0x5555553E */
++P2 = -2.77777777770155933842e-03, /* 0xBF66C16C, 0x16BEBD93 */
++P3 = 6.61375632143793436117e-05, /* 0x3F11566A, 0xAF25DE2C */
++P4 = -1.65339022054652515390e-06, /* 0xBEBBBD41, 0xC5D26BF1 */
++P5 = 4.13813679705723846039e-08, /* 0x3E663769, 0x72BEA4D0 */
++lg2 = 6.93147180559945286227e-01, /* 0x3FE62E42, 0xFEFA39EF */
++lg2_h = 6.93147182464599609375e-01, /* 0x3FE62E43, 0x00000000 */
++lg2_l = -1.90465429995776804525e-09, /* 0xBE205C61, 0x0CA86C39 */
++ovt = 8.0085662595372944372e-0017, /* -(1024-log2(ovfl+.5ulp)) */
++cp = 9.61796693925975554329e-01, /* 0x3FEEC709, 0xDC3A03FD =2/(3ln2) */
++cp_h = 9.61796700954437255859e-01, /* 0x3FEEC709, 0xE0000000 =(float)cp */
++cp_l = -7.02846165095275826516e-09, /* 0xBE3E2FE0, 0x145B01F5 =tail of cp_h*/
++ivln2 = 1.44269504088896338700e+00, /* 0x3FF71547, 0x652B82FE =1/ln2 */
++ivln2_h = 1.44269502162933349609e+00, /* 0x3FF71547, 0x60000000 =24b 1/ln2*/
++ivln2_l = 1.92596299112661746887e-08; /* 0x3E54AE0B, 0xF85DDF44 =1/ln2 tail*/
++
++inline double fdlibmScalbn (double x, int n)
++{
++ int k,hx,lx;
++ hx = __HI(x);
++ lx = __LO(x);
++ k = (hx&0x7ff00000)>>20; /* extract exponent */
++ if (k==0) { /* 0 or subnormal x */
++ if ((lx|(hx&0x7fffffff))==0) return x; /* +-0 */
++ x *= two54;
++ hx = __HI(x);
++ k = ((hx&0x7ff00000)>>20) - 54;
++ if (n< -50000) return tiny*x; /*underflow*/
++ }
++ if (k==0x7ff) return x+x; /* NaN or Inf */
++ k = k+n;
++ if (k > 0x7fe) return huge*copysign(huge,x); /* overflow */
++ if (k > 0) /* normal result */
++ {__HI(x) = (hx&0x800fffff)|(k<<20); return x;}
++ if (k <= -54) {
++ if (n > 50000) /* in case integer overflow in n+k */
++ return huge*copysign(huge,x); /*overflow*/
++ else return tiny*copysign(tiny,x); /*underflow*/
++ }
++ k += 54; /* subnormal result */
++ __HI(x) = (hx&0x800fffff)|(k<<20);
++ return x*twom54;
++}
++
++static double fdlibmPow(double x, double y)
++{
++ double z,ax,z_h,z_l,p_h,p_l;
++ double y1,t1,t2,r,s,t,u,v,w;
++ int i0,i1,i,j,k,yisint,n;
++ int hx,hy,ix,iy;
++ unsigned lx,ly;
++
++ i0 = ((*(int*)&one)>>29)^1; i1=1-i0;
++ hx = __HI(x); lx = __LO(x);
++ hy = __HI(y); ly = __LO(y);
++ ix = hx&0x7fffffff; iy = hy&0x7fffffff;
++
++ /* y==zero: x**0 = 1 */
++ if((iy|ly)==0) return one;
++
++ /* +-NaN return x+y */
++ if(ix > 0x7ff00000 || ((ix==0x7ff00000)&&(lx!=0)) ||
++ iy > 0x7ff00000 || ((iy==0x7ff00000)&&(ly!=0)))
++ return x+y;
++
++ /* determine if y is an odd int when x < 0
++ * yisint = 0 ... y is not an integer
++ * yisint = 1 ... y is an odd int
++ * yisint = 2 ... y is an even int
++ */
++ yisint = 0;
++ if(hx<0) {
++ if(iy>=0x43400000) yisint = 2; /* even integer y */
++ else if(iy>=0x3ff00000) {
++ k = (iy>>20)-0x3ff; /* exponent */
++ if(k>20) {
++ j = ly>>(52-k);
++ if(static_cast<unsigned>(j<<(52-k))==ly) yisint = 2-(j&1);
++ } else if(ly==0) {
++ j = iy>>(20-k);
++ if((j<<(20-k))==iy) yisint = 2-(j&1);
++ }
++ }
++ }
++
++ /* special value of y */
++ if(ly==0) {
++ if (iy==0x7ff00000) { /* y is +-inf */
++ if(((ix-0x3ff00000)|lx)==0)
++ return y - y; /* inf**+-1 is NaN */
++ else if (ix >= 0x3ff00000)/* (|x|>1)**+-inf = inf,0 */
++ return (hy>=0)? y: zero;
++ else /* (|x|<1)**-,+inf = inf,0 */
++ return (hy<0)?-y: zero;
++ }
++ if(iy==0x3ff00000) { /* y is +-1 */
++ if(hy<0) return one/x; else return x;
++ }
++ if(hy==0x40000000) return x*x; /* y is 2 */
++ if(hy==0x3fe00000) { /* y is 0.5 */
++ if(hx>=0) /* x >= +0 */
++ return sqrt(x);
++ }
++ }
++
++ ax = fabs(x);
++ /* special value of x */
++ if(lx==0) {
++ if(ix==0x7ff00000||ix==0||ix==0x3ff00000){
++ z = ax; /*x is +-0,+-inf,+-1*/
++ if(hy<0) z = one/z; /* z = (1/|x|) */
++ if(hx<0) {
++ if(((ix-0x3ff00000)|yisint)==0) {
++ z = (z-z)/(z-z); /* (-1)**non-int is NaN */
++ } else if(yisint==1)
++ z = -z; /* (x<0)**odd = -(|x|**odd) */
++ }
++ return z;
++ }
++ }
++
++ n = (hx>>31)+1;
++
++ /* (x<0)**(non-int) is NaN */
++ if((n|yisint)==0) return (x-x)/(x-x);
++
++ s = one; /* s (sign of result -ve**odd) = -1 else = 1 */
++ if((n|(yisint-1))==0) s = -one;/* (-ve)**(odd int) */
++
++ /* |y| is huge */
++ if(iy>0x41e00000) { /* if |y| > 2**31 */
++ if(iy>0x43f00000){ /* if |y| > 2**64, must o/uflow */
++ if(ix<=0x3fefffff) return (hy<0)? huge*huge:tiny*tiny;
++ if(ix>=0x3ff00000) return (hy>0)? huge*huge:tiny*tiny;
++ }
++ /* over/underflow if x is not close to one */
++ if(ix<0x3fefffff) return (hy<0)? s*huge*huge:s*tiny*tiny;
++ if(ix>0x3ff00000) return (hy>0)? s*huge*huge:s*tiny*tiny;
++ /* now |1-x| is tiny <= 2**-20, suffice to compute
++ log(x) by x-x^2/2+x^3/3-x^4/4 */
++ t = ax-one; /* t has 20 trailing zeros */
++ w = (t*t)*(0.5-t*(0.3333333333333333333333-t*0.25));
++ u = ivln2_h*t; /* ivln2_h has 21 sig. bits */
++ v = t*ivln2_l-w*ivln2;
++ t1 = u+v;
++ __LO(t1) = 0;
++ t2 = v-(t1-u);
++ } else {
++ double ss,s2,s_h,s_l,t_h,t_l;
++ n = 0;
++ /* take care subnormal number */
++ if(ix<0x00100000)
++ {ax *= two53; n -= 53; ix = __HI(ax); }
++ n += ((ix)>>20)-0x3ff;
++ j = ix&0x000fffff;
++ /* determine interval */
++ ix = j|0x3ff00000; /* normalize ix */
++ if(j<=0x3988E) k=0; /* |x|<sqrt(3/2) */
++ else if(j<0xBB67A) k=1; /* |x|<sqrt(3) */
++ else {k=0;n+=1;ix -= 0x00100000;}
++ __HI(ax) = ix;
++
++ /* compute ss = s_h+s_l = (x-1)/(x+1) or (x-1.5)/(x+1.5) */
++ u = ax-bp[k]; /* bp[0]=1.0, bp[1]=1.5 */
++ v = one/(ax+bp[k]);
++ ss = u*v;
++ s_h = ss;
++ __LO(s_h) = 0;
++ /* t_h=ax+bp[k] High */
++ t_h = zero;
++ __HI(t_h)=((ix>>1)|0x20000000)+0x00080000+(k<<18);
++ t_l = ax - (t_h-bp[k]);
++ s_l = v*((u-s_h*t_h)-s_h*t_l);
++ /* compute log(ax) */
++ s2 = ss*ss;
++ r = s2*s2*(L1+s2*(L2+s2*(L3+s2*(L4+s2*(L5+s2*L6)))));
++ r += s_l*(s_h+ss);
++ s2 = s_h*s_h;
++ t_h = 3.0+s2+r;
++ __LO(t_h) = 0;
++ t_l = r-((t_h-3.0)-s2);
++ /* u+v = ss*(1+...) */
++ u = s_h*t_h;
++ v = s_l*t_h+t_l*ss;
++ /* 2/(3log2)*(ss+...) */
++ p_h = u+v;
++ __LO(p_h) = 0;
++ p_l = v-(p_h-u);
++ z_h = cp_h*p_h; /* cp_h+cp_l = 2/(3*log2) */
++ z_l = cp_l*p_h+p_l*cp+dp_l[k];
++ /* log2(ax) = (ss+..)*2/(3*log2) = n + dp_h + z_h + z_l */
++ t = (double)n;
++ t1 = (((z_h+z_l)+dp_h[k])+t);
++ __LO(t1) = 0;
++ t2 = z_l-(((t1-t)-dp_h[k])-z_h);
++ }
++
++ /* split up y into y1+y2 and compute (y1+y2)*(t1+t2) */
++ y1 = y;
++ __LO(y1) = 0;
++ p_l = (y-y1)*t1+y*t2;
++ p_h = y1*t1;
++ z = p_l+p_h;
++ j = __HI(z);
++ i = __LO(z);
++ if (j>=0x40900000) { /* z >= 1024 */
++ if(((j-0x40900000)|i)!=0) /* if z > 1024 */
++ return s*huge*huge; /* overflow */
++ else {
++ if(p_l+ovt>z-p_h) return s*huge*huge; /* overflow */
++ }
++ } else if((j&0x7fffffff)>=0x4090cc00 ) { /* z <= -1075 */
++ if(((j-0xc090cc00)|i)!=0) /* z < -1075 */
++ return s*tiny*tiny; /* underflow */
++ else {
++ if(p_l<=z-p_h) return s*tiny*tiny; /* underflow */
++ }
++ }
++ /*
++ * compute 2**(p_h+p_l)
++ */
++ i = j&0x7fffffff;
++ k = (i>>20)-0x3ff;
++ n = 0;
++ if(i>0x3fe00000) { /* if |z| > 0.5, set n = [z+0.5] */
++ n = j+(0x00100000>>(k+1));
++ k = ((n&0x7fffffff)>>20)-0x3ff; /* new k for n */
++ t = zero;
++ __HI(t) = (n&~(0x000fffff>>k));
++ n = ((n&0x000fffff)|0x00100000)>>(20-k);
++ if(j<0) n = -n;
++ p_h -= t;
++ }
++ t = p_l+p_h;
++ __LO(t) = 0;
++ u = t*lg2_h;
++ v = (p_l-(t-p_h))*lg2+t*lg2_l;
++ z = u+v;
++ w = v-(z-u);
++ t = z*z;
++ t1 = z - t*(P1+t*(P2+t*(P3+t*(P4+t*P5))));
++ r = (z*t1)/(t1-two)-(w+z*w);
++ z = one-(r-z);
++ j = __HI(z);
++ j += (n<<20);
++ if((j>>20)<=0) z = fdlibmScalbn(z,n); /* subnormal output */
++ else __HI(z) += (n<<20);
++ return s*z;
++}
++
++static ALWAYS_INLINE bool isDenormal(double x)
++{
++ static const uint64_t signbit = 0x8000000000000000ULL;
++ static const uint64_t minNormal = 0x0001000000000000ULL;
++ return (bitwise_cast<uint64_t>(x) & ~signbit) - 1 < minNormal - 1;
++}
++
++static ALWAYS_INLINE bool isEdgeCase(double x)
++{
++ static const uint64_t signbit = 0x8000000000000000ULL;
++ static const uint64_t infinity = 0x7fffffffffffffffULL;
++ return (bitwise_cast<uint64_t>(x) & ~signbit) - 1 >= infinity - 1;
++}
++
++static ALWAYS_INLINE double mathPowInternal(double x, double y)
++{
++ if (!isDenormal(x) && !isDenormal(y)) {
++ double libmResult = std::pow(x, y);
++ if (libmResult || isEdgeCase(x) || isEdgeCase(y))
++ return libmResult;
++ }
++ return fdlibmPow(x, y);
++}
++
++#else
++
++ALWAYS_INLINE double mathPowInternal(double x, double y)
++{
++ return std::pow(x, y);
++}
++
++#endif
++
++double JIT_OPERATION operationMathPow(double x, double y)
++{
++ if (std::isnan(y))
++ return PNaN;
++ if (std::isinf(y) && fabs(x) == 1)
++ return PNaN;
++ return mathPowInternal(x, y);
++}
++
++} // namespace JSC
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.h.180258 webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.h
+--- webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.h.180258 2015-02-18 11:15:46.878055310 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathCommon.h 2015-02-18 11:15:46.877055294 +0100
+@@ -0,0 +1,39 @@
++/*
++ * Copyright (C) 2015 Apple Inc. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
++ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
++ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
++ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef MathCommon_h
++#define MathCommon_h
++
++#include "JITOperations.h"
++
++#ifndef JIT_OPERATION
++#define JIT_OPERATION
++#endif
++
++namespace JSC {
++double JIT_OPERATION operationMathPow(double x, double y) WTF_INTERNAL;
++}
++
++#endif // MathCommon_h
+diff -up webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathObject.cpp.180258 webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathObject.cpp
+--- webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathObject.cpp.180258 2015-02-16 07:56:53.000000000 +0100
++++ webkitgtk-2.7.90/Source/JavaScriptCore/runtime/MathObject.cpp 2015-02-18 11:15:46.876055278 +0100
+@@ -21,8 +21,8 @@
+ #include "config.h"
+ #include "MathObject.h"
+
+-#include "JITOperations.h"
+ #include "Lookup.h"
++#include "MathCommon.h"
+ #include "ObjectPrototype.h"
+ #include "JSCInlines.h"
+ #include <time.h>
diff --git a/webkitgtk4.spec b/webkitgtk4.spec
index 3df8d76..3723d31 100644
--- a/webkitgtk4.spec
+++ b/webkitgtk4.spec
@@ -19,6 +19,12 @@ Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
Patch0: webkitgtk-2.7.4-nspluginwrapper.patch
Patch2: webkitgtk-2.5.90-cloop_fix.patch
Patch3: webkitgtk-2.5.2-commit_align.patch
+# https://bugs.webkit.org/show_bug.cgi?id=141717
+Patch4: webkitgtk-2.7.90-180234.patch
+# https://bugs.webkit.org/show_bug.cgi?id=141733
+Patch5: webkitgtk-2.7.90-180248.patch
+# https://bugs.webkit.org/show_bug.cgi?id=141618
+Patch6: webkitgtk-2.7.90-180258.patch
BuildRequires: at-spi2-core-devel
BuildRequires: bison
@@ -94,6 +100,9 @@ This package contains developer documentation for %{name}.
%ifarch %{power64} aarch64 ppc
%patch3 -p1 -b .commit_align
%endif
+%patch4 -p1 -b .180234
+%patch5 -p1 -b .180248
+%patch6 -p1 -b .180258
# Remove bundled libraries
rm -rf Source/ThirdParty/leveldb/
@@ -198,6 +207,7 @@ make %{?_smp_mflags} -C %{_target_platform}
%changelog
* Wed Feb 18 2015 Tomas Popela <tpopela at redhat.com> - 2.7.90-1
- Update to 2.7.90
+- Add JIT and CLoop fixes
* Mon Feb 16 2015 Michael Catanzaro <mcatanzaro at gnome.org> - 2.7.4-7
- Remove disable codec installer patch, not needed in GNOME 3.15.90
More information about the scm-commits
mailing list