Changeset 153286 in webkit for trunk/Source/JavaScriptCore/API/JSCTestRunnerUtils.cpp

Timestamp:

Jul 24, 2013, 9:05:12 PM (12 years ago)

Author:

[email protected]

Message:

fourthTier: String GetByVal out-of-bounds handling is so wrong
​https://bugs.webkit.org/show_bug.cgi?id=118935

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Bunch of String GetByVal out-of-bounds fixes:

• Even if the string proto chain is sane, we need to watch out for negative indices. They may get values or call getters in the prototypes, since proto sanity doesn't check for negative indexed properties, as they are not technically indexed properties.

• GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be given this information.

• GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be given this information.

Also fixed some other things:

• If the DFG is disabled, the testRunner should pretend that we've done a bunch of DFG compiles. That's necessary to prevent the tests from timing out.

• Disassembler shouldn't try to dump source code since it's not safe in the concurrent JIT.

• API/JSCTestRunnerUtils.cpp:

(JSC::numberOfDFGCompiles):

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

• dfg/DFGDisassembler.cpp:

(JSC::DFG::Disassembler::dumpHeader):

• dfg/DFGGraph.h:

(JSC::DFG::Graph::byValIsPure):

• dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.

(DFG):
(SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
(JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

LayoutTests:

Reviewed by Geoffrey Garen.

• fast/js/dfg-string-out-of-bounds-check-structure-expected.txt: Added.
• fast/js/dfg-string-out-of-bounds-check-structure.html: Added.
• fast/js/dfg-string-out-of-bounds-cse-expected.txt: Added.
• fast/js/dfg-string-out-of-bounds-cse.html: Added.
• fast/js/dfg-string-out-of-bounds-negative-check-structure-expected.txt: Added.
• fast/js/dfg-string-out-of-bounds-negative-check-structure.html: Added.
• fast/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Added.
• fast/js/dfg-string-out-of-bounds-negative-proto-value.html: Added.
• fast/js/jsc-test-list:
• fast/js/script-tests/dfg-string-out-of-bounds-check-structure.js: Added.

(foo):

• fast/js/script-tests/dfg-string-out-of-bounds-cse.js: Added.

(foo):

• fast/js/script-tests/dfg-string-out-of-bounds-negative-check-structure.js: Added.

(foo):
(while):

• fast/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Added.

(foo):

File:

• trunk/Source/JavaScriptCore/API/JSCTestRunnerUtils.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/API/JSCTestRunnerUtils.cpp

@@ -49 +49 @@
 JSValueRef numberOfDFGCompiles(JSContextRef context, JSValueRef theFunctionValueRef)
 {
+    bool pretendToHaveManyCompiles = false;
+#if ENABLE(DFG_JIT)
+    if (!Options::useJIT() || !Options::useDFGJIT())
+        pretendToHaveManyCompiles = true;
+#else
+    pretendToHaveManyCompiles = true;
+#endif
+    
     if (FunctionExecutable* executable = getExecutable(context, theFunctionValueRef)) {
         CodeBlock* baselineCodeBlock = executable->baselineCodeBlockFor(CodeForCall);
@@ -55 +63 @@
             return JSValueMakeNumber(context, 0);
 
-#if ENABLE(DFG_JIT)        
+        if (pretendToHaveManyCompiles)
+            return JSValueMakeNumber(context, 1000000.0);
         return JSValueMakeNumber(context, baselineCodeBlock->numberOfDFGCompiles());
-#else
-        return JSValueMakeNumber(context, 1000000.0);
-#endif
     }