Modified: trunk/LayoutTests/ChangeLog (92039 => 92040)
--- trunk/LayoutTests/ChangeLog 2011-07-30 02:00:35 UTC (rev 92039)
+++ trunk/LayoutTests/ChangeLog 2011-07-30 02:06:58 UTC (rev 92040)
@@ -1,3 +1,21 @@
+2011-07-29 Filip Pizlo <[email protected]>
+
+ LayoutTests does not have a test for array speculation pathologies in the _javascript_Core DFG JIT.
+ https://bugs.webkit.org/show_bug.cgi?id=65397
+
+ Reviewed by Darin Adler.
+
+ This test reproduces the crash seen in https://bugs.webkit.org/show_bug.cgi?id=65327, and is
+ designed to guard itself against possible variants of array speculation failure. It will
+ test both the case where a speculate-array value is actually a non-array object, and the
+ case where it is a number. Particular care is taken to increase the likelihood that the
+ test remains relevant if the JIT performs speculation based on actual argument types and
+ values at the time of compilation.
+
+ * fast/js/array-type-speculation-expected.txt: Added.
+ * fast/js/array-type-speculation.html: Added.
+ * fast/js/script-tests/array-type-speculation.js: Added.
+
2011-07-29 Zhenyao Mo <[email protected]>
Unreviewed, test expectations update, gardener stuff.
Added: trunk/LayoutTests/fast/js/array-type-speculation-expected.txt (0 => 92040)
--- trunk/LayoutTests/fast/js/array-type-speculation-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/array-type-speculation-expected.txt 2011-07-30 02:06:58 UTC (rev 92040)
@@ -0,0 +1,25 @@
+This tests that storing into something that is not array does not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS result is "foo"
+PASS result is "foo"
+PASS result is undefined
+PASS result is undefined
+PASS result is undefined
+PASS result is "foo"
+PASS result is undefined
+PASS result is "foo"
+PASS result is "foo"
+PASS result is undefined
+PASS result is "foo"
+PASS result is undefined
+PASS result is undefined
+PASS result is undefined
+PASS result is "foo"
+PASS result is "foo"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/script-tests/array-type-speculation.js (0 => 92040)
--- trunk/LayoutTests/fast/js/script-tests/array-type-speculation.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/array-type-speculation.js 2011-07-30 02:06:58 UTC (rev 92040)
@@ -0,0 +1,44 @@
+description(
+"This tests that storing into something that is not array does not crash."
+);
+
+theCode = "\n\
+function storeFooByValOrDoArithmetic(o, p1, p2, v) {\n\
+ var x;\n\
+ if (p1) {\n\
+ x = o.foo;\n\
+ } else {\n\
+ x = v;\n\
+ if (p2) {\n\
+ x--;\n\
+ } else {\n\
+ x++;\n\
+ }\n\
+ }\n\
+ x[5] = \"foo\";\n\
+}\n\
+\n\
+function runTheTest(p1, p2) {\n\
+ var o = new Object();\n\
+ o.foo = new Object();\n\
+ storeFooByValOrDoArithmetic(o, p1, p2, 1);\n\
+ return o.foo[5];\n\
+}\n";
+
+function runWithPredicates(predicateArray) {
+ var myCode = theCode;
+
+ for (var i = 0; i < predicateArray.length; ++i) {
+ myCode += "result = runTheTest(" + predicateArray[i][0] + ", " + predicateArray[i][1] + ");\n";
+ myCode += "shouldBe(\"result\", " + predicateArray[i][2] + ");\n";
+ }
+
+ eval(myCode);
+}
+
+runWithPredicates([[true, true, "\"\\\"foo\\\"\""], [true, false, "\"\\\"foo\\\"\""], [false, true, "\"undefined\""], [false, false, "\"undefined\""]]);
+runWithPredicates([[false, false, "\"undefined\""], [true, false, "\"\\\"foo\\\"\""], [false, true, "\"undefined\""], [true, true, "\"\\\"foo\\\"\""]]);
+runWithPredicates([[true, true, "\"\\\"foo\\\"\""], [false, true, "\"undefined\""], [true, false, "\"\\\"foo\\\"\""], [false, false, "\"undefined\""]]);
+runWithPredicates([[false, false, "\"undefined\""], [false, true, "\"undefined\""], [true, false, "\"\\\"foo\\\"\""], [true, true, "\"\\\"foo\\\"\""]]);
+
+var successfullyParsed = true;
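Review bot: The reason `runWithPredicates` rebuilds both functions from the `theCode` string and re-`eval`s them on every call is recorded only in the ChangeLog entry, so a later cleanup that replaces the `eval` with direct calls could quietly remove the coverage this regression test exists for. I would add a comment above `runWithPredicates`, for example `// theCode is re-eval'd per call so both functions are defined afresh and first run with a different predicate order; keep the eval.` Each freshly defined function also runs only four times per ordering (once per predicate tuple), which presumably reaches the speculative store at `x[5] = "foo"` only while the JIT compiles on first call. If compilation is ever deferred behind an execution threshold, the test could keep passing without exercising that path, so the same comment should state that assumption. As a smaller style point, `theCode` is assigned without `var`, unlike `successfullyParsed`; `result` appears to need to stay an implicit global so that `shouldBe("result", ...)` can see it.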