[webkit-changes] [158608] trunk

[fpizlo]

Title: [158608] trunk

Revision

158608

Author

fpi...@apple.com

Date

2013-11-04 16:05:02 -0800 (Mon, 04 Nov 2013)

Log Message

DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
https://bugs.webkit.org/show_bug.cgi?id=123760
<rdar://problem/15356705>

Reviewed by Mark Hahnenberg and Oliver Hunt.

Source/_javascript_Core: 

* dfg/DFGOperations.cpp:

LayoutTests: 

* js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt: Added.
* js/dfg-new-array-buffer-while-having-a-bad-time.html: Added.
* js/dfg-new-array-while-having-a-bad-time-expected.txt: Added.
* js/dfg-new-array-while-having-a-bad-time.html: Added.
* js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js: Added.
(foo):
* js/script-tests/dfg-new-array-while-having-a-bad-time.js: Added.
(foo):

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGOperations.cpp

Added Paths

• trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt
• trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html
• trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt
• trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html
• trunk/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js
• trunk/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js

Diff

Modified: trunk/LayoutTests/ChangeLog (158607 => 158608)

--- trunk/LayoutTests/ChangeLog	2013-11-04 23:59:30 UTC (rev 158607)
+++ trunk/LayoutTests/ChangeLog	2013-11-05 00:05:02 UTC (rev 158608)
@@ -1,3 +1,20 @@
+2013-11-04  Filip Pizlo  <fpi...@apple.com>
+
+        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
+        https://bugs.webkit.org/show_bug.cgi?id=123760
+        <rdar://problem/15356705>
+
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+        * js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt: Added.
+        * js/dfg-new-array-buffer-while-having-a-bad-time.html: Added.
+        * js/dfg-new-array-while-having-a-bad-time-expected.txt: Added.
+        * js/dfg-new-array-while-having-a-bad-time.html: Added.
+        * js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js: Added.
+        (foo):
+        * js/script-tests/dfg-new-array-while-having-a-bad-time.js: Added.
+        (foo):
+
 2013-11-04  Hans Muller  <hmul...@adobe.com>
 
         [CSS Shapes] image valued shape element margin can cause an ASSERT fail

Added: trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt (0 => 158608)

--- trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,12 @@
+Tests that DFG NewArrayBuffer works when having a bad time.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo()[0] is "foo" on all iterations including after DFG tier-up.
+PASS foo()[1] is 42 on all iterations including after DFG tier-up.
+PASS foo()[2] is 23.5 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html (0 => 158608)

--- trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt (0 => 158608)

--- trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,12 @@
+Tests that DFG NewArray works when having a bad time.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo()[0] is "foo" on all iterations including after DFG tier-up.
+PASS foo()[1] is 42 on all iterations including after DFG tier-up.
+PASS foo()[2].f is 23 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html (0 => 158608)

--- trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html	                        (rev 0)
+++ trunk/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Added: trunk/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js (0 => 158608)

--- trunk/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,10 @@
+description("Tests that DFG NewArrayBuffer works when having a bad time.");
+
+Array.prototype.__defineSetter__("100", function() { debug("Ouch!"); });
+
+function foo() { return ["foo", 42, 23.5]; }
+
+dfgShouldBe(foo, "foo()[0]", "\"foo\"");
+dfgShouldBe(foo, "foo()[1]", "42");
+dfgShouldBe(foo, "foo()[2]", "23.5");
+

Added: trunk/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js (0 => 158608)

--- trunk/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js	                        (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js	2013-11-05 00:05:02 UTC (rev 158608)
@@ -0,0 +1,10 @@
+description("Tests that DFG NewArray works when having a bad time.");
+
+Array.prototype.__defineSetter__("100", function() { debug("Ouch!"); });
+
+function foo() { return ["foo", 42, {f:23}]; }
+
+dfgShouldBe(foo, "foo()[0]", "\"foo\"");
+dfgShouldBe(foo, "foo()[1]", "42");
+dfgShouldBe(foo, "foo()[2].f", "23");
+

Modified: trunk/Source/_javascript_Core/ChangeLog (158607 => 158608)

--- trunk/Source/_javascript_Core/ChangeLog	2013-11-04 23:59:30 UTC (rev 158607)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-11-05 00:05:02 UTC (rev 158608)
@@ -1,3 +1,13 @@
+2013-11-04  Filip Pizlo  <fpi...@apple.com>
+
+        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
+        https://bugs.webkit.org/show_bug.cgi?id=123760
+        <rdar://problem/15356705>
+
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+        * dfg/DFGOperations.cpp:
+
 2013-11-04  Michael Saboff  <msab...@apple.com>
 
         Eliminate HostCall bit from JSC Stack CallerFrame

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (158607 => 158608)

--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-11-04 23:59:30 UTC (rev 158607)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2013-11-05 00:05:02 UTC (rev 158608)
@@ -614,7 +614,7 @@
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
     
-    return bitwise_cast<char*>(constructArrayNegativeIndexed(exec, arrayStructure, static_cast<JSValue*>(buffer), size));
+    return bitwise_cast<char*>(constructArray(exec, arrayStructure, static_cast<JSValue*>(buffer), size));
 }
 
 char* JIT_OPERATION operationNewEmptyArray(ExecState* exec, Structure* arrayStructure)
@@ -640,7 +640,7 @@
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    return bitwise_cast<char*>(constructArrayNegativeIndexed(exec, arrayStructure, exec->codeBlock()->constantBuffer(start), size));
+    return bitwise_cast<char*>(constructArray(exec, arrayStructure, exec->codeBlock()->constantBuffer(start), size));
 }
 
 char* JIT_OPERATION operationNewInt8ArrayWithSize(

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes