Title: [163418] trunk
Revision
163418
Author
fpi...@apple.com
Date
2014-02-04 17:03:21 -0800 (Tue, 04 Feb 2014)

Log Message

DFG PutByVal on typed arrays should detect OutOfBounds sooner
https://bugs.webkit.org/show_bug.cgi?id=128162

Source/_javascript_Core: 

Reviewed by Mark Hahnenberg.
        
Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
DFG::ArrayMode for typed arrays.
        
Also make it possible to have tests for convergence.
        
Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
was relying on a specific number of recompiles. Stress tests instead take
the approach of just running for a while. That's more robust.

* bytecode/CodeBlock.h:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withSpeculationFromProfile):
(JSC::DFG::ArrayMode::withProfile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compilePutByVal):
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):
* jsc.cpp:
(GlobalObject::finishCreation):
(functionReoptimizationRetryCount):
* runtime/TestRunnerUtils.cpp:
(JSC::getExecutableForFunction):
(JSC::getSomeBaselineCodeBlockForFunction):
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):
* runtime/TestRunnerUtils.h:
* tests/stress/float32-repeat-out-of-bounds.js: Added.
(foo):
* tests/stress/int8-repeat-out-of-bounds.js: Added.
(foo):
* tests/stress/string-out-of-bounds-negative-proto-value.js: Added.
(foo):

Tools: 

Reviewed by Mark Hahnenberg.
        
Add a defaultNoEagerRun, which is intended to be used for convergence tests.

* Scripts/run-jsc-stress-tests:

LayoutTests: 

Reviewed by Mark Hahnenberg.
        
dfg-string-out-of-blahblah was moved to JSC/tests/stress.
        
dfg-convert-this-dom-window was using dfgShouldBe() incorrectly and this got revealed
by my TestRunnerUtils refactoring.
        
* js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Removed.
* js/dfg-string-out-of-bounds-negative-proto-value.html: Removed.
* js/script-tests/dfg-convert-this-dom-window.js:
* js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Removed.

Diff

Modified: trunk/LayoutTests/ChangeLog (163417 => 163418)


--- trunk/LayoutTests/ChangeLog	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/LayoutTests/ChangeLog	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,3 +1,20 @@
+2014-02-04  Filip Pizlo  <fpi...@apple.com>
+
+        DFG PutByVal on typed arrays should detect OutOfBounds sooner
+        https://bugs.webkit.org/show_bug.cgi?id=128162
+
+        Reviewed by Mark Hahnenberg.
+        
+        dfg-string-out-of-blahblah was moved to JSC/tests/stress.
+        
+        dfg-convert-this-dom-window was using dfgShouldBe() incorrectly and this got revealed
+        by my TestRunnerUtils refactoring.
+        
+        * js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Removed.
+        * js/dfg-string-out-of-bounds-negative-proto-value.html: Removed.
+        * js/script-tests/dfg-convert-this-dom-window.js:
+        * js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Removed.
+
 2014-02-04  Brady Eidson  <beid...@apple.com>
 
         IDB: indexeddb/mozilla/add-twice-failure.html fails

Deleted: trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt (163417 => 163418)


--- trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,9 +0,0 @@
-Tests what happens when you do a negative out-of-bounds access on a string while the prototype has a negative indexed property.
-
-On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
-
-
-Passed some tests silently.
-
-TEST COMPLETE
-

Deleted: trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value.html (163417 => 163418)


--- trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value.html	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/LayoutTests/js/dfg-string-out-of-bounds-negative-proto-value.html	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,10 +0,0 @@
-<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
-<html>
-<head>
-<script src=""
-</head>
-<body>
-<script src=""
-<script src=""
-</body>
-</html>

Modified: trunk/LayoutTests/js/script-tests/dfg-convert-this-dom-window.js (163417 => 163418)


--- trunk/LayoutTests/js/script-tests/dfg-convert-this-dom-window.js	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/LayoutTests/js/script-tests/dfg-convert-this-dom-window.js	2014-02-05 01:03:21 UTC (rev 163418)
@@ -19,5 +19,5 @@
 dfgShouldBe(myFunction, "myFunction.aliasedCall(null)", '[this, "myFunction", undefined]');
 dfgShouldBe(myFunction, "myFunction.aliasedCall(undefined)", '[this, "myFunction", undefined]');
 dfgShouldBe(myFunctionWithCall.call, "myFunctionWithCall.call(myObject, 'arg1')", '[myFunctionWithCall, "myFunctionWithCall.call", myObject]');
-dfgShouldBe(myFunctionWithCall.aliasedCall, "myFunctionWithCall.aliasedCall(myObject, 'arg1')", '[myObject, "myFunctionWithCall", "arg1"]');
+dfgShouldBe(myFunctionWithCall, "myFunctionWithCall.aliasedCall(myObject, 'arg1')", '[myObject, "myFunctionWithCall", "arg1"]');
 
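Review bot: the first argument to dfgShouldBe() is now the function whose DFG compilation the harness waits on, matching the myFunction/aliasedCall lines above this hunk; the `.call` line directly above still passes `myFunctionWithCall.call`, which is a different case (it exercises Function.prototype.call itself), so leaving it untouched looks intentional, but a one-line comment stating that would stop the next reader from "fixing" it.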

Deleted: trunk/LayoutTests/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js (163417 => 163418)


--- trunk/LayoutTests/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/LayoutTests/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,16 +0,0 @@
-description(
-"Tests what happens when you do a negative out-of-bounds access on a string while the prototype has a negative indexed property."
-);
-
-function foo(s) {
-    return s[-1];
-}
-
-noInline(foo);
-silentTestPass = true;
-
-String.prototype[-1] = "hello";
-
-for (var i = 0; i < 2; i = dfgIncrement({f:foo, i:i + 1, n:1, compiles:2}))
-    shouldBe("foo(\"hello\")", "\"hello\"");
-

Modified: trunk/Source/_javascript_Core/ChangeLog (163417 => 163418)


--- trunk/Source/_javascript_Core/ChangeLog	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,3 +1,47 @@
+2014-02-04  Filip Pizlo  <fpi...@apple.com>
+
+        DFG PutByVal on typed arrays should detect OutOfBounds sooner
+        https://bugs.webkit.org/show_bug.cgi?id=128162
+
+        Reviewed by Mark Hahnenberg.
+        
+        Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
+        DFG::ArrayMode for typed arrays.
+        
+        Also make it possible to have tests for convergence.
+        
+        Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
+        was relying on a specific number of recompiles. Stress tests instead take
+        the approach of just running for a while. That's more robust.
+
+        * bytecode/CodeBlock.h:
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::fromObserved):
+        (JSC::DFG::ArrayMode::refine):
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::withSpeculationFromProfile):
+        (JSC::DFG::ArrayMode::withProfile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitIntTypedArrayPutByVal):
+        (JSC::JIT::emitFloatTypedArrayPutByVal):
+        * jsc.cpp:
+        (GlobalObject::finishCreation):
+        (functionReoptimizationRetryCount):
+        * runtime/TestRunnerUtils.cpp:
+        (JSC::getExecutableForFunction):
+        (JSC::getSomeBaselineCodeBlockForFunction):
+        (JSC::numberOfDFGCompiles):
+        (JSC::setNeverInline):
+        * runtime/TestRunnerUtils.h:
+        * tests/stress/float32-repeat-out-of-bounds.js: Added.
+        (foo):
+        * tests/stress/int8-repeat-out-of-bounds.js: Added.
+        (foo):
+        * tests/stress/string-out-of-bounds-negative-proto-value.js: Added.
+        (foo):
+
 2014-02-04  Mark Hahnenberg  <mhahnenb...@apple.com>
 
         Refactor MarkStackArray to allow more than JSCells to be stored

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (163417 => 163418)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2014-02-05 01:03:21 UTC (rev 163418)
@@ -774,7 +774,7 @@
     // When we observe a lot of speculation failures, we trigger a
     // reoptimization. But each time, we increase the optimization trigger
     // to avoid thrashing.
-    unsigned reoptimizationRetryCounter() const;
+    JS_EXPORT_PRIVATE unsigned reoptimizationRetryCounter() const;
     void countReoptimization();
 #if ENABLE(JIT)
     unsigned numberOfDFGCompiles();
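Review bot: exporting reoptimizationRetryCounter() is only needed because the new functionReoptimizationRetryCount in jsc.cpp calls it directly on the CodeBlock; if that lookup were moved into TestRunnerUtils next to numberOfDFGCompiles (which is already exported), this header change would be unnecessary and the two counters would be reachable through one API.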

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp (163417 => 163418)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2014-02-05 01:03:21 UTC (rev 163418)
@@ -49,7 +49,7 @@
     case asArrayModes(NonArray):
         if (action == Array::Write && !profile->mayInterceptIndexedAccesses(locker))
             return ArrayMode(Array::Undecided, nonArray, Array::OutOfBounds, Array::Convert);
-        return ArrayMode(Array::SelectUsingPredictions, nonArray);
+        return ArrayMode(Array::SelectUsingPredictions, nonArray).withSpeculationFromProfile(locker, profile, makeSafe);
 
     case asArrayModes(ArrayWithUndecided):
         if (action == Array::Write)
@@ -59,7 +59,7 @@
     case asArrayModes(NonArray) | asArrayModes(ArrayWithUndecided):
         if (action == Array::Write && !profile->mayInterceptIndexedAccesses(locker))
             return ArrayMode(Array::Undecided, Array::PossiblyArray, Array::OutOfBounds, Array::Convert);
-        return ArrayMode(Array::SelectUsingPredictions);
+        return ArrayMode(Array::SelectUsingPredictions).withSpeculationFromProfile(locker, profile, makeSafe);
 
     case asArrayModes(NonArrayWithInt32):
         return ArrayMode(Array::Int32, nonArray, Array::AsIs).withProfile(locker, profile, makeSafe);
@@ -100,7 +100,7 @@
 
     default:
         if ((observed & asArrayModes(NonArray)) && profile->mayInterceptIndexedAccesses(locker))
-            return ArrayMode(Array::SelectUsingPredictions);
+            return ArrayMode(Array::SelectUsingPredictions).withSpeculationFromProfile(locker, profile, makeSafe);
         
         Array::Type type;
         Array::Class arrayClass;
@@ -199,10 +199,10 @@
             return withType(Array::Arguments);
         
         ArrayMode result;
-        if (graph.hasExitSite(codeOrigin, OutOfBounds))
+        if (graph.hasExitSite(codeOrigin, OutOfBounds) || !isInBounds())
             result = withSpeculation(Array::OutOfBounds);
         else
-            result = *this;
+            result = withSpeculation(Array::InBounds);
         
         if (isInt8ArraySpeculation(base))
             return result.withType(Array::Int8Array);
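Review bot: the else branch now forces `Array::InBounds` instead of keeping `*this`, and the if branch routes every non-InBounds speculation (not just a recorded OutOfBounds exit site) to `Array::OutOfBounds`; since the else branch is only reached when isInBounds() already holds, the rewrite is behaviour-preserving there, but a short comment saying that typed arrays only have two speculation states here (InBounds or OutOfBounds, nothing like SaneChain) would make the `|| !isInBounds()` easier to justify on later reads.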

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (163417 => 163418)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2014-02-05 01:03:21 UTC (rev 163418)
@@ -173,11 +173,15 @@
         return ArrayMode(type(), arrayClass(), speculation, conversion());
     }
     
-    ArrayMode withProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
+    ArrayMode withArrayClass(Array::Class arrayClass) const
     {
+        return ArrayMode(type(), arrayClass, speculation(), conversion());
+    }
+    
+    ArrayMode withSpeculationFromProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
+    {
         Array::Speculation mySpeculation;
-        Array::Class myArrayClass;
-        
+
         if (makeSafe)
             mySpeculation = Array::OutOfBounds;
         else if (profile->mayStoreToHole(locker))
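Review bot: in the new withSpeculationFromProfile, `makeSafe` takes precedence over whatever the profile reports, and the profile is consulted only on the non-safe path; that ordering is what the fromObserved callers in DFGArrayMode.cpp rely on for the SelectUsingPredictions cases, so it deserves a one-line comment on the function rather than being implied by the if/else chain.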
@@ -185,6 +189,13 @@
         else
             mySpeculation = Array::InBounds;
         
+        return withSpeculation(mySpeculation);
+    }
+    
+    ArrayMode withProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
+    {
+        Array::Class myArrayClass;
+        
         if (isJSArray()) {
             if (profile->usesOriginalArrayStructures(locker) && benefitsFromOriginalArray())
                 myArrayClass = Array::OriginalArray;
@@ -193,7 +204,7 @@
         } else
             myArrayClass = arrayClass();
         
-        return ArrayMode(type(), myArrayClass, mySpeculation, conversion());
+        return withArrayClass(myArrayClass).withSpeculationFromProfile(locker, profile, makeSafe);
     }
     
     ArrayMode withType(Array::Type type) const

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (163417 => 163418)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2014-02-05 01:03:21 UTC (rev 163418)
@@ -2217,7 +2217,7 @@
                     }
                 }
                 
-                if (m_node->arrayMode().isInBounds())
+                if (m_node->arrayMode().isInBounds() || m_node->op() == PutByValAlias)
                     m_out.store(valueToStore, pointer, refType);
                 else {
                     LBasicBlock isInBounds = FTL_NEW_BLOCK(m_out, ("PutByVal typed array in bounds case"));
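Review bot: the store is now emitted with no length check whenever the op is PutByValAlias, in addition to the InBounds speculation case; nothing in this hunk shows where PutByValAlias is guaranteed to be preceded by a bounds-checked access on the same base and index, and an unchecked store into typed-array storage is exactly the case that invariant protects, so please add a comment here naming that invariant (and, ideally, an ASSERT on the mode) so a future change to how PutByValAlias is produced cannot silently turn this into an out-of-bounds write.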

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (163417 => 163418)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1281,6 +1281,7 @@
 
 JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
 {
+    ArrayProfile* profile = ""
     ASSERT(isInt(type));
     
     int value = currentInstruction[3].u.operand;
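Review bot: the initializer on the new `ArrayProfile* profile` line is rendered here as an empty string literal, which cannot be what was committed (it would not type-check against `ArrayProfile*`); the page rendering has lost the right-hand side, so anyone reading this hunk from the list archive should check the repository for the actual operand the profile is loaded from.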
@@ -1301,7 +1302,10 @@
     
     loadPtr(Address(base, JSCell::structureOffset()), earlyScratch);
     badType = patchableBranchPtr(NotEqual, Address(earlyScratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
-    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
+    emitArrayProfileOutOfBoundsSpecialCase(profile);
+    Jump done = jump();
+    inBounds.link(this);
     
 #if USE(JSVALUE64)
     emitGetVirtualRegister(value, earlyScratch);
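Review bot: this changes the out-of-bounds path from "fall to the slow case" to "record the out-of-bounds flag in the profile, skip the store, and jump to done", so the baseline JIT now silently drops the write instead of handing it to the generic put; that matches typed-array semantics for an index past the length, but it is a behavioural change worth spelling out in the ChangeLog. Note also that `branch32(Below, ...)` is an unsigned compare, so a negative index takes the out-of-bounds path too, which is the intended effect but again deserves a comment next to the branch.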
@@ -1342,11 +1346,14 @@
         CRASH();
     }
     
+    done.link(this);
+    
     return slowCases;
 }
 
 JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
 {
+    ArrayProfile* profile = ""
     ASSERT(isFloat(type));
     
     int value = currentInstruction[3].u.operand;
@@ -1367,7 +1374,10 @@
     
     loadPtr(Address(base, JSCell::structureOffset()), earlyScratch);
     badType = patchableBranchPtr(NotEqual, Address(earlyScratch, Structure::classInfoOffset()), TrustedImmPtr(classInfoForType(type)));
-    slowCases.append(branch32(AboveOrEqual, property, Address(base, JSArrayBufferView::offsetOfLength())));
+    Jump inBounds = branch32(Below, property, Address(base, JSArrayBufferView::offsetOfLength()));
+    emitArrayProfileOutOfBoundsSpecialCase(profile);
+    Jump done = jump();
+    inBounds.link(this);
     
 #if USE(JSVALUE64)
     emitGetVirtualRegister(value, earlyScratch);
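Review bot: this hunk is a line-for-line copy of the change in emitIntTypedArrayPutByVal (profile load, `Below` branch, emitArrayProfileOutOfBoundsSpecialCase, `done` jump); pulling the length check and profile update into a shared helper called from both the int and float emitters would keep the two out-of-bounds paths from drifting apart later.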
@@ -1406,6 +1416,8 @@
         CRASH();
     }
     
+    done.link(this);
+    
     return slowCases;
 }
 

Modified: trunk/Source/_javascript_Core/jsc.cpp (163417 => 163418)


--- trunk/Source/_javascript_Core/jsc.cpp	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/jsc.cpp	2014-02-05 01:03:21 UTC (rev 163418)
@@ -112,6 +112,7 @@
 static EncodedJSValue JSC_HOST_CALL functionPreciseTime(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionNeverInlineFunction(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionNumberOfDFGCompiles(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionReoptimizationRetryCount(ExecState*);
 static EncodedJSValue JSC_HOST_CALL functionTransferArrayBuffer(ExecState*);
 static NO_RETURN_WITH_VALUE EncodedJSValue JSC_HOST_CALL functionQuit(ExecState*);
 
@@ -234,6 +235,7 @@
         addFunction(vm, "neverInlineFunction", functionNeverInlineFunction, 1);
         addFunction(vm, "noInline", functionNeverInlineFunction, 1);
         addFunction(vm, "numberOfDFGCompiles", functionNumberOfDFGCompiles, 1);
+        addFunction(vm, "reoptimizationRetryCount", functionReoptimizationRetryCount, 1);
         addFunction(vm, "transferArrayBuffer", functionTransferArrayBuffer, 1);
 #if ENABLE(SAMPLING_FLAGS)
         addFunction(vm, "setSamplingFlags", functionSetSamplingFlags, 1);
@@ -505,6 +507,18 @@
     return JSValue::encode(numberOfDFGCompiles(exec));
 }
 
+EncodedJSValue JSC_HOST_CALL functionReoptimizationRetryCount(ExecState* exec)
+{
+    if (exec->argumentCount() < 1)
+        return JSValue::encode(jsUndefined());
+    
+    CodeBlock* block = getSomeBaselineCodeBlockForFunction(exec->argument(0));
+    if (!block)
+        return JSValue::encode(jsNumber(0));
+    
+    return JSValue::encode(jsNumber(block->reoptimizationRetryCounter()));
+}
+
 EncodedJSValue JSC_HOST_CALL functionTransferArrayBuffer(ExecState* exec)
 {
     if (exec->argumentCount() < 1)
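Review bot: functionReoptimizationRetryCount returns `undefined` for a missing argument but `0` when no baseline code block exists, while numberOfDFGCompiles (after this patch's TestRunnerUtils change) returns `0` in the no-code-block case as well; the new stress tests only test the value for truthiness, so they are fine either way, but a consistent "0 when nothing is known" contract across both helpers would be less surprising for future tests that compare the values directly.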

Modified: trunk/Source/_javascript_Core/runtime/TestRunnerUtils.cpp (163417 => 163418)


--- trunk/Source/_javascript_Core/runtime/TestRunnerUtils.cpp	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/runtime/TestRunnerUtils.cpp	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -31,7 +31,7 @@
 
 namespace JSC {
 
-static FunctionExecutable* getExecutable(JSValue theFunctionValue)
+FunctionExecutable* getExecutableForFunction(JSValue theFunctionValue)
 {
     JSFunction* theFunction = jsDynamicCast<JSFunction*>(theFunctionValue);
     if (!theFunction)
@@ -42,6 +42,20 @@
     return executable;
 }
 
+CodeBlock* getSomeBaselineCodeBlockForFunction(JSValue theFunctionValue)
+{
+    FunctionExecutable* executable = getExecutableForFunction(theFunctionValue);
+    if (!executable)
+        return 0;
+    
+    CodeBlock* baselineCodeBlock = executable->baselineCodeBlockFor(CodeForCall);
+    
+    if (!baselineCodeBlock)
+        baselineCodeBlock = executable->baselineCodeBlockFor(CodeForConstruct);
+    
+    return baselineCodeBlock;
+}
+
 JSValue numberOfDFGCompiles(JSValue theFunctionValue)
 {
     bool pretendToHaveManyCompiles = false;
@@ -51,27 +65,19 @@
 #else
     pretendToHaveManyCompiles = true;
 #endif
-    
-    if (FunctionExecutable* executable = getExecutable(theFunctionValue)) {
-        CodeBlock* baselineCodeBlock = executable->baselineCodeBlockFor(CodeForCall);
-        
-        if (!baselineCodeBlock)
-            baselineCodeBlock = executable->baselineCodeBlockFor(CodeForConstruct);
-        
-        if (!baselineCodeBlock)
-            return jsNumber(0);
 
+    if (CodeBlock* baselineCodeBlock = getSomeBaselineCodeBlockForFunction(theFunctionValue)) {
         if (pretendToHaveManyCompiles)
             return jsNumber(1000000.0);
         return jsNumber(baselineCodeBlock->numberOfDFGCompiles());
     }
     
-    return jsUndefined();
+    return jsNumber(0);
 }
 
 JSValue setNeverInline(JSValue theFunctionValue)
 {
-    if (FunctionExecutable* executable = getExecutable(theFunctionValue))
+    if (FunctionExecutable* executable = getExecutableForFunction(theFunctionValue))
         executable->setNeverInline(true);
     
     return jsUndefined();
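Review bot: the fallthrough return of numberOfDFGCompiles changes from `jsUndefined()` to `jsNumber(0)` for values that are not functions or have no baseline code block yet; that is a visible behaviour change for any existing test that compares against `undefined`, and it is not mentioned in the ChangeLog entry, so please call it out there. The hoisted getSomeBaselineCodeBlockForFunction also returns `0` rather than `nullptr` for a pointer, which is a small style point.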

Modified: trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h (163417 => 163418)


--- trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Source/_javascript_Core/runtime/TestRunnerUtils.h	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -30,6 +30,12 @@
 
 namespace JSC {
 
+class CodeBlock;
+class FunctionExecutable;
+
+JS_EXPORT_PRIVATE FunctionExecutable* getExecutableForFunction(JSValue theFunctionValue);
+JS_EXPORT_PRIVATE CodeBlock* getSomeBaselineCodeBlockForFunction(JSValue theFunctionValue);
+
 JS_EXPORT_PRIVATE JSValue numberOfDFGCompiles(JSValue function);
 JS_EXPORT_PRIVATE JSValue setNeverInline(JSValue function);
 

Added: trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js (0 => 163418)


--- trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/float32-repeat-out-of-bounds.js	2014-02-05 01:03:21 UTC (rev 163418)
@@ -0,0 +1,17 @@
+//@ defaultNoEagerRun
+
+function foo(a) {
+    a[0] = 1;
+    a[1] = 2;
+    a[2] = 3;
+}
+
+noInline(foo);
+
+var array = new Float32Array(1);
+
+for (var i = 0; i < 100000; ++i)
+    foo(array);
+
+if (reoptimizationRetryCount(foo))
+    throw "Error: unexpected retry count: " + reoptimizationRetryCount(foo);
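Review bot: the test only asserts that repeated out-of-bounds stores do not drive reoptimization, not that the stores themselves behave correctly; adding a check after the loop that `array[0]` is still 1 (the only in-bounds index) would also cover the new baseline path that now skips the store for indices 1 and 2 instead of taking the slow case. The same applies to the Int8Array variant below, which differs only in the array type.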

Added: trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js (0 => 163418)


--- trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/int8-repeat-out-of-bounds.js	2014-02-05 01:03:21 UTC (rev 163418)
@@ -0,0 +1,17 @@
+//@ defaultNoEagerRun
+
+function foo(a) {
+    a[0] = 1;
+    a[1] = 2;
+    a[2] = 3;
+}
+
+noInline(foo);
+
+var array = new Int8Array(1);
+
+for (var i = 0; i < 100000; ++i)
+    foo(array);
+
+if (reoptimizationRetryCount(foo))
+    throw "Error: unexpected retry count: " + reoptimizationRetryCount(foo);

Added: trunk/Source/_javascript_Core/tests/stress/string-out-of-bounds-negative-proto-value.js (0 => 163418)


--- trunk/Source/_javascript_Core/tests/stress/string-out-of-bounds-negative-proto-value.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/string-out-of-bounds-negative-proto-value.js	2014-02-05 01:03:21 UTC (rev 163418)
@@ -0,0 +1,14 @@
+function foo(s) {
+    return s[-1];
+}
+
+noInline(foo);
+
+String.prototype[-1] = "hello";
+
+for (var i = 0; i < 100000; ++i) {
+    var result = foo("hello");
+    if (result != "hello")
+        throw "Error: bad result: " + result;
+}
+

Modified: trunk/Tools/ChangeLog (163417 => 163418)


--- trunk/Tools/ChangeLog	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Tools/ChangeLog	2014-02-05 01:03:21 UTC (rev 163418)
@@ -1,5 +1,16 @@
 2014-02-04  Filip Pizlo  <fpi...@apple.com>
 
+        DFG PutByVal on typed arrays should detect OutOfBounds sooner
+        https://bugs.webkit.org/show_bug.cgi?id=128162
+
+        Reviewed by Mark Hahnenberg.
+        
+        Add a defautNoEagerRun, which is intended to be used for convergence tests.
+
+        * Scripts/run-jsc-stress-tests:
+
+2014-02-04  Filip Pizlo  <fpi...@apple.com>
+
         export-llvm-build should work with git checkouts
         https://bugs.webkit.org/show_bug.cgi?id=128217
 

Modified: trunk/Tools/Scripts/run-jsc-stress-tests (163417 => 163418)


--- trunk/Tools/Scripts/run-jsc-stress-tests	2014-02-05 00:26:59 UTC (rev 163417)
+++ trunk/Tools/Scripts/run-jsc-stress-tests	2014-02-05 01:03:21 UTC (rev 163418)
@@ -603,6 +603,13 @@
     end
 end
 
+# This is expected to not do eager runs because eager runs can have a lot of recompilations
+# for reasons that don't arise in the real world. It's used for tests that assert convergence
+# by counting recompilations.
+def defaultNoEagerRun
+    defaultQuickRun
+end
+
 def runProfiler
     profilerOutput = uniqueFilename(".json")
     if $canRunDisplayProfilerOutput
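Review bot: defaultNoEagerRun is defined as a plain alias for defaultQuickRun, so the guarantee in the comment (no eager runs) holds only as long as defaultQuickRun itself never gains an eager configuration; either state that dependency in the comment or list the run modes explicitly here so a later change to defaultQuickRun cannot silently reintroduce the recompilation noise these convergence tests are trying to avoid.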