Modified: trunk/Source/_javascript_Core/CMakeLists.txt (171349 => 171350)
--- trunk/Source/_javascript_Core/CMakeLists.txt 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/CMakeLists.txt 2014-07-22 18:27:17 UTC (rev 171350)
@@ -380,7 +380,8 @@
runtime/ErrorHandlingScope.cpp
runtime/ErrorInstance.cpp
runtime/ErrorPrototype.cpp
- runtime/ExceptionHelpers.cpp
+ runtime/ExceptionFuzz.cpp
+ runtime/ExceptionHelpers.cpp
runtime/Executable.cpp
runtime/FunctionConstructor.cpp
runtime/FunctionExecutableDump.cpp
Modified: trunk/Source/_javascript_Core/ChangeLog (171349 => 171350)
--- trunk/Source/_javascript_Core/ChangeLog 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-07-22 18:27:17 UTC (rev 171350)
@@ -1,3 +1,24 @@
+2014-07-18 Filip Pizlo <fpi...@apple.com>
+
+ Extend exception fuzzing to the LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=135076
+
+ Reviewed by Oliver Hunt.
+
+ * CMakeLists.txt:
+ * _javascript_Core.vcxproj/_javascript_Core.vcxproj:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * jit/JITOperations.cpp:
+ (JSC::numberOfExceptionFuzzChecks): Deleted.
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::setUpCall):
+ * runtime/CommonSlowPaths.cpp:
+ * runtime/ExceptionFuzz.cpp: Added.
+ (JSC::numberOfExceptionFuzzChecks):
+ (JSC::doExceptionFuzzing):
+ * runtime/ExceptionFuzz.h: Added.
+ (JSC::doExceptionFuzzingIfEnabled):
+
2014-07-21 Mark Lam <mark....@apple.com>
Refactor ArrayPrototype to use getLength() and putLength() utility functions.
Modified: trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj (171349 => 171350)
--- trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/_javascript_Core.vcxproj/_javascript_Core.vcxproj 2014-07-22 18:27:17 UTC (rev 171350)
@@ -667,6 +667,7 @@
<ClCompile Include="..\runtime\ErrorHandlingScope.cpp" />
<ClCompile Include="..\runtime\ErrorInstance.cpp" />
<ClCompile Include="..\runtime\ErrorPrototype.cpp" />
+ <ClCompile Include="..\runtime\ExceptionFuzz.cpp" />
<ClCompile Include="..\runtime\ExceptionHelpers.cpp" />
<ClCompile Include="..\runtime\Executable.cpp" />
<ClCompile Include="..\runtime\FunctionConstructor.cpp" />
@@ -1378,6 +1379,7 @@
<ClInclude Include="..\runtime\ErrorHandlingScope.h" />
<ClInclude Include="..\runtime\ErrorInstance.h" />
<ClInclude Include="..\runtime\ErrorPrototype.h" />
+ <ClInclude Include="..\runtime\ExceptionFuzz.h" />
<ClInclude Include="..\runtime\ExceptionHelpers.h" />
<ClInclude Include="..\runtime\Executable.h" />
<ClInclude Include="..\runtime\Float32Array.h" />
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (171349 => 171350)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2014-07-22 18:27:17 UTC (rev 171350)
@@ -92,6 +92,8 @@
0F0CD4C215F1A6070032F1C0 /* PutDirectIndexMode.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0CD4C015F1A6040032F1C0 /* PutDirectIndexMode.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F0CD4C415F6B6BB0032F1C0 /* SparseArrayValueMap.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F0CD4C315F6B6B50032F1C0 /* SparseArrayValueMap.cpp */; };
0F0FC45A14BD15F500B81154 /* LLIntCallLinkInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F0FC45814BD15F100B81154 /* LLIntCallLinkInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F12DE0F1979D5FD0006FF4E /* ExceptionFuzz.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F12DE0D1979D5FD0006FF4E /* ExceptionFuzz.cpp */; };
+ 0F12DE101979D5FD0006FF4E /* ExceptionFuzz.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F12DE0E1979D5FD0006FF4E /* ExceptionFuzz.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F136D4D174AD69E0075B354 /* DeferGC.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F136D4B174AD69B0075B354 /* DeferGC.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F13912916771C33009CCB07 /* ProfilerBytecodeSequence.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F13912416771C30009CCB07 /* ProfilerBytecodeSequence.cpp */; };
0F13912A16771C36009CCB07 /* ProfilerBytecodeSequence.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F13912516771C30009CCB07 /* ProfilerBytecodeSequence.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -1902,6 +1904,8 @@
0F0CD4C015F1A6040032F1C0 /* PutDirectIndexMode.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutDirectIndexMode.h; sourceTree = "<group>"; };
0F0CD4C315F6B6B50032F1C0 /* SparseArrayValueMap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SparseArrayValueMap.cpp; sourceTree = "<group>"; };
0F0FC45814BD15F100B81154 /* LLIntCallLinkInfo.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = LLIntCallLinkInfo.h; sourceTree = "<group>"; };
+ 0F12DE0D1979D5FD0006FF4E /* ExceptionFuzz.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExceptionFuzz.cpp; sourceTree = "<group>"; };
+ 0F12DE0E1979D5FD0006FF4E /* ExceptionFuzz.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionFuzz.h; sourceTree = "<group>"; };
0F136D4B174AD69B0075B354 /* DeferGC.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DeferGC.h; sourceTree = "<group>"; };
0F13912416771C30009CCB07 /* ProfilerBytecodeSequence.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = ProfilerBytecodeSequence.cpp; path = profiler/ProfilerBytecodeSequence.cpp; sourceTree = "<group>"; };
0F13912516771C30009CCB07 /* ProfilerBytecodeSequence.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ProfilerBytecodeSequence.h; path = profiler/ProfilerBytecodeSequence.h; sourceTree = "<group>"; };
@@ -4231,6 +4235,8 @@
0FFC99D0184EC8AD009C10AB /* ConstantMode.h */,
BCA62DFF0E2826310004F30D /* ConstructData.cpp */,
BC8F3CCF0DAF17BA00577A80 /* ConstructData.h */,
+ 2A111243192FCE79005EE18D /* CustomGetterSetter.cpp */,
+ 2A111244192FCE79005EE18D /* CustomGetterSetter.h */,
0F2B66B017B6B5AB00A7AE3F /* DataView.cpp */,
0F2B66B117B6B5AB00A7AE3F /* DataView.h */,
BCD203450E17135E002C7E82 /* DateConstructor.cpp */,
@@ -4254,6 +4260,8 @@
BC02E98B0E183E38000F9297 /* ErrorInstance.h */,
BC02E9060E1839DB000F9297 /* ErrorPrototype.cpp */,
BC02E9070E1839DB000F9297 /* ErrorPrototype.h */,
+ 0F12DE0D1979D5FD0006FF4E /* ExceptionFuzz.cpp */,
+ 0F12DE0E1979D5FD0006FF4E /* ExceptionFuzz.h */,
1429D8770ED21ACD00B89619 /* ExceptionHelpers.cpp */,
A72701B30DADE94900E548D7 /* ExceptionHelpers.h */,
86CA032D1038E8440028A609 /* Executable.cpp */,
@@ -4279,9 +4287,9 @@
0FB7F38F15ED8E3800F167B2 /* IndexingType.h */,
E178636C0D9BEEC300D74E75 /* InitializeThreading.cpp */,
E178633F0D9BEC0000D74E75 /* InitializeThreading.h */,
+ A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
A7A8AF2C17ADB5F3005AB174 /* Int16Array.h */,
A7A8AF2D17ADB5F3005AB174 /* Int32Array.h */,
- A7A8AF2B17ADB5F3005AB174 /* Int8Array.h */,
A78853F717972629001440E4 /* IntendedStructureChain.cpp */,
A78853F817972629001440E4 /* IntendedStructureChain.h */,
BC9BB95B0E19680600DF8855 /* InternalFunction.cpp */,
@@ -4340,9 +4348,9 @@
A59455911824744700CC3843 /* JSGlobalObjectDebuggable.h */,
BC756FC60E2031B200DE7D12 /* JSGlobalObjectFunctions.cpp */,
BC756FC70E2031B200DE7D12 /* JSGlobalObjectFunctions.h */,
+ 0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
0F2B66CA17B6B5AB00A7AE3F /* JSInt16Array.h */,
0F2B66CB17B6B5AB00A7AE3F /* JSInt32Array.h */,
- 0F2B66C917B6B5AB00A7AE3F /* JSInt8Array.h */,
65EA4C99092AF9E20093D800 /* JSLock.cpp */,
65EA4C9A092AF9E20093D800 /* JSLock.h */,
A700873F17CBE8EB00C3E643 /* JSMap.cpp */,
@@ -4396,10 +4404,10 @@
0F2B66D017B6B5AB00A7AE3F /* JSTypedArrays.cpp */,
0F2B66D117B6B5AB00A7AE3F /* JSTypedArrays.h */,
6507D2970E871E4A00D7D896 /* JSTypeInfo.h */,
+ 0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
+ 0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
0F2B66D417B6B5AB00A7AE3F /* JSUint16Array.h */,
0F2B66D517B6B5AB00A7AE3F /* JSUint32Array.h */,
- 0F2B66D217B6B5AB00A7AE3F /* JSUint8Array.h */,
- 0F2B66D317B6B5AB00A7AE3F /* JSUint8ClampedArray.h */,
BC22A39A0E16E14800AF21C8 /* JSVariableObject.cpp */,
14F252560D08DD8D004ECFFF /* JSVariableObject.h */,
A7CA3AE117DA41AE006538AF /* JSWeakMap.cpp */,
@@ -4541,11 +4549,11 @@
0F2B66DB17B6B5AB00A7AE3F /* TypedArrays.h */,
0F2B66DC17B6B5AB00A7AE3F /* TypedArrayType.cpp */,
0F2B66DD17B6B5AB00A7AE3F /* TypedArrayType.h */,
+ A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
+ A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
A7A8AF3217ADB5F3005AB174 /* Uint16Array.h */,
866739D113BFDE710023D87C /* Uint16WithFraction.h */,
A7A8AF3317ADB5F3005AB174 /* Uint32Array.h */,
- A7A8AF3017ADB5F3005AB174 /* Uint8Array.h */,
- A7A8AF3117ADB5F3005AB174 /* Uint8ClampedArray.h */,
E18E3A570DF9278C00D90B34 /* VM.cpp */,
E18E3A560DF9278C00D90B34 /* VM.h */,
FE5932A5183C5A2600A1ECCC /* VMEntryScope.cpp */,
@@ -4563,8 +4571,6 @@
1420BE7A10AA6DDB00F455D2 /* WeakRandom.h */,
A7DCB77912E3D90500911940 /* WriteBarrier.h */,
C2B6D75218A33793004A9301 /* WriteBarrierInlines.h */,
- 2A111243192FCE79005EE18D /* CustomGetterSetter.cpp */,
- 2A111244192FCE79005EE18D /* CustomGetterSetter.h */,
);
path = runtime;
sourceTree = "<group>";
@@ -6166,6 +6172,7 @@
A785F6BC18C553FE00F10626 /* SpillRegistersMode.h in Headers */,
BC18C4550E16F5CD00B34460 /* PropertySlot.h in Headers */,
0FB7F39C15ED8E4600F167B2 /* PropertyStorage.h in Headers */,
+ 0F12DE101979D5FD0006FF4E /* ExceptionFuzz.h in Headers */,
BC18C4560E16F5CD00B34460 /* Protect.h in Headers */,
1474C33B16AA2D950062F01D /* PrototypeMap.h in Headers */,
0F9332A414CA7DD90085F3C6 /* PutByIdStatus.h in Headers */,
@@ -6849,6 +6856,7 @@
A7A8AF3417ADB5F3005AB174 /* ArrayBuffer.cpp in Sources */,
0FFC99D4184EE318009C10AB /* ArrayBufferNeuteringWatchpoint.cpp in Sources */,
A7A8AF3617ADB5F3005AB174 /* ArrayBufferView.cpp in Sources */,
+ 0F12DE0F1979D5FD0006FF4E /* ExceptionFuzz.cpp in Sources */,
147F39BF107EC37600427A48 /* ArrayConstructor.cpp in Sources */,
A7BDAEC617F4EA1400F6140C /* ArrayIteratorConstructor.cpp in Sources */,
A7BDAEC817F4EA1400F6140C /* ArrayIteratorPrototype.cpp in Sources */,
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (171349 => 171350)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2014-07-22 18:27:17 UTC (rev 171350)
@@ -38,6 +38,7 @@
#include "Debugger.h"
#include "Error.h"
#include "ErrorHandlingScope.h"
+#include "ExceptionFuzz.h"
#include "GetterSetter.h"
#include "HostCallReturnValue.h"
#include "JIT.h"
@@ -56,9 +57,6 @@
namespace JSC {
-static unsigned s_numberOfExceptionFuzzChecks;
-unsigned numberOfExceptionFuzzChecks() { return s_numberOfExceptionFuzzChecks; }
-
extern "C" {
#if COMPILER(MSVC)
@@ -1810,21 +1808,11 @@
// testing.
void JIT_OPERATION operationExceptionFuzz()
{
- ASSERT(Options::enableExceptionFuzz());
-
// This probably "just works" for GCC also, but I haven't tried.
#if COMPILER(CLANG)
ExecState* exec = static_cast<ExecState*>(__builtin_frame_address(1));
- DeferGCForAWhile deferGC(exec->vm().heap);
-
- s_numberOfExceptionFuzzChecks++;
-
- unsigned fireTarget = Options::fireExceptionFuzzAt();
- if (fireTarget == s_numberOfExceptionFuzzChecks) {
- printf("JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame %p and return address %p.\n", exec, __builtin_return_address(0));
- exec->vm().throwException(
- exec, createError(exec->lexicalGlobalObject(), ASCIILiteral("Exception Fuzz")));
- }
+ void* returnPC = __builtin_return_address(0);
+ doExceptionFuzzing(exec, "JITOperations", returnPC);
#endif // COMPILER(CLANG)
}
Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (171349 => 171350)
--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2014-07-22 18:27:17 UTC (rev 171350)
@@ -31,6 +31,7 @@
#include "CommonSlowPaths.h"
#include "CommonSlowPathsExceptions.h"
#include "ErrorHandlingScope.h"
+#include "ExceptionFuzz.h"
#include "GetterSetter.h"
#include "HostCallReturnValue.h"
#include "Interpreter.h"
@@ -90,6 +91,7 @@
} while (false)
#define LLINT_CHECK_EXCEPTION() do { \
+ doExceptionFuzzingIfEnabled(exec, "LLIntSlowPaths", pc); \
if (UNLIKELY(vm.exception())) { \
pc = returnToThrow(exec); \
LLINT_END_IMPL(); \
@@ -147,17 +149,20 @@
LLINT_CALL_END_IMPL(0, callToThrow(__ct_exec)); \
} while (false)
-#define LLINT_CALL_CHECK_EXCEPTION(exec) do { \
+#define LLINT_CALL_CHECK_EXCEPTION(exec, execCallee) do { \
ExecState* __cce_exec = (exec); \
+ ExecState* __cce_execCallee = (execCallee); \
+ doExceptionFuzzingIfEnabled(__cce_exec, "LLIntSlowPaths/call", nullptr); \
if (UNLIKELY(vm.exception())) \
- LLINT_CALL_END_IMPL(0, callToThrow(__cce_exec)); \
+ LLINT_CALL_END_IMPL(0, callToThrow(__cce_execCallee)); \
} while (false)
-#define LLINT_CALL_RETURN(exec, callTarget) do { \
+#define LLINT_CALL_RETURN(exec, execCallee, callTarget) do { \
ExecState* __cr_exec = (exec); \
+ ExecState* __cr_execCallee = (execCallee); \
void* __cr_callTarget = (callTarget); \
- LLINT_CALL_CHECK_EXCEPTION(__cr_exec); \
- LLINT_CALL_END_IMPL(__cr_exec, __cr_callTarget); \
+ LLINT_CALL_CHECK_EXCEPTION(__cr_exec, __cr_execCallee); \
+ LLINT_CALL_END_IMPL(__cr_execCallee, __cr_callTarget); \
} while (false)
#define LLINT_RETURN_CALLEE_FRAME(execCallee) do { \
@@ -1041,7 +1046,7 @@
execCallee->setCallee(asObject(callee));
vm.hostCallReturnValue = JSValue::decode(callData.native.function(execCallee));
- LLINT_CALL_RETURN(execCallee, LLInt::getCodePtr(getHostCallReturnValue));
+ LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
}
#if LLINT_SLOW_PATH_TRACING
@@ -1064,7 +1069,7 @@
execCallee->setCallee(asObject(callee));
vm.hostCallReturnValue = JSValue::decode(constructData.native.function(execCallee));
- LLINT_CALL_RETURN(execCallee, LLInt::getCodePtr(getHostCallReturnValue));
+ LLINT_CALL_RETURN(execCallee, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
}
#if LLINT_SLOW_PATH_TRACING
@@ -1077,10 +1082,12 @@
inline SlowPathReturnType setUpCall(ExecState* execCallee, Instruction* pc, CodeSpecializationKind kind, JSValue calleeAsValue, LLIntCallLinkInfo* callLinkInfo = 0)
{
+ ExecState* exec = execCallee->callerFrame();
+
#if LLINT_SLOW_PATH_TRACING
- dataLogF("Performing call with recorded PC = %p\n", execCallee->callerFrame()->currentVPC());
+ dataLogF("Performing call with recorded PC = %p\n", exec->currentVPC());
#endif
-
+
JSCell* calleeAsFunctionCell = getJSFunction(calleeAsValue);
if (!calleeAsFunctionCell)
return handleHostCall(execCallee, pc, calleeAsValue, kind);
@@ -1100,7 +1107,7 @@
JSObject* error = functionExecutable->prepareForExecution(execCallee, callee, &scope, kind);
execCallee->setScope(scope);
if (error)
- LLINT_CALL_THROW(execCallee->callerFrame(), error);
+ LLINT_CALL_THROW(exec, error);
codeBlock = functionExecutable->codeBlockFor(kind);
ASSERT(codeBlock);
ArityCheckMode arity;
@@ -1114,9 +1121,7 @@
ASSERT(!!codePtr);
if (!LLINT_ALWAYS_ACCESS_SLOW && callLinkInfo) {
- ExecState* execCaller = execCallee->callerFrame();
-
- CodeBlock* callerCodeBlock = execCaller->codeBlock();
+ CodeBlock* callerCodeBlock = exec->codeBlock();
ConcurrentJITLocker locker(callerCodeBlock->m_lock);
@@ -1126,10 +1131,10 @@
callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock->ownerExecutable(), callee);
callLinkInfo->machineCodeTarget = codePtr;
if (codeBlock)
- codeBlock->linkIncomingCall(execCaller, callLinkInfo);
+ codeBlock->linkIncomingCall(exec, callLinkInfo);
}
- LLINT_CALL_RETURN(execCallee, codePtr.executableAddress());
+ LLINT_CALL_RETURN(exec, execCallee, codePtr.executableAddress());
}
inline SlowPathReturnType genericCall(ExecState* exec, Instruction* pc, CodeSpecializationKind kind)
@@ -1172,7 +1177,7 @@
ExecState* execCallee = sizeFrameForVarargs(exec, &vm.interpreter->stack(),
LLINT_OP_C(4).jsValue(), pc[5].u.operand, pc[6].u.operand);
- LLINT_CALL_CHECK_EXCEPTION(exec);
+ LLINT_CALL_CHECK_EXCEPTION(exec, exec);
vm.newCallFrameReturnValue = execCallee;
@@ -1191,7 +1196,7 @@
ExecState* execCallee = vm.newCallFrameReturnValue;
loadVarargs(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand);
- LLINT_CALL_CHECK_EXCEPTION(exec);
+ LLINT_CALL_CHECK_EXCEPTION(exec, exec);
execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
execCallee->setCallerFrame(exec);
@@ -1212,7 +1217,7 @@
ExecState* execCallee = vm.newCallFrameReturnValue;
loadVarargs(exec, execCallee, LLINT_OP_C(3).jsValue(), LLINT_OP_C(4).jsValue(), pc[6].u.operand);
- LLINT_CALL_CHECK_EXCEPTION(exec);
+ LLINT_CALL_CHECK_EXCEPTION(exec, exec);
execCallee->uncheckedR(JSStack::Callee) = calleeAsValue;
execCallee->setCallerFrame(exec);
@@ -1240,7 +1245,7 @@
return setUpCall(execCallee, pc, CodeForCall, calleeAsValue);
vm.hostCallReturnValue = eval(execCallee);
- LLINT_CALL_RETURN(execCallee, LLInt::getCodePtr(getHostCallReturnValue));
+ LLINT_CALL_RETURN(exec, execCallee, LLInt::getCodePtr(getHostCallReturnValue));
}
LLINT_SLOW_PATH_DECL(slow_path_tear_off_activation)
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (171349 => 171350)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2014-07-22 18:27:17 UTC (rev 171350)
@@ -32,6 +32,7 @@
#include "CodeProfiling.h"
#include "CommonSlowPathsExceptions.h"
#include "ErrorHandlingScope.h"
+#include "ExceptionFuzz.h"
#include "GetterSetter.h"
#include "HostCallReturnValue.h"
#include "Interpreter.h"
@@ -92,6 +93,7 @@
} while (false)
#define CHECK_EXCEPTION() do { \
+ doExceptionFuzzingIfEnabled(exec, "CommonSlowPaths", pc); \
if (UNLIKELY(vm.exception())) { \
RETURN_TO_THROW(exec, pc); \
END_IMPL(); \
Added: trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp (0 => 171350)
--- trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp (rev 0)
+++ trunk/Source/_javascript_Core/runtime/ExceptionFuzz.cpp 2014-07-22 18:27:17 UTC (rev 171350)
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ExceptionFuzz.h"
+
+#include "Error.h"
+#include "JSCInlines.h"
+#include "TestRunnerUtils.h"
+
+namespace JSC {
+
+static unsigned s_numberOfExceptionFuzzChecks;
+unsigned numberOfExceptionFuzzChecks() { return s_numberOfExceptionFuzzChecks; }
+
+// Call this only if you know that exception fuzzing is enabled.
+void doExceptionFuzzing(ExecState* exec, const char* where, void* returnPC)
+{
+ ASSERT(Options::enableExceptionFuzz());
+
+ DeferGCForAWhile deferGC(exec->vm().heap);
+
+ s_numberOfExceptionFuzzChecks++;
+
+ unsigned fireTarget = Options::fireExceptionFuzzAt();
+ if (fireTarget == s_numberOfExceptionFuzzChecks) {
+ printf("JSC EXCEPTION FUZZ: Throwing fuzz exception with call frame %p, seen in %s and return address %p.\n", exec, where, returnPC);
+ exec->vm().throwException(
+ exec, createError(exec->lexicalGlobalObject(), ASCIILiteral("Exception Fuzz")));
+ }
+}
+
+} // namespace JSC
+
+
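Review bot: `s_numberOfExceptionFuzzChecks` is a plain static `unsigned` bumped with `++` and compared against `fireTarget` with no synchronization, and the `js-exception-fuzz` harness replays failures by seed, so reproducibility rests on only one thread ever reaching these checks. That appears to hold for the shell as far as this diff shows, but nothing states it; a comment above the counter such as `// Not thread-safe by design: fuzzing assumes a single JS thread so the check count is reproducible across runs.` would make the contract explicit. The `ASSERT` at the top of `doExceptionFuzzing` compiles out in release builds, so the "call this only if you know" comment is the only guard there; it could point readers to `doExceptionFuzzingIfEnabled` as the intended entry point.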
Added: trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h (0 => 171350)
--- trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h (rev 0)
+++ trunk/Source/_javascript_Core/runtime/ExceptionFuzz.h 2014-07-22 18:27:17 UTC (rev 171350)
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ExceptionFuzz_h
+#define ExceptionFuzz_h
+
+#include "Options.h"
+
+namespace JSC {
+
+class ExecState;
+
+// Call this only if you know that exception fuzzing is enabled.
+void doExceptionFuzzing(ExecState* exec, const char* where, void* returnPC);
+
+// This is what you should call if you don't know if fuzzing is enabled.
+ALWAYS_INLINE void doExceptionFuzzingIfEnabled(ExecState* exec, const char* where, void* returnPC)
+{
+ if (LIKELY(!Options::enableExceptionFuzz()))
+ return;
+ doExceptionFuzzing(exec, where, returnPC);
+}
+
+} // namespace JSC
+
+#endif // ExceptionFuzz_h
+
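Review bot: The third parameter is named `returnPC` and `ExceptionFuzz.cpp` prints it as a "return address", but the LLInt and CommonSlowPaths callers in this commit pass a bytecode `Instruction*` (`pc`) or `nullptr`; only the JIT caller passes a real return address. The value is only ever printed, so nothing breaks, but both declarations should say what is expected, e.g. `// 'where' names the call site for the log line; 'returnPC' is an opaque location (machine return address, bytecode pc, or nullptr) that is only printed.` on `doExceptionFuzzing`, with `doExceptionFuzzingIfEnabled` referring to it.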
Modified: trunk/Tools/ChangeLog (171349 => 171350)
--- trunk/Tools/ChangeLog 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Tools/ChangeLog 2014-07-22 18:27:17 UTC (rev 171350)
@@ -1,3 +1,12 @@
+2014-07-18 Filip Pizlo <fpi...@apple.com>
+
+ Extend exception fuzzing to the LLInt
+ https://bugs.webkit.org/show_bug.cgi?id=135076
+
+ Reviewed by Oliver Hunt.
+
+ * Scripts/jsc-stress-test-helpers/js-exception-fuzz:
+
2014-07-22 Jochen Eisinger <joc...@chromium.org>
Fix my email address in contributors.json
Modified: trunk/Tools/Scripts/jsc-stress-test-helpers/js-exception-fuzz (171349 => 171350)
--- trunk/Tools/Scripts/jsc-stress-test-helpers/js-exception-fuzz 2014-07-22 18:13:46 UTC (rev 171349)
+++ trunk/Tools/Scripts/jsc-stress-test-helpers/js-exception-fuzz 2014-07-22 18:27:17 UTC (rev 171350)
@@ -67,6 +67,10 @@
die "Failure for command $commandString with seed $seed, repeat $repeat: $context";
}
+if (shift @ARGV) {
+ die "Ignoring garbage arguments; only the first non-option argument is used as the command string.";
+}
+
open (my $testInput, "$commandString --enableExceptionFuzz=true |") or fail("Cannot execute initial command when getting check count");
while (my $inputLine = <$testInput>) {
chomp($inputLine);
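Review bot: The new guard's message says it is "Ignoring garbage arguments" but the branch calls `die`, so the script aborts rather than ignores; one or the other should change. The test `shift @ARGV` also treats an extra argument of `0` or the empty string as absent, so such an argument slips through silently. `if (@ARGV) { die "Unexpected extra arguments; only the first non-option argument is used as the command string."; }` tests for presence rather than truthiness and matches what the code actually does.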