oliver@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=117906

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

This does the obvious thing, but also makes sure that out-of-bounds accesses don't fall off into a C call, but try to do the fast thing if the prototype chain is sane. We ought to probably do this for other array accesses in the future, as well, since it's so darn easy.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnString):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):
* runtime/JSGlobalObject.h:
(JSGlobalObject):

LayoutTests:

Reviewed by Mark Hahnenberg.

The out-of-bounds benchmark that isn't insane speeds up by 22x in this patch.

* fast/js/regress/script-tests/string-get-by-val-out-of-bounds-insane.js: Added.
(foo):
* fast/js/regress/script-tests/string-get-by-val-out-of-bounds.js: Added.
(foo):
* fast/js/regress/string-get-by-val-out-of-bounds-expected.txt: Added.
* fast/js/regress/string-get-by-val-out-of-bounds-insane-expected.txt: Added.
* fast/js/regress/string-get-by-val-out-of-bounds-insane.html: Added.
* fast/js/regress/string-get-by-val-out-of-bounds.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
211b3bec
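
An added example, not part of the commit and not JavaScriptCore code: a language-level JavaScript model of why an out-of-bounds string read may skip the generic lookup only while the prototype chain is sane. The definition of "sane" used here, the body of `stringPrototypeChainIsSane`, and the helpers `hasIndexedOwnProperty`, `getByValOnString` and `demo` are assumptions of the example.

```javascript
// Language-level model, not JavaScriptCore code.
// Assumption: "sane" means String.prototype and Object.prototype carry no
// integer-indexed own property and the chain is the default one.
function hasIndexedOwnProperty(obj) {
  return Object.getOwnPropertyNames(obj).some((k) => /^(0|[1-9]\d*)$/.test(k));
}

function stringPrototypeChainIsSane() {
  return !hasIndexedOwnProperty(String.prototype)
    && Object.getPrototypeOf(String.prototype) === Object.prototype
    && !hasIndexedOwnProperty(Object.prototype)
    && Object.getPrototypeOf(Object.prototype) === null;
}

// Hypothetical helper: returns the value and which path produced it.
function getByValOnString(str, index) {
  const isIndex = Number.isInteger(index) && index >= 0;
  if (isIndex && index < str.length) {
    return { value: str.charAt(index), path: "in-bounds" };
  }
  if (isIndex && stringPrototypeChainIsSane()) {
    // Nothing on the chain can answer an index lookup, so the result
    // is undefined without walking the prototypes.
    return { value: undefined, path: "fast-oob" };
  }
  // Guard failed: only the generic lookup gives the correct answer.
  return { value: str[index], path: "generic" };
}

// Constructed inputs: one in-bounds read, then the same out-of-bounds read
// before, during and after an indexed property exists on String.prototype.
function demo() {
  const results = [];
  results.push(getByValOnString("abc", 1));
  results.push(getByValOnString("abc", 5));
  String.prototype[5] = "from prototype"; // chain is no longer sane
  try {
    results.push(getByValOnString("abc", 5));
  } finally {
    delete String.prototype[5]; // restore the default chain
  }
  results.push(getByValOnString("abc", 5));
  return results;
}
```

The third read is the case the sanity guard protects: returning `undefined` there would be observably wrong, so a fast path without the guard is a correctness bug in the optimized code.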