    fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds · 211b3bec
    oliver@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=117906
    
    Source/JavaScriptCore:
    
    Reviewed by Mark Hahnenberg.
    
    This does the obvious thing, but also makes sure that out-of-bounds accesses
    don't fall off into a C call, but try to do the fast thing if the prototype
    chain is sane. We ought to probably do this for other array accesses in the
    future, as well, since it's so darn easy.
    
    * dfg/DFGAbstractState.cpp:
    (JSC::DFG::AbstractState::executeEffects):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::fixupNode):
    * dfg/DFGOperations.cpp:
    * dfg/DFGOperations.h:
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
    * dfg/DFGSpeculativeJIT.h:
    (JSC::DFG::SpeculativeJIT::callOperation):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::objectPrototypeIsSane):
    (JSC):
    (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
    (JSC::JSGlobalObject::stringPrototypeChainIsSane):
    * runtime/JSGlobalObject.h:
    (JSGlobalObject):
    
    LayoutTests:
    
    Reviewed by Mark Hahnenberg.
    
    The out-of-bounds benchmark that isn't insane speeds up by 22x in this
    patch.
    
    * fast/js/regress/script-tests/string-get-by-val-out-of-bounds-insane.js: Added.
    (foo):
    * fast/js/regress/script-tests/string-get-by-val-out-of-bounds.js: Added.
    (foo):
    * fast/js/regress/string-get-by-val-out-of-bounds-expected.txt: Added.
    * fast/js/regress/string-get-by-val-out-of-bounds-insane-expected.txt: Added.
    * fast/js/regress/string-get-by-val-out-of-bounds-insane.html: Added.
    * fast/js/regress/string-get-by-val-out-of-bounds.html: Added.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
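The "sane prototype chain" condition the ChangeLog relies on can be seen from plain JavaScript. The block below is an added illustration, not code from the WebKit patch or from the benchmark scripts it lists: `foo` reuses the benchmark's function name but its body is constructed here, and `stringPrototypeChainIsSane` is a JavaScript-level approximation of the check named in the ChangeLog (the real one lives inside JSGlobalObject and inspects engine structures). It shows why an out-of-bounds string read can only be folded to `undefined` while neither String.prototype nor Object.prototype carries an indexed property, and why the JIT must take the slow path once one appears.

```javascript
// Added example, not part of the WebKit change. Demonstrates the semantic
// edge case behind the patch: str[i] with i >= str.length yields undefined
// only while the prototype chain has no indexed properties.

// Out-of-bounds string GetByVal: the access the DFG keeps on a fast path
// when the prototype chain is sane. (Body constructed for this example.)
function foo(str, index) {
  return str[index];
}

// Approximation of the ChangeLog's stringPrototypeChainIsSane: true when
// neither String.prototype nor Object.prototype defines an own array-index
// property, so a miss past the end of the string cannot be shadowed.
function stringPrototypeChainIsSane() {
  // An array index is a canonical unsigned integer string below 2^32 - 1.
  const isArrayIndex = (key) =>
    String(key >>> 0) === key && (key >>> 0) !== 0xFFFFFFFF;
  for (const proto of [String.prototype, Object.prototype]) {
    if (Object.getOwnPropertyNames(proto).some(isArrayIndex)) return false;
  }
  return true;
}

// Runs the sane case, then makes the chain "insane" by putting an indexed
// property on String.prototype, then restores it. Returns every observation
// so a caller can check them.
function demonstrate() {
  const results = {};
  results.sane = stringPrototypeChainIsSane();        // true in a fresh realm
  results.inBounds = foo("abc", 1);                   // "b"
  results.outOfBoundsSane = foo("abc", 5);            // undefined

  // Insane chain: index 5 on String.prototype now answers the miss.
  Object.defineProperty(String.prototype, "5", {
    value: "shadowed",
    configurable: true,
  });
  results.saneAfter = stringPrototypeChainIsSane();   // false
  results.outOfBoundsInsane = foo("abc", 5);          // "shadowed"

  // Restore the realm; the chain is sane again.
  delete String.prototype["5"];
  results.restored = stringPrototypeChainIsSane();    // true
  return results;
}

console.log(demonstrate());
```

The point for anyone reading the JIT change: the speculative fast path is only valid under the sanity condition, so the engine has to re-check it (or watch for it to be invalidated) before trusting the `undefined` result rather than exiting to the interpreter on every out-of-bounds read.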