fpizlo@apple.com authored
https://bugs.webkit.org/show_bug.cgi?id=74695

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

The code that reads from the scratch buffer now explicitly knows which locations to read from.

No new tests, since this patch covers a case so uncommon that I don't know how to make a test for it.

* dfg/DFGOSRExitCompiler.h:
(JSC::DFG::OSRExitCompiler::badIndex):
(JSC::DFG::OSRExitCompiler::initializePoisoned):
(JSC::DFG::OSRExitCompiler::poisonIndex):
* dfg/DFGOSRExitCompiler32_64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):
* dfg/DFGOSRExitCompiler64.cpp:
(JSC::DFG::OSRExitCompiler::compileExit):

LayoutTests:

Rubber stamped by Gavin Barraclough.

Wrote a custom fuzzer that does 2048 different combinations of integer and float temporaries and induces a failure whilst all of them are live. If poisoning doesn't work correctly, a large number (>hundred) of the fuzzing cases fail.

* fast/js/dfg-poison-fuzz-expected.txt: Added.
* fast/js/dfg-poison-fuzz.html: Added.
* fast/js/script-tests/dfg-poison-fuzz.js: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@103127 268f45cc-cd09-0410-ab3c-d52691b4dbfc
32776a52