    fourthTier: String GetByVal out-of-bounds handling is so wrong · e642774f
    oliver@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=118935
    
    Source/JavaScriptCore:
    
    Reviewed by Geoffrey Garen.
    
    Bunch of String GetByVal out-of-bounds fixes:
    
    - Even if the string proto chain is sane, we need to watch out for negative
      indices. They may get values or call getters in the prototypes, since proto
      sanity doesn't check for negative indexed properties, as they are not
      technically indexed properties.
    
    - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
      given this information.
    
    - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
      given this information.
    
    Also fixed some other things:
    
    - If the DFG is disabled, the testRunner should pretend that we've done a
      bunch of DFG compiles. That's necessary to prevent the tests from timing
      out.
    
    - Disassembler shouldn't try to dump source code since it's not safe in the
      concurrent JIT.
    
    * API/JSCTestRunnerUtils.cpp:
    (JSC::numberOfDFGCompiles):
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::::executeEffects):
    * dfg/DFGDisassembler.cpp:
    (JSC::DFG::Disassembler::dumpHeader):
    * dfg/DFGGraph.h:
    (JSC::DFG::Graph::byValIsPure):
    * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
    (DFG):
    (SaneStringGetByValSlowPathGenerator):
    (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
    (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
    
    LayoutTests:
    
    Reviewed by Geoffrey Garen.
    
    * fast/js/dfg-string-out-of-bounds-check-structure-expected.txt: Added.
    * fast/js/dfg-string-out-of-bounds-check-structure.html: Added.
    * fast/js/dfg-string-out-of-bounds-cse-expected.txt: Added.
    * fast/js/dfg-string-out-of-bounds-cse.html: Added.
    * fast/js/dfg-string-out-of-bounds-negative-check-structure-expected.txt: Added.
    * fast/js/dfg-string-out-of-bounds-negative-check-structure.html: Added.
    * fast/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Added.
    * fast/js/dfg-string-out-of-bounds-negative-proto-value.html: Added.
    * fast/js/jsc-test-list:
    * fast/js/script-tests/dfg-string-out-of-bounds-check-structure.js: Added.
    (foo):
    * fast/js/script-tests/dfg-string-out-of-bounds-cse.js: Added.
    (foo):
    * fast/js/script-tests/dfg-string-out-of-bounds-negative-check-structure.js: Added.
    (foo):
    (while):
    * fast/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Added.
    (foo):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153286 268f45cc-cd09-0410-ab3c-d52691b4dbfc