1. 24 Jul, 2013 1 commit
    • oliver@apple.com's avatar
      fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds · 211b3bec
      oliver@apple.com authored
      https://bugs.webkit.org/show_bug.cgi?id=117906
      
      Source/JavaScriptCore:
      
      Reviewed by Mark Hahnenberg.
      
      This does the obvious thing, but also makes sure that out-of-bounds accesses
      don't fall off into a C call, but try to do the fast thing if the prototype
      chain is sane. We ought to probably do this for other array accesses in the
      future, as well, since it's so darn easy.
      
      * dfg/DFGAbstractState.cpp:
      (JSC::DFG::AbstractState::executeEffects):
      * dfg/DFGFixupPhase.cpp:
      (JSC::DFG::FixupPhase::fixupNode):
      * dfg/DFGOperations.cpp:
      * dfg/DFGOperations.h:
      * dfg/DFGSpeculativeJIT.cpp:
      (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
      * dfg/DFGSpeculativeJIT.h:
      (JSC::DFG::SpeculativeJIT::callOperation):
      * runtime/JSGlobalObject.cpp:
      (JSC::JSGlobalObject::objectPrototypeIsSane):
      (JSC):
      (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
      (JSC::JSGlobalObject::stringPrototypeChainIsSane):
      * runtime/JSGlobalObject.h:
      (JSGlobalObject):
      
      LayoutTests:
      
      Reviewed by Mark Hahnenberg.
      
      The out-of-bounds benchmark that isn't insane speeds up by 22x in this
      patch.
      
      * fast/js/regress/script-tests/string-get-by-val-out-of-bounds-insane.js: Added.
      (foo):
      * fast/js/regress/script-tests/string-get-by-val-out-of-bounds.js: Added.
      (foo):
      * fast/js/regress/string-get-by-val-out-of-bounds-expected.txt: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds-insane-expected.txt: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds-insane.html: Added.
      * fast/js/regress/string-get-by-val-out-of-bounds.html: Added.
      
      git-svn-id: http://svn.webkit.org/repository/webkit/trunk@153244 268f45cc-cd09-0410-ab3c-d52691b4dbfc
      211b3bec