Various array access corner cases should take OSR exit feedback
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Feb 2015 22:44:45 +0000 (22:44 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 26 Feb 2015 22:44:45 +0000 (22:44 +0000)
commit 6d367772325bfaaaab0370031209f7b33c984afc
tree c0e13eac449124ca5e82ce49640f32addb93db39
parent ff1c2e2584694f4b195e81534ef46f4f35b391af

Various array access corner cases should take OSR exit feedback
https://bugs.webkit.org/show_bug.cgi?id=142056

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Two major changes here:

- Don't keep converting GetById into GetArrayLength if we exited due to any kind of array
  type check.

- Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks,
  like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on
  arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by
  the Generic array mode.

* bytecode/ExitKind.cpp:
(JSC::exitKindToString):
* bytecode/ExitKind.h:
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):
* tests/stress/array-length-array-storage-plain-object.js: Added.
(foo):
* tests/stress/array-length-plain-object.js: Added.
(foo):

LayoutTests:

* js/regress/arguments-out-of-bounds-expected.txt: Added.
* js/regress/arguments-out-of-bounds.html: Added.
* js/regress/exit-length-on-plain-object-expected.txt: Added.
* js/regress/exit-length-on-plain-object.html: Added.
* js/regress/script-tests/arguments-out-of-bounds.js: Added.
(foo):
(bar):
* js/regress/script-tests/exit-length-on-plain-object.js: Added.
(foo):
* js/regress/script-tests/string-out-of-bounds.js: Added.
(bar):
* js/regress/string-out-of-bounds-expected.txt: Added.
* js/regress/string-out-of-bounds.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@180703 268f45cc-cd09-0410-ab3c-d52691b4dbfc

18 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress/arguments-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/arguments-out-of-bounds.html [new file with mode: 0644]
LayoutTests/js/regress/exit-length-on-plain-object-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/exit-length-on-plain-object.html [new file with mode: 0644]
LayoutTests/js/regress/script-tests/arguments-out-of-bounds.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/exit-length-on-plain-object.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/string-out-of-bounds.js [new file with mode: 0644]
LayoutTests/js/regress/string-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/string-out-of-bounds.html [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ExitKind.cpp
Source/JavaScriptCore/bytecode/ExitKind.h
Source/JavaScriptCore/dfg/DFGArrayMode.cpp
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/tests/stress/array-length-array-storage-plain-object.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/array-length-plain-object.js [new file with mode: 0644]