DFG and FTL should have an OSR exit fuzzer
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jul 2015 01:48:01 +0000 (01:48 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 3 Jul 2015 01:48:01 +0000 (01:48 +0000)
commitf95329a5faaa403d8ebf5574629f68ad8d70436c
tree90b050344d3deecd3aa948b8b1c9454251cbb491
parentcefc2ecf6672f6c987c76d2ea67affaa4f545ec8
DFG and FTL should have an OSR exit fuzzer
https://bugs.webkit.org/show_bug.cgi?id=146562

Reviewed by Benjamin Poulain.

Adds a basic OSR exit fuzzer to JSC. This isn't hooked into any test harnesses yet, but I
spot-checked it on v8-earley-boyer.js and so far found no bugs. I'd like to figure out how
to harness this after I land it.

Since it's turned off by default, it should have no effect on behavior.

* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGOSRExitFuzz.cpp: Added.
(JSC::numberOfOSRExitFuzzChecks):
* dfg/DFGOSRExitFuzz.h: Added.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::emitGetArgumentStart):
(JSC::DFG::SpeculativeJIT::emitOSRExitFuzzCheck):
(JSC::DFG::SpeculativeJIT::speculationCheck):
* dfg/DFGSpeculativeJIT.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::DFG::LowerDFGToLLVM::appendOSRExit):
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@186252 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
Source/JavaScriptCore/CMakeLists.txt
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj
Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
Source/JavaScriptCore/dfg/DFGOSRExitFuzz.cpp [new file with mode: 0644]
Source/JavaScriptCore/dfg/DFGOSRExitFuzz.h [new file with mode: 0644]
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/Options.h
Source/JavaScriptCore/runtime/TestRunnerUtils.h