DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Nov 2013 00:05:02 +0000 (00:05 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Nov 2013 00:05:02 +0000 (00:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=123760
<rdar://problem/15356705>

Reviewed by Mark Hahnenberg and Oliver Hunt.

Source/JavaScriptCore:

* dfg/DFGOperations.cpp:

LayoutTests:

* js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt: Added.
* js/dfg-new-array-buffer-while-having-a-bad-time.html: Added.
* js/dfg-new-array-while-having-a-bad-time-expected.txt: Added.
* js/dfg-new-array-while-having-a-bad-time.html: Added.
* js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js: Added.
(foo):
* js/script-tests/dfg-new-array-while-having-a-bad-time.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@158608 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt [new file with mode: 0644]
LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html [new file with mode: 0644]
LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt [new file with mode: 0644]
LayoutTests/js/dfg-new-array-while-having-a-bad-time.html [new file with mode: 0644]
LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js [new file with mode: 0644]
LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGOperations.cpp

index c64cd73..3c42eb2 100644 (file)
@@ -1,3 +1,20 @@
+2013-11-04  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
+        https://bugs.webkit.org/show_bug.cgi?id=123760
+        <rdar://problem/15356705>
+
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+        * js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt: Added.
+        * js/dfg-new-array-buffer-while-having-a-bad-time.html: Added.
+        * js/dfg-new-array-while-having-a-bad-time-expected.txt: Added.
+        * js/dfg-new-array-while-having-a-bad-time.html: Added.
+        * js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js: Added.
+        (foo):
+        * js/script-tests/dfg-new-array-while-having-a-bad-time.js: Added.
+        (foo):
+
 2013-11-04  Hans Muller  <hmuller@adobe.com>
 
         [CSS Shapes] image valued shape element margin can cause an ASSERT fail
diff --git a/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt b/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time-expected.txt
new file mode 100644 (file)
index 0000000..045ab0b
--- /dev/null
@@ -0,0 +1,12 @@
+Tests that DFG NewArrayBuffer works when having a bad time.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo()[0] is "foo" on all iterations including after DFG tier-up.
+PASS foo()[1] is 42 on all iterations including after DFG tier-up.
+PASS foo()[2] is 23.5 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html b/LayoutTests/js/dfg-new-array-buffer-while-having-a-bad-time.html
new file mode 100644 (file)
index 0000000..a676ffb
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/dfg-new-array-buffer-while-having-a-bad-time.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt b/LayoutTests/js/dfg-new-array-while-having-a-bad-time-expected.txt
new file mode 100644 (file)
index 0000000..f8a446a
--- /dev/null
@@ -0,0 +1,12 @@
+Tests that DFG NewArray works when having a bad time.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo()[0] is "foo" on all iterations including after DFG tier-up.
+PASS foo()[1] is 42 on all iterations including after DFG tier-up.
+PASS foo()[2].f is 23 on all iterations including after DFG tier-up.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html b/LayoutTests/js/dfg-new-array-while-having-a-bad-time.html
new file mode 100644 (file)
index 0000000..a277eb2
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/dfg-new-array-while-having-a-bad-time.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js b/LayoutTests/js/script-tests/dfg-new-array-buffer-while-having-a-bad-time.js
new file mode 100644 (file)
index 0000000..0245ac5
--- /dev/null
@@ -0,0 +1,10 @@
+description("Tests that DFG NewArrayBuffer works when having a bad time.");
+
+Array.prototype.__defineSetter__("100", function() { debug("Ouch!"); });
+
+function foo() { return ["foo", 42, 23.5]; }
+
+dfgShouldBe(foo, "foo()[0]", "\"foo\"");
+dfgShouldBe(foo, "foo()[1]", "42");
+dfgShouldBe(foo, "foo()[2]", "23.5");
+
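Review bot: the three `dfgShouldBe` checks cover elements 0 to 2, but nothing checks `foo().length`, so an array with the right first three values and the wrong length would still pass. Consider adding `dfgShouldBe(foo, "foo().length", "3");`. A one-line comment above the `Array.prototype.__defineSetter__("100", ...)` line saying that it is the setup for the "bad time" condition named in the description would also help the next reader.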
diff --git a/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js b/LayoutTests/js/script-tests/dfg-new-array-while-having-a-bad-time.js
new file mode 100644 (file)
index 0000000..98731ba
--- /dev/null
@@ -0,0 +1,10 @@
+description("Tests that DFG NewArray works when having a bad time.");
+
+Array.prototype.__defineSetter__("100", function() { debug("Ouch!"); });
+
+function foo() { return ["foo", 42, {f:23}]; }
+
+dfgShouldBe(foo, "foo()[0]", "\"foo\"");
+dfgShouldBe(foo, "foo()[1]", "42");
+dfgShouldBe(foo, "foo()[2].f", "23");
+
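Review bot: this script differs from dfg-new-array-buffer-while-having-a-bad-time.js only in its description and in the third element of the literal in `foo` (`{f:23}` here, `23.5` there), and neither file says that this difference is what makes one exercise NewArray and the other NewArrayBuffer. Add a short comment above `foo` stating why the object literal is required, so that a later cleanup does not simplify it and leave two tests covering the same path.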
index 505ace6..8201a6b 100644 (file)
@@ -1,3 +1,13 @@
+2013-11-04  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG NewArray/NewArrayBuffer shouldn't be constructing with negative indexing
+        https://bugs.webkit.org/show_bug.cgi?id=123760
+        <rdar://problem/15356705>
+
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+
+        * dfg/DFGOperations.cpp:
+
 2013-11-04  Michael Saboff  <msaboff@apple.com>
 
         Eliminate HostCall bit from JSC Stack CallerFrame
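Review bot: the `* dfg/DFGOperations.cpp:` line in this entry names no functions and gives no reason for the change, while the LayoutTests entry lists `(foo):` for each added script. Name the two functions touched, operationNewArray and operationNewArrayBuffer, and add a sentence on why constructArrayNegativeIndexed was the wrong helper for them, so the log is readable without opening the bug.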
index 21b742d..bd67936 100644 (file)
@@ -614,7 +614,7 @@ char* JIT_OPERATION operationNewArray(ExecState* exec, Structure* arrayStructure
     VM* vm = &exec->vm();
     NativeCallFrameTracer tracer(vm, exec);
     
-    return bitwise_cast<char*>(constructArrayNegativeIndexed(exec, arrayStructure, static_cast<JSValue*>(buffer), size));
+    return bitwise_cast<char*>(constructArray(exec, arrayStructure, static_cast<JSValue*>(buffer), size));
 }
 
 char* JIT_OPERATION operationNewEmptyArray(ExecState* exec, Structure* arrayStructure)
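Review bot: in `operationNewArray`, the choice of helper is the only place that encodes how the caller laid out `buffer`; the raw pointer passed as `static_cast<JSValue*>(buffer)` together with `size` carries no hint of the element order. Add a comment at this call stating the layout the DFG caller uses for `buffer`, so that the direction in which the helper walks the buffer is a documented contract and not something inferred from the helper's name.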
@@ -640,7 +640,7 @@ char* JIT_OPERATION operationNewArrayBuffer(ExecState* exec, Structure* arrayStr
 {
     VM& vm = exec->vm();
     NativeCallFrameTracer tracer(&vm, exec);
-    return bitwise_cast<char*>(constructArrayNegativeIndexed(exec, arrayStructure, exec->codeBlock()->constantBuffer(start), size));
+    return bitwise_cast<char*>(constructArray(exec, arrayStructure, exec->codeBlock()->constantBuffer(start), size));
 }
 
 char* JIT_OPERATION operationNewInt8ArrayWithSize(
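Review bot: in `operationNewArrayBuffer`, the call reads `size` values starting at `exec->codeBlock()->constantBuffer(start)` with no check visible in this hunk that `start` and `size` stay within that constant buffer; a debug ASSERT before the call would make a bad pair fail loudly. The patch also does not show whether `constructArrayNegativeIndexed` has other callers among the JIT operations, so please confirm that the remaining ones were checked for the same mistake fixed in these two functions.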