Title: [116361] trunk
Revision
116361
Author
[email protected]
Date
2012-05-07 15:52:52 -0700 (Mon, 07 May 2012)

Log Message

LLInt doesn't check for Ropes when performing a character switch
https://bugs.webkit.org/show_bug.cgi?id=85837

Reviewed by Filip Pizlo.

Source/_javascript_Core:

Make LLInt check whether the scrutinee of a char switch is a rope, and if
so fall back to a slow case.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(LLInt):
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:

LayoutTests:

Add a few tests to force the use of ropes on switch statements.

* fast/js/script-tests/switch-behaviour.js:
* fast/js/switch-behaviour-expected.txt:

Modified Paths

Diff

Modified: trunk/LayoutTests/ChangeLog (116360 => 116361)


--- trunk/LayoutTests/ChangeLog	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/LayoutTests/ChangeLog	2012-05-07 22:52:52 UTC (rev 116361)
@@ -1,3 +1,15 @@
+2012-05-07  Oliver Hunt  <[email protected]>
+
+        LLInt doesn't check for Ropes when performing a character switch
+        https://bugs.webkit.org/show_bug.cgi?id=85837
+
+        Reviewed by Filip Pizlo.
+
+        Add a few tests to force the use of ropes on switch statements.
+
+        * fast/js/script-tests/switch-behaviour.js:
+        * fast/js/switch-behaviour-expected.txt:
+
 2012-05-07  Raymond Toy  <[email protected]>
 
         ConvolverNode setBuffer() should not ASSERT on null buffer

Modified: trunk/LayoutTests/fast/js/script-tests/switch-behaviour.js (116360 => 116361)


--- trunk/LayoutTests/fast/js/script-tests/switch-behaviour.js	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/LayoutTests/fast/js/script-tests/switch-behaviour.js	2012-05-07 22:52:52 UTC (rev 116361)
@@ -231,6 +231,12 @@
 }
 
 // Character switch
+var emptyString1 = "";
+var emptyString2 = "";
+shouldBe("characterSwitch('A' + emptyString1)", '"A"');
+shouldBe("characterSwitch('A' + emptyString1 + emptyString2)", '"A"');
+shouldBe("characterSwitch(emptyString1 + emptyString2)", '"default"');
+
 shouldBe("characterSwitch('\0')", '"\0"');
 shouldBe("characterSwitch('A')", '"A"');
 shouldBe("characterSwitch('a')", '"a"');
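Review bot: The three added cases only build strings whose final length is 1 or 0, so the new `JSString::m_length` check is never exercised with a longer concatenated string, and the slow path never sees a 16-bit character. I would add a multi-character case such as `shouldBe("characterSwitch('AB' + emptyString1)", '"default"');` (the expected value assumes unmatched strings reach the default branch, as the empty case does) and one with a non-Latin-1 character. It is also not visible from this hunk whether concatenating with an empty string is guaranteed to yield a rope, so a short comment naming what forces the rope would make the intent of these tests checkable. The rest of the test file, including `characterSwitch` itself, is outside the hunk.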

Modified: trunk/LayoutTests/fast/js/switch-behaviour-expected.txt (116360 => 116361)


--- trunk/LayoutTests/fast/js/switch-behaviour-expected.txt	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/LayoutTests/fast/js/switch-behaviour-expected.txt	2012-05-07 22:52:52 UTC (rev 116361)
@@ -3,6 +3,9 @@
 On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
 
 
+PASS characterSwitch('A' + emptyString1) is "A"
+PASS characterSwitch('A' + emptyString1 + emptyString2) is "A"
+PASS characterSwitch(emptyString1 + emptyString2) is "default"
 PASS characterSwitch('\0') is "\0"
 PASS characterSwitch('A') is "A"
 PASS characterSwitch('a') is "a"

Modified: trunk/Source/_javascript_Core/ChangeLog (116360 => 116361)


--- trunk/Source/_javascript_Core/ChangeLog	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-05-07 22:52:52 UTC (rev 116361)
@@ -1,3 +1,19 @@
+2012-05-07  Oliver Hunt  <[email protected]>
+
+        LLInt doesn't check for Ropes when performing a character switch
+        https://bugs.webkit.org/show_bug.cgi?id=85837
+
+        Reviewed by Filip Pizlo.
+
+        Make LLint check if the scrutinee of a char switch is a rope, and if
+        so fall back to a slow case.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        (LLInt):
+        * llint/LowLevelInterpreter32_64.asm:
+        * llint/LowLevelInterpreter64.asm:
+
 2012-05-07  Eric Seidel  <[email protected]>
 
         Add ENABLE_IFRAME_SEAMLESS so Apple can turn off SEAMLESS if needed

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (116360 => 116361)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2012-05-07 22:52:52 UTC (rev 116361)
@@ -1167,6 +1167,20 @@
     LLINT_END();
 }
 
+LLINT_SLOW_PATH_DECL(slow_path_switch_char)
+{
+    LLINT_BEGIN();
+    JSValue scrutinee = LLINT_OP_C(3).jsValue();
+    ASSERT(scrutinee.isString());
+    JSString* value = asString(scrutinee);
+    ASSERT(value->length() == 1);
+    int defaultOffset = pc[2].u.operand;
+    StringImpl* impl = asString(scrutinee)->value(exec).impl();
+    CodeBlock* codeBlock = exec->codeBlock();
+    pc += codeBlock->characterSwitchJumpTable(pc[1].u.operand).offsetForValue((*impl)[0], defaultOffset);
+    LLINT_END();
+}
+
 LLINT_SLOW_PATH_DECL(slow_path_switch_string)
 {
     LLINT_BEGIN();
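Review bot: In `slow_path_switch_char` the only guards before `(*impl)[0]` are the two `ASSERT`s, which presumably compile out of release builds, and the result of `value(exec)` is not checked at all. The fast path in the .asm hunks does test the cell type and `JSString::m_length` before branching here, so the length precondition holds for that caller. But if resolving the rope can fail (for example on allocation failure, which is not visible in this hunk), `impl` could be null or empty when it is indexed. I would reuse the local and resolve once, `StringImpl* impl = value->value(exec).impl();`, then check for a pending exception or a null `impl` before the jump-table lookup. A one-line comment stating that this path is only reached for a length-1 rope would document the contract the asserts rely on.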

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (116360 => 116361)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2012-05-07 22:52:52 UTC (rev 116361)
@@ -1446,8 +1446,9 @@
     bineq t1, CellTag, .opSwitchCharFallThrough
     loadp JSCell::m_structure[t0], t1
     bbneq Structure::m_typeInfo + TypeInfo::m_type[t1], StringType, .opSwitchCharFallThrough
+    bineq JSString::m_length[t0], 1, .opSwitchCharFallThrough
     loadp JSString::m_value[t0], t0
-    bineq StringImpl::m_length[t0], 1, .opSwitchCharFallThrough
+    btpz  t0, .opSwitchOnRope
     loadp StringImpl::m_data8[t0], t1
     btinz StringImpl::m_hashAndFlags[t0], HashFlags8BitBuffer, .opSwitchChar8Bit
     loadh [t1], t0
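Review bot: The rope test at `btpz  t0, .opSwitchOnRope` depends on `JSString::m_value` being null exactly when the string is an unresolved rope, and nothing near the branch says so. A comment above it, such as `# m_value is null for an unresolved rope; the slow path resolves it before m_data8 is read`, would stop a later edit from moving the `StringImpl::m_data8[t0]` load ahead of the null test, which would dereference a null pointer. It is also worth one line on why the length check moved to `JSString::m_length[t0]`: it has to be read from the JSString because the StringImpl may not exist yet. The same applies to the matching hunk in LowLevelInterpreter64.asm. The opcode handler starts before this hunk.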
@@ -1465,7 +1466,11 @@
 .opSwitchCharFallThrough:
     dispatchBranch(8[PC])
 
+.opSwitchOnRope:
+    callSlowPath(_llint_slow_path_switch_char)
+    dispatch(0)
 
+
 _llint_op_new_func:
     traceExecution()
     btiz 12[PC], .opNewFuncUnchecked
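Review bot: `.opSwitchOnRope` ends with `dispatch(0)` while the neighbouring `.opSwitchCharFallThrough` uses `dispatchBranch(8[PC])`, and the reason for the difference is not stated. It appears to rely on `_llint_slow_path_switch_char` having already advanced the pc by the jump-table or default offset (the C++ hunk does `pc += ...`). A comment like `# slow path already applied the switch offset to PC` would make that contract explicit, so the two sides cannot drift apart silently. The same applies to the `.opSwitchOnRope` label added in LowLevelInterpreter64.asm.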

Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (116360 => 116361)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2012-05-07 22:29:10 UTC (rev 116360)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2012-05-07 22:52:52 UTC (rev 116361)
@@ -1292,8 +1292,9 @@
     btpnz t1, tagMask, .opSwitchCharFallThrough
     loadp JSCell::m_structure[t1], t0
     bbneq Structure::m_typeInfo + TypeInfo::m_type[t0], StringType, .opSwitchCharFallThrough
+    bineq JSString::m_length[t1], 1, .opSwitchCharFallThrough
     loadp JSString::m_value[t1], t0
-    bineq StringImpl::m_length[t0], 1, .opSwitchCharFallThrough
+    btpz  t0, .opSwitchOnRope
     loadp StringImpl::m_data8[t0], t1
     btinz StringImpl::m_hashAndFlags[t0], HashFlags8BitBuffer, .opSwitchChar8Bit
     loadh [t1], t0
@@ -1311,7 +1312,11 @@
 .opSwitchCharFallThrough:
     dispatchInt(16[PB, PC, 8])
 
+.opSwitchOnRope:
+    callSlowPath(_llint_slow_path_switch_char)
+    dispatch(0)
 
+
 _llint_op_new_func:
     traceExecution()
     btiz 24[PB, PC, 8], .opNewFuncUnchecked