Title: [154304] trunk
- Revision
- 154304
- Author
- [email protected]
- Date
- 2013-08-19 15:40:17 -0700 (Mon, 19 Aug 2013)
Log Message
<https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
LayoutTests:
* fast/js/dfg-cross-global-object-new-array.html: Added.
* fast/js/dfg-cross-global-object-new-array-expected.txt: Added.
* fast/js/script-tests/dfg-cross-global-object-new-array.js: Added.
(foo):
(runTest):
(doit):
Diff
Modified: trunk/LayoutTests/ChangeLog (154303 => 154304)
--- trunk/LayoutTests/ChangeLog 2013-08-19 22:36:46 UTC (rev 154303)
+++ trunk/LayoutTests/ChangeLog 2013-08-19 22:40:17 UTC (rev 154304)
@@ -1,3 +1,16 @@
+2013-08-18 Filip Pizlo <[email protected]>
+
+ <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
+
+ Reviewed by Geoffrey Garen.
+
+ * fast/js/dfg-cross-global-object-new-array.html: Added.
+ * fast/js/dfg-cross-global-object-new-array-expected.txt: Added.
+ * fast/js/script-tests/dfg-cross-global-object-new-array.js: Added.
+ (foo):
+ (runTest):
+ (doit):
+
2013-08-19 Alexey Proskuryakov <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=119915
Added: trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array-expected.txt (0 => 154304)
--- trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array-expected.txt 2013-08-19 22:40:17 UTC (rev 154304)
@@ -0,0 +1,10 @@
+This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Array doesn't have the main global object's array prototype
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array.html (0 => 154304)
--- trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array.html (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-cross-global-object-new-array.html 2013-08-19 22:40:17 UTC (rev 154304)
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<div id="frameparent"></div>
+<script src=""
+<script src=""
+</body>
+</html>
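Review bot: as rendered here, all three `<script src=""` lines carry an empty src and have no closing `</script>`, so neither the harness that defines description()/testPassed()/finishJSTest() nor script-tests/dfg-cross-global-object-new-array.js would be loaded and the page would print nothing. If this is an artifact of the commit viewer rather than the committed file it can be ignored; otherwise each src needs to point at the intended script and the tags need closing.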
Added: trunk/LayoutTests/fast/js/script-tests/dfg-cross-global-object-new-array.js (0 => 154304)
--- trunk/LayoutTests/fast/js/script-tests/dfg-cross-global-object-new-array.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-cross-global-object-new-array.js 2013-08-19 22:40:17 UTC (rev 154304)
@@ -0,0 +1,42 @@
+description(
+"This tests that function inlining in the DFG JIT doesn't get confused about the global object to use for array allocation."
+);
+
+window.jsTestIsAsync = true;
+
+function foo(o) {
+ return new o.arrayConstructor();
+}
+
+function runTest(arrayConstructor) {
+ var o = {arrayConstructor: arrayConstructor};
+
+ noInline(foo);
+ while (!dfgCompiled({f:foo}))
+ foo(o);
+
+ var array = foo(o);
+
+ if (array.__proto__ == Array.prototype)
+ testFailed("Array has the main global object's array prototype");
+ else
+ testPassed("Array doesn't have the main global object's array prototype");
+ finishJSTest();
+}
+
+function doit() {
+ document.getElementById("frameparent").innerHTML = "";
+ document.getElementById("frameparent").innerHTML = "<iframe id='testframe'>";
+ var testFrame = document.getElementById("testframe");
+ testFrame.contentDocument.open();
+
+ code = "<!DOCTYPE html>\n<head></head><body><script type=\"text/_javascript_\">\n";
+ code += "window.parent.runTest(Array);\n";
+ code += "</script></body></html>";
+
+ testFrame.contentDocument.write(code);
+ testFrame.contentDocument.close();
+}
+
+window.setTimeout(doit, 0);
+
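Review bot: `code` on the line `code = "<!DOCTYPE html>\n<head></head><body>..."` is assigned without `var`, so it leaks as a global on the test page; declare it as `var code = ...`. Two smaller points: `array.__proto__ == Array.prototype` is a loose comparison where `===` states the intended identity check more precisely, and since finishJSTest() is only reached through runTest(), a frame in which `window.parent.runTest(Array)` never runs leaves the async test to the harness timeout rather than reporting a failure; that is the usual behaviour for jsTestIsAsync tests, so acceptable, but worth knowing when reading a timeout on this test.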
Modified: trunk/Source/_javascript_Core/ChangeLog (154303 => 154304)
--- trunk/Source/_javascript_Core/ChangeLog 2013-08-19 22:36:46 UTC (rev 154303)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-08-19 22:40:17 UTC (rev 154304)
@@ -1,3 +1,12 @@
+2013-08-18 Filip Pizlo <[email protected]>
+
+ <https://webkit.org/b/119994> DFG new Array() inlining could get confused about global objects
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
+
2013-08-18 Gavin Barraclough <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=119995
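Review bot: the entry names the changed function but says nothing about what the bug was or how it was fixed; a short description would help, e.g. that inlining of new Array() in handleConstantInternalFunction now bails when the ArrayConstructor's global object differs from the calling code block's, because the NewArray nodes allocate with the caller's global object and the result would otherwise get the wrong array prototype.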
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (154303 => 154304)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-08-19 22:36:46 UTC (rev 154303)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-08-19 22:40:17 UTC (rev 154304)
@@ -1599,6 +1599,9 @@
UNUSED_PARAM(prediction); // Remove this once we do more things.
if (function->classInfo() == ArrayConstructor::info()) {
+ if (function->globalObject() != m_inlineStackTop->m_codeBlock->globalObject())
+ return false;
+
if (argumentCountIncludingThis == 2) {
set(resultOperand,
addToGraph(NewArrayWithSize, OpInfo(ArrayWithUndecided), get(registerOffset + argumentToOperand(1))));
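Review bot: the new early return has no comment explaining why the global objects must match. The NewArrayWithSize node emitted just below allocates using structures that belong to the current code block's global object, so inlining an ArrayConstructor that belongs to a different global object would hand back an array with the wrong prototype, which is exactly what the new layout test checks. A one-line comment such as `// Don't inline cross-global-object new Array(): the NewArray nodes use the caller's global object.` would save the next reader that inference. Also worth confirming that the other constructors handled by handleConstantInternalFunction (not visible in this hunk) do not need the same guard.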
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes