haikuwebkit/LayoutTests/js/dfg-ensure-array-storage-on...

11 lines
241 B
Plaintext

JSObject::ensure<IndexingType> should gracefully handle InterceptsGetOwn..., and should never be called when the 'this' is not an object
https://bugs.webkit.org/show_bug.cgi?id=105468

Reviewed by Mark Hahnenberg, Oliver Hunt, and Gavin Barraclough.

Source/JavaScriptCore:

Changed JSObject::ensure<IndexingType> methods to gracefully handle InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero. Most of them handle it by returning null as a result of indexingShouldBeSparse() returning true, while ensureArrayStorage handles it by entering dictionary indexing mode, which forces the object to behave correctly even if there is proxying or weird prototype stuff going on.

Changed DFGOperations entrypoints to reject non-objects, so that JSObject doesn't have to deal with pretending to be JSString. In particular, this would go wrong in the ArrayStorage case since we'd try to resize a butterfly on a JSString, but JSString has something other than m_butterfly at that offset.

Finally, removed all InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero from JIT code since those are now redundant.

* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::arrayify):
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* runtime/JSObject.cpp:
(JSC::JSObject::enterDictionaryIndexingMode):
(JSC::JSObject::ensureInt32Slow):
(JSC::JSObject::ensureDoubleSlow):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::ensureArrayStorageSlow):
(JSC):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
* runtime/JSObject.h:
(JSObject):

LayoutTests:

* fast/js/dfg-ensure-array-storage-on-string-expected.txt: Added.
* fast/js/dfg-ensure-array-storage-on-string.html: Added.
* fast/js/dfg-ensure-contiguous-on-string-expected.txt: Added.
* fast/js/dfg-ensure-contiguous-on-string.html: Added.
* fast/js/jsc-test-list
* fast/js/script-tests/dfg-ensure-array-storage-on-string.js: Added.
(foo):
* fast/js/script-tests/dfg-ensure-contiguous-on-string.js: Added.
(foo):

Canonical link: https://commits.webkit.org/123696@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@138201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2012-12-20 00:19:03 +00:00
Checks that trying to arrayify a string to have array storage doesn't crash.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS foo("hello") is "0hello"
PASS successfullyParsed is true
TEST COMPLETE
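The expected output above only records the result of the test; the script that produces it is not on this page. The following is an added regression-style harness (my own code, not WebKit's script-tests/dfg-ensure-array-storage-on-string.js) for the scenario the commit message describes: warm a function up on an array that JSC keeps in ArrayStorage, so the DFG compiles it with an arrayify step, then call the same compiled function with a string. Before the fix, the DFG entrypoint could reach JSObject::ensureArrayStorage with a JSString as 'this' and try to resize a butterfly that a JSString does not have; after it, and on any other engine, the string simply takes the generic path and the result is "0hello". The warm-up iteration count and the delete-based trick for demoting an array to ArrayStorage are assumptions about JSC's tiering and indexing-type transitions, not facts taken from the page.

```javascript
// Added example, not the original WebKit layout test.
// Same shape of function the expected output implies: start from 0 and add
// every indexed element, so a string argument concatenates to "0hello".
function foo(array) {
    var result = 0;
    for (var i = 0; i < array.length; ++i)
        result += array[i];  // numbers sum; string characters concatenate
    return result;
}

// Constructed warm-up input (assumption): deleting an index makes JSC abandon
// the contiguous butterfly for ArrayStorage; trimming length afterwards keeps
// the array hole-free so the numeric sum stays deterministic (1 + 2 + 3 = 6).
function makeArrayStorageArray() {
    var a = [1, 2, 3, 4];
    delete a[3];
    a.length = 3;
    return a;
}

// Run foo() enough times on the ArrayStorage array for the DFG to tier it up
// (iteration count is an assumption), then feed it the non-object argument
// that used to reach the ArrayStorage arrayify path with a JSString 'this'.
function runRegression(iterations) {
    var warm = makeArrayStorageArray();
    var sum = 0;
    for (var i = 0; i < iterations; ++i)
        sum = foo(warm);          // 6 on every iteration
    var onString = foo("hello");  // the case that crashed before the fix
    return { sum: sum, onString: onString };
}

// Stand-alone run mirroring the PASS line in the expected output above.
var r = runRegression(10000);
console.log((r.onString === "0hello" && r.sum === 6) ? "PASS" : "FAIL", r);
```

On an unfixed JavaScriptCore build the string call is where the process would crash or corrupt memory; on a fixed build, or on V8/SpiderMonkey, it returns "0hello" and the harness prints PASS, which is exactly the check the expected-output file encodes.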