haikuwebkit/LayoutTests/js/dfg-string-out-of-bounds-ch...

Tests what happens when you do a out-of-bounds access on a string and use that to install a getter that clobbers a structure.

On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".


Passed some tests silently.

TEST COMPLETE
fourthTier: String GetByVal out-of-bounds handling is so wrong https://bugs.webkit.org/show_bug.cgi?id=118935 Source/JavaScriptCore: Reviewed by Geoffrey Garen. Bunch of String GetByVal out-of-bounds fixes: - Even if the string proto chain is sane, we need to watch out for negative indices. They may get values or call getters in the prototypes, since proto sanity doesn't check for negative indexed properties, as they are not technically indexed properties. - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be given this information. - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be given this information. Also fixed some other things: - If the DFG is disabled, the testRunner should pretend that we've done a bunch of DFG compiles. That's necessary to prevent the tests from timing out. - Disassembler shouldn't try to dump source code since it's not safe in the concurrent JIT. * API/JSCTestRunnerUtils.cpp: (JSC::numberOfDFGCompiles): * JavaScriptCore.xcodeproj/project.pbxproj: * dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::::executeEffects): * dfg/DFGDisassembler.cpp: (JSC::DFG::Disassembler::dumpHeader): * dfg/DFGGraph.h: (JSC::DFG::Graph::byValIsPure): * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added. (DFG): (SaneStringGetByValSlowPathGenerator): (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator): (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileGetByValOnString): LayoutTests: Reviewed by Geoffrey Garen. * fast/js/dfg-string-out-of-bounds-check-structure-expected.txt: Added. * fast/js/dfg-string-out-of-bounds-check-structure.html: Added. * fast/js/dfg-string-out-of-bounds-cse-expected.txt: Added. * fast/js/dfg-string-out-of-bounds-cse.html: Added. * fast/js/dfg-string-out-of-bounds-negative-check-structure-expected.txt: Added. * fast/js/dfg-string-out-of-bounds-negative-check-structure.html: Added. * fast/js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Added. * fast/js/dfg-string-out-of-bounds-negative-proto-value.html: Added. * fast/js/jsc-test-list: * fast/js/script-tests/dfg-string-out-of-bounds-check-structure.js: Added. (foo): * fast/js/script-tests/dfg-string-out-of-bounds-cse.js: Added. (foo): * fast/js/script-tests/dfg-string-out-of-bounds-negative-check-structure.js: Added. (foo): (while): * fast/js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Added. (foo): Canonical link: https://commits.webkit.org/137070@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@153286 268f45cc-cd09-0410-ab3c-d52691b4dbfc 2013-07-25 04:05:12 +00:00			`Tests what happens when you do a out-of-bounds access on a string and use that to install a getter that clobbers a structure.`

			`On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".`


			`Passed some tests silently.`

			`TEST COMPLETE`