Arrayify neglects to inform the clobberizer that it might fire watchpoints https://bugs.webkit.org/show_bug.cgi?id=133340 Reviewed by Mark Lam. * dfg/DFGClobberize.h: (JSC::DFG::clobberize): Be honest. * llint/LowLevelInterpreter32_64.asm: Profile the object, not its structure. * tests/stress/arrayify-fires-watchpoint.js: Added. (foo): (test): (makeObjectArray): * tests/stress/arrayify-structure-bad-test.js: Added. (foo): (test): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@169428 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: 08ec40f6d1ae5bb298716099746dc3f87a6da283 [log] [tgz]
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed May 28 18:59:38 2014 +0000
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed May 28 18:59:38 2014 +0000
tree: f7ac7f29690a733d361bc17a14111e64f8be1988
parent: 5980b79e54c69973f5d23bd139d5f261558c27a2 [diff] [blame]
diff --git a/Source/JavaScriptCore/tests/stress/arrayify-structure-bad-test.js b/Source/JavaScriptCore/tests/stress/arrayify-structure-bad-test.js
new file mode 100644
index 0000000..88edb36
--- /dev/null
+++ b/Source/JavaScriptCore/tests/stress/arrayify-structure-bad-test.js

@@ -0,0 +1,22 @@
+function foo(a, b) {
+    var x = b.f;
+    x += a[0];
+    return x + b.f;
+}
+
+noInline(foo);
+
+function test(a, b, c) {
+    var result = foo(a, b);
+    if (result != c)
+        throw new Error("bad result: expected " + c + " but got: " + result);
+}
+
+var p = {f:42};
+p[0] = 5;
+for (var i = 0; i < 100000; ++i) {
+    test([4], p, 88);
+    test([4.5], p, 88.5);
+}
+
+test(p, p, 89);
commit	08ec40f6d1ae5bb298716099746dc3f87a6da283	[log] [tgz]
author	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Wed May 28 18:59:38 2014 +0000
committer	fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Wed May 28 18:59:38 2014 +0000
tree	f7ac7f29690a733d361bc17a14111e64f8be1988
parent	5980b79e54c69973f5d23bd139d5f261558c27a2 [diff] [blame]