scriptsman
diff --git a/‎JSTests/ChangeLog‎
Lines changed: 10 additions & 0 deletions b/‎JSTests/ChangeLog‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎JSTests/stress/have-a-bad-time-with-arguments.js‎
Lines changed: 140 additions & 0 deletions b/‎JSTests/stress/have-a-bad-time-with-arguments.js‎
Lines changed: 140 additions & 0 deletions
diff --git a/‎Source/JavaScriptCore/ChangeLog‎
Lines changed: 80 additions & 0 deletions b/‎Source/JavaScriptCore/ChangeLog‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h‎
Lines changed: 4 additions & 0 deletions b/‎Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎Source/JavaScriptCore/dfg/DFGArrayMode.cpp‎
Lines changed: 1 addition & 1 deletion b/‎Source/JavaScriptCore/dfg/DFGArrayMode.cpp‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎Source/JavaScriptCore/dfg/DFGFixupPhase.cpp‎
Lines changed: 5 additions & 1 deletion b/‎Source/JavaScriptCore/dfg/DFGFixupPhase.cpp‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎Source/JavaScriptCore/interpreter/Interpreter.cpp‎
Lines changed: 0 additions & 1 deletion b/‎Source/JavaScriptCore/interpreter/Interpreter.cpp‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎Source/JavaScriptCore/runtime/ClonedArguments.cpp‎
Lines changed: 38 additions & 16 deletions b/‎Source/JavaScriptCore/runtime/ClonedArguments.cpp‎
Lines changed: 38 additions & 16 deletions
@@ -1,3 +1,13 @@
+2016-11-03  Mark Lam  <mark.lam@apple.com>
+
+        ClonedArguments need to also support haveABadTime mode.
+        https://bugs.webkit.org/show_bug.cgi?id=164200
+        <rdar://problem/27211336>
+
+        Reviewed by Geoffrey Garen.
+
+        * stress/have-a-bad-time-with-arguments.js: Added.
+
 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
 
         DFG plays fast and loose with the shadow values of a Phi
 
@@ -0,0 +1,140 @@
+//@ runFTLNoCJIT
+
+// Tests accessing an element in arguments before and after having a bad time.
+// This test should not crash.
+
+let verbose = false;
+
+var utilities =                 'function shouldEqual(testId, actual, expected) {' + '\n' +
+                                '    if (actual != expected)' + '\n' +
+                                '        throw testId + ": ERROR: expect " + expected + ", actual " + actual;' + '\n' +
+                                '}' + '\n';
+
+var haveABadTime =              'Object.defineProperty(Object.prototype, 20, { get() { return 20; } });' + '\n';
+
+var directArgumentsDecl =       '    var args = arguments;' + '\n';
+
+var scopedArgumentsDecl =       '    var args = arguments;' + '\n' +
+                                '    function closure() { return x; }' + '\n';
+
+var clonedArgumentsDecl =       '    "use strict";' + '\n' +
+                                '    var args = arguments;' + '\n';
+
+function testFunction(argsDecl, insertElementAction, indexToReturn) {
+    var script =                'function test(x) {' + '\n' +
+                                     argsDecl +
+                                     insertElementAction +
+                                '    return args[' + indexToReturn + '];' + '\n' +
+                                '}' + '\n' +
+                                'noInline(test);' + '\n';
+    return script;
+}
+
+function warmupFunction(tierWarmupCount, testArgs) {
+    var script =                'function warmup() {' + '\n' +
+                                '    for (var i = 0; i < ' + tierWarmupCount + '; i++) {' + '\n' +
+                                '        test(' + testArgs + ');' + '\n' +
+                                '    }' + '\n' +
+                                '}' + '\n';
+    return script;
+}
+
+let argumentsDecls = {
+    direct: directArgumentsDecl,
+    scoped: scopedArgumentsDecl,
+    cloned: clonedArgumentsDecl
+};
+
+let indicesToReturn = {
+    inBounds: 0,
+    outOfBoundsInsertedElement: 10,
+    outOfBoundsInPrototype: 20
+};
+
+let tierWarmupCounts = {
+    llint: 1,
+    baseline: 50,
+    dfg: 1000,
+    ftl: 10000
+};
+
+let testArgsList = {
+    noArgs:   {
+        args: '',
+        result: {
+            inBounds: { beforeBadTime: 'undefined', afterBadTime: 'undefined', },
+            outOfBoundsInsertedElement: { beforeBadTime: '10', afterBadTime: '10', },
+            outOfBoundsInPrototype: { beforeBadTime: 'undefined', afterBadTime: '20', },
+        }
+    },
+    someArgs: {
+        args: '1, 2, 3',
+        result: {
+            inBounds: { beforeBadTime: '1', afterBadTime: '1', },
+            outOfBoundsInsertedElement: { beforeBadTime: '10', afterBadTime: '10', },
+            outOfBoundsInPrototype: { beforeBadTime: 'undefined', afterBadTime: '20', },
+        }
+    }
+};
+
+let insertElementActions = {
+    insertElement:      '    args[10] = 10;' + '\n',
+    dontInsertElement:  ''
+};
+
+for (let argsDeclIndex in argumentsDecls) {
+    let argsDecl = argumentsDecls[argsDeclIndex];
+
+    for (let indexToReturnIndex in indicesToReturn) {
+        let indexToReturn = indicesToReturn[indexToReturnIndex];
+
+        for (let insertElementActionIndex in insertElementActions) {
+            let insertElementAction = insertElementActions[insertElementActionIndex];
+
+            for (let tierWarmupCountIndex in tierWarmupCounts) {
+                let tierWarmupCount = tierWarmupCounts[tierWarmupCountIndex];
+
+                for (let testArgsIndex in testArgsList) {
+                    let testArgs = testArgsList[testArgsIndex].args;
+                    let expectedResult = testArgsList[testArgsIndex].result[indexToReturnIndex];
+
+                    if (indexToReturnIndex == 'outOfBoundsInsertedElement'
+                        && insertElementActionIndex == 'dontInsertElement')
+                        expectedResult = 'undefined';
+
+                    let testName =
+                        argsDeclIndex + '-' +
+                        indexToReturnIndex + '-' +
+                        insertElementActionIndex + '-' +
+                        tierWarmupCountIndex + '-' +
+                        testArgsIndex;
+
+
+                    let script = utilities +
+                                 testFunction(argsDecl, insertElementAction, indexToReturn) +
+                                 warmupFunction(tierWarmupCount, testArgs) +
+                                 'warmup()' + '\n' +
+                                 'shouldEqual(10000, test(' + testArgs + '), ' + expectedResult['beforeBadTime'] + ');' + '\n';
+                                 haveABadTime +
+                                 'shouldEqual(20000, test(' + testArgs + '), ' + expectedResult['afterBadTime'] + ');' + '\n';
+
+                    if (verbose) {
+                        print('Running test configuration: ' + testName);
+                        print(
+                            'Test script: ====================================================\n' +
+                            script +
+                            '=== END script ==================================================');
+                    }
+
+                    try {
+                        runString(script);
+                    } catch (e) {
+                        print('FAILED test configuration: ' + testName);
+                        print('FAILED test script:\n' + script);
+                        throw e;
+                    }
+                }
+            }
+        }
+    }
+}
@@ -1,3 +1,83 @@
+2016-11-03  Mark Lam  <mark.lam@apple.com>
+
+        ClonedArguments need to also support haveABadTime mode.
+        https://bugs.webkit.org/show_bug.cgi?id=164200
+        <rdar://problem/27211336>
+
+        Reviewed by Geoffrey Garen.
+
+        For those who are not familiar with the parlance, "have a bad time" in the VM
+        means that Object.prototype has been modified in such a way that we can no longer
+        trivially do indexed property accesses without consulting the Object.prototype.
+        This defeats JIT indexed put optimizations, and hence, makes the VM "have a
+        bad time".
+
+        Once the VM enters haveABadTime mode, all existing objects are converted to use
+        slow put storage.  Thereafter, JSArrays are always created with slow put storage.
+        JSObjects are always created with a blank indexing type.  When a new indexed
+        property is put into the new object, its indexing type will be converted to the
+        slow put array indexing type just before we perform the put operation.  This is
+        how we ensure that the objects will also use slow put storage.
+
+        However, ClonedArguments is an object which was previously created unconditionally
+        to use contiguous storage.  Subsequently, if we try to call Object.preventExtensions()
+        on that ClonedArguments object, Object.preventExtensions() will:
+        1. make the ClonedArguments enter dictionary indexing mode, which means it will
+        2. first ensure that the ClonedArguments is using slow put array storage via
+           JSObject::ensureArrayStorageSlow().
+
+        However, JSObject::ensureArrayStorageSlow() expects that we never see an object
+        with contiguous storage once we're in haveABadTime mode.  Our ClonedArguments
+        object did not obey this invariant.
+
+        The fix is to make the ClonedArguments factories create objects that use slow put
+        array storage when in haveABadTime mode.  This means:
+
+        1. JSGlobalObject::haveABadTime() now changes m_clonedArgumentsStructure to use
+           its slow put version.
+
+           Also the caching of the slow put version of m_regExpMatchesArrayStructure,
+           because we only need to create it when we are having a bad time. 
+
+        2. The ClonedArguments factories now allocates a butterfly with slow put array
+           storage if we're in haveABadTime mode.
+
+           Also added some assertions in ClonedArguments' factory methods to ensure that
+           the created object has the slow put indexing type when it needsSlowPutIndexing().
+
+        3. DFGFixupPhase now watches the havingABadTimeWatchpoint because ClonedArguments'
+           structure will change when having a bad time.
+
+        4. DFGArgumentEliminationPhase and DFGVarargsForwardingPhase need not be changed
+           because it is still valid to eliminate the creation of the arguments object
+           even having a bad time, as long as the arguments object does not escape.
+
+        5. The DFGAbstractInterpreterInlines now checks for haveABadTime, and sets the
+           predicted type to be SpecObject.
+
+        Note: this issue does not apply to DirectArguments and ScopedArguments because
+        they use a blank indexing type (just like JSObject).
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::dump):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * runtime/ClonedArguments.cpp:
+        (JSC::ClonedArguments::createEmpty):
+        (JSC::ClonedArguments::createWithInlineFrame):
+        (JSC::ClonedArguments::createWithMachineFrame):
+        (JSC::ClonedArguments::createByCopyingFrom):
+        (JSC::ClonedArguments::createStructure):
+        (JSC::ClonedArguments::createSlowPutStructure):
+        * runtime/ClonedArguments.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::haveABadTime):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+
 2016-11-03  Filip Pizlo  <fpizlo@apple.com>
 
         DFG plays fast and loose with the shadow values of a Phi
 
@@ -1981,6 +1981,10 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
         break;
 
     case CreateClonedArguments:
+        if (!m_graph.isWatchingHavingABadTimeWatchpoint(node)) {
+            forNode(node).setType(m_graph, SpecObject);
+            break;
+        }
         forNode(node).set(m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->clonedArgumentsStructure());
         break;
 
 
@@ -734,7 +734,7 @@ bool ArrayMode::permitsBoundsCheckLowering() const
 
 void ArrayMode::dump(PrintStream& out) const
 {
-    out.print(type(), arrayClass(), speculation(), conversion());
+    out.print(type(), "+", arrayClass(), "+", speculation(), "+", conversion());
 }
 
 } } // namespace JSC::DFG
 
@@ -1550,6 +1550,11 @@ class FixupPhase : public Phase {
             break;
         }
 
+        case CreateClonedArguments: {
+            watchHavingABadTime(node);
+            break;
+        }
+
         case CreateScopedArguments:
         case CreateActivation:
         case NewFunction:
@@ -1776,7 +1781,6 @@ class FixupPhase : public Phase {
         case IsObjectOrNull:
         case IsFunction:
         case CreateDirectArguments:
-        case CreateClonedArguments:
         case Jump:
         case Return:
         case TailCall:
 
@@ -32,7 +32,6 @@
 
 #include "BatchedTransitionOptimizer.h"
 #include "CallFrameClosure.h"
-#include "ClonedArguments.h"
 #include "CodeBlock.h"
 #include "DirectArguments.h"
 #include "Heap.h"
 
@@ -48,16 +48,23 @@ ClonedArguments* ClonedArguments::createEmpty(
     if (vectorLength > MAX_STORAGE_VECTOR_LENGTH)
         return 0;
 
-    void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
-    if (!temp)
-        return 0;
-    Butterfly* butterfly = Butterfly::fromBase(temp, 0, structure->outOfLineCapacity());
-    butterfly->setVectorLength(vectorLength);
-    butterfly->setPublicLength(length);
+    Butterfly* butterfly;
+    if (UNLIKELY(structure->needsSlowPutIndexing())) {
+        butterfly = createArrayStorageButterfly(vm, nullptr, structure, length, vectorLength);
+        butterfly->arrayStorage()->m_numValuesInVector = vectorLength;
+
+    } else {
+        void* temp = vm.heap.tryAllocateAuxiliary(nullptr, Butterfly::totalSize(0, structure->outOfLineCapacity(), true, vectorLength * sizeof(EncodedJSValue)));
+        if (!temp)
+            return 0;
+        butterfly = Butterfly::fromBase(temp, 0, structure->outOfLineCapacity());
+        butterfly->setVectorLength(vectorLength);
+        butterfly->setPublicLength(length);
+        
+        for (unsigned i = length; i < vectorLength; ++i)
+            butterfly->contiguous()[i].clear();
+    }
 
-    for (unsigned i = length; i < vectorLength; ++i)
-        butterfly->contiguous()[i].clear();
-
     ClonedArguments* result =
         new (NotNull, allocateCell<ClonedArguments>(vm.heap))
         ClonedArguments(vm, structure, butterfly);
@@ -70,9 +77,12 @@ ClonedArguments* ClonedArguments::createEmpty(
 
 ClonedArguments* ClonedArguments::createEmpty(ExecState* exec, JSFunction* callee, unsigned length)
 {
+    VM& vm = exec->vm();
     // NB. Some clients might expect that the global object of of this object is the global object
     // of the callee. We don't do this for now, but maybe we should.
-    return createEmpty(exec->vm(), exec->lexicalGlobalObject()->clonedArgumentsStructure(), callee, length);
+    ClonedArguments* result = createEmpty(vm, exec->lexicalGlobalObject()->clonedArgumentsStructure(), callee, length);
+    ASSERT(!result->structure(vm)->needsSlowPutIndexing() || shouldUseSlowPut(result->structure(vm)->indexingType()));
+    return result;
 }
 
 ClonedArguments* ClonedArguments::createWithInlineFrame(ExecState* myFrame, ExecState* targetFrame, InlineCallFrame* inlineCallFrame, ArgumentsMode mode)
@@ -117,12 +127,15 @@ ClonedArguments* ClonedArguments::createWithInlineFrame(ExecState* myFrame, Exec
     } }
 
     ASSERT(myFrame->lexicalGlobalObject()->clonedArgumentsStructure() == result->structure());
+    ASSERT(!result->structure(vm)->needsSlowPutIndexing() || shouldUseSlowPut(result->structure(vm)->indexingType()));
     return result;
 }
 
 ClonedArguments* ClonedArguments::createWithMachineFrame(ExecState* myFrame, ExecState* targetFrame, ArgumentsMode mode)
 {
-    return createWithInlineFrame(myFrame, targetFrame, nullptr, mode);
+    ClonedArguments* result = createWithInlineFrame(myFrame, targetFrame, nullptr, mode);
+    ASSERT(!result->structure()->needsSlowPutIndexing() || shouldUseSlowPut(result->structure()->indexingType()));
+    return result;
 }
 
 ClonedArguments* ClonedArguments::createByCopyingFrom(
@@ -134,21 +147,30 @@ ClonedArguments* ClonedArguments::createByCopyingFrom(
 
     for (unsigned i = length; i--;)
         result->initializeIndex(vm, i, argumentStart[i].jsValue());
-
+    ASSERT(!result->structure(vm)->needsSlowPutIndexing() || shouldUseSlowPut(result->structure(vm)->indexingType()));
     return result;
 }
 
-Structure* ClonedArguments::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+Structure* ClonedArguments::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, IndexingType indexingType)
 {
-    // We use contiguous storage because optimizations in the FTL assume that cloned arguments creation always produces the same initial structure.
-
-    Structure* structure = Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info(), NonArrayWithContiguous);
+    Structure* structure = Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info(), indexingType);
     PropertyOffset offset;
     structure = structure->addPropertyTransition(vm, structure, vm.propertyNames->length, DontEnum, offset);
     ASSERT(offset == clonedArgumentsLengthPropertyOffset);
     return structure;
 }
 
+Structure* ClonedArguments::createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+{
+    // We use contiguous storage because optimizations in the FTL assume that cloned arguments creation always produces the same initial structure.
+    return createStructure(vm, globalObject, prototype, NonArrayWithContiguous);
+}
+
+Structure* ClonedArguments::createSlowPutStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+{
+    return createStructure(vm, globalObject, prototype, NonArrayWithSlowPutArrayStorage);
+}
+
 bool ClonedArguments::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName ident, PropertySlot& slot)
 {
     ClonedArguments* thisObject = jsCast<ClonedArguments*>(object);
Original file line number	Diff line number	Diff line change
`@@ -734,7 +734,7 @@ bool ArrayMode::permitsBoundsCheckLowering() const`
`734`	`734`
`735`	`735`	`void ArrayMode::dump(PrintStream& out) const`
`736`	`736`	`{`
`737`		`- out.print(type(), arrayClass(), speculation(), conversion());`
	`737`	`+ out.print(type(), "+", arrayClass(), "+", speculation(), "+", conversion());`
`738`	`738`	`}`
`739`	`739`
`740`	`740`	`} } // namespace JSC::DFG`