<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181990] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181990">181990</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-03-25 18:26:56 -0700 (Wed, 25 Mar 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
https://bugs.webkit.org/show_bug.cgi?id=142993
Source/JavaScriptCore:
Reviewed by Geoffrey Garen and Mark Lam.
This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
into using JITCompilationCanFail and having a legit fallback path. This mostly involves
having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
failure, but also involves adding the same kind of thing to the stub generators in
Repatch.
Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
like host call stub generation, could handle a GC, but those get invoked very rarely. So,
this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
printout.
Also add a way of inducing executable allocation failure, so that we can test this.
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::compile):
(JSC::DFG::JITCompiler::compileFunction):
(JSC::DFG::JITCompiler::link): Deleted.
(JSC::DFG::JITCompiler::linkFunction): Deleted.
* dfg/DFGJITCompiler.h:
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* ftl/FTLCompile.cpp:
(JSC::FTL::mmAllocateCodeSection):
(JSC::FTL::mmAllocateDataSection):
* ftl/FTLLink.cpp:
(JSC::FTL::link):
* ftl/FTLState.h:
* jit/ArityCheckFailReturnThunks.cpp:
(JSC::ArityCheckFailReturnThunks::returnPCsFor):
* jit/ExecutableAllocationFuzz.cpp: Added.
(JSC::numberOfExecutableAllocationFuzzChecks):
(JSC::doExecutableAllocationFuzzing):
* jit/ExecutableAllocationFuzz.h: Added.
(JSC::doExecutableAllocationFuzzingIfEnabled):
* jit/ExecutableAllocatorFixedVMPool.cpp:
(JSC::ExecutableAllocator::allocate):
* jit/JIT.cpp:
(JSC::JIT::privateCompile):
* jit/JITCompilationEffort.h:
* jit/Repatch.cpp:
(JSC::generateByIdStub):
(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):
(JSC::emitPutReplaceStub):
(JSC::emitPutTransitionStubAndGetOldStructure):
(JSC::tryCachePutByID):
(JSC::tryBuildPutByIdList):
(JSC::tryRepatchIn):
(JSC::linkPolymorphicCall):
* jsc.cpp:
(jscmain):
* runtime/Options.h:
* runtime/TestRunnerUtils.h:
* runtime/VM.cpp:
* tests/executableAllocationFuzz: Added.
* tests/executableAllocationFuzz.yaml: Added.
* tests/executableAllocationFuzz/v8-raytrace.js: Added.
Tools:
Reviewed by Mark Lam.
Bunch of support for testing executable allocation failure.
* Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added.
(fail):
* Scripts/run-javascriptcore-tests:
(runJSCStressTests):
* Scripts/run-jsc-stress-tests:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilerh">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCompilecpp">trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLinkcpp">trunk/Source/JavaScriptCore/ftl/FTLLink.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLStateh">trunk/Source/JavaScriptCore/ftl/FTLState.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitArityCheckFailReturnThunkscpp">trunk/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitExecutableAllocatorFixedVMPoolcpp">trunk/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITcpp">trunk/Source/JavaScriptCore/jit/JIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCompilationEfforth">trunk/Source/JavaScriptCore/jit/JITCompilationEffort.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitRepatchcpp">trunk/Source/JavaScriptCore/jit/Repatch.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejsccpp">trunk/Source/JavaScriptCore/jsc.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionsh">trunk/Source/JavaScriptCore/runtime/Options.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh">trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeVMcpp">trunk/Source/JavaScriptCore/runtime/VM.cpp</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsScriptsrunjavascriptcoretests">trunk/Tools/Scripts/run-javascriptcore-tests</a></li>
<li><a href="#trunkToolsScriptsrunjscstresstests">trunk/Tools/Scripts/run-jsc-stress-tests</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCorejitExecutableAllocationFuzzcpp">trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitExecutableAllocationFuzzh">trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.h</a></li>
<li>trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/</li>
<li><a href="#trunkSourceJavaScriptCoretestsexecutableAllocationFuzzv8raytracejs">trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/v8-raytrace.js</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsexecutableAllocationFuzzyaml">trunk/Source/JavaScriptCore/tests/executableAllocationFuzz.yaml</a></li>
<li><a href="#trunkToolsScriptsjscstresstesthelpersjsexecutableallocationfuzz">trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -326,6 +326,7 @@
</span><span class="cx"> jit/AssemblyHelpers.cpp
</span><span class="cx"> jit/ArityCheckFailReturnThunks.cpp
</span><span class="cx"> jit/BinarySwitch.cpp
</span><ins>+ jit/ExecutableAllocationFuzz.cpp
</ins><span class="cx"> jit/ExecutableAllocator.cpp
</span><span class="cx"> jit/ExecutableAllocatorFixedVMPool.cpp
</span><span class="cx"> jit/GCAwareJITStubRoutine.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,3 +1,72 @@
</span><ins>+2015-03-25 Filip Pizlo <fpizlo@apple.com>
+
+ Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
+ https://bugs.webkit.org/show_bug.cgi?id=142993
+
+ Reviewed by Geoffrey Garen and Mark Lam.
+
+ This changes the most commonly invoked paths that relied on JITCompilationMustSucceed
+ into using JITCompilationCanFail and having a legit fallback path. This mostly involves
+ having the FTL JIT do the same trick as the DFG JIT in case of any memory allocation
+ failure, but also involves adding the same kind of thing to the stub generators in
+ Repatch.
+
+ Because of that change, there are relatively few uses of JITCompilationMustSucceed. Most
+ of those uses cannot handle a GC, and so cannot do releaseExecutableMemory(). Only a few,
+ like host call stub generation, could handle a GC, but those get invoked very rarely. So,
+ this patch changes the releaseExecutableMemory() call into a crash with some diagnostic
+ printout.
+
+ Also add a way of inducing executable allocation failure, so that we can test this.
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::compile):
+ (JSC::DFG::JITCompiler::compileFunction):
+ (JSC::DFG::JITCompiler::link): Deleted.
+ (JSC::DFG::JITCompiler::linkFunction): Deleted.
+ * dfg/DFGJITCompiler.h:
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::mmAllocateCodeSection):
+ (JSC::FTL::mmAllocateDataSection):
+ * ftl/FTLLink.cpp:
+ (JSC::FTL::link):
+ * ftl/FTLState.h:
+ * jit/ArityCheckFailReturnThunks.cpp:
+ (JSC::ArityCheckFailReturnThunks::returnPCsFor):
+ * jit/ExecutableAllocationFuzz.cpp: Added.
+ (JSC::numberOfExecutableAllocationFuzzChecks):
+ (JSC::doExecutableAllocationFuzzing):
+ * jit/ExecutableAllocationFuzz.h: Added.
+ (JSC::doExecutableAllocationFuzzingIfEnabled):
+ * jit/ExecutableAllocatorFixedVMPool.cpp:
+ (JSC::ExecutableAllocator::allocate):
+ * jit/JIT.cpp:
+ (JSC::JIT::privateCompile):
+ * jit/JITCompilationEffort.h:
+ * jit/Repatch.cpp:
+ (JSC::generateByIdStub):
+ (JSC::tryCacheGetByID):
+ (JSC::tryBuildGetByIDList):
+ (JSC::emitPutReplaceStub):
+ (JSC::emitPutTransitionStubAndGetOldStructure):
+ (JSC::tryCachePutByID):
+ (JSC::tryBuildPutByIdList):
+ (JSC::tryRepatchIn):
+ (JSC::linkPolymorphicCall):
+ * jsc.cpp:
+ (jscmain):
+ * runtime/Options.h:
+ * runtime/TestRunnerUtils.h:
+ * runtime/VM.cpp:
+ * tests/executableAllocationFuzz: Added.
+ * tests/executableAllocationFuzz.yaml: Added.
+ * tests/executableAllocationFuzz/v8-raytrace.js: Added.
+
</ins><span class="cx"> 2015-03-25 Mark Lam <mark.lam@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION(169139): LLINT intermittently fails JSC testapi tests.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -598,6 +598,7 @@
</span><span class="cx"> <ClCompile Include="..\jit\ArityCheckFailReturnThunks.cpp" />
</span><span class="cx"> <ClCompile Include="..\jit\AssemblyHelpers.cpp" />
</span><span class="cx"> <ClCompile Include="..\jit\BinarySwitch.cpp" />
</span><ins>+ <ClCompile Include="..\jit\ExecutableAllocationFuzz.cpp" />
</ins><span class="cx"> <ClCompile Include="..\jit\ExecutableAllocator.cpp" />
</span><span class="cx"> <ClCompile Include="..\jit\ExecutableAllocatorFixedVMPool.cpp" />
</span><span class="cx"> <ClCompile Include="..\jit\GCAwareJITStubRoutine.cpp" />
</span><span class="lines">@@ -1340,6 +1341,7 @@
</span><span class="cx"> <ClInclude Include="..\jit\BinarySwitch.h" />
</span><span class="cx"> <ClInclude Include="..\jit\CCallHelpers.h" />
</span><span class="cx"> <ClInclude Include="..\jit\CompactJITCodeMap.h" />
</span><ins>+ <ClInclude Include="..\jit\ExecutableAllocationFuzz.h" />
</ins><span class="cx"> <ClInclude Include="..\jit\ExecutableAllocator.h" />
</span><span class="cx"> <ClInclude Include="..\jit\FPRInfo.h" />
</span><span class="cx"> <ClInclude Include="..\jit\GCAwareJITStubRoutine.h" />
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -646,6 +646,8 @@
</span><span class="cx"> 0FEE98431A89227500754E93 /* SetupVarargsFrame.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FEE98421A89227500754E93 /* SetupVarargsFrame.cpp */; };
</span><span class="cx"> 0FEFC9AA1681A3B300567F53 /* DFGOSRExitJumpPlaceholder.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FEFC9A71681A3B000567F53 /* DFGOSRExitJumpPlaceholder.cpp */; };
</span><span class="cx"> 0FEFC9AB1681A3B600567F53 /* DFGOSRExitJumpPlaceholder.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FEFC9A81681A3B000567F53 /* DFGOSRExitJumpPlaceholder.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0FF054F91AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FF054F71AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp */; };
+ 0FF054FA1AC35B4400E5BE57 /* ExecutableAllocationFuzz.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FF054F81AC35B4400E5BE57 /* ExecutableAllocationFuzz.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0FF0F19916B729F6005DF95B /* DFGLongLivedState.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51C16B62772003F696B /* DFGLongLivedState.cpp */; };
</span><span class="cx"> 0FF0F19B16B729FA005DF95B /* DFGLongLivedState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FB4B51D16B62772003F696B /* DFGLongLivedState.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0FF0F19C16B72A03005DF95B /* DFGNode.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FB4B51E16B62772003F696B /* DFGNode.cpp */; };
</span><span class="lines">@@ -2349,6 +2351,8 @@
</span><span class="cx"> 0FEE98421A89227500754E93 /* SetupVarargsFrame.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = SetupVarargsFrame.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0FEFC9A71681A3B000567F53 /* DFGOSRExitJumpPlaceholder.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGOSRExitJumpPlaceholder.cpp; path = dfg/DFGOSRExitJumpPlaceholder.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0FEFC9A81681A3B000567F53 /* DFGOSRExitJumpPlaceholder.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGOSRExitJumpPlaceholder.h; path = dfg/DFGOSRExitJumpPlaceholder.h; sourceTree = "<group>"; };
</span><ins>+ 0FF054F71AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutableAllocationFuzz.cpp; sourceTree = "<group>"; };
+ 0FF054F81AC35B4400E5BE57 /* ExecutableAllocationFuzz.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecutableAllocationFuzz.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0FF4272F158EBD44004CB9FF /* Disassembler.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = Disassembler.h; path = disassembler/Disassembler.h; sourceTree = "<group>"; };
</span><span class="cx"> 0FF42730158EBD44004CB9FF /* UDis86Disassembler.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = UDis86Disassembler.cpp; path = disassembler/UDis86Disassembler.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0FF42734158EBD94004CB9FF /* udis86_decode.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; name = udis86_decode.c; path = disassembler/udis86/udis86_decode.c; sourceTree = "<group>"; };
</span><span class="lines">@@ -3801,6 +3805,8 @@
</span><span class="cx"> 1429D92C0ED22D7000B89619 /* jit */ = {
</span><span class="cx"> isa = PBXGroup;
</span><span class="cx"> children = (
</span><ins>+ 0FF054F71AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp */,
+ 0FF054F81AC35B4400E5BE57 /* ExecutableAllocationFuzz.h */,
</ins><span class="cx"> 0F7576D018E1FEE9002EF4CD /* AccessorCallJITStubRoutine.cpp */,
</span><span class="cx"> 0F7576D118E1FEE9002EF4CD /* AccessorCallJITStubRoutine.h */,
</span><span class="cx"> 0F6B1CC718641DF800845D97 /* ArityCheckFailReturnThunks.cpp */,
</span><span class="lines">@@ -5619,6 +5625,7 @@
</span><span class="cx"> A704D90317A0BAA8006BA554 /* DFGAbstractInterpreter.h in Headers */,
</span><span class="cx"> A704D90417A0BAA8006BA554 /* DFGAbstractInterpreterInlines.h in Headers */,
</span><span class="cx"> 0F620177143FCD3F0068B77C /* DFGAbstractValue.h in Headers */,
</span><ins>+ 0FF054FA1AC35B4400E5BE57 /* ExecutableAllocationFuzz.h in Headers */,
</ins><span class="cx"> 0F66E16B14DF3F1600B7B2E4 /* DFGAdjacencyList.h in Headers */,
</span><span class="cx"> 0FFB921816D02EB20055A5DB /* DFGAllocator.h in Headers */,
</span><span class="cx"> A737810C1799EA2E00817533 /* DFGAnalysis.h in Headers */,
</span><span class="lines">@@ -7229,6 +7236,7 @@
</span><span class="cx"> 0F2B66FA17B6B5AB00A7AE3F /* JSTypedArrayConstructors.cpp in Sources */,
</span><span class="cx"> 0F2B66FC17B6B5AB00A7AE3F /* JSTypedArrayPrototypes.cpp in Sources */,
</span><span class="cx"> 0F2B66FE17B6B5AB00A7AE3F /* JSTypedArrays.cpp in Sources */,
</span><ins>+ 0FF054F91AC35B4400E5BE57 /* ExecutableAllocationFuzz.cpp in Sources */,
</ins><span class="cx"> 86E3C61A167BABEE006D760A /* JSValue.mm in Sources */,
</span><span class="cx"> 14BD5A320A3E91F600BAF59C /* JSValueRef.cpp in Sources */,
</span><span class="cx"> 147F39D7107EC37600427A48 /* JSEnvironmentRecord.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -325,10 +325,7 @@
</span><span class="cx"> // Create OSR entry trampolines if necessary.
</span><span class="cx"> m_speculative->createOSREntries();
</span><span class="cx"> setEndOfCode();
</span><del>-}
</del><span class="cx">
</span><del>-void JITCompiler::link()
-{
</del><span class="cx"> auto linkBuffer = std::make_unique<LinkBuffer>(*m_vm, *this, m_codeBlock, JITCompilationCanFail);
</span><span class="cx"> if (linkBuffer->didFailToAllocate()) {
</span><span class="cx"> m_graph.m_plan.finalizer = std::make_unique<FailedFinalizer>(m_graph.m_plan);
</span><span class="lines">@@ -412,7 +409,9 @@
</span><span class="cx"> #else
</span><span class="cx"> thunkReg = GPRInfo::regT5;
</span><span class="cx"> #endif
</span><del>- move(TrustedImmPtr(m_vm->arityCheckFailReturnThunks->returnPCsFor(*m_vm, m_codeBlock->numParameters())), thunkReg);
</del><ins>+ CodeLocationLabel* arityThunkLabels =
+ m_vm->arityCheckFailReturnThunks->returnPCsFor(*m_vm, m_codeBlock->numParameters());
+ move(TrustedImmPtr(arityThunkLabels), thunkReg);
</ins><span class="cx"> loadPtr(BaseIndex(thunkReg, GPRInfo::regT0, timesPtr()), thunkReg);
</span><span class="cx"> m_callArityFixup = call();
</span><span class="cx"> jump(fromArityCheck);
</span><span class="lines">@@ -426,10 +425,7 @@
</span><span class="cx"> // Create OSR entry trampolines if necessary.
</span><span class="cx"> m_speculative->createOSREntries();
</span><span class="cx"> setEndOfCode();
</span><del>-}
</del><span class="cx">
</span><del>-void JITCompiler::linkFunction()
-{
</del><span class="cx"> // === Link ===
</span><span class="cx"> auto linkBuffer = std::make_unique<LinkBuffer>(*m_vm, *this, m_codeBlock, JITCompilationCanFail);
</span><span class="cx"> if (linkBuffer->didFailToAllocate()) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -111,9 +111,6 @@
</span><span class="cx"> void compile();
</span><span class="cx"> void compileFunction();
</span><span class="cx">
</span><del>- void link();
- void linkFunction();
-
</del><span class="cx"> // Accessors for properties.
</span><span class="cx"> Graph& graph() { return m_graph; }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -299,13 +299,10 @@
</span><span class="cx"> dumpAndVerifyGraph(dfg, "Graph after optimization:");
</span><span class="cx">
</span><span class="cx"> JITCompiler dataFlowJIT(dfg);
</span><del>- if (codeBlock->codeType() == FunctionCode) {
</del><ins>+ if (codeBlock->codeType() == FunctionCode)
</ins><span class="cx"> dataFlowJIT.compileFunction();
</span><del>- dataFlowJIT.linkFunction();
- } else {
</del><ins>+ else
</ins><span class="cx"> dataFlowJIT.compile();
</span><del>- dataFlowJIT.link();
- }
</del><span class="cx">
</span><span class="cx"> return DFGPath;
</span><span class="cx"> }
</span><span class="lines">@@ -404,6 +401,11 @@
</span><span class="cx"> FTL::fail(state);
</span><span class="cx"> return FTLPath;
</span><span class="cx"> }
</span><ins>+
+ if (state.allocationFailed) {
+ FTL::fail(state);
+ return FTLPath;
+ }
</ins><span class="cx">
</span><span class="cx"> if (state.jitCode->stackmaps.stackSize() > Options::llvmMaxStackSize()) {
</span><span class="cx"> FTL::fail(state);
</span><span class="lines">@@ -411,6 +413,12 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> FTL::link(state);
</span><ins>+
+ if (state.allocationFailed) {
+ FTL::fail(state);
+ return FTLPath;
+ }
+
</ins><span class="cx"> return FTLPath;
</span><span class="cx"> #else
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCompilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -59,8 +59,18 @@
</span><span class="cx">
</span><span class="cx"> RefPtr<ExecutableMemoryHandle> result =
</span><span class="cx"> state.graph.m_vm.executableAllocator.allocate(
</span><del>- state.graph.m_vm, size, state.graph.m_codeBlock, JITCompilationMustSucceed);
</del><ins>+ state.graph.m_vm, size, state.graph.m_codeBlock, JITCompilationCanFail);
</ins><span class="cx">
</span><ins>+ if (!result) {
+ // Signal failure. This compilation will get tossed.
+ state.allocationFailed = true;
+
+ // Fake an allocation, since LLVM cannot handle failures in the memory manager.
+ RefPtr<DataSection> fakeSection = adoptRef(new DataSection(size, jitAllocationGranule));
+ state.jitCode->addDataSection(fakeSection);
+ return bitwise_cast<uint8_t*>(fakeSection->base());
+ }
+
</ins><span class="cx"> // LLVM used to put __compact_unwind in a code section. We keep this here defensively,
</span><span class="cx"> // for clients that use older LLVMs.
</span><span class="cx"> if (!strcmp(sectionName, SECTION_NAME("compact_unwind"))) {
</span><span class="lines">@@ -344,7 +354,11 @@
</span><span class="cx"> checkJIT.jumpToExceptionHandler();
</span><span class="cx">
</span><span class="cx"> auto linkBuffer = std::make_unique<LinkBuffer>(
</span><del>- vm, checkJIT, codeBlock, JITCompilationMustSucceed);
</del><ins>+ vm, checkJIT, codeBlock, JITCompilationCanFail);
+ if (linkBuffer->didFailToAllocate()) {
+ state.allocationFailed = true;
+ return;
+ }
</ins><span class="cx"> linkBuffer->link(callLookupExceptionHandler, FunctionPtr(lookupExceptionHandler));
</span><span class="cx"> linkBuffer->link(callLookupExceptionHandlerFromCallerFrame, FunctionPtr(lookupExceptionHandlerFromCallerFrame));
</span><span class="cx">
</span><span class="lines">@@ -358,7 +372,11 @@
</span><span class="cx"> RELEASE_ASSERT(didSeeUnwindInfo);
</span><span class="cx">
</span><span class="cx"> auto linkBuffer = std::make_unique<LinkBuffer>(
</span><del>- vm, exitThunkGenerator, codeBlock, JITCompilationMustSucceed);
</del><ins>+ vm, exitThunkGenerator, codeBlock, JITCompilationCanFail);
+ if (linkBuffer->didFailToAllocate()) {
+ state.allocationFailed = true;
+ return;
+ }
</ins><span class="cx">
</span><span class="cx"> RELEASE_ASSERT(state.finalizer->osrExit.size() == state.jitCode->osrExit.size());
</span><span class="cx">
</span><span class="lines">@@ -516,7 +534,11 @@
</span><span class="cx"> exceptionTarget.link(&slowPathJIT);
</span><span class="cx"> MacroAssembler::Jump exceptionJump = slowPathJIT.jump();
</span><span class="cx">
</span><del>- state.finalizer->sideCodeLinkBuffer = std::make_unique<LinkBuffer>(vm, slowPathJIT, codeBlock, JITCompilationMustSucceed);
</del><ins>+ state.finalizer->sideCodeLinkBuffer = std::make_unique<LinkBuffer>(vm, slowPathJIT, codeBlock, JITCompilationCanFail);
+ if (state.finalizer->sideCodeLinkBuffer->didFailToAllocate()) {
+ state.allocationFailed = true;
+ return;
+ }
</ins><span class="cx"> state.finalizer->sideCodeLinkBuffer->link(
</span><span class="cx"> exceptionJump, state.finalizer->handleExceptionsLinkBuffer->entrypoint());
</span><span class="cx">
</span><span class="lines">@@ -675,13 +697,17 @@
</span><span class="cx"> dataLog("FATAL: Could not create LLVM execution engine: ", error, "\n");
</span><span class="cx"> CRASH();
</span><span class="cx"> }
</span><ins>+
+ // At this point we no longer own the module.
+ LModule module = state.module;
+ state.module = nullptr;
</ins><span class="cx">
</span><span class="cx"> // The data layout also has to be set in the module. Get the data layout from the MCJIT and apply
</span><span class="cx"> // it to the module.
</span><span class="cx"> LLVMTargetMachineRef targetMachine = llvm->GetExecutionEngineTargetMachine(engine);
</span><span class="cx"> LLVMTargetDataRef targetData = llvm->GetExecutionEngineTargetData(engine);
</span><span class="cx"> char* stringRepOfTargetData = llvm->CopyStringRepOfTargetData(targetData);
</span><del>- llvm->SetDataLayout(state.module, stringRepOfTargetData);
</del><ins>+ llvm->SetDataLayout(module, stringRepOfTargetData);
</ins><span class="cx"> free(stringRepOfTargetData);
</span><span class="cx">
</span><span class="cx"> LLVMPassManagerRef functionPasses = 0;
</span><span class="lines">@@ -707,14 +733,14 @@
</span><span class="cx"> llvm->AddCFGSimplificationPass(modulePasses);
</span><span class="cx"> llvm->AddDeadStoreEliminationPass(modulePasses);
</span><span class="cx">
</span><del>- llvm->RunPassManager(modulePasses, state.module);
</del><ins>+ llvm->RunPassManager(modulePasses, module);
</ins><span class="cx"> } else {
</span><span class="cx"> LLVMPassManagerBuilderRef passBuilder = llvm->PassManagerBuilderCreate();
</span><span class="cx"> llvm->PassManagerBuilderSetOptLevel(passBuilder, Options::llvmOptimizationLevel());
</span><span class="cx"> llvm->PassManagerBuilderUseInlinerWithThreshold(passBuilder, 275);
</span><span class="cx"> llvm->PassManagerBuilderSetSizeLevel(passBuilder, Options::llvmSizeLevel());
</span><span class="cx">
</span><del>- functionPasses = llvm->CreateFunctionPassManagerForModule(state.module);
</del><ins>+ functionPasses = llvm->CreateFunctionPassManagerForModule(module);
</ins><span class="cx"> modulePasses = llvm->CreatePassManager();
</span><span class="cx">
</span><span class="cx"> llvm->AddTargetData(llvm->GetExecutionEngineTargetData(engine), modulePasses);
</span><span class="lines">@@ -725,11 +751,11 @@
</span><span class="cx"> llvm->PassManagerBuilderDispose(passBuilder);
</span><span class="cx">
</span><span class="cx"> llvm->InitializeFunctionPassManager(functionPasses);
</span><del>- for (LValue function = llvm->GetFirstFunction(state.module); function; function = llvm->GetNextFunction(function))
</del><ins>+ for (LValue function = llvm->GetFirstFunction(module); function; function = llvm->GetNextFunction(function))
</ins><span class="cx"> llvm->RunFunctionPassManager(functionPasses, function);
</span><span class="cx"> llvm->FinalizeFunctionPassManager(functionPasses);
</span><span class="cx">
</span><del>- llvm->RunPassManager(modulePasses, state.module);
</del><ins>+ llvm->RunPassManager(modulePasses, module);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> if (shouldShowDisassembly() || verboseCompilationEnabled())
</span><span class="lines">@@ -743,10 +769,14 @@
</span><span class="cx"> llvm->DisposePassManager(modulePasses);
</span><span class="cx"> llvm->DisposeExecutionEngine(engine);
</span><span class="cx"> }
</span><ins>+
</ins><span class="cx"> if (safepointResult.didGetCancelled())
</span><span class="cx"> return;
</span><span class="cx"> RELEASE_ASSERT(!state.graph.m_vm.heap.isCollecting());
</span><span class="cx">
</span><ins>+ if (state.allocationFailed)
+ return;
+
</ins><span class="cx"> if (shouldShowDisassembly()) {
</span><span class="cx"> for (unsigned i = 0; i < state.jitCode->handles().size(); ++i) {
</span><span class="cx"> ExecutableMemoryHandle* handle = state.jitCode->handles()[i].get();
</span><span class="lines">@@ -802,6 +832,8 @@
</span><span class="cx"> fixFunctionBasedOnStackMaps(
</span><span class="cx"> state, state.graph.m_codeBlock, state.jitCode.get(), state.generatedFunction,
</span><span class="cx"> recordMap, didSeeUnwindInfo);
</span><ins>+ if (state.allocationFailed)
+ return;
</ins><span class="cx">
</span><span class="cx"> if (shouldShowDisassembly() || Options::asyncDisassembly()) {
</span><span class="cx"> for (unsigned i = 0; i < state.jitCode->handles().size(); ++i) {
</span><span class="lines">@@ -830,8 +862,6 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx"> }
</span><del>-
- state.module = 0; // We no longer own the module.
</del><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::FTL
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLinkcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLink.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLink.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/ftl/FTLLink.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -171,13 +171,19 @@
</span><span class="cx"> jit.emitFunctionEpilogue();
</span><span class="cx"> mainPathJumps.append(jit.branchTest32(CCallHelpers::Zero, GPRInfo::regT0));
</span><span class="cx"> jit.emitFunctionPrologue();
</span><del>- jit.move(CCallHelpers::TrustedImmPtr(vm.arityCheckFailReturnThunks->returnPCsFor(vm, codeBlock->numParameters())), GPRInfo::regT7);
</del><ins>+ CodeLocationLabel* arityThunkLabels =
+ vm.arityCheckFailReturnThunks->returnPCsFor(vm, codeBlock->numParameters());
+ jit.move(CCallHelpers::TrustedImmPtr(arityThunkLabels), GPRInfo::regT7);
</ins><span class="cx"> jit.loadPtr(CCallHelpers::BaseIndex(GPRInfo::regT7, GPRInfo::regT0, CCallHelpers::timesPtr()), GPRInfo::regT7);
</span><span class="cx"> CCallHelpers::Call callArityFixup = jit.call();
</span><span class="cx"> jit.emitFunctionEpilogue();
</span><span class="cx"> mainPathJumps.append(jit.jump());
</span><span class="cx">
</span><del>- linkBuffer = std::make_unique<LinkBuffer>(vm, jit, codeBlock, JITCompilationMustSucceed);
</del><ins>+ linkBuffer = std::make_unique<LinkBuffer>(vm, jit, codeBlock, JITCompilationCanFail);
+ if (linkBuffer->didFailToAllocate()) {
+ state.allocationFailed = true;
+ return;
+ }
</ins><span class="cx"> linkBuffer->link(callArityCheck, codeBlock->m_isConstructor ? operationConstructArityCheck : operationCallArityCheck);
</span><span class="cx"> linkBuffer->link(callArityFixup, FunctionPtr((vm.getCTIStub(arityFixupGenerator)).code().executableAddress()));
</span><span class="cx"> linkBuffer->link(mainPathJumps, CodeLocationLabel(bitwise_cast<void*>(state.generatedFunction)));
</span><span class="lines">@@ -195,7 +201,11 @@
</span><span class="cx"> jit.emitFunctionEpilogue();
</span><span class="cx"> CCallHelpers::Jump mainPathJump = jit.jump();
</span><span class="cx">
</span><del>- linkBuffer = std::make_unique<LinkBuffer>(vm, jit, codeBlock, JITCompilationMustSucceed);
</del><ins>+ linkBuffer = std::make_unique<LinkBuffer>(vm, jit, codeBlock, JITCompilationCanFail);
+ if (linkBuffer->didFailToAllocate()) {
+ state.allocationFailed = true;
+ return;
+ }
</ins><span class="cx"> linkBuffer->link(mainPathJump, CodeLocationLabel(bitwise_cast<void*>(state.generatedFunction)));
</span><span class="cx">
</span><span class="cx"> state.jitCode->initializeAddressForCall(linkBuffer->locationOf(start));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLStateh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLState.h (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLState.h 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/ftl/FTLState.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -66,6 +66,7 @@
</span><span class="cx"> LContext context;
</span><span class="cx"> LModule module;
</span><span class="cx"> LValue function;
</span><ins>+ bool allocationFailed { false }; // Throw out the compilation once LLVM returns.
</ins><span class="cx"> RefPtr<JITCode> jitCode;
</span><span class="cx"> GeneratedFunction generatedFunction;
</span><span class="cx"> JITFinalizer* finalizer;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitArityCheckFailReturnThunkscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jit/ArityCheckFailReturnThunks.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -97,7 +97,8 @@
</span><span class="cx"> jit.jump(GPRInfo::regT2);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LinkBuffer linkBuffer(vm, jit, GLOBAL_THUNK_ID);
</del><ins>+ // Sadly, we cannot fail here because the LLInt may need us.
+ LinkBuffer linkBuffer(vm, jit, GLOBAL_THUNK_ID, JITCompilationMustSucceed);
</ins><span class="cx">
</span><span class="cx"> unsigned returnPCsSize = numExpectedArgumentsIncludingThis / stackAlignmentRegisters() + 1;
</span><span class="cx"> std::unique_ptr<CodeLocationLabel[]> returnPCs =
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitExecutableAllocationFuzzcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp (0 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -0,0 +1,73 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ExecutableAllocationFuzz.h"
+
+#include "TestRunnerUtils.h"
+#include <wtf/Atomics.h>
+#include <wtf/DataLog.h>
+
+namespace JSC {
+
+static Atomic<unsigned> s_numberOfExecutableAllocationFuzzChecks;
+unsigned numberOfExecutableAllocationFuzzChecks()
+{
+ return s_numberOfExecutableAllocationFuzzChecks.load();
+}
+
+ExecutableAllocationFuzzResult doExecutableAllocationFuzzing()
+{
+ ASSERT(Options::enableExecutableAllocationFuzz());
+
+ unsigned oldValue;
+ unsigned newValue;
+ do {
+ oldValue = s_numberOfExecutableAllocationFuzzChecks.load();
+ newValue = oldValue + 1;
+ } while (!s_numberOfExecutableAllocationFuzzChecks.compareExchangeWeak(oldValue, newValue));
+
+ if (newValue == Options::fireExecutableAllocationFuzzAt()) {
+ if (Options::verboseExecutableAllocationFuzz()) {
+ dataLog("Will pretend to fail executable allocation.\n");
+ WTFReportBacktrace();
+ }
+ return PretendToFailExecutableAllocation;
+ }
+
+ if (Options::fireExecutableAllocationFuzzAtOrAfter()
+ && newValue >= Options::fireExecutableAllocationFuzzAtOrAfter()) {
+ if (Options::verboseExecutableAllocationFuzz()) {
+ dataLog("Will pretend to fail executable allocation.\n");
+ WTFReportBacktrace();
+ }
+ return PretendToFailExecutableAllocation;
+ }
+
+ return AllowNormalExecutableAllocation;
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorejitExecutableAllocationFuzzh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.h (0 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.h (rev 0)
+++ trunk/Source/JavaScriptCore/jit/ExecutableAllocationFuzz.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -0,0 +1,51 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef ExecutableAllocationFuzz_h
+#define ExecutableAllocationFuzz_h
+
+#include "Options.h"
+
+namespace JSC {
+
+enum ExecutableAllocationFuzzResult {
+ AllowNormalExecutableAllocation,
+ PretendToFailExecutableAllocation
+};
+
+ExecutableAllocationFuzzResult doExecutableAllocationFuzzing();
+
+inline ExecutableAllocationFuzzResult doExecutableAllocationFuzzingIfEnabled()
+{
+ if (LIKELY(!Options::enableExecutableAllocationFuzz()))
+ return AllowNormalExecutableAllocation;
+
+ return doExecutableAllocationFuzzing();
+}
+
+} // namespace JSC
+
+#endif // ExecutableAllocationFuzz_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorejitExecutableAllocatorFixedVMPoolcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jit/ExecutableAllocatorFixedVMPool.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #if ENABLE(EXECUTABLE_ALLOCATOR_FIXED)
</span><span class="cx">
</span><span class="cx"> #include "CodeProfiling.h"
</span><ins>+#include "ExecutableAllocationFuzz.h"
</ins><span class="cx"> #include <errno.h>
</span><span class="cx"> #if !PLATFORM(WIN)
</span><span class="cx"> #include <unistd.h>
</span><span class="lines">@@ -158,15 +159,24 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-PassRefPtr<ExecutableMemoryHandle> ExecutableAllocator::allocate(VM& vm, size_t sizeInBytes, void* ownerUID, JITCompilationEffort effort)
</del><ins>+PassRefPtr<ExecutableMemoryHandle> ExecutableAllocator::allocate(VM&, size_t sizeInBytes, void* ownerUID, JITCompilationEffort effort)
</ins><span class="cx"> {
</span><ins>+ if (effort != JITCompilationCanFail && Options::reportMustSucceedExecutableAllocations()) {
+ dataLog("Allocating ", sizeInBytes, " bytes of executable memory with JITCompilationMustSucceed.\n");
+ WTFReportBacktrace();
+ }
+
+ if (effort == JITCompilationCanFail
+ && doExecutableAllocationFuzzingIfEnabled() == PretendToFailExecutableAllocation)
+ return nullptr;
+
</ins><span class="cx"> RefPtr<ExecutableMemoryHandle> result = allocator->allocate(sizeInBytes, ownerUID);
</span><span class="cx"> if (!result) {
</span><del>- if (effort == JITCompilationCanFail)
- return result;
- releaseExecutableMemory(vm);
- result = allocator->allocate(sizeInBytes, ownerUID);
- RELEASE_ASSERT(result);
</del><ins>+ if (effort != JITCompilationCanFail) {
+ dataLog("Ran out of executable memory while allocating ", sizeInBytes, " bytes.\n");
+ CRASH();
+ }
+ return nullptr;
</ins><span class="cx"> }
</span><span class="cx"> return result.release();
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JIT.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JIT.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jit/JIT.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -585,7 +585,9 @@
</span><span class="cx"> #else
</span><span class="cx"> thunkReg = GPRInfo::regT5;
</span><span class="cx"> #endif
</span><del>- move(TrustedImmPtr(m_vm->arityCheckFailReturnThunks->returnPCsFor(*m_vm, m_codeBlock->numParameters())), thunkReg);
</del><ins>+ CodeLocationLabel* failThunkLabels =
+ m_vm->arityCheckFailReturnThunks->returnPCsFor(*m_vm, m_codeBlock->numParameters());
+ move(TrustedImmPtr(failThunkLabels), thunkReg);
</ins><span class="cx"> loadPtr(BaseIndex(thunkReg, regT0, timesPtr()), thunkReg);
</span><span class="cx"> emitNakedCall(m_vm->getCTIStub(arityFixupGenerator).code());
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCompilationEfforth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCompilationEffort.h (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCompilationEffort.h 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jit/JITCompilationEffort.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitRepatchcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/Repatch.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/Repatch.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jit/Repatch.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -293,7 +293,7 @@
</span><span class="cx"> return FunctionPtr(slot.customSetter());
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static void generateByIdStub(
</del><ins>+static bool generateByIdStub(
</ins><span class="cx"> ExecState* exec, ByIdStubKind kind, const Identifier& propertyName,
</span><span class="cx"> FunctionPtr custom, StructureStubInfo& stubInfo, StructureChain* chain, size_t count,
</span><span class="cx"> PropertyOffset offset, Structure* structure, bool loadTargetFromProxy, WatchpointSet* watchpointSet,
</span><span class="lines">@@ -574,7 +574,9 @@
</span><span class="cx"> }
</span><span class="cx"> emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock(), JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return false;
</ins><span class="cx">
</span><span class="cx"> linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, successLabel, slowCaseLabel);
</span><span class="cx"> if (kind == CallCustomGetter || kind == CallCustomSetter) {
</span><span class="lines">@@ -601,6 +603,8 @@
</span><span class="cx"> stubRoutine = adoptRef(new AccessorCallJITStubRoutine(code, *vm, WTF::move(callLinkInfo)));
</span><span class="cx"> else
</span><span class="cx"> stubRoutine = createJITStubRoutine(code, *vm, codeBlock->ownerExecutable(), true);
</span><ins>+
+ return true;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> enum InlineCacheAction {
</span><span class="lines">@@ -687,7 +691,9 @@
</span><span class="cx">
</span><span class="cx"> emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, codeBlock);
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, codeBlock, JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return GiveUpOnCache;
</ins><span class="cx">
</span><span class="cx"> linkRestoreScratch(patchBuffer, needToRestoreScratch, stubInfo, success, fail, failureCases);
</span><span class="cx">
</span><span class="lines">@@ -717,8 +723,10 @@
</span><span class="cx">
</span><span class="cx"> MacroAssembler::Jump success = stubJit.jump();
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, codeBlock);
-
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, codeBlock, JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return GiveUpOnCache;
+
</ins><span class="cx"> patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
</span><span class="cx"> patchBuffer.link(failure, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase));
</span><span class="cx">
</span><span class="lines">@@ -844,11 +852,13 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> RefPtr<JITStubRoutine> stubRoutine;
</span><del>- generateByIdStub(
</del><ins>+ bool result = generateByIdStub(
</ins><span class="cx"> exec, kindFor(slot), ident, customFor(slot), stubInfo, prototypeChain, count, offset,
</span><span class="cx"> structure, loadTargetFromProxy, slot.watchpointSet(),
</span><span class="cx"> stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
</span><span class="cx"> CodeLocationLabel(list->currentSlowPathTarget(stubInfo)), stubRoutine);
</span><ins>+ if (!result)
+ return GiveUpOnCache;
</ins><span class="cx">
</span><span class="cx"> GetByIdAccess::AccessType accessType;
</span><span class="cx"> if (slot.isCacheableValue())
</span><span class="lines">@@ -901,7 +911,7 @@
</span><span class="cx"> return operationPutByIdNonStrictBuildList;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-static void emitPutReplaceStub(
</del><ins>+static bool emitPutReplaceStub(
</ins><span class="cx"> ExecState* exec,
</span><span class="cx"> const Identifier&,
</span><span class="cx"> const PutPropertySlot& slot,
</span><span class="lines">@@ -968,7 +978,10 @@
</span><span class="cx"> failure = badStructure;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock(), JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return false;
+
</ins><span class="cx"> patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
</span><span class="cx"> patchBuffer.link(failure, failureLabel);
</span><span class="cx">
</span><span class="lines">@@ -977,6 +990,8 @@
</span><span class="cx"> ("PutById replace stub for %s, return point %p",
</span><span class="cx"> toCString(*exec->codeBlock()).data(), stubInfo.callReturnLocation.labelAtOffset(
</span><span class="cx"> stubInfo.patch.deltaCallToDone).executableAddress()));
</span><ins>+
+ return true;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static Structure* emitPutTransitionStubAndGetOldStructure(ExecState* exec, VM* vm, Structure*& structure, const Identifier& ident,
</span><span class="lines">@@ -1213,7 +1228,10 @@
</span><span class="cx"> successInSlowPath = stubJit.jump();
</span><span class="cx"> }
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock(), JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return nullptr;
+
</ins><span class="cx"> patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone));
</span><span class="cx"> if (allocator.didReuseRegisters())
</span><span class="cx"> patchBuffer.link(failure, failureLabel);
</span><span class="lines">@@ -1308,13 +1326,15 @@
</span><span class="cx"> PolymorphicPutByIdList* list;
</span><span class="cx"> list = PolymorphicPutByIdList::from(putKind, stubInfo);
</span><span class="cx">
</span><del>- generateByIdStub(
</del><ins>+ bool result = generateByIdStub(
</ins><span class="cx"> exec, kindFor(slot), ident, customFor(slot), stubInfo, prototypeChain, count,
</span><span class="cx"> offset, structure, false, nullptr,
</span><span class="cx"> stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
</span><span class="cx"> stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToSlowCase),
</span><span class="cx"> stubRoutine);
</span><del>-
</del><ins>+ if (!result)
+ return GiveUpOnCache;
+
</ins><span class="cx"> list->addAccess(PutByIdAccess::setter(
</span><span class="cx"> *vm, codeBlock->ownerExecutable(),
</span><span class="cx"> slot.isCacheableSetter() ? PutByIdAccess::Setter : PutByIdAccess::CustomSetter,
</span><span class="lines">@@ -1383,10 +1403,12 @@
</span><span class="cx"> structure->didCachePropertyReplacement(*vm, slot.cachedOffset());
</span><span class="cx">
</span><span class="cx"> // We're now committed to creating the stub. Mogrify the meta-data accordingly.
</span><del>- emitPutReplaceStub(
</del><ins>+ bool result = emitPutReplaceStub(
</ins><span class="cx"> exec, propertyName, slot, stubInfo,
</span><span class="cx"> structure, CodeLocationLabel(list->currentSlowPathTarget()), stubRoutine);
</span><del>-
</del><ins>+ if (!result)
+ return GiveUpOnCache;
+
</ins><span class="cx"> list->addAccess(
</span><span class="cx"> PutByIdAccess::replace(
</span><span class="cx"> *vm, codeBlock->ownerExecutable(),
</span><span class="lines">@@ -1416,13 +1438,15 @@
</span><span class="cx"> PolymorphicPutByIdList* list;
</span><span class="cx"> list = PolymorphicPutByIdList::from(putKind, stubInfo);
</span><span class="cx">
</span><del>- generateByIdStub(
</del><ins>+ bool result = generateByIdStub(
</ins><span class="cx"> exec, kindFor(slot), propertyName, customFor(slot), stubInfo, prototypeChain, count,
</span><span class="cx"> offset, structure, false, nullptr,
</span><span class="cx"> stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.deltaCallToDone),
</span><span class="cx"> CodeLocationLabel(list->currentSlowPathTarget()),
</span><span class="cx"> stubRoutine);
</span><del>-
</del><ins>+ if (!result)
+ return GiveUpOnCache;
+
</ins><span class="cx"> list->addAccess(PutByIdAccess::setter(
</span><span class="cx"> *vm, codeBlock->ownerExecutable(),
</span><span class="cx"> slot.isCacheableSetter() ? PutByIdAccess::Setter : PutByIdAccess::CustomSetter,
</span><span class="lines">@@ -1548,8 +1572,10 @@
</span><span class="cx">
</span><span class="cx"> emitRestoreScratch(stubJit, needToRestoreScratch, scratchGPR, success, fail, failureCases);
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock());
-
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, exec->codeBlock(), JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate())
+ return GiveUpOnCache;
+
</ins><span class="cx"> linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, successLabel, slowCaseLabel);
</span><span class="cx">
</span><span class="cx"> stubRoutine = FINALIZE_CODE_FOR_STUB(
</span><span class="lines">@@ -1851,7 +1877,11 @@
</span><span class="cx"> stubJit.restoreReturnAddressBeforeReturn(GPRInfo::regT4);
</span><span class="cx"> AssemblyHelpers::Jump slow = stubJit.jump();
</span><span class="cx">
</span><del>- LinkBuffer patchBuffer(*vm, stubJit, callerCodeBlock);
</del><ins>+ LinkBuffer patchBuffer(*vm, stubJit, callerCodeBlock, JITCompilationCanFail);
+ if (patchBuffer.didFailToAllocate()) {
+ linkVirtualFor(exec, callLinkInfo, CodeForCall, registers);
+ return;
+ }
</ins><span class="cx">
</span><span class="cx"> RELEASE_ASSERT(callCases.size() == calls.size());
</span><span class="cx"> for (CallToCodePtr callToCodePtr : calls) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejsccpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jsc.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jsc.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/jsc.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1498,6 +1498,10 @@
</span><span class="cx"> #if ENABLE(JIT)
</span><span class="cx"> if (Options::enableExceptionFuzz())
</span><span class="cx"> printf("JSC EXCEPTION FUZZ: encountered %u checks.\n", numberOfExceptionFuzzChecks());
</span><ins>+ bool fireAtEnabled =
+ Options::fireExecutableAllocationFuzzAt() || Options::fireExecutableAllocationFuzzAtOrAfter();
+ if (Options::enableExecutableAllocationFuzz() && (!fireAtEnabled || Options::verboseExecutableAllocationFuzz()))
+ printf("JSC EXECUTABLE ALLOCATION FUZZ: encountered %u checks.\n", numberOfExecutableAllocationFuzzChecks());
</ins><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.h (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.h 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/runtime/Options.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -97,6 +97,8 @@
</span><span class="cx"> v(bool, useDFGJIT, true) \
</span><span class="cx"> v(bool, useRegExpJIT, true) \
</span><span class="cx"> \
</span><ins>+ v(bool, reportMustSucceedExecutableAllocations, false) \
+ \
</ins><span class="cx"> v(unsigned, maxPerThreadStackUsage, 4 * MB) \
</span><span class="cx"> v(unsigned, reservedZoneSize, 128 * KB) \
</span><span class="cx"> v(unsigned, errorModeReservedZoneSize, 64 * KB) \
</span><span class="lines">@@ -291,7 +293,12 @@
</span><span class="cx"> v(unsigned, numberOfGCCyclesToRecordForVerification, 3) \
</span><span class="cx"> \
</span><span class="cx"> v(bool, enableExceptionFuzz, false) \
</span><del>- v(unsigned, fireExceptionFuzzAt, 0)
</del><ins>+ v(unsigned, fireExceptionFuzzAt, 0) \
+ \
+ v(bool, enableExecutableAllocationFuzz, false) \
+ v(unsigned, fireExecutableAllocationFuzzAt, 0) \
+ v(unsigned, fireExecutableAllocationFuzzAtOrAfter, 0) \
+ v(bool, verboseExecutableAllocationFuzz, false)
</ins><span class="cx">
</span><span class="cx"> class Options {
</span><span class="cx"> public:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTestRunnerUtilsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.h 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -45,6 +45,7 @@
</span><span class="cx"> JS_EXPORT_PRIVATE JSValue optimizeNextInvocation(ExecState*);
</span><span class="cx">
</span><span class="cx"> JS_EXPORT_PRIVATE unsigned numberOfExceptionFuzzChecks();
</span><ins>+JS_EXPORT_PRIVATE unsigned numberOfExecutableAllocationFuzzChecks();
</ins><span class="cx">
</span><span class="cx"> } // namespace JSC
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/VM.cpp (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/VM.cpp 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Source/JavaScriptCore/runtime/VM.cpp 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2008, 2011, 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2008, 2011, 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsexecutableAllocationFuzzv8raytracejs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/v8-raytrace.js (0 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/v8-raytrace.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/v8-raytrace.js 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -0,0 +1,902 @@
</span><ins>+// The ray tracer code in this file is written by Adam Burmister. It
+// is available in its original form from:
+//
+// http://labs.flog.nz.co/raytracer/
+//
+// It has been modified slightly by Google to work as a standalone
+// benchmark, but the all the computational code remains
+// untouched. This file also contains a copy of parts of the Prototype
+// JavaScript framework which is used by the ray tracer.
+
+// Variable used to hold a number that can be used to verify that
+// the scene was ray traced correctly.
+var checkNumber;
+
+
+// ------------------------------------------------------------------------
+// ------------------------------------------------------------------------
+
+// The following is a copy of parts of the Prototype JavaScript library:
+
+// Prototype JavaScript framework, version 1.5.0
+// (c) 2005-2007 Sam Stephenson
+//
+// Prototype is freely distributable under the terms of an MIT-style license.
+// For details, see the Prototype web site: http://prototype.conio.net/
+
+
+var Class = {
+ create: function() {
+ return function() {
+ this.initialize.apply(this, arguments);
+ }
+ }
+};
+
+
+Object.extend = function(destination, source) {
+ for (var property in source) {
+ destination[property] = source[property];
+ }
+ return destination;
+};
+
+
+// ------------------------------------------------------------------------
+// ------------------------------------------------------------------------
+
+// The rest of this file is the actual ray tracer written by Adam
+// Burmister. It's a concatenation of the following files:
+//
+// flog/color.js
+// flog/light.js
+// flog/vector.js
+// flog/ray.js
+// flog/scene.js
+// flog/material/basematerial.js
+// flog/material/solid.js
+// flog/material/chessboard.js
+// flog/shape/baseshape.js
+// flog/shape/sphere.js
+// flog/shape/plane.js
+// flog/intersectioninfo.js
+// flog/camera.js
+// flog/background.js
+// flog/engine.js
+
+
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Color = Class.create();
+
+Flog.RayTracer.Color.prototype = {
+ red : 0.0,
+ green : 0.0,
+ blue : 0.0,
+
+ initialize : function(r, g, b) {
+ if(!r) r = 0.0;
+ if(!g) g = 0.0;
+ if(!b) b = 0.0;
+
+ this.red = r;
+ this.green = g;
+ this.blue = b;
+ },
+
+ add : function(c1, c2){
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red + c2.red;
+ result.green = c1.green + c2.green;
+ result.blue = c1.blue + c2.blue;
+
+ return result;
+ },
+
+ addScalar: function(c1, s){
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red + s;
+ result.green = c1.green + s;
+ result.blue = c1.blue + s;
+
+ result.limit();
+
+ return result;
+ },
+
+ subtract: function(c1, c2){
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red - c2.red;
+ result.green = c1.green - c2.green;
+ result.blue = c1.blue - c2.blue;
+
+ return result;
+ },
+
+ multiply : function(c1, c2) {
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red * c2.red;
+ result.green = c1.green * c2.green;
+ result.blue = c1.blue * c2.blue;
+
+ return result;
+ },
+
+ multiplyScalar : function(c1, f) {
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red * f;
+ result.green = c1.green * f;
+ result.blue = c1.blue * f;
+
+ return result;
+ },
+
+ divideFactor : function(c1, f) {
+ var result = new Flog.RayTracer.Color(0,0,0);
+
+ result.red = c1.red / f;
+ result.green = c1.green / f;
+ result.blue = c1.blue / f;
+
+ return result;
+ },
+
+ limit: function(){
+ this.red = (this.red > 0.0) ? ( (this.red > 1.0) ? 1.0 : this.red ) : 0.0;
+ this.green = (this.green > 0.0) ? ( (this.green > 1.0) ? 1.0 : this.green ) : 0.0;
+ this.blue = (this.blue > 0.0) ? ( (this.blue > 1.0) ? 1.0 : this.blue ) : 0.0;
+ },
+
+ distance : function(color) {
+ var d = Math.abs(this.red - color.red) + Math.abs(this.green - color.green) + Math.abs(this.blue - color.blue);
+ return d;
+ },
+
+ blend: function(c1, c2, w){
+ var result = new Flog.RayTracer.Color(0,0,0);
+ result = Flog.RayTracer.Color.prototype.add(
+ Flog.RayTracer.Color.prototype.multiplyScalar(c1, 1 - w),
+ Flog.RayTracer.Color.prototype.multiplyScalar(c2, w)
+ );
+ return result;
+ },
+
+ brightness : function() {
+ var r = Math.floor(this.red*255);
+ var g = Math.floor(this.green*255);
+ var b = Math.floor(this.blue*255);
+ return (r * 77 + g * 150 + b * 29) >> 8;
+ },
+
+ toString : function () {
+ var r = Math.floor(this.red*255);
+ var g = Math.floor(this.green*255);
+ var b = Math.floor(this.blue*255);
+
+ return "rgb("+ r +","+ g +","+ b +")";
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Light = Class.create();
+
+Flog.RayTracer.Light.prototype = {
+ position: null,
+ color: null,
+ intensity: 10.0,
+
+ initialize : function(pos, color, intensity) {
+ this.position = pos;
+ this.color = color;
+ this.intensity = (intensity ? intensity : 10.0);
+ },
+
+ toString : function () {
+ return 'Light [' + this.position.x + ',' + this.position.y + ',' + this.position.z + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Vector = Class.create();
+
+Flog.RayTracer.Vector.prototype = {
+ x : 0.0,
+ y : 0.0,
+ z : 0.0,
+
+ initialize : function(x, y, z) {
+ this.x = (x ? x : 0);
+ this.y = (y ? y : 0);
+ this.z = (z ? z : 0);
+ },
+
+ copy: function(vector){
+ this.x = vector.x;
+ this.y = vector.y;
+ this.z = vector.z;
+ },
+
+ normalize : function() {
+ var m = this.magnitude();
+ return new Flog.RayTracer.Vector(this.x / m, this.y / m, this.z / m);
+ },
+
+ magnitude : function() {
+ return Math.sqrt((this.x * this.x) + (this.y * this.y) + (this.z * this.z));
+ },
+
+ cross : function(w) {
+ return new Flog.RayTracer.Vector(
+ -this.z * w.y + this.y * w.z,
+ this.z * w.x - this.x * w.z,
+ -this.y * w.x + this.x * w.y);
+ },
+
+ dot : function(w) {
+ return this.x * w.x + this.y * w.y + this.z * w.z;
+ },
+
+ add : function(v, w) {
+ return new Flog.RayTracer.Vector(w.x + v.x, w.y + v.y, w.z + v.z);
+ },
+
+ subtract : function(v, w) {
+ if(!w || !v) throw 'Vectors must be defined [' + v + ',' + w + ']';
+ return new Flog.RayTracer.Vector(v.x - w.x, v.y - w.y, v.z - w.z);
+ },
+
+ multiplyVector : function(v, w) {
+ return new Flog.RayTracer.Vector(v.x * w.x, v.y * w.y, v.z * w.z);
+ },
+
+ multiplyScalar : function(v, w) {
+ return new Flog.RayTracer.Vector(v.x * w, v.y * w, v.z * w);
+ },
+
+ toString : function () {
+ return 'Vector [' + this.x + ',' + this.y + ',' + this.z + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Ray = Class.create();
+
+Flog.RayTracer.Ray.prototype = {
+ position : null,
+ direction : null,
+ initialize : function(pos, dir) {
+ this.position = pos;
+ this.direction = dir;
+ },
+
+ toString : function () {
+ return 'Ray [' + this.position + ',' + this.direction + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Scene = Class.create();
+
+Flog.RayTracer.Scene.prototype = {
+ camera : null,
+ shapes : [],
+ lights : [],
+ background : null,
+
+ initialize : function() {
+ this.camera = new Flog.RayTracer.Camera(
+ new Flog.RayTracer.Vector(0,0,-5),
+ new Flog.RayTracer.Vector(0,0,1),
+ new Flog.RayTracer.Vector(0,1,0)
+ );
+ this.shapes = new Array();
+ this.lights = new Array();
+ this.background = new Flog.RayTracer.Background(new Flog.RayTracer.Color(0,0,0.5), 0.2);
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+if(typeof(Flog.RayTracer.Material) == 'undefined') Flog.RayTracer.Material = {};
+
+Flog.RayTracer.Material.BaseMaterial = Class.create();
+
+Flog.RayTracer.Material.BaseMaterial.prototype = {
+
+ gloss: 2.0, // [0...infinity] 0 = matt
+ transparency: 0.0, // 0=opaque
+ reflection: 0.0, // [0...infinity] 0 = no reflection
+ refraction: 0.50,
+ hasTexture: false,
+
+ initialize : function() {
+
+ },
+
+ getColor: function(u, v){
+
+ },
+
+ wrapUp: function(t){
+ t = t % 2.0;
+ if(t < -1) t += 2.0;
+ if(t >= 1) t -= 2.0;
+ return t;
+ },
+
+ toString : function () {
+ return 'Material [gloss=' + this.gloss + ', transparency=' + this.transparency + ', hasTexture=' + this.hasTexture +']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Material.Solid = Class.create();
+
+Flog.RayTracer.Material.Solid.prototype = Object.extend(
+ new Flog.RayTracer.Material.BaseMaterial(), {
+ initialize : function(color, reflection, refraction, transparency, gloss) {
+ this.color = color;
+ this.reflection = reflection;
+ this.transparency = transparency;
+ this.gloss = gloss;
+ this.hasTexture = false;
+ },
+
+ getColor: function(u, v){
+ return this.color;
+ },
+
+ toString : function () {
+ return 'SolidMaterial [gloss=' + this.gloss + ', transparency=' + this.transparency + ', hasTexture=' + this.hasTexture +']';
+ }
+ }
+);
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Material.Chessboard = Class.create();
+
+Flog.RayTracer.Material.Chessboard.prototype = Object.extend(
+ new Flog.RayTracer.Material.BaseMaterial(), {
+ colorEven: null,
+ colorOdd: null,
+ density: 0.5,
+
+ initialize : function(colorEven, colorOdd, reflection, transparency, gloss, density) {
+ this.colorEven = colorEven;
+ this.colorOdd = colorOdd;
+ this.reflection = reflection;
+ this.transparency = transparency;
+ this.gloss = gloss;
+ this.density = density;
+ this.hasTexture = true;
+ },
+
+ getColor: function(u, v){
+ var t = this.wrapUp(u * this.density) * this.wrapUp(v * this.density);
+
+ if(t < 0.0)
+ return this.colorEven;
+ else
+ return this.colorOdd;
+ },
+
+ toString : function () {
+ return 'ChessMaterial [gloss=' + this.gloss + ', transparency=' + this.transparency + ', hasTexture=' + this.hasTexture +']';
+ }
+ }
+);
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+if(typeof(Flog.RayTracer.Shape) == 'undefined') Flog.RayTracer.Shape = {};
+
+Flog.RayTracer.Shape.Sphere = Class.create();
+
+Flog.RayTracer.Shape.Sphere.prototype = {
+ initialize : function(pos, radius, material) {
+ this.radius = radius;
+ this.position = pos;
+ this.material = material;
+ },
+
+ intersect: function(ray){
+ var info = new Flog.RayTracer.IntersectionInfo();
+ info.shape = this;
+
+ var dst = Flog.RayTracer.Vector.prototype.subtract(ray.position, this.position);
+
+ var B = dst.dot(ray.direction);
+ var C = dst.dot(dst) - (this.radius * this.radius);
+ var D = (B * B) - C;
+
+ if(D > 0){ // intersection!
+ info.isHit = true;
+ info.distance = (-B) - Math.sqrt(D);
+ info.position = Flog.RayTracer.Vector.prototype.add(
+ ray.position,
+ Flog.RayTracer.Vector.prototype.multiplyScalar(
+ ray.direction,
+ info.distance
+ )
+ );
+ info.normal = Flog.RayTracer.Vector.prototype.subtract(
+ info.position,
+ this.position
+ ).normalize();
+
+ info.color = this.material.getColor(0,0);
+ } else {
+ info.isHit = false;
+ }
+ return info;
+ },
+
+ toString : function () {
+ return 'Sphere [position=' + this.position + ', radius=' + this.radius + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+if(typeof(Flog.RayTracer.Shape) == 'undefined') Flog.RayTracer.Shape = {};
+
+Flog.RayTracer.Shape.Plane = Class.create();
+
+Flog.RayTracer.Shape.Plane.prototype = {
+ d: 0.0,
+
+ initialize : function(pos, d, material) {
+ this.position = pos;
+ this.d = d;
+ this.material = material;
+ },
+
+ intersect: function(ray){
+ var info = new Flog.RayTracer.IntersectionInfo();
+
+ var Vd = this.position.dot(ray.direction);
+ if(Vd == 0) return info; // no intersection
+
+ var t = -(this.position.dot(ray.position) + this.d) / Vd;
+ if(t <= 0) return info;
+
+ info.shape = this;
+ info.isHit = true;
+ info.position = Flog.RayTracer.Vector.prototype.add(
+ ray.position,
+ Flog.RayTracer.Vector.prototype.multiplyScalar(
+ ray.direction,
+ t
+ )
+ );
+ info.normal = this.position;
+ info.distance = t;
+
+ if(this.material.hasTexture){
+ var vU = new Flog.RayTracer.Vector(this.position.y, this.position.z, -this.position.x);
+ var vV = vU.cross(this.position);
+ var u = info.position.dot(vU);
+ var v = info.position.dot(vV);
+ info.color = this.material.getColor(u,v);
+ } else {
+ info.color = this.material.getColor(0,0);
+ }
+
+ return info;
+ },
+
+ toString : function () {
+ return 'Plane [' + this.position + ', d=' + this.d + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.IntersectionInfo = Class.create();
+
+Flog.RayTracer.IntersectionInfo.prototype = {
+ isHit: false,
+ hitCount: 0,
+ shape: null,
+ position: null,
+ normal: null,
+ color: null,
+ distance: null,
+
+ initialize : function() {
+ this.color = new Flog.RayTracer.Color(0,0,0);
+ },
+
+ toString : function () {
+ return 'Intersection [' + this.position + ']';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Camera = Class.create();
+
+Flog.RayTracer.Camera.prototype = {
+ position: null,
+ lookAt: null,
+ equator: null,
+ up: null,
+ screen: null,
+
+ initialize : function(pos, lookAt, up) {
+ this.position = pos;
+ this.lookAt = lookAt;
+ this.up = up;
+ this.equator = lookAt.normalize().cross(this.up);
+ this.screen = Flog.RayTracer.Vector.prototype.add(this.position, this.lookAt);
+ },
+
+ getRay: function(vx, vy){
+ var pos = Flog.RayTracer.Vector.prototype.subtract(
+ this.screen,
+ Flog.RayTracer.Vector.prototype.subtract(
+ Flog.RayTracer.Vector.prototype.multiplyScalar(this.equator, vx),
+ Flog.RayTracer.Vector.prototype.multiplyScalar(this.up, vy)
+ )
+ );
+ pos.y = pos.y * -1;
+ var dir = Flog.RayTracer.Vector.prototype.subtract(
+ pos,
+ this.position
+ );
+
+ var ray = new Flog.RayTracer.Ray(pos, dir.normalize());
+
+ return ray;
+ },
+
+ toString : function () {
+ return 'Ray []';
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Background = Class.create();
+
+Flog.RayTracer.Background.prototype = {
+ color : null,
+ ambience : 0.0,
+
+ initialize : function(color, ambience) {
+ this.color = color;
+ this.ambience = ambience;
+ }
+}
+/* Fake a Flog.* namespace */
+if(typeof(Flog) == 'undefined') var Flog = {};
+if(typeof(Flog.RayTracer) == 'undefined') Flog.RayTracer = {};
+
+Flog.RayTracer.Engine = Class.create();
+
+Flog.RayTracer.Engine.prototype = {
+ canvas: null, /* 2d context we can render to */
+
+ initialize: function(options){
+ this.options = Object.extend({
+ canvasHeight: 100,
+ canvasWidth: 100,
+ pixelWidth: 2,
+ pixelHeight: 2,
+ renderDiffuse: false,
+ renderShadows: false,
+ renderHighlights: false,
+ renderReflections: false,
+ rayDepth: 2
+ }, options || {});
+
+ this.options.canvasHeight /= this.options.pixelHeight;
+ this.options.canvasWidth /= this.options.pixelWidth;
+
+ /* TODO: dynamically include other scripts */
+ },
+
+ setPixel: function(x, y, color){
+ var pxW, pxH;
+ pxW = this.options.pixelWidth;
+ pxH = this.options.pixelHeight;
+
+ if (this.canvas) {
+ this.canvas.fillStyle = color.toString();
+ this.canvas.fillRect (x * pxW, y * pxH, pxW, pxH);
+ } else {
+ if (x === y) {
+ checkNumber += color.brightness();
+ }
+ // print(x * pxW, y * pxH, pxW, pxH);
+ }
+ },
+
+ renderScene: function(scene, canvas){
+ checkNumber = 0;
+ /* Get canvas */
+ if (canvas) {
+ this.canvas = canvas.getContext("2d");
+ } else {
+ this.canvas = null;
+ }
+
+ var canvasHeight = this.options.canvasHeight;
+ var canvasWidth = this.options.canvasWidth;
+
+ for(var y=0; y < canvasHeight; y++){
+ for(var x=0; x < canvasWidth; x++){
+ var yp = y * 1.0 / canvasHeight * 2 - 1;
+ var xp = x * 1.0 / canvasWidth * 2 - 1;
+
+ var ray = scene.camera.getRay(xp, yp);
+
+ var color = this.getPixelColor(ray, scene);
+
+ this.setPixel(x, y, color);
+ }
+ }
+ if (checkNumber !== 2321) {
+ throw new Error("Scene rendered incorrectly");
+ }
+ },
+
+ getPixelColor: function(ray, scene){
+ var info = this.testIntersection(ray, scene, null);
+ if(info.isHit){
+ var color = this.rayTrace(info, ray, scene, 0);
+ return color;
+ }
+ return scene.background.color;
+ },
+
+ testIntersection: function(ray, scene, exclude){
+ var hits = 0;
+ var best = new Flog.RayTracer.IntersectionInfo();
+ best.distance = 2000;
+
+ for(var i=0; i<scene.shapes.length; i++){
+ var shape = scene.shapes[i];
+
+ if(shape != exclude){
+ var info = shape.intersect(ray);
+ if(info.isHit && info.distance >= 0 && info.distance < best.distance){
+ best = info;
+ hits++;
+ }
+ }
+ }
+ best.hitCount = hits;
+ return best;
+ },
+
+ getReflectionRay: function(P,N,V){
+ var c1 = -N.dot(V);
+ var R1 = Flog.RayTracer.Vector.prototype.add(
+ Flog.RayTracer.Vector.prototype.multiplyScalar(N, 2*c1),
+ V
+ );
+ return new Flog.RayTracer.Ray(P, R1);
+ },
+
+ rayTrace: function(info, ray, scene, depth){
+ // Calc ambient
+ var color = Flog.RayTracer.Color.prototype.multiplyScalar(info.color, scene.background.ambience);
+ var oldColor = color;
+ var shininess = Math.pow(10, info.shape.material.gloss + 1);
+
+ for(var i=0; i<scene.lights.length; i++){
+ var light = scene.lights[i];
+
+ // Calc diffuse lighting
+ var v = Flog.RayTracer.Vector.prototype.subtract(
+ light.position,
+ info.position
+ ).normalize();
+
+ if(this.options.renderDiffuse){
+ var L = v.dot(info.normal);
+ if(L > 0.0){
+ color = Flog.RayTracer.Color.prototype.add(
+ color,
+ Flog.RayTracer.Color.prototype.multiply(
+ info.color,
+ Flog.RayTracer.Color.prototype.multiplyScalar(
+ light.color,
+ L
+ )
+ )
+ );
+ }
+ }
+
+ // The greater the depth the more accurate the colours, but
+ // this is exponentially (!) expensive
+ if(depth <= this.options.rayDepth){
+ // calculate reflection ray
+ if(this.options.renderReflections && info.shape.material.reflection > 0)
+ {
+ var reflectionRay = this.getReflectionRay(info.position, info.normal, ray.direction);
+ var refl = this.testIntersection(reflectionRay, scene, info.shape);
+
+ if (refl.isHit && refl.distance > 0){
+ refl.color = this.rayTrace(refl, reflectionRay, scene, depth + 1);
+ } else {
+ refl.color = scene.background.color;
+ }
+
+ color = Flog.RayTracer.Color.prototype.blend(
+ color,
+ refl.color,
+ info.shape.material.reflection
+ );
+ }
+
+ // Refraction
+ /* TODO */
+ }
+
+ /* Render shadows and highlights */
+
+ var shadowInfo = new Flog.RayTracer.IntersectionInfo();
+
+ if(this.options.renderShadows){
+ var shadowRay = new Flog.RayTracer.Ray(info.position, v);
+
+ shadowInfo = this.testIntersection(shadowRay, scene, info.shape);
+ if(shadowInfo.isHit && shadowInfo.shape != info.shape /*&& shadowInfo.shape.type != 'PLANE'*/){
+ var vA = Flog.RayTracer.Color.prototype.multiplyScalar(color, 0.5);
+ var dB = (0.5 * Math.pow(shadowInfo.shape.material.transparency, 0.5));
+ color = Flog.RayTracer.Color.prototype.addScalar(vA,dB);
+ }
+ }
+
+ // Phong specular highlights
+ if(this.options.renderHighlights && !shadowInfo.isHit && info.shape.material.gloss > 0){
+ var Lv = Flog.RayTracer.Vector.prototype.subtract(
+ info.shape.position,
+ light.position
+ ).normalize();
+
+ var E = Flog.RayTracer.Vector.prototype.subtract(
+ scene.camera.position,
+ info.shape.position
+ ).normalize();
+
+ var H = Flog.RayTracer.Vector.prototype.subtract(
+ E,
+ Lv
+ ).normalize();
+
+ var glossWeight = Math.pow(Math.max(info.normal.dot(H), 0), shininess);
+ color = Flog.RayTracer.Color.prototype.add(
+ Flog.RayTracer.Color.prototype.multiplyScalar(light.color, glossWeight),
+ color
+ );
+ }
+ }
+ color.limit();
+ return color;
+ }
+};
+
+
+function renderScene(){
+ var scene = new Flog.RayTracer.Scene();
+
+ scene.camera = new Flog.RayTracer.Camera(
+ new Flog.RayTracer.Vector(0, 0, -15),
+ new Flog.RayTracer.Vector(-0.2, 0, 5),
+ new Flog.RayTracer.Vector(0, 1, 0)
+ );
+
+ scene.background = new Flog.RayTracer.Background(
+ new Flog.RayTracer.Color(0.5, 0.5, 0.5),
+ 0.4
+ );
+
+ var sphere = new Flog.RayTracer.Shape.Sphere(
+ new Flog.RayTracer.Vector(-1.5, 1.5, 2),
+ 1.5,
+ new Flog.RayTracer.Material.Solid(
+ new Flog.RayTracer.Color(0,0.5,0.5),
+ 0.3,
+ 0.0,
+ 0.0,
+ 2.0
+ )
+ );
+
+ var sphere1 = new Flog.RayTracer.Shape.Sphere(
+ new Flog.RayTracer.Vector(1, 0.25, 1),
+ 0.5,
+ new Flog.RayTracer.Material.Solid(
+ new Flog.RayTracer.Color(0.9,0.9,0.9),
+ 0.1,
+ 0.0,
+ 0.0,
+ 1.5
+ )
+ );
+
+ var plane = new Flog.RayTracer.Shape.Plane(
+ new Flog.RayTracer.Vector(0.1, 0.9, -0.5).normalize(),
+ 1.2,
+ new Flog.RayTracer.Material.Chessboard(
+ new Flog.RayTracer.Color(1,1,1),
+ new Flog.RayTracer.Color(0,0,0),
+ 0.2,
+ 0.0,
+ 1.0,
+ 0.7
+ )
+ );
+
+ scene.shapes.push(plane);
+ scene.shapes.push(sphere);
+ scene.shapes.push(sphere1);
+
+ var light = new Flog.RayTracer.Light(
+ new Flog.RayTracer.Vector(5, 10, -1),
+ new Flog.RayTracer.Color(0.8, 0.8, 0.8)
+ );
+
+ var light1 = new Flog.RayTracer.Light(
+ new Flog.RayTracer.Vector(-3, 5, -15),
+ new Flog.RayTracer.Color(0.8, 0.8, 0.8),
+ 100
+ );
+
+ scene.lights.push(light);
+ scene.lights.push(light1);
+
+ var imageWidth = 100; // $F('imageWidth');
+ var imageHeight = 100; // $F('imageHeight');
+ var pixelSize = "5,5".split(','); // $F('pixelSize').split(',');
+ var renderDiffuse = true; // $F('renderDiffuse');
+ var renderShadows = true; // $F('renderShadows');
+ var renderHighlights = true; // $F('renderHighlights');
+ var renderReflections = true; // $F('renderReflections');
+ var rayDepth = 2;//$F('rayDepth');
+
+ var raytracer = new Flog.RayTracer.Engine(
+ {
+ canvasWidth: imageWidth,
+ canvasHeight: imageHeight,
+ pixelWidth: pixelSize[0],
+ pixelHeight: pixelSize[1],
+ "renderDiffuse": renderDiffuse,
+ "renderHighlights": renderHighlights,
+ "renderShadows": renderShadows,
+ "renderReflections": renderReflections,
+ "rayDepth": rayDepth
+ }
+ );
+
+ raytracer.renderScene(scene, null, 0);
+}
+
+for (var i = 0; i < 6; ++i)
+ renderScene();
</ins><span class="cx">Property changes on: trunk/Source/JavaScriptCore/tests/executableAllocationFuzz/v8-raytrace.js
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="allowtabs"></a>
<div class="addfile"><h4>Added: allow-tabs</h4></div>
<a id="trunkSourceJavaScriptCoretestsexecutableAllocationFuzzyaml"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/executableAllocationFuzz.yaml (0 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/executableAllocationFuzz.yaml (rev 0)
+++ trunk/Source/JavaScriptCore/tests/executableAllocationFuzz.yaml 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -0,0 +1,31 @@
</span><ins>+# Copyright (C) 2015 Apple Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+- path: executableAllocationFuzz
+ cmd: |
+ if ($hostOS == "windows")
+ skip
+ else
+ runExecutableAllocationFuzz("default")
+ runExecutableAllocationFuzz("no-cjit", "--enableConcurrentJIT=false")
+ end
</ins></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Tools/ChangeLog 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,3 +1,18 @@
</span><ins>+2015-03-25 Filip Pizlo <fpizlo@apple.com>
+
+ Use JITCompilationCanFail in more places, and make the fail path of JITCompilationMustSucceed a crash instead of attempting GC
+ https://bugs.webkit.org/show_bug.cgi?id=142993
+
+ Reviewed by Mark Lam.
+
+ Bunch of support for testing executable allocation failure.
+
+ * Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz: Added.
+ (fail):
+ * Scripts/run-javascriptcore-tests:
+ (runJSCStressTests):
+ * Scripts/run-jsc-stress-tests:
+
</ins><span class="cx"> 2015-03-25 Myles C. Maxfield <mmaxfield@apple.com>
</span><span class="cx">
</span><span class="cx"> Fix Windows build from r181977.
</span></span></pre></div>
<a id="trunkToolsScriptsjscstresstesthelpersjsexecutableallocationfuzz"></a>
<div class="addfile"><h4>Added: trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz (0 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz (rev 0)
+++ trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -0,0 +1,126 @@
</span><ins>+#!/usr/bin/perl
+
+# Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+use strict;
+use FindBin;
+use Getopt::Long qw(:config pass_through);
+use POSIX;
+
+# We first want to run the test once to determine what the number of encountered
+# checks is. Then we want to run it again some number of times with random check
+# amounts. The test is successful if it doesn't crash.
+
+my $repeat = 20;
+my $seed = time();
+my $verbose = 0;
+
+# We allow flags to be passed via environment variables, which is rather useful for
+# running with the run-jsc-stress-tests harness.
+if (defined($ENV{JS_EAFUZZ_REPEAT})) {
+ $repeat = $ENV{JS_EAFUZZ_REPEAT};
+}
+if (defined($ENV{JS_EAFUZZ_SEED})) {
+ $seed = $ENV{JS_EAFUZZ_SEED};
+}
+if (defined($ENV{JS_EAFUZZ_VERBOSE})) {
+ $verbose = $ENV{JS_EAFUZZ_VERBOSE};
+}
+
+GetOptions(
+ 'repeat=s' => \$repeat,
+ 'seed=s' => \$seed,
+ 'verbose' => \$verbose
+);
+
+my $commandString = shift @ARGV;
+
+my $checkCount;
+
+sub fail {
+ my $context = shift;
+ select((select(STDOUT), $ |= 1)[0]); # This is a perlism for flush. We need to do it this way to support older perls.
+ select((select(STDERR), $ |= 1)[0]);
+ die "Failure for command $commandString with seed $seed, repeat $repeat: $context";
+}
+
+if (shift @ARGV) {
+ die "Ignoring garbage arguments; only the first non-option argument is used as the command string.";
+}
+
+open (my $testInput, "$commandString --enableExecutableAllocationFuzz=true |") or fail("Cannot execute initial command when getting check count");
+while (my $inputLine = <$testInput>) {
+ chomp($inputLine);
+ my $handled = 0;
+ if ($inputLine =~ /JSC EXECUTABLE ALLOCATION FUZZ: encountered ([0-9]+) checks\./) {
+ $checkCount = $1;
+ $handled = 1;
+ }
+ if (!$handled || $verbose) {
+ print "checkCount: $inputLine\n";
+ }
+}
+close($testInput);
+
+if ($verbose) {
+ print "Check count: $checkCount\n";
+ print "Seed: $seed\n";
+}
+
+if (!$checkCount) {
+ print "Executable allocation fuzz testing not supported by jsc binary.\n";
+ exit 0;
+}
+
+# First do some tests where we have one-off failures.
+srand($seed);
+
+for (my $iteration = 0; $iteration < $repeat; ++$iteration) {
+ my $target = int(rand() * $checkCount) + 1;
+ if ($verbose) {
+ print "iteration($iteration) target($target) one-shot: Running.\n";
+ }
+ my $result = system("$commandString --enableExecutableAllocationFuzz=true --fireExecutableAllocationFuzzAt=$target");
+ if ($result != 0) {
+ fail("Cannot execute command on iteration $iteration, status $? for target $target");
+ }
+}
+
+# Then do some tests where we start failing at a particular point, and then permafail.
+srand($seed);
+
+for (my $iteration = 0; $iteration < $repeat; ++$iteration) {
+ my $target = int(rand() * $checkCount) + 1;
+ if ($verbose) {
+ print "iteration($iteration) target($target) at-or-after: Running.\n";
+ }
+ my $result = system("$commandString --enableExecutableAllocationFuzz=true --fireExecutableAllocationFuzzAtOrAfter=$target");
+ if ($result != 0) {
+ fail("Cannot execute command on iteration $iteration, status $? for target $target");
+ }
+}
+
+if ($verbose) {
+ print "Success!\n";
+}
</ins><span class="cx">Property changes on: trunk/Tools/Scripts/jsc-stress-test-helpers/js-executable-allocation-fuzz
</span><span class="cx">___________________________________________________________________
</span></span></pre></div>
<a id="svnexecutable"></a>
<div class="addfile"><h4>Added: svn:executable</h4></div>
<a id="trunkToolsScriptsrunjavascriptcoretests"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/run-javascriptcore-tests (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/run-javascriptcore-tests 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Tools/Scripts/run-javascriptcore-tests 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> #!/usr/bin/perl -w
</span><span class="cx">
</span><del>-# Copyright (C) 2005, 2013-2014 Apple Inc. All rights reserved.
</del><ins>+# Copyright (C) 2005, 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> # Copyright (C) 2007 Eric Seidel <eric@webkit.org>
</span><span class="cx"> #
</span><span class="cx"> # Redistribution and use in source and binary forms, with or without
</span><span class="lines">@@ -269,6 +269,7 @@
</span><span class="cx"> "/usr/bin/env", "ruby", "Tools/Scripts/run-jsc-stress-tests",
</span><span class="cx"> "-j", jscPath($productDir), "-o", $jscStressResultsDir,
</span><span class="cx"> "PerformanceTests/SunSpider/tests/sunspider-1.0",
</span><ins>+ "Source/JavaScriptCore/tests/executableAllocationFuzz.yaml",
</ins><span class="cx"> "Source/JavaScriptCore/tests/exceptionFuzz.yaml",
</span><span class="cx"> "PerformanceTests/SunSpider/no-architecture-specific-optimizations.yaml",
</span><span class="cx"> "PerformanceTests/SunSpider/tests/v8-v6",
</span></span></pre></div>
<a id="trunkToolsScriptsrunjscstresstests"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/run-jsc-stress-tests (181989 => 181990)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/run-jsc-stress-tests 2015-03-26 01:05:20 UTC (rev 181989)
+++ trunk/Tools/Scripts/run-jsc-stress-tests 2015-03-26 01:26:56 UTC (rev 181990)
</span><span class="lines">@@ -1,6 +1,6 @@
</span><span class="cx"> #!/usr/bin/env ruby
</span><span class="cx">
</span><del>-# Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+# Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> #
</span><span class="cx"> # Redistribution and use in source and binary forms, with or without
</span><span class="cx"> # modification, are permitted provided that the following conditions
</span><span class="lines">@@ -781,6 +781,11 @@
</span><span class="cx"> addRunCommand("exception-fuzz", ["perl", (pathToHelpers + "js-exception-fuzz").to_s, subCommand], silentOutputHandler, simpleErrorHandler)
</span><span class="cx"> end
</span><span class="cx">
</span><ins>+def runExecutableAllocationFuzz(name, *options)
+ subCommand = escapeAll([pathToVM.to_s, $benchmark.to_s] + options)
+ addRunCommand("executable-allocation-fuzz-" + name, ["perl", (pathToHelpers + "js-executable-allocation-fuzz").to_s, subCommand], silentOutputHandler, simpleErrorHandler)
+end
+
</ins><span class="cx"> def runTypeProfiler
</span><span class="cx"> if $enableFTL
</span><span class="cx"> run("ftl-no-cjit-type-profiler", "--enableTypeProfiler=true", *(FTL_OPTIONS + NO_CJIT_OPTIONS))
</span></span></pre>
</div>
</div>
</body>
</html>