Title: [225821] trunk
- Revision: 225821
- Author: sbar...@apple.com
- Date: 2017-12-12 16:32:57 -0800 (Tue, 12 Dec 2017)
Log Message
ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
https://bugs.webkit.org/show_bug.cgi?id=180723
<rdar://problem/35859726>
Reviewed by JF Bastien.
JSTests:
* stress/get-my-argument-by-val-constant-folding.js: Added.
(test):
(catch):
Source/_javascript_Core:
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
Diff
Modified: trunk/JSTests/ChangeLog (225820 => 225821)
--- trunk/JSTests/ChangeLog 2017-12-13 00:31:15 UTC (rev 225820)
+++ trunk/JSTests/ChangeLog 2017-12-13 00:32:57 UTC (rev 225821)
@@ -1,3 +1,15 @@
+2017-12-12 Saam Barati <sbar...@apple.com>
+
+ ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
+ https://bugs.webkit.org/show_bug.cgi?id=180723
+ <rdar://problem/35859726>
+
+ Reviewed by JF Bastien.
+
+ * stress/get-my-argument-by-val-constant-folding.js: Added.
+ (test):
+ (catch):
+
2017-12-12 Caio Lima <ticaiol...@gmail.com>
[ESNext][BigInt] Implement BigInt literals and JSBigInt
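Review bot: the "(catch):" entry under the new test file is not a function; prepare-ChangeLog picked up the `catch (e)` block as if it were one. Dropping it and keeping only "(test):" would match how the other entries in this ChangeLog are listed.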
Added: trunk/JSTests/stress/get-my-argument-by-val-constant-folding.js (0 => 225821)
--- trunk/JSTests/stress/get-my-argument-by-val-constant-folding.js (rev 0)
+++ trunk/JSTests/stress/get-my-argument-by-val-constant-folding.js 2017-12-13 00:32:57 UTC (rev 225821)
@@ -0,0 +1,14 @@
+function test() {
+ for (var i = 0; i < 1000000; ++i) {
+ try {
+ (function () {
+ return arguments[-9];
+ })(42);
+ } catch (e) {}
+ }
+}
+noInline(test);
+
+try {
+ test(42);
+} catch (e) {}
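Review bot: the test swallows every exception and asserts nothing, so it only detects a crash or a debug assertion in the folding rule, not a wrong folded value. Inside the inner function, checking the result, e.g. `if (arguments[-9] !== undefined) throw new Error("bad");`, would make a silently wrong constant fail the test as well. A one-line header comment stating that the loop exists to get the inlined `arguments[-9]` access compiled by the DFG with a negative constant index would also help future readers understand why the iteration count matters. The outer `test(42)` argument is unused and could be dropped.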
Modified: trunk/Source/_javascript_Core/ChangeLog (225820 => 225821)
--- trunk/Source/_javascript_Core/ChangeLog 2017-12-13 00:31:15 UTC (rev 225820)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-12-13 00:32:57 UTC (rev 225821)
@@ -1,3 +1,14 @@
+2017-12-12 Saam Barati <sbar...@apple.com>
+
+ ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
+ https://bugs.webkit.org/show_bug.cgi?id=180723
+ <rdar://problem/35859726>
+
+ Reviewed by JF Bastien.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
2017-12-04 Brian Burg <bb...@apple.com>
Web Inspector: modernize InjectedScript a bit
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (225820 => 225821)
--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2017-12-13 00:31:15 UTC (rev 225820)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2017-12-13 00:32:57 UTC (rev 225821)
@@ -342,11 +342,15 @@
case GetMyArgumentByVal:
case GetMyArgumentByValOutOfBounds: {
JSValue indexValue = m_state.forNode(node->child2()).value();
- if (!indexValue || !indexValue.isInt32())
+ if (!indexValue || !indexValue.isUInt32())
break;
- unsigned index = indexValue.asUInt32() + node->numberOfArgumentsToSkip();
+ Checked<unsigned, RecordOverflow> checkedIndex = indexValue.asUInt32();
+ checkedIndex += node->numberOfArgumentsToSkip();
+ if (checkedIndex.hasOverflowed())
+ break;
+ unsigned index = checkedIndex.unsafeGet();
Node* arguments = node->child1().node();
InlineCallFrame* inlineCallFrame = arguments->origin.semantic.inlineCallFrame;
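Review bot: switching the guard from `isInt32()` to `isUInt32()` is the right fix, since with the old check a negative Int32 constant reached `asUInt32()` and was reinterpreted as a large unsigned index, but the reason is not obvious from the code; a short comment above the check (e.g. "// A negative index is never a valid argument index; leave it for the runtime path.") would document the intent for the next reader. Note that this path also covers `GetMyArgumentByValOutOfBounds`, so a negative constant on that node is now simply not folded rather than folded to undefined, which is the conservative direction. The `Checked<unsigned, RecordOverflow>` addition with `hasOverflowed()` before `unsafeGet()` correctly guards the sum with `numberOfArgumentsToSkip()`; consider asserting in the following lines (not in this hunk) that `index` is compared against the argument count before it is used to index the inline call frame's arguments.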
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes