Title: [244057] trunk
- Revision: 244057
- Author: ysuz...@apple.com
- Date: 2019-04-08 16:33:05 -0700 (Mon, 08 Apr 2019)
Log Message
[JSC] to_index_string should not assume incoming value is Uint32
https://bugs.webkit.org/show_bug.cgi?id=196713
Reviewed by Saam Barati.
JSTests:
* stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
(foo):
Source/_javascript_Core:
The slow path of to_index_string assumes that the incoming value is Uint32. But we should not have
this assumption, since the DFG may decide it should be in double format. This patch removes this
assumption; instead, we assume that the incoming value is AnyInt and that its range
is within Uint32.
* runtime/CommonSlowPaths.cpp:
(JSC::SLOW_PATH_DECL):
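To make the distinction in the log message concrete, the following is an added C++ model, not JavaScriptCore's own code: a JS value whose integer payload is encoded either as an int32 or, as the DFG may choose, as a double. The names JSValueModel, toIndexStringLegacy and toIndexStringFixed, the 2^53 bound used for "AnyInt", and the way the legacy path reads the low 32 bits of a double payload are all modelling assumptions made for this illustration; JSC's real value encoding differs in detail. The fixed path returns no value for an out-of-range or non-integral input instead of asserting, which is the hardened variant a practitioner would want where the debug-only ASSERT in the patch compiles out.

```cpp
// Added example (not JSC code): model of an int32-or-double JS value and of
// the old versus new to_index_string slow path. All names are assumptions.
#include <cmath>
#include <cstdint>
#include <cstring>
#include <iostream>
#include <optional>
#include <string>
#include <variant>

struct JSValueModel {
    std::variant<int32_t, double> payload;

    static JSValueModel fromInt32(int32_t v) { JSValueModel r; r.payload = v; return r; }
    static JSValueModel fromDouble(double v) { JSValueModel r; r.payload = v; return r; }

    bool isInt32() const { return std::holds_alternative<int32_t>(payload); }

    // "AnyInt" in this model: an int32, or a double holding an integral value
    // with magnitude below 2^53 (the bound is a modelling assumption).
    bool isAnyInt() const {
        if (isInt32())
            return true;
        double d = std::get<double>(payload);
        return std::trunc(d) == d && std::fabs(d) < 9007199254740992.0;
    }

    int64_t asAnyInt() const {
        if (isInt32())
            return std::get<int32_t>(payload);
        return static_cast<int64_t>(std::get<double>(payload));
    }
};

// Models the pre-patch behaviour: treat the payload as an int32 and read the
// low 32 bits. For a double-encoded value this yields a wrong index string
// rather than the intended one (constructed model of the bug).
std::string toIndexStringLegacy(const JSValueModel& v) {
    uint32_t index;
    if (v.isInt32()) {
        index = static_cast<uint32_t>(std::get<int32_t>(v.payload));
    } else {
        double d = std::get<double>(v.payload);
        uint64_t bits;
        std::memcpy(&bits, &d, sizeof bits);
        index = static_cast<uint32_t>(bits & 0xffffffffu);
    }
    return std::to_string(index);
}

// Models the post-patch behaviour: accept any integral encoding, require the
// value to lie in [0, UINT32_MAX], and reject anything else explicitly instead
// of truncating it.
std::optional<std::string> toIndexStringFixed(const JSValueModel& v) {
    if (!v.isAnyInt())
        return std::nullopt;
    int64_t i = v.asAnyInt();
    if (i < 0 || i > static_cast<int64_t>(UINT32_MAX))
        return std::nullopt;
    return std::to_string(static_cast<uint32_t>(i));
}

int main() {
    JSValueModel asInt = JSValueModel::fromInt32(7);
    JSValueModel asDouble = JSValueModel::fromDouble(7.0);
    std::cout << "legacy, int32 7    -> " << toIndexStringLegacy(asInt) << '\n';
    std::cout << "legacy, double 7   -> " << toIndexStringLegacy(asDouble) << '\n';
    std::cout << "fixed,  double 7   -> " << toIndexStringFixed(asDouble).value_or("<rejected>") << '\n';
    std::cout << "fixed,  double 2^32 -> "
              << toIndexStringFixed(JSValueModel::fromDouble(4294967296.0)).value_or("<rejected>") << '\n';
    return 0;
}
```

Run as-is, the legacy path turns a double-encoded 7 into the index string "0" while the fixed path yields "7" for both encodings and rejects 2^32, 7.5 and negative values.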
Diff
Modified: trunk/JSTests/ChangeLog (244056 => 244057)
--- trunk/JSTests/ChangeLog 2019-04-08 22:49:20 UTC (rev 244056)
+++ trunk/JSTests/ChangeLog 2019-04-08 23:33:05 UTC (rev 244057)
@@ -1,5 +1,15 @@
2019-04-08 Yusuke Suzuki <ysuz...@apple.com>
+ [JSC] to_index_string should not assume incoming value is Uint32
+ https://bugs.webkit.org/show_bug.cgi?id=196713
+
+ Reviewed by Saam Barati.
+
+ * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js: Added.
+ (foo):
+
+2019-04-08 Yusuke Suzuki <ysuz...@apple.com>
+
[JSC] Add more tests for r243966
https://bugs.webkit.org/show_bug.cgi?id=196711
Added: trunk/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js (0 => 244057)
--- trunk/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js (rev 0)
+++ trunk/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js 2019-04-08 23:33:05 UTC (rev 244057)
@@ -0,0 +1,13 @@
+//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useRandomizingFuzzerAgent=1")
+
+function foo() {
+ for (var x in ['a', 'b']) {
+ if (x === '') {
+ break;
+ }
+ }
+ return false && Object.prototype.hasOwnProperty
+}
+
+for (var i = 0; i < 10000; ++i)
+ foo();
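Review bot: the test carries no explicit expected-value check; it loops `foo()` 10000 times under `--useRandomizingFuzzerAgent=1` and relies on a crash or assertion failure in the to_index_string slow path to signal the bug, so a one-line comment saying that the failure mode is a crash (and that a release build without the assertions passes silently) would help whoever bisects it later.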
Modified: trunk/Source/_javascript_Core/ChangeLog (244056 => 244057)
--- trunk/Source/_javascript_Core/ChangeLog 2019-04-08 22:49:20 UTC (rev 244056)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-04-08 23:33:05 UTC (rev 244057)
@@ -1,3 +1,18 @@
+2019-04-08 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] to_index_string should not assume incoming value is Uint32
+ https://bugs.webkit.org/show_bug.cgi?id=196713
+
+ Reviewed by Saam Barati.
+
+ The slow path of to_index_string assumes that incoming value is Uint32. But we should not have
+ this assumption since DFG may decide we should have it double format. This patch removes this
+ assumption, and instead, we should assume that incoming value is AnyInt and the range of this
+ is within Uint32.
+
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
2019-04-08 Justin Fan <justin_...@apple.com>
[Web GPU] Fix Web GPU experimental feature on iOS
Modified: trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (244056 => 244057)
--- trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2019-04-08 22:49:20 UTC (rev 244056)
+++ trunk/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2019-04-08 23:33:05 UTC (rev 244057)
@@ -995,7 +995,12 @@
{
BEGIN();
auto bytecode = pc->as<OpToIndexString>();
- RETURN(jsString(exec, Identifier::from(exec, GET(bytecode.m_index).jsValue().asUInt32()).string()));
+ JSValue indexValue = GET(bytecode.m_index).jsValue();
+ ASSERT(indexValue.isAnyInt());
+ ASSERT(indexValue.asAnyInt() <= UINT32_MAX);
+ ASSERT(indexValue.asAnyInt() >= 0);
+ uint32_t index = static_cast<uint32_t>(indexValue.asAnyInt());
+ RETURN(jsString(exec, Identifier::from(exec, index).string()));
}
SLOW_PATH_DECL(slow_path_profile_type_clear_log)
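Review bot: the three `ASSERT(...)` checks on `indexValue` compile out in release builds, so if the DFG ever hands this slow path a value outside [0, UINT32_MAX] or a non-integral double, `static_cast<uint32_t>(indexValue.asAnyInt())` silently truncates and the wrong property-name string is returned; either add a comment stating why the for-in enumerator index is guaranteed to stay within Uint32, or use `RELEASE_ASSERT` for the range checks if the cost on this slow path is acceptable.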
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes