Title: [281826] trunk/Source/_javascript_Core
Revision: 281826
Author: sbar...@apple.com
Date: 2021-08-31 15:46:05 -0700 (Tue, 31 Aug 2021)

Log Message

Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
https://bugs.webkit.org/show_bug.cgi?id=229725

Reviewed by Keith Miller.

If the base isn't a cell, we're calling the slow path with a random value
in the property. This works, because the slow paths first branch on if
the base is a cell or not, and throw an exception. But we fix this for our
own sanity, since it's never a good idea to go to a slow path with a
JSValue argument containing unknown bits.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_in_by_val):
(JSC::JIT::emitHasPrivate):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (281825 => 281826)


--- trunk/Source/_javascript_Core/ChangeLog	2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-08-31 22:46:05 UTC (rev 281826)
@@ -1,3 +1,20 @@
+2021-08-31  Saam Barati  <sbar...@apple.com>
+
+        Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
+        https://bugs.webkit.org/show_bug.cgi?id=229725
+
+        Reviewed by Keith Miller.
+
+        If the base isn't a cell, we're calling the slow path with a random value
+        in the property. This works, because the slow paths first branch on if
+        the base is a cell or not, and throw an exception. But we fix this for our
+        own sanity, since it's never a good idea to go to a slow path with a
+        JSValue argument containing unknown bits.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_in_by_val):
+        (JSC::JIT::emitHasPrivate):
+
 2021-08-31  Aditi Singh  <asi...@igalia.com>
 
         Implement Object.hasOwn()

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (281825 => 281826)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-08-31 22:08:04 UTC (rev 281825)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2021-08-31 22:46:05 UTC (rev 281826)
@@ -1514,8 +1514,8 @@
     ArrayProfile* profile = ""
 
     emitGetVirtualRegister(base, regT0);
+    emitGetVirtualRegister(property, regT1);
     emitJumpSlowCaseIfNotJSCell(regT0, base);
-    emitGetVirtualRegister(property, regT1);
     emitArrayProfilingSiteWithCell(regT0, profile, regT2);
 
     JITInByValGenerator gen(
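Review bot: with the `emitGetVirtualRegister(property, regT1)` load moved above `emitJumpSlowCaseIfNotJSCell(regT0, base)`, regT1 holds the property operand on every path into the slow case, rather than only on the path where the base passed the cell check; the load writes regT1 only, so regT0 still carries the base when the cell branch is taken. The slow-path handler for this opcode is not in the diff, so it is worth confirming (and ideally stating in the ChangeLog) that it consumes the property from regT1 instead of reloading it from the virtual register, since otherwise the reorder has no observable effect there. The order of the cell check relative to `emitArrayProfilingSiteWithCell(regT0, profile, regT2)` is unchanged, so the profiling site still runs only for cell bases.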
@@ -1584,8 +1584,8 @@
 void JIT::emitHasPrivate(VirtualRegister dst, VirtualRegister base, VirtualRegister propertyOrBrand, AccessType type)
 {
     emitGetVirtualRegister(base, regT0);
+    emitGetVirtualRegister(propertyOrBrand, regT1);
     emitJumpSlowCaseIfNotJSCell(regT0, base);
-    emitGetVirtualRegister(propertyOrBrand, regT1);
 
     JITInByValGenerator gen(
         m_codeBlock, JITType::BaselineJIT, CodeOrigin(m_bytecodeIndex), CallSiteIndex(m_bytecodeIndex), type, RegisterSet::stubUnavailableRegisters(),
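Review bot: same ordering fix as in emit_op_in_by_val, with the cell check left in place and the two register loads independent (regT0 for base, regT1 for propertyOrBrand), so there is no clobber. Because `emitHasPrivate` is parameterised by `AccessType type`, every access type routed through this helper now reaches its slow case with a loaded propertyOrBrand in regT1; listing those access types in the ChangeLog entry would make the scope of the behaviour change easier to audit, since the diff alone does not show which opcodes call this helper.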
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes