Title: [292992] branches/safari-613-branch
Revision: 292992
Author: alanc...@apple.com
Date: 2022-04-18 17:49:48 -0700 (Mon, 18 Apr 2022)
Log Message
Cherry-pick r292484. rdar://problem/89253391
[JSC] Substring resolving should check 8bit / 16bit again
https://bugs.webkit.org/show_bug.cgi?id=236775
<rdar://problem/89253391>
Reviewed by Saam Barati.
JSTests:
* stress/8bit-16bit-atomize-conversion.js: Added.
(main.v64):
(main):
Source/JavaScriptCore:
Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
becomes different from substring JSString wrapper's bit. We should not assume they are the same.
* runtime/JSString.cpp:
(JSC::JSRopeString::resolveRopeInternal const):
(JSC::JSRopeString::resolveRopeToAtomString const):
(JSC::JSRopeString::resolveRopeToExistingAtomString const):
(JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
(JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
* runtime/JSString.h:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292484 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-613-branch/JSTests/ChangeLog (292991 => 292992)
--- branches/safari-613-branch/JSTests/ChangeLog 2022-04-19 00:49:45 UTC (rev 292991)
+++ branches/safari-613-branch/JSTests/ChangeLog 2022-04-19 00:49:48 UTC (rev 292992)
@@ -1,3 +1,46 @@
+2022-04-18 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r292484. rdar://problem/89253391
+
+ [JSC] Substring resolving should check 8bit / 16bit again
+ https://bugs.webkit.org/show_bug.cgi?id=236775
+ <rdar://problem/89253391>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/8bit-16bit-atomize-conversion.js: Added.
+ (main.v64):
+ (main):
+
+ Source/_javascript_Core:
+
+ Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
+ becomes different from substring JSString wrapper's bit. We should not assume they are the same.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeInternal const):
+ (JSC::JSRopeString::resolveRopeToAtomString const):
+ (JSC::JSRopeString::resolveRopeToExistingAtomString const):
+ (JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
+ (JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
+ * runtime/JSString.h:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292484 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-04-06 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Substring resolving should check 8bit / 16bit again
+ https://bugs.webkit.org/show_bug.cgi?id=236775
+ <rdar://problem/89253391>
+
+ Reviewed by Saam Barati.
+
+ * stress/8bit-16bit-atomize-conversion.js: Added.
+ (main.v64):
+ (main):
+
2022-03-21 Alan Coon <alanc...@apple.com>
Cherry-pick r290981. rdar://problem/83326232
Added: branches/safari-613-branch/JSTests/stress/8bit-16bit-atomize-conversion.js (0 => 292992)
--- branches/safari-613-branch/JSTests/stress/8bit-16bit-atomize-conversion.js (rev 0)
+++ branches/safari-613-branch/JSTests/stress/8bit-16bit-atomize-conversion.js 2022-04-19 00:49:48 UTC (rev 292992)
@@ -0,0 +1,18 @@
+function main() {
+ for (let v27 = 0; v27 < 100; v27++) {
+ const v44 = [0,0,1.1];
+ const v61 = v44.toLocaleString();
+ const v62 = eval(Math);
+ v63 = v61.substring(v62,v27);
+
+ function v64() {
+ if (v62) {
+ Math[v61] = [];
+ }
+ const v82 = (-1.0).__proto__;
+ delete v82[v63];
+ }
+ v64();
+ }
+}
+main();
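Review bot: `v63 = v61.substring(v62,v27);` assigns to an undeclared name, so `v63` becomes an implicit global that `v64` then reads; the file is not strict mode so this runs, but `const v63 = v61.substring(v62, v27);` keeps the regression from depending on sloppy-mode semantics (the inner function closes over it either way). The fuzzer-style names also hide which steps matter: `eval(Math)` is just the `Math` object (`eval` returns non-string arguments unchanged), so `v62` is truthy and the substring start coerces to 0, and the ChangeLog says the bug is in the atomize paths, so a leading comment stating which of the property-key operations (`Math[v61] = []` on the base string, `delete v82[v63]` on the substring wrapper) is meant to change the base's 8-bit/16-bit status before the wrapper is resolved would make the test readable without the bug report.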
Modified: branches/safari-613-branch/Source/_javascript_Core/ChangeLog (292991 => 292992)
--- branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-04-19 00:49:45 UTC (rev 292991)
+++ branches/safari-613-branch/Source/_javascript_Core/ChangeLog 2022-04-19 00:49:48 UTC (rev 292992)
@@ -1,5 +1,55 @@
2022-04-18 Kocsen Chung <kocsen_ch...@apple.com>
+ Cherry-pick r292484. rdar://problem/89253391
+
+ [JSC] Substring resolving should check 8bit / 16bit again
+ https://bugs.webkit.org/show_bug.cgi?id=236775
+ <rdar://problem/89253391>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/8bit-16bit-atomize-conversion.js: Added.
+ (main.v64):
+ (main):
+
+ Source/_javascript_Core:
+
+ Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
+ becomes different from substring JSString wrapper's bit. We should not assume they are the same.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeInternal const):
+ (JSC::JSRopeString::resolveRopeToAtomString const):
+ (JSC::JSRopeString::resolveRopeToExistingAtomString const):
+ (JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
+ (JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
+ * runtime/JSString.h:
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@292484 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2022-04-06 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Substring resolving should check 8bit / 16bit again
+ https://bugs.webkit.org/show_bug.cgi?id=236775
+ <rdar://problem/89253391>
+
+ Reviewed by Saam Barati.
+
+ Substring JSString is wrapping JSString. Thus it is possible that underlying JSString's 8Bit / 16Bit status
+ becomes different from substring JSString wrapper's bit. We should not assume they are the same.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeInternal const):
+ (JSC::JSRopeString::resolveRopeToAtomString const):
+ (JSC::JSRopeString::resolveRopeToExistingAtomString const):
+ (JSC::JSRopeString::resolveRopeInternal8 const): Deleted.
+ (JSC::JSRopeString::resolveRopeInternal16 const): Deleted.
+ * runtime/JSString.h:
+
+2022-04-18 Kocsen Chung <kocsen_ch...@apple.com>
+
Cherry-pick r292475. rdar://problem/91078546
CSE should be more careful with values that have WritesPinned, ExitsSideways, or are of different sizes
Modified: branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.cpp (292991 => 292992)
--- branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.cpp 2022-04-19 00:49:45 UTC (rev 292991)
+++ branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.cpp 2022-04-19 00:49:48 UTC (rev 292992)
@@ -152,10 +152,17 @@
static constexpr unsigned maxLengthForOnStackResolve = 2048;
-void JSRopeString::resolveRopeInternal8(LChar* buffer) const
+template<typename CharacterType>
+void JSRopeString::resolveRopeInternal(CharacterType* buffer) const
{
if (isSubstring()) {
- StringImpl::copyCharacters(buffer, substringBase()->valueInternal().characters8() + substringOffset(), length());
+ // It is possible that underlying string becomes 8bit/16bit while wrapper substring is saying it is 16bit/8bit.
+ // But It is definitely true that substring part can be represented as its parent's status 8bit/16bit, which is described as CharacterType.
+ auto& string = substringBase()->valueInternal();
+ if (string.is8Bit())
+ StringImpl::copyCharacters(buffer, string.characters8() + substringOffset(), length());
+ else
+ StringImpl::copyCharacters(buffer, string.characters16() + substringOffset(), length());
return;
}
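Review bot: in the new `isSubstring()` path the `else` branch copies from `string.characters16()` into a `CharacterType*` buffer, and when `CharacterType` is `LChar` that is a narrowing copy which is only correct if every character in `[substringOffset(), substringOffset() + length())` is Latin-1. The comment asserts this invariant but nothing checks it; a debug `ASSERT` over that range in the narrowing case would document it and catch a wrapper whose 8-bit flag is stale in the other direction. The comment itself also needs wording fixes: "while wrapper substring is saying it is 16bit/8bit" reads better as "while the wrapper substring says it is 16bit/8bit", "But It is" should be "But it is", and "can be represented as its parent's status 8bit/16bit, which is described as CharacterType" appears to mean "can be represented in the wrapper's width, which is CharacterType", since the parent's width is exactly what this function now re-checks.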
@@ -162,17 +169,6 @@
resolveRopeInternalNoSubstring(buffer);
}
-void JSRopeString::resolveRopeInternal16(UChar* buffer) const
-{
- if (isSubstring()) {
- StringImpl::copyCharacters(
- buffer, substringBase()->valueInternal().characters16() + substringOffset(), length());
- return;
- }
-
- resolveRopeInternalNoSubstring(buffer);
-}
-
template<typename CharacterType>
void JSRopeString::resolveRopeInternalNoSubstring(CharacterType* buffer) const
{
@@ -210,11 +206,11 @@
if (is8Bit()) {
LChar buffer[maxLengthForOnStackResolve];
- resolveRopeInternal8(buffer);
+ resolveRopeInternal(buffer);
convertToNonRope(AtomStringImpl::add(buffer, length()));
} else {
UChar buffer[maxLengthForOnStackResolve];
- resolveRopeInternal16(buffer);
+ resolveRopeInternal(buffer);
convertToNonRope(AtomStringImpl::add(buffer, length()));
}
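Review bot: with `resolveRopeInternal8`/`16` gone, the template argument is deduced from the stack array's element type, so the wrapper's `is8Bit()` still chooses the buffer width here while the base's width is checked inside `resolveRopeInternal`. That split (wrapper flag selects the destination width, base flag selects the source width) is the whole fix, but the function name no longer carries it; a one-line comment at this first call site saying so would help the next reader understand why the two branches differ only in the buffer type.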
@@ -255,7 +251,7 @@
if (is8Bit()) {
LChar buffer[maxLengthForOnStackResolve];
- resolveRopeInternal8(buffer);
+ resolveRopeInternal(buffer);
if (RefPtr<AtomStringImpl> existingAtomString = AtomStringImpl::lookUp(buffer, length())) {
convertToNonRope(*existingAtomString);
return existingAtomString;
@@ -262,7 +258,7 @@
}
} else {
UChar buffer[maxLengthForOnStackResolve];
- resolveRopeInternal16(buffer);
+ resolveRopeInternal(buffer);
if (RefPtr<AtomStringImpl> existingAtomString = AtomStringImpl::lookUp(buffer, length())) {
convertToNonRope(*existingAtomString);
return existingAtomString;
Modified: branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.h (292991 => 292992)
--- branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.h 2022-04-19 00:49:45 UTC (rev 292991)
+++ branches/safari-613-branch/Source/_javascript_Core/runtime/JSString.h 2022-04-19 00:49:48 UTC (rev 292992)
@@ -606,8 +606,7 @@
template<typename CharacterType> void resolveRopeInternalNoSubstring(CharacterType*) const;
Identifier toIdentifier(JSGlobalObject*) const;
void outOfMemory(JSGlobalObject* nullOrGlobalObjectForOOM) const;
- void resolveRopeInternal8(LChar*) const;
- void resolveRopeInternal16(UChar*) const;
+ template<typename CharacterType> void resolveRopeInternal(CharacterType*) const;
StringView unsafeView(JSGlobalObject*) const;
StringViewWithUnderlyingString viewWithUnderlyingString(JSGlobalObject*) const;
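Review bot: `resolveRopeInternal` is now a member template declared here but, per the JSString.cpp hunk, defined only in the .cpp, so it can be instantiated only from that translation unit. That mirrors the existing `resolveRopeInternalNoSubstring` declaration a few lines above and is fine as long as every caller stays in JSString.cpp; if an inline caller in this header ever needs it, the definition would have to move. Worth a short comment that `LChar` and `UChar` are the only supported instantiations.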