Title: [225517] branches/safari-604-branch

Diff

Modified: branches/safari-604-branch/JSTests/ChangeLog (225516 => 225517)


--- branches/safari-604-branch/JSTests/ChangeLog	2017-12-05 05:23:14 UTC (rev 225516)
+++ branches/safari-604-branch/JSTests/ChangeLog	2017-12-05 06:25:50 UTC (rev 225517)
@@ -1,3 +1,21 @@
+2017-12-04  Jason Marcell  <[email protected]>
+
+        Cherry-pick r225239. rdar://problem/35838157
+
+    2017-11-27  JF Bastien  <[email protected]>
+
+            _javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
+            https://bugs.webkit.org/show_bug.cgi?id=180051
+            <rdar://problem/35614371>
+
+            Reviewed by Saam Barati.
+
+            * stress/rest-parameter-negative.js: Added.
+            (__f_5484):
+            (catch):
+            (__f_5485):
+            (__v_22598.catch):
+
 2017-11-28  Jason Marcell  <[email protected]>
 
         Cherry-pick r224539. rdar://problem/35698788

Added: branches/safari-604-branch/JSTests/stress/rest-parameter-negative.js (0 => 225517)


--- branches/safari-604-branch/JSTests/stress/rest-parameter-negative.js	                        (rev 0)
+++ branches/safari-604-branch/JSTests/stress/rest-parameter-negative.js	2017-12-05 06:25:50 UTC (rev 225517)
@@ -0,0 +1,21 @@
+function __f_5484(__v_22596) {
+  if (!__v_22596) throw new Error();
+}
+
+try {
+  noInline(__f_5484);
+} catch (e) {}
+
+function __f_5485(...__v_22597) {
+  return __v_22597[-13];
+}
+
+try {
+  noInline(__f_5485);
+} catch (e) {}
+
+for (let __v_22598 = 0; __v_22598 < 10000; __v_22598++) {
+  try {
+    __f_5484(__f_5485(__v_22598) === __v_22598);
+  } catch (e) {}
+}
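Review bot: The comparison in the loop body, `__f_5484(__f_5485(__v_22598) === __v_22598)`, can never hold — `__v_22597[-13]` reads a property the rest array does not have and yields undefined — so __f_5484 throws on every iteration and the enclosing try/catch swallows it. The file therefore guards only against a crash or a miscompile on the DFG path, not against any returned value, and nothing in it says so; a later reader could easily "fix" the assertion and lose the test's purpose. Suggested header comment: `// Regression test for the DFG abstract interpreter mishandling a negative rest-parameter index: __f_5485 always yields undefined, so __f_5484 throws and the catch swallows it; the test passes as long as the loop neither crashes nor asserts.`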

Modified: branches/safari-604-branch/Source/_javascript_Core/ChangeLog (225516 => 225517)


--- branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-12-05 05:23:14 UTC (rev 225516)
+++ branches/safari-604-branch/Source/_javascript_Core/ChangeLog	2017-12-05 06:25:50 UTC (rev 225517)
@@ -1,3 +1,21 @@
+2017-12-04  Jason Marcell  <[email protected]>
+
+        Cherry-pick r225239. rdar://problem/35838157
+
+    2017-11-27  JF Bastien  <[email protected]>
+
+            _javascript_ rest function parameter with negative index leads to bad DFG abstract interpretation
+            https://bugs.webkit.org/show_bug.cgi?id=180051
+            <rdar://problem/35614371>
+
+            Reviewed by Saam Barati.
+
+            Checking for int32 isn't sufficient when uint32 is expected
+            afterwards. While we're here, also use Checked<>.
+
+            * dfg/DFGAbstractInterpreterInlines.h:
+            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2017-11-28  Jason Marcell  <[email protected]>
 
         Cherry-pick r224539. rdar://problem/35698788

Modified: branches/safari-604-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (225516 => 225517)


--- branches/safari-604-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2017-12-05 05:23:14 UTC (rev 225516)
+++ branches/safari-604-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2017-12-05 06:25:50 UTC (rev 225517)
@@ -40,6 +40,8 @@
 #include "PutByIdStatus.h"
 #include "StringObject.h"
 
+#include <wtf/CheckedArithmetic.h>
+
 namespace JSC { namespace DFG {
 
 template<typename AbstractStateType>
@@ -1732,25 +1734,29 @@
         JSValue index = forNode(node->child2()).m_value;
         InlineCallFrame* inlineCallFrame = node->child1()->origin.semantic.inlineCallFrame;
 
-        if (index && index.isInt32()) {
+        if (index && index.isUInt32()) {
             // This pretends to return TOP for accesses that are actually proven out-of-bounds because
             // that's the conservative thing to do. Otherwise we'd need to write more code to mark such
             // paths as unreachable, or to return undefined. We could implement that eventually.
-            
-            unsigned argumentIndex = index.asUInt32() + node->numberOfArgumentsToSkip();
-            if (inlineCallFrame) {
-                if (argumentIndex < inlineCallFrame->arguments.size() - 1) {
-                    forNode(node) = m_state.variables().operand(
-                        virtualRegisterForArgument(argumentIndex + 1) + inlineCallFrame->stackOffset);
-                    m_state.setFoundConstants(true);
-                    break;
+
+            Checked<unsigned, RecordOverflow> argumentIndexChecked = index.asUInt32();
+            argumentIndexChecked += node->numberOfArgumentsToSkip();
+            unsigned argumentIndex;
+            if (argumentIndexChecked.safeGet(argumentIndex) != CheckedState::DidOverflow) {
+                if (inlineCallFrame) {
+                    if (argumentIndex < inlineCallFrame->arguments.size() - 1) {
+                        forNode(node) = m_state.variables().operand(
+                            virtualRegisterForArgument(argumentIndex + 1) + inlineCallFrame->stackOffset);
+                        m_state.setFoundConstants(true);
+                        break;
+                    }
+                } else {
+                    if (argumentIndex < m_state.variables().numberOfArguments() - 1) {
+                        forNode(node) = m_state.variables().argument(argumentIndex + 1);
+                        m_state.setFoundConstants(true);
+                        break;
+                    }
                 }
-            } else {
-                if (argumentIndex < m_state.variables().numberOfArguments() - 1) {
-                    forNode(node) = m_state.variables().argument(argumentIndex + 1);
-                    m_state.setFoundConstants(true);
-                    break;
-                }
             }
         }
         
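Review bot: The new `isUInt32()` guard carries no comment explaining why a plain `isInt32()` check was wrong, and the pre-existing comment just below it still speaks only of out-of-bounds accesses. A negative int32 passed through `asUInt32()` would be reinterpreted as a large unsigned and, once `numberOfArgumentsToSkip()` was added without overflow checking, could wrap back into the argument range and let the interpreter constant-fold the wrong slot; the guard and the Checked<> addition together close that, and a reader should not have to rediscover it. Suggested comment above the guard: `// Only a non-negative index may reach asUInt32(): a negative int32 reinterpreted as unsigned plus numberOfArgumentsToSkip() can wrap back into range. Overflow and out-of-range both fall through to TOP.` Separately, the `- 1` in `inlineCallFrame->arguments.size() - 1` and `numberOfArguments() - 1` would underflow and admit any index if either count could ever be zero; presumably both include `this` and never are, but that invariant deserves an assertion or a comment. executeEffects starts and ends outside the hunk.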
