Title: [246332] trunk
- Revision
- 246332
- Author
- tzaga...@apple.com
- Date
- 2019-06-11 14:06:45 -0700 (Tue, 11 Jun 2019)
Log Message
AI BitURShift's result should not be unsigned
https://bugs.webkit.org/show_bug.cgi?id=198689
<rdar://problem/51550063>
Reviewed by Saam Barati.
JSTests:
* stress/urshift-int32-overflow.js: Added.
(foo.):
(foo):
Source/_javascript_Core:
Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
all we have to do is store the result as a signed int32.
* dfg/DFGAbstractInterpreterInlines.h:
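The mechanism the commit message describes, as an added example (my own code, not JavaScriptCore's): the names `foldURShift`, `foldURShiftBeforePatch`, `foldRShift`, `foldLShift`, `fitsInt32` and `uint32ToNumber` are this example's own, modelling the three constant-folding cases with the ECMAScript 5-bit shift-count mask. It shows why the pre-patch uint32 result of `-766834598 >>> 0` (the constant from the new stress test) cannot be boxed as an int32, and how the post-patch signed store round-trips back to the unsigned value through a UInt32ToNumber-style reinterpretation.

```cpp
#include <cstdint>
#include <climits>
#include <cstdio>

// Added example, not JSC code: models the constant-folding cases from the patch.

// ECMAScript shift operators use only the low 5 bits of ToUint32(count),
// so x >>> 32 behaves like x >>> 0. This is what the patch's "& 0x1f" does.
static uint32_t shiftCount(int32_t b) { return static_cast<uint32_t>(b) & 0x1f; }

// BitURShift after the patch: shift as uint32, then store the bit pattern as an
// int32. Results >= 2^31 wrap negative on purpose; UInt32ToNumber reinterprets
// the stored int32 as unsigned later, so no information is lost.
int32_t foldURShift(int32_t a, int32_t b) {
    uint32_t r = static_cast<uint32_t>(a) >> shiftCount(b);
    return static_cast<int32_t>(r); // two's-complement reinterpretation
}

// BitURShift before the patch, as the commit message describes it: the fold
// produced a uint32. Modelled as int64 so the out-of-range value stays visible.
int64_t foldURShiftBeforePatch(int32_t a, int32_t b) {
    return static_cast<uint32_t>(a) >> shiftCount(b);
}

// A value above INT32_MAX cannot be boxed as an int32 constant; the abstract
// interpreter would then hand the DFG/FTL a double constant instead.
bool fitsInt32(int64_t v) { return v >= INT32_MIN && v <= INT32_MAX; }

// UInt32ToNumber: the number JavaScript observes for x >>> n.
double uint32ToNumber(int32_t stored) {
    return static_cast<double>(static_cast<uint32_t>(stored));
}

// BitRShift with the masked count. Right-shifting a negative signed value is
// implementation-defined before C++20 but arithmetic (sign-extending) on the
// compilers in common use.
int32_t foldRShift(int32_t a, int32_t b) { return a >> shiftCount(b); }

// BitLShift with the masked count. Shifting as uint32 first avoids the undefined
// behaviour of left-shifting a negative signed value (pre-C++20).
int32_t foldLShift(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) << shiftCount(b));
}

int main() {
    const int32_t a = -766834598; // the constant used by urshift-int32-overflow.js
    int64_t before = foldURShiftBeforePatch(a, 0);
    int32_t after = foldURShift(a, 0);
    std::printf("before patch: %lld (fits int32: %s)\n",
                static_cast<long long>(before), fitsInt32(before) ? "yes" : "no");
    std::printf("after patch: stored %d, UInt32ToNumber -> %.0f\n",
                after, uint32ToNumber(after));
    std::printf("a >>> 32 folds like a >>> 0: %s\n",
                foldURShift(a, 32) == foldURShift(a, 0) ? "yes" : "no");
    return 0;
}
```

The interesting case is a shift count of 0 (or any multiple of 32) on a negative operand: the unsigned result is at least 2^31, so only the signed reinterpretation keeps it representable as an int32 constant, and the unsigned view is recovered exactly when the value is converted to a number.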
Diff
Modified: trunk/JSTests/ChangeLog (246331 => 246332)
--- trunk/JSTests/ChangeLog 2019-06-11 20:34:16 UTC (rev 246331)
+++ trunk/JSTests/ChangeLog 2019-06-11 21:06:45 UTC (rev 246332)
@@ -1,3 +1,15 @@
+2019-06-10 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI BitURShift's result should not be unsigned
+ https://bugs.webkit.org/show_bug.cgi?id=198689
+ <rdar://problem/51550063>
+
+ Reviewed by Saam Barati.
+
+ * stress/urshift-int32-overflow.js: Added.
+ (foo.):
+ (foo):
+
2019-06-11 Guillaume Emont <guijem...@igalia.com>
Skip stress/ftl-gettypedarrayoffset-wasteful.js on Arm/Linux
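Review bot: The new entry is dated 2019-06-10 while the commit landed on 2019-06-11 (see the revision header and the file timestamps in the hunk), so the ChangeLog date is stale; update it before landing so the entry sorts correctly above the 2019-06-11 entry it now precedes.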
Added: trunk/JSTests/stress/urshift-int32-overflow.js (0 => 246332)
--- trunk/JSTests/stress/urshift-int32-overflow.js (rev 0)
+++ trunk/JSTests/stress/urshift-int32-overflow.js 2019-06-11 21:06:45 UTC (rev 246332)
@@ -0,0 +1,18 @@
+//@ requireOptions("--forceEagerCompilation=1")
+
+function foo() {
+ const v22 = [];
+ for (let i = 0; i < 3; i++) {
+ for (let j = 0; j < 8; j++) {
+ ({x: -766834598 >>> !v22});
+ }
+ (function v31(v32) { })();
+ }
+ return {};
+}
+
+const v2 = [];
+const proxy = new Proxy(Array, { getPrototypeOf: foo });
+for (let i = 0; i < 1000; i++) {
+ v2.__proto__ = proxy;
+}
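Review bot: The test only exercises a shift count of 0 (`!v22` is `false`, which ToUint32 turns into 0) and passes merely by not crashing; nothing checks the folded value. Suggest an explicit assertion such as `if ((-766834598 >>> 0) !== 3528132698) throw new Error("bad fold");` and at least one case with a count of 32 or more (e.g. `-766834598 >>> 33`), since the `& 0x1f` masking added in DFGAbstractInterpreterInlines.h is otherwise untested here.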
Modified: trunk/Source/_javascript_Core/ChangeLog (246331 => 246332)
--- trunk/Source/_javascript_Core/ChangeLog 2019-06-11 20:34:16 UTC (rev 246331)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-06-11 21:06:45 UTC (rev 246332)
@@ -1,3 +1,18 @@
+2019-06-10 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI BitURShift's result should not be unsigned
+ https://bugs.webkit.org/show_bug.cgi?id=198689
+ <rdar://problem/51550063>
+
+ Reviewed by Saam Barati.
+
+ Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
+ This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
+ get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
+ all we have to do is store the result as a signed int32.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+
2019-06-11 Michael Catanzaro <mcatanz...@igalia.com>
Unreviewed build warning fixes
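Review bot: The description only covers the BitURShift signedness change, but the patch also masks the shift count with `& 0x1f` in the BitRShift and BitLShift cases; add a sentence saying so (it brings constant folding in line with the ECMAScript rule that only the low 5 bits of the count are used, and avoids a C++ shift by 32 or more, which is undefined behaviour). The entry date (2019-06-10) is also a day behind the commit date.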
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (246331 => 246332)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-06-11 20:34:16 UTC (rev 246331)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-06-11 21:06:45 UTC (rev 246332)
@@ -499,13 +499,13 @@
setConstant(node, JSValue(a ^ b));
break;
case BitRShift:
- setConstant(node, JSValue(a >> static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(a >> (static_cast<uint32_t>(b) & 0x1f)));
break;
case BitLShift:
- setConstant(node, JSValue(a << static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));
break;
case BitURShift:
- setConstant(node, JSValue(static_cast<uint32_t>(a) >> static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) >> (static_cast<uint32_t>(b) & 0x1f))));
break;
default:
RELEASE_ASSERT_NOT_REACHED();
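Review bot: In the BitLShift case, `a << (static_cast<uint32_t>(b) & 0x1f)` is still undefined behaviour before C++20 whenever `a` is a negative signed value, which the BitURShift line avoids by shifting as uint32_t first; for consistency suggest `setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) << (static_cast<uint32_t>(b) & 0x1f))));`. The `& 0x1f` masking is the right fix for counts of 32 or more, and the trailing `static_cast<int32_t>` in the BitURShift line relies on two's-complement reinterpretation of results above INT32_MAX (implementation-defined before C++20, but what every compiler JSC builds with does), which is exactly what lets UInt32ToNumber recover the unsigned value later as the ChangeLog describes.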
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes