Title: [246998] releases/WebKitGTK/webkit-2.24
- Revision
- 246998
- Author
- [email protected]
- Date
- 2019-07-01 04:04:03 -0700 (Mon, 01 Jul 2019)
Log Message
Merge r246332 - AI BitURShift's result should not be unsigned
https://bugs.webkit.org/show_bug.cgi?id=198689
<rdar://problem/51550063>
Reviewed by Saam Barati.
JSTests:
* stress/urshift-int32-overflow.js: Added.
(foo.):
(foo):
Source/JavaScriptCore:
Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
all we have to do is store the result as a signed int32.
* dfg/DFGAbstractInterpreterInlines.h:
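The folding the commit message describes, as an added example that is not WebKit code: a minimal stand-in for JSValue's int32/double boxing (an assumption of this example; the real JSValue is more involved) shows why the pre-patch unsigned result left the int32 range and became a double, and why storing the same bit pattern as a signed int32 is enough once UInt32ToNumber reinterprets it. The `foldLShiftUnsigned` helper goes one step beyond the patch and is this example's own suggestion.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for JSC::JSValue's number boxing (an assumption of this
// example, not the real JSValue): a value built from int32_t is tagged as an
// int32; a value built from a uint32_t that exceeds INT32_MAX becomes a double.
struct BoxedNumber {
    bool isInt32;
    int32_t i32;
    double d;

    static BoxedNumber fromInt32(int32_t v) { return BoxedNumber{true, v, static_cast<double>(v)}; }
    static BoxedNumber fromUint32(uint32_t v) {
        if (v <= static_cast<uint32_t>(INT32_MAX))
            return fromInt32(static_cast<int32_t>(v));
        return BoxedNumber{false, 0, static_cast<double>(v)};
    }
    double asNumber() const { return isInt32 ? static_cast<double>(i32) : d; }
};

// ECMAScript shift count: ToUint32(rhs) & 0x1F, the same mask the patch adds.
uint32_t shiftCount(int32_t b) { return static_cast<uint32_t>(b) & 0x1f; }

// Pre-patch folding of BitURShift: the unsigned result is boxed as-is, so any
// result with the top bit set leaves the int32 range. (The original also did not
// mask the count; the mask is kept here so that b >= 32 stays well-defined.)
BoxedNumber foldURShiftOld(int32_t a, int32_t b) {
    return BoxedNumber::fromUint32(static_cast<uint32_t>(a) >> shiftCount(b));
}

// Post-patch folding: same shift, but the bit pattern is stored as a signed int32.
BoxedNumber foldURShiftNew(int32_t a, int32_t b) {
    return BoxedNumber::fromInt32(static_cast<int32_t>(static_cast<uint32_t>(a) >> shiftCount(b)));
}

// Model of UInt32ToNumber: reinterpret the int32 bits as uint32 and widen to double.
double uint32ToNumber(int32_t v) { return static_cast<double>(static_cast<uint32_t>(v)); }

// Reference result of the JavaScript expression a >>> b.
double jsURShift(int32_t a, int32_t b) {
    return static_cast<double>(static_cast<uint32_t>(a) >> shiftCount(b));
}

// Portable folding of BitLShift (this example's suggestion, beyond the patch):
// shifting in uint32_t avoids the undefined left shift of a negative int32_t;
// the cast back to int32_t is modular on every compiler JSC targets.
int32_t foldLShiftUnsigned(int32_t a, int32_t b) {
    return static_cast<int32_t>(static_cast<uint32_t>(a) << shiftCount(b));
}

int main() {
    // Operands from the regression test: -766834598 >>> !v22, where ![] is false
    // and ToUint32(false) is 0.
    const int32_t a = -766834598;
    const int32_t b = 0;

    BoxedNumber before = foldURShiftOld(a, b);
    BoxedNumber after = foldURShiftNew(a, b);
    std::printf("old: isInt32=%d value=%.0f\n", before.isInt32, before.asNumber());
    std::printf("new: isInt32=%d stored=%d UInt32ToNumber=%.0f js=%.0f\n",
                after.isInt32, after.i32, uint32ToNumber(after.i32), jsURShift(a, b));
    std::printf("count 33 -> %u, -8 >>> 33 -> %u\n",
                shiftCount(33), static_cast<uint32_t>(foldURShiftNew(-8, 33).i32));
    return 0;
}
```

With the test's operands the old path yields 3528132698, which does not fit an int32 and is boxed as a double, while the new path stores -766834598 as an int32 and `uint32ToNumber` recovers exactly the value `a >>> b` must produce in JavaScript.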
Diff
Modified: releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog (246997 => 246998)
--- releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog 2019-07-01 11:04:00 UTC (rev 246997)
+++ releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog 2019-07-01 11:04:03 UTC (rev 246998)
@@ -1,3 +1,15 @@
+2019-06-10 Tadeu Zagallo <[email protected]>
+
+ AI BitURShift's result should not be unsigned
+ https://bugs.webkit.org/show_bug.cgi?id=198689
+ <rdar://problem/51550063>
+
+ Reviewed by Saam Barati.
+
+ * stress/urshift-int32-overflow.js: Added.
+ (foo.):
+ (foo):
+
2019-05-07 Yusuke Suzuki <[email protected]>
[JSC] DFG_ASSERT failed in lowInt52
Added: releases/WebKitGTK/webkit-2.24/JSTests/stress/urshift-int32-overflow.js (0 => 246998)
--- releases/WebKitGTK/webkit-2.24/JSTests/stress/urshift-int32-overflow.js (rev 0)
+++ releases/WebKitGTK/webkit-2.24/JSTests/stress/urshift-int32-overflow.js 2019-07-01 11:04:03 UTC (rev 246998)
@@ -0,0 +1,18 @@
+//@ requireOptions("--forceEagerCompilation=1")
+
+function foo() {
+ const v22 = [];
+ for (let i = 0; i < 3; i++) {
+ for (let j = 0; j < 8; j++) {
+ ({x: -766834598 >>> !v22});
+ }
+ (function v31(v32) { })();
+ }
+ return {};
+}
+
+const v2 = [];
+const proxy = new Proxy(Array, { getPrototypeOf: foo });
+for (let i = 0; i < 1000; i++) {
+ v2.__proto__ = proxy;
+}
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (246997 => 246998)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-07-01 11:04:00 UTC (rev 246997)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog 2019-07-01 11:04:03 UTC (rev 246998)
@@ -1,3 +1,18 @@
+2019-06-10 Tadeu Zagallo <[email protected]>
+
+ AI BitURShift's result should not be unsigned
+ https://bugs.webkit.org/show_bug.cgi?id=198689
+ <rdar://problem/51550063>
+
+ Reviewed by Saam Barati.
+
+ Treating BitURShift's result as unsigned in the abstract interpreter incorrectly overflows it.
+ This breaks the DFG and FTL, since they assume that BitURShift's result is an int32 value, but
+ get a double constant from AI. Since the result will be converted to unsigned by UInt32ToNumber,
+ all we have to do is store the result as a signed int32.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+
2019-06-06 Michael Catanzaro <[email protected]>
aarch64: ‘JSC::ARM64Assembler::LinkRecord::<unnamed union>::RealTypes::m_compareRegister’ is too small to hold all values of ‘JSC::ARM64Assembler::RegisterID’ {aka ‘enum JSC::ARM64Registers::RegisterID’}
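Review bot: the entry lists `* dfg/DFGAbstractInterpreterInlines.h:` with nothing under it, while the JSTests entry in the same merge lists `(foo.):` and `(foo):`; WebKit ChangeLog entries normally name the modified function beneath the file path, so the function containing the constant-folding switch should be added here.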
Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (246997 => 246998)
--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-07-01 11:04:00 UTC (rev 246997)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-07-01 11:04:03 UTC (rev 246998)
@@ -433,13 +433,13 @@
setConstant(node, JSValue(a ^ b));
break;
case BitRShift:
- setConstant(node, JSValue(a >> static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(a >> (static_cast<uint32_t>(b) & 0x1f)));
break;
case BitLShift:
- setConstant(node, JSValue(a << static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));
break;
case BitURShift:
- setConstant(node, JSValue(static_cast<uint32_t>(a) >> static_cast<uint32_t>(b)));
+ setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) >> (static_cast<uint32_t>(b) & 0x1f))));
break;
default:
RELEASE_ASSERT_NOT_REACHED();
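Review bot: the BitLShift line, `setConstant(node, JSValue(a << (static_cast<uint32_t>(b) & 0x1f)));`, still left-shifts the signed `a` (assuming `a` is an int32_t, as the `static_cast<uint32_t>(a)` on the BitURShift line implies); left-shifting a negative signed value is undefined behaviour in C++ before C++20, so the folder still relies on the compiler doing the obvious thing for negative left operands. Suggest shifting in unsigned and casting back, mirroring the BitURShift line: `setConstant(node, JSValue(static_cast<int32_t>(static_cast<uint32_t>(a) << (static_cast<uint32_t>(b) & 0x1f))));`. The `& 0x1f` masks on all three cases match ECMAScript's ToUint32(rhs) & 0x1F and also remove the previously unmasked shift counts of 32 or more, which were undefined as well; it is worth saying so in the ChangeLog, since the message only mentions the signedness of the BitURShift result.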
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes