Title: [248234] releases/WebKitGTK/webkit-2.24
Revision
248234
Author
[email protected]
Date
2019-08-03 20:23:17 -0700 (Sat, 03 Aug 2019)

Log Message

Merge r246071 - Argument elimination should check for negative indices in GetByVal
https://bugs.webkit.org/show_bug.cgi?id=198302
<rdar://problem/51188095>

Reviewed by Filip Pizlo.

JSTests:

* stress/eliminate-arguments-negative-rest-access.js: Added.
(inlinee):
(opt):

Source/_javascript_Core:

In DFG::ArgumentEliminationPhase, the index is treated as unsigned, but there's no check
for overflow in the addition. In compileGetMyArgumentByVal, there's a check for overflow,
but the index is treated as signed, resulting in an index lower than numberOfArgumentsToSkip.

* dfg/DFGArgumentsEliminationPhase.cpp:
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
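The two defects named in the log message are both index-arithmetic mistakes on the rest-parameter fast path: a rest object created from `f(a, ...rest)` skips the first `numberOfArgumentsToSkip` actual arguments, so `rest[index]` resolves to actual-argument slot `index + skip`, which must lie in `[skip, argc)`. The C model below is an added illustration, not JSC code; the function names, the sentinel `REJECTED`, and the constructed call shape (three actual arguments, one skipped) are assumptions. It shows how an unsigned index with an unchecked addition wraps to a slot below `skip`, how a signed index with only an overflow check also lands below `skip` (or goes negative), and what a check that rejects negative indices before the addition does instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the described index arithmetic (not JSC code; names invented).
 * rest[index] maps to actual-argument slot index + skip, valid only when
 * skip <= slot < argc. Each checker returns the slot it would read, or REJECTED. */
#define REJECTED INT64_MIN

/* Variant A (as the log describes the DFG phase): index treated as unsigned,
 * addition not checked for overflow. (uint32_t)-1 + 1 wraps to 0. */
static int64_t slot_unsigned_unchecked(int32_t index, uint32_t skip, uint32_t argc)
{
    uint32_t sum = (uint32_t)index + skip;   /* wraps modulo 2^32 */
    if (sum >= argc)
        return REJECTED;
    return (int64_t)sum;                     /* may be below skip */
}

/* Variant B (as the log describes compileGetMyArgumentByVal): the addition is
 * checked for overflow, but index is signed and never tested for negativity,
 * so the sum can be below skip, or negative, and still pass the bound. */
static int64_t slot_signed_overflow_checked(int32_t index, int32_t skip, int32_t argc)
{
    int64_t sum = (int64_t)index + skip;     /* exact: 64-bit, no wrap */
    if (sum > INT32_MAX)                     /* overflow check only */
        return REJECTED;
    if (sum >= argc)                         /* signed compare: negative sum passes */
        return REJECTED;
    return sum;
}

/* Hardened: reject negative indices before any arithmetic, then check overflow
 * and the upper bound. Every accepted slot now satisfies skip <= slot < argc. */
static int64_t slot_hardened(int32_t index, int32_t skip, int32_t argc)
{
    if (index < 0)
        return REJECTED;
    int64_t sum = (int64_t)index + skip;
    if (sum > INT32_MAX || sum >= argc)
        return REJECTED;
    return sum;
}

int main(void)
{
    /* Constructed scenario: f(a, ...rest) called with 3 arguments, so skip=1, argc=3. */
    const int32_t skip = 1, argc = 3;
    const int32_t probes[] = { 1, 2, -1, -5, INT32_MAX };
    printf("INT64_MIN (%lld) means the access was rejected\n", (long long)REJECTED);
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int32_t idx = probes[i];
        printf("rest[%d]: unsigned/unchecked=%lld signed/overflow-only=%lld hardened=%lld\n",
               idx,
               (long long)slot_unsigned_unchecked(idx, (uint32_t)skip, (uint32_t)argc),
               (long long)slot_signed_overflow_checked(idx, skip, argc),
               (long long)slot_hardened(idx, skip, argc));
    }
    return 0;
}
```

With `skip = 1`, variant A accepts `rest[-1]` and resolves it to slot 0, the argument the rest parameter was supposed to skip; variant B does the same for `-1` and additionally accepts `rest[-5]` as slot -4, i.e. memory before the argument area. Only the hardened variant rejects both, and it still accepts the legitimate `rest[1]` as slot 2 and rejects `rest[2]` as past `argc`.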

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog (248233 => 248234)


--- releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-08-04 03:23:15 UTC (rev 248233)
+++ releases/WebKitGTK/webkit-2.24/JSTests/ChangeLog	2019-08-04 03:23:17 UTC (rev 248234)
@@ -1,3 +1,15 @@
+2019-06-04  Tadeu Zagallo  <[email protected]>
+
+        Argument elimination should check for negative indices in GetByVal
+        https://bugs.webkit.org/show_bug.cgi?id=198302
+        <rdar://problem/51188095>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/eliminate-arguments-negative-rest-access.js: Added.
+        (inlinee):
+        (opt):
+
 2019-05-28  Michael Saboff  <[email protected]>
 
         [YARR] Properly handle RegExp's that require large ParenContext space
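Review bot: the new JSTests entry lists only the function names (inlinee) and (opt) and says nothing about what stress/eliminate-arguments-negative-rest-access.js exercises or expects; the file name suggests a negative index into a rest-parameter access after argument elimination, but the log should state that scenario and the expected result in one line so a later bisect can tell what a failure of this test means without opening it.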

Modified: releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog (248233 => 248234)


--- releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-08-04 03:23:15 UTC (rev 248233)
+++ releases/WebKitGTK/webkit-2.24/Source/_javascript_Core/ChangeLog	2019-08-04 03:23:17 UTC (rev 248234)
@@ -1,3 +1,19 @@
+2019-06-04  Tadeu Zagallo  <[email protected]>
+
+        Argument elimination should check for negative indices in GetByVal
+        https://bugs.webkit.org/show_bug.cgi?id=198302
+        <rdar://problem/51188095>
+
+        Reviewed by Filip Pizlo.
+
+        In DFG::ArgumentEliminationPhase, the index is treated as unsigned, but there's no check
+        for overflow in the addition. In compileGetMyArgumentByVal, there's a check for overflow,
+        but the index is treated as signed, resulting in an index lower than numberOfArgumentsToSkip.
+
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
+
 2019-06-04  Yusuke Suzuki  <[email protected]>
 
         Unreviewed, update exception scope for putByIndexBeyondVectorLength
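Review bot: the dfg/DFGArgumentsEliminationPhase.cpp entry names no function, while the ftl/FTLLowerDFGToB3.cpp entry annotates (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal); list the function(s) touched in the DFG phase as well. The description also states the two defects (an unsigned index with an unchecked addition in the DFG phase; a signed index behind an overflow check in FTL, yielding an index lower than numberOfArgumentsToSkip) but not what the fix does at either site; a sentence such as "negative indices are now rejected before the addition, and both paths treat the index with the same signedness" would let a reader of the log confirm that the two code paths now agree rather than having to diff the sources.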
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes