[webkit-changes] [260522] trunk

[ysuzuki]

Title: [260522] trunk

Revision

260522

Author

ysuz...@apple.com

Date

2020-04-22 11:12:34 -0700 (Wed, 22 Apr 2020)

Log Message

[JSC] JSBigInt inc operation does not produce right HeapBigInt zero
https://bugs.webkit.org/show_bug.cgi?id=210860

Reviewed by Mark Lam.

JSTests:

* stress/bigint-zero-canonicalized.js: Added.
(shouldBe):

Source/_javascript_Core:

JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt.
This patch fixes it by checking zero status before setting `setSign(true)`.

* runtime/JSBigInt.cpp:
(JSC::JSBigInt::inc):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::dumpInContextAssumingStructure const):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSBigInt.cpp
• trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp

Added Paths

• trunk/JSTests/stress/bigint-zero-canonicalized.js

Diff

Modified: trunk/JSTests/ChangeLog (260521 => 260522)

--- trunk/JSTests/ChangeLog	2020-04-22 18:08:18 UTC (rev 260521)
+++ trunk/JSTests/ChangeLog	2020-04-22 18:12:34 UTC (rev 260522)
@@ -1,3 +1,13 @@
+2020-04-22  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
+        https://bugs.webkit.org/show_bug.cgi?id=210860
+
+        Reviewed by Mark Lam.
+
+        * stress/bigint-zero-canonicalized.js: Added.
+        (shouldBe):
+
 2020-04-22  Saam Barati  <sbar...@apple.com>
 
         ValueBitNot is wrong in FTL with AnyBigIntUse

Added: trunk/JSTests/stress/bigint-zero-canonicalized.js (0 => 260522)

--- trunk/JSTests/stress/bigint-zero-canonicalized.js	                        (rev 0)
+++ trunk/JSTests/stress/bigint-zero-canonicalized.js	2020-04-22 18:12:34 UTC (rev 260522)
@@ -0,0 +1,10 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+var zero1 = createHeapBigInt(0n);
+var zero2 = createHeapBigInt(-1n);
+zero2++;
+
+shouldBe(zero1 === zero2, true);

Modified: trunk/Source/_javascript_Core/ChangeLog (260521 => 260522)

--- trunk/Source/_javascript_Core/ChangeLog	2020-04-22 18:08:18 UTC (rev 260521)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-22 18:12:34 UTC (rev 260522)
@@ -1,3 +1,18 @@
+2020-04-22  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] JSBigInt inc operation does not produce right HeapBigInt zero
+        https://bugs.webkit.org/show_bug.cgi?id=210860
+
+        Reviewed by Mark Lam.
+
+        JSBigInt::inc can produce signed HeapBigInt zero, which is not meeting the invariant of JSBigInt.
+        This patch fixes it by checking zero status before setting `setSign(true)`.
+
+        * runtime/JSBigInt.cpp:
+        (JSC::JSBigInt::inc):
+        * runtime/JSCJSValue.cpp:
+        (JSC::JSValue::dumpInContextAssumingStructure const):
+
 2020-04-22  Devin Rousso  <drou...@apple.com>
 
         Web Inspector: Debugger: Step Over should only step through comma expressions if they are comma statements

Modified: trunk/Source/_javascript_Core/runtime/JSBigInt.cpp (260521 => 260522)

--- trunk/Source/_javascript_Core/runtime/JSBigInt.cpp	2020-04-22 18:08:18 UTC (rev 260521)
+++ trunk/Source/_javascript_Core/runtime/JSBigInt.cpp	2020-04-22 18:12:34 UTC (rev 260522)
@@ -446,6 +446,8 @@
     if (!x->sign())
         return absoluteAddOne(globalObject, x, SignOption::Unsigned);
     JSBigInt* result = absoluteSubOne(globalObject, x, x->length());
+    if (result->isZero())
+        return result;
     result->setSign(true);
     return result;
 }

Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp (260521 => 260522)

--- trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2020-04-22 18:08:18 UTC (rev 260521)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.cpp	2020-04-22 18:12:34 UTC (rev 260522)
@@ -312,7 +312,7 @@
         else if (structure->classInfo()->isSubClassOf(Structure::info()))
             out.print("Structure: ", inContext(*jsCast<Structure*>(asCell()), context));
         else if (isHeapBigInt())
-            out.print("BigInt[heap-allocated]: addr=", RawPointer(asCell()));
+            out.print("BigInt[heap-allocated]: addr=", RawPointer(asCell()), ", length=", jsCast<JSBigInt*>(asCell())->length(), ", sign=", jsCast<JSBigInt*>(asCell())->sign());
         else if (structure->classInfo()->isSubClassOf(JSObject::info())) {
             out.print("Object: ", RawPointer(asCell()));
             out.print(" with butterfly ", RawPointer(asObject(asCell())->butterfly()));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes