Title: [271573] trunk
Revision
271573
Author
[email protected]
Date
2021-01-17 23:56:44 -0800 (Sun, 17 Jan 2021)

Log Message

[JSC] DFG/FTL Atomics should not accept Float32/Float64 typed arrays
https://bugs.webkit.org/show_bug.cgi?id=220692
<rdar://problem/73238369>

Reviewed by Mark Lam.

JSTests:

* stress/atomics-float-edge.js: Added.
(foo):

Source/_javascript_Core:

We accidentally accept Float32/Float64 typed arrays. We should accept only integer TypedArrays (Int8, Uint8, ... etc.)
as specified in [1]. If any other type arrives, we make the mode Array::Generic and call the slow path, which can handle it.

[1]: https://tc39.es/ecma262/#sec-validateintegertypedarray

* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::isOneOfTypedArrayView const): Deleted.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

Diff

Modified: trunk/JSTests/ChangeLog (271572 => 271573)


--- trunk/JSTests/ChangeLog	2021-01-18 07:41:42 UTC (rev 271572)
+++ trunk/JSTests/ChangeLog	2021-01-18 07:56:44 UTC (rev 271573)
@@ -1,5 +1,16 @@
 2021-01-17  Yusuke Suzuki  <[email protected]>
 
+        [JSC] DFG/FTL Atomics should not accept Float32/Float64 typed arrays
+        https://bugs.webkit.org/show_bug.cgi?id=220692
+        <rdar://problem/73238369>
+
+        Reviewed by Mark Lam.
+
+        * stress/atomics-float-edge.js: Added.
+        (foo):
+
+2021-01-17  Yusuke Suzuki  <[email protected]>
+
         [JSC] FTL OSR entry FlushFormat array is reversed
         https://bugs.webkit.org/show_bug.cgi?id=220695
         <rdar://problem/72930932>

Added: trunk/JSTests/stress/atomics-float-edge.js (0 => 271573)


--- trunk/JSTests/stress/atomics-float-edge.js	                        (rev 0)
+++ trunk/JSTests/stress/atomics-float-edge.js	2021-01-18 07:56:44 UTC (rev 271573)
@@ -0,0 +1,21 @@
+//@ runDefault("--jitPolicyScale=0")
+let a = new Float32Array(new ArrayBuffer());
+
+function foo(f) {
+  try {
+    f();
+  } catch {}
+}
+
+for (let x of [null, null, null, null, null, null, null, a, a, a, a,]) {
+  foo(() => Atomics.sub(x));
+  foo(() => Atomics.sub(x));
+  foo(() => {
+    'use strict';
+    return Atomics.sub(x, 0, 0);
+  });
+  foo(() => Atomics.sub());
+  foo(() => Atomics.sub());
+}
+
+for (let z of '') {}
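Review bot: The `catch {}` in `foo` discards every exception, so this test only guards against a crash or assertion failure in the JIT and would still pass if `Atomics.sub` on the Float32Array silently succeeded instead of throwing. If the intent is also to pin the spec behaviour, the Float32Array iterations could check the caught value with `e instanceof TypeError` rather than dropping it. A header comment such as `// Atomics on Float32/Float64 typed arrays must stay on the generic path in DFG/FTL and never be speculated as integer typed arrays.` would state what the file exercises, and a short note on why `--jitPolicyScale=0` is used (presumably to reach the DFG/FTL quickly) would help the next reader.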

Modified: trunk/Source/_javascript_Core/ChangeLog (271572 => 271573)


--- trunk/Source/_javascript_Core/ChangeLog	2021-01-18 07:41:42 UTC (rev 271572)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-01-18 07:56:44 UTC (rev 271573)
@@ -1,5 +1,23 @@
 2021-01-17  Yusuke Suzuki  <[email protected]>
 
+        [JSC] DFG/FTL Atomics should not accept Float32/Float64 typed arrays
+        https://bugs.webkit.org/show_bug.cgi?id=220692
+        <rdar://problem/73238369>
+
+        Reviewed by Mark Lam.
+
+        We accidentally accept Float32/Float64 typed arrays. We should accept only integer TypedArrays (Int8, Uint8, ... etc.)
+        as specified in [1]. If the other types come, we just make it Array::Generic and call slow path which can handle them.
+
+        [1]: https://tc39.es/ecma262/#sec-validateintegertypedarray
+
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::isOneOfTypedArrayView const): Deleted.
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
+2021-01-17  Yusuke Suzuki  <[email protected]>
+
         [JSC] FTL OSR entry FlushFormat array is reversed
         https://bugs.webkit.org/show_bug.cgi?id=220695
         <rdar://problem/72930932>

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (271572 => 271573)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2021-01-18 07:41:42 UTC (rev 271572)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2021-01-18 07:56:44 UTC (rev 271573)
@@ -508,13 +508,6 @@
         return type() == Array::AnyTypedArray || isTypedView(typedArrayType());
     }
 
-    bool isOneOfTypedArrayView() const
-    {
-        if (type() == Array::AnyTypedArray)
-            return false;
-        return isTypedView(typedArrayType());
-    }
-    
     bool operator==(const ArrayMode& other) const
     {
         return type() == other.type()

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (271572 => 271573)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2021-01-18 07:41:42 UTC (rev 271572)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2021-01-18 07:56:44 UTC (rev 271573)
@@ -1335,34 +1335,46 @@
                 node->arrayMode().refine(
                     m_graph, node, base->prediction(), index->prediction()));
             
-            if (!node->arrayMode().isOneOfTypedArrayView()) {
+            switch (node->arrayMode().type()) {
+            case Array::Int8Array:
+            case Array::Uint8Array:
+            case Array::Int16Array:
+            case Array::Uint16Array:
+            case Array::Int32Array:
+            case Array::Uint32Array: {
+                for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
+                    Edge& child = m_graph.child(node, 2 + i);
+                    if (child->shouldSpeculateInt32())
+                        fixIntOrBooleanEdge(child);
+                    else if (child->shouldSpeculateInt52())
+                        fixEdge<Int52RepUse>(child);
+                    else {
+                        RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
+                        fixDoubleOrBooleanEdge(child);
+                    }
+                }
+
+                blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
+                if (node->arrayMode().type() != Array::Generic) {
+                    fixEdge<CellUse>(base);
+                    fixEdge<Int32Use>(index);
+
+                    if (node->arrayMode().type() == Array::Uint32Array) {
+                        // NOTE: This means basically always doing Int52.
+                        if (node->shouldSpeculateInt52())
+                            node->setResult(NodeResultInt52);
+                        else
+                            node->setResult(NodeResultDouble);
+                    }
+                }
+                break;
+            }
+            default: {
+                // Make it Array::Generic.
                 node->setArrayMode(ArrayMode(Array::Generic, node->arrayMode().action()));
                 break;
             }
-            
-            for (unsigned i = numExtraAtomicsArgs(node->op()); i--;) {
-                Edge& child = m_graph.child(node, 2 + i);
-                if (child->shouldSpeculateInt32())
-                    fixIntOrBooleanEdge(child);
-                else if (child->shouldSpeculateInt52())
-                    fixEdge<Int52RepUse>(child);
-                else {
-                    RELEASE_ASSERT(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL());
-                    fixDoubleOrBooleanEdge(child);
-                }
             }
-            
-            blessArrayOperation(base, index, m_graph.child(node, 2 + numExtraAtomicsArgs(node->op())));
-            fixEdge<CellUse>(base);
-            fixEdge<Int32Use>(index);
-            
-            if (node->arrayMode().type() == Array::Uint32Array) {
-                // NOTE: This means basically always doing Int52.
-                if (node->shouldSpeculateInt52())
-                    node->setResult(NodeResultInt52);
-                else
-                    node->setResult(NodeResultDouble);
-            }
             break;
         }
             
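Review bot: The `default:` comment `// Make it Array::Generic.` says what happens but not why, and the case list above it silently excludes Uint8ClampedArray along with the Float32/Float64 types; a reader checking this against the spec needs that spelled out. Suggest `// Only unclamped integer TypedArrays may take the fast path (ValidateIntegerTypedArray); Float32/Float64, Uint8Clamped and non-typed-array modes fall back to the generic slow path, which handles them.` The `if (node->arrayMode().type() != Array::Generic)` guard after `blessArrayOperation` sits inside cases that already established an integer typed-array mode, so it is either redundant or relies on `blessArrayOperation` being able to demote the mode — whichever holds, a one-line comment at that `if` would remove the ambiguity. The enclosing `fixupNode` case body begins before this hunk.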