Title: [286283] trunk
Revision
286283
Author
[email protected]
Date
2021-11-29 20:43:51 -0800 (Mon, 29 Nov 2021)

Log Message

[JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
https://bugs.webkit.org/show_bug.cgi?id=233610
rdar://85820476

Reviewed by Saam Barati.

JSTests:

* stress/anyint-index.js: Added.
(foo):

Source/_javascript_Core:

Since we are using isAnyInt, we should use asAnyInt. asUInt32 will crash
if the value is a double AnyInt, etc.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):

Diff

Modified: trunk/JSTests/ChangeLog (286282 => 286283)


--- trunk/JSTests/ChangeLog	2021-11-30 04:23:14 UTC (rev 286282)
+++ trunk/JSTests/ChangeLog	2021-11-30 04:43:51 UTC (rev 286283)
@@ -1,3 +1,14 @@
+2021-11-29  Yusuke Suzuki  <[email protected]>
+
+        [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+        https://bugs.webkit.org/show_bug.cgi?id=233610
+        rdar://85820476
+
+        Reviewed by Saam Barati.
+
+        * stress/anyint-index.js: Added.
+        (foo):
+
 2021-11-29  Saam Barati  <[email protected]>
 
         FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole

Added: trunk/JSTests/stress/anyint-index.js (0 => 286283)


--- trunk/JSTests/stress/anyint-index.js	                        (rev 0)
+++ trunk/JSTests/stress/anyint-index.js	2021-11-30 04:43:51 UTC (rev 286283)
@@ -0,0 +1,14 @@
+let ta = new Uint8Array(1);
+
+function foo(arg0) {
+  'a'.__defineGetter__('x', () => {
+    arg0;
+  });
+  arg0 **= 0;
+  ta[arg0];
+}
+
+
+for (let i = 0; i < 10000; i++) {
+  foo(0);
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (286282 => 286283)


--- trunk/Source/_javascript_Core/ChangeLog	2021-11-30 04:23:14 UTC (rev 286282)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-11-30 04:43:51 UTC (rev 286283)
@@ -1,3 +1,17 @@
+2021-11-29  Yusuke Suzuki  <[email protected]>
+
+        [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+        https://bugs.webkit.org/show_bug.cgi?id=233610
+        rdar://85820476
+
+        Reviewed by Saam Barati.
+
+        Since we are using isAnyInt, then we should use asAnyInt. asUInt32 will crash
+        if the value is double AnyInt etc.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+
 2021-11-29  Saam Barati  <[email protected]>
 
         FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (286282 => 286283)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-30 04:23:14 UTC (rev 286282)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-11-30 04:43:51 UTC (rev 286283)
@@ -3537,7 +3537,7 @@
     if (view) {
         size_t length = view->length();
         Node* indexNode = m_jit.graph().child(node, 1).node();
-        if (indexNode->isAnyIntConstant() && indexNode->asUInt32() < length)
+        if (indexNode->isAnyIntConstant() && static_cast<uint64_t>(indexNode->asAnyInt()) < length)
             return JITCompiler::Jump();
 #if USE(LARGE_TYPED_ARRAYS)
         m_jit.signExtend32ToPtr(indexGPR, scratchGPR);
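Review bot: the `static_cast<uint64_t>` on the new line deserves a short comment, since its behaviour for negative constants is load-bearing: if `asAnyInt()` yields a negative value, the cast turns it into a very large unsigned number, the `< length` comparison fails, and the function falls through to emit the runtime bounds check rather than wrongly eliding it. That is the correct, conservative outcome, but a reader could mistake the cast for a bug. Spelling it out (for example, `// Negative indices wrap to a huge value and fail the check, keeping the runtime bounds test.`) makes the intent explicit. Comparing against `size_t length` is fine on both 32-bit and 64-bit targets because the usual arithmetic conversions promote the comparison to 64 bits.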
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes