Title: [287626] branches/safari-612-branch
Revision
287626
Author
repst...@apple.com
Date
2022-01-05 10:20:59 -0800 (Wed, 05 Jan 2022)

Log Message

Cherry-pick r286283. rdar://problem/87125362

    [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
    https://bugs.webkit.org/show_bug.cgi?id=233610
    rdar://85820476

    Reviewed by Saam Barati.

    JSTests:

    * stress/anyint-index.js: Added.
    (foo):

    Source/_javascript_Core:

    Since we are using isAnyInt, we should use asAnyInt. asUInt32 will crash
    if the value is a double AnyInt, etc.

    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286283 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-612-branch/JSTests/ChangeLog (287625 => 287626)


--- branches/safari-612-branch/JSTests/ChangeLog	2022-01-05 18:20:56 UTC (rev 287625)
+++ branches/safari-612-branch/JSTests/ChangeLog	2022-01-05 18:20:59 UTC (rev 287626)
@@ -1,5 +1,41 @@
 2022-01-05  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r286283. rdar://problem/87125362
+
+    [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+    https://bugs.webkit.org/show_bug.cgi?id=233610
+    rdar://85820476
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/anyint-index.js: Added.
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    Since we are using isAnyInt, then we should use asAnyInt. asUInt32 will crash
+    if the value is double AnyInt etc.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286283 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-29  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+            https://bugs.webkit.org/show_bug.cgi?id=233610
+            rdar://85820476
+
+            Reviewed by Saam Barati.
+
+            * stress/anyint-index.js: Added.
+            (foo):
+
+2022-01-05  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r286275. rdar://problem/87125258
 
     [JSC] slice should be aware of TerminationException
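Review bot: the `* stress/anyint-index.js: Added.` entry in this hunk names the new test and its `(foo):` function but says nothing about what the test exercises; one line such as "regression test: a constant typed-array index that is an AnyInt but not a UInt32 must not crash the DFG" would let a reader of the ChangeLog understand the test without opening it, and it would tie the test back to the `asUInt32` crash described in the Source/_javascript_Core entry.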

Added: branches/safari-612-branch/JSTests/stress/anyint-index.js (0 => 287626)


--- branches/safari-612-branch/JSTests/stress/anyint-index.js	                        (rev 0)
+++ branches/safari-612-branch/JSTests/stress/anyint-index.js	2022-01-05 18:20:59 UTC (rev 287626)
@@ -0,0 +1,14 @@
+let ta = new Uint8Array(1);
+
+function foo(arg0) {
+  'a'.__defineGetter__('x', () => {
+    arg0;
+  });
+  arg0 **= 0;
+  ta[arg0];
+}
+
+
+for (let i = 0; i < 10000; i++) {
+  foo(0);
+}
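Review bot: the new test has no comment explaining which parts of its shape matter, so a future maintainer cannot tell what may be simplified: the closure passed to `'a'.__defineGetter__('x', () => { arg0; })` exists only to capture `arg0`, the `arg0 **= 0;` step is what turns the index into the kind of AnyInt constant the commit title refers to, and the bare `ta[arg0];` read is the access whose bounds-check path is under test. A header comment pointing at https://bugs.webkit.org/show_bug.cgi?id=233610 and stating that the test passes simply by not crashing once the 10000-iteration loop has tiered `foo` up would document that; the double blank line before the `for` loop should also be collapsed to one, matching the rest of the file.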

Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (287625 => 287626)


--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2022-01-05 18:20:56 UTC (rev 287625)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2022-01-05 18:20:59 UTC (rev 287626)
@@ -1,5 +1,44 @@
 2022-01-05  Russell Epstein  <repst...@apple.com>
 
+        Cherry-pick r286283. rdar://problem/87125362
+
+    [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+    https://bugs.webkit.org/show_bug.cgi?id=233610
+    rdar://85820476
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/anyint-index.js: Added.
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    Since we are using isAnyInt, then we should use asAnyInt. asUInt32 will crash
+    if the value is double AnyInt etc.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286283 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-29  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] jumpForTypedArrayOutOfBounds should use asAnyInt since it uses isAnyInt
+            https://bugs.webkit.org/show_bug.cgi?id=233610
+            rdar://85820476
+
+            Reviewed by Saam Barati.
+
+            Since we are using isAnyInt, then we should use asAnyInt. asUInt32 will crash
+            if the value is double AnyInt etc.
+
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+
+2022-01-05  Russell Epstein  <repst...@apple.com>
+
         Cherry-pick r286275. rdar://problem/87125258
 
     [JSC] slice should be aware of TerminationException
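Review bot: the explanation "asUInt32 will crash if the value is double AnyInt etc." records the symptom but not the reasoning behind the replacement, and the nested entry repeats it twice (once in the cherry-pick body at four-space indentation and again in the embedded 2021-11-29 entry at twelve spaces) without adding anything on the second pass. Since the accompanying code change casts the result of `asAnyInt()` to `uint64_t` before comparing it with `length`, the entry should say why: a negative AnyInt constant must not satisfy the comparison, because satisfying it elides the bounds check. Stating that here would make the ChangeLog a self-contained record of the fix.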

Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (287625 => 287626)


--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-01-05 18:20:56 UTC (rev 287625)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-01-05 18:20:59 UTC (rev 287626)
@@ -3247,7 +3247,7 @@
     if (view) {
         size_t length = view->length();
         Node* indexNode = m_jit.graph().child(node, 1).node();
-        if (indexNode->isAnyIntConstant() && indexNode->asUInt32() < length)
+        if (indexNode->isAnyIntConstant() && static_cast<uint64_t>(indexNode->asAnyInt()) < length)
             return JITCompiler::Jump();
 #if USE(LARGE_TYPED_ARRAYS)
         m_jit.signExtend32ToPtr(indexGPR, scratchGPR);
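Review bot: the `static_cast<uint64_t>(...)` in `+        if (indexNode->isAnyIntConstant() && static_cast<uint64_t>(indexNode->asAnyInt()) < length)` needs a comment, because it carries the whole safety argument for this fast path: when the condition holds the function returns an empty `JITCompiler::Jump()` and no bounds check is emitted for the access. The cast is what makes a negative AnyInt constant compare as a very large unsigned value and therefore fall through to the emitted check, and a reader should not have to derive that. Suggest a comment along the lines of "Negative and out-of-range constants must not pass this test, since passing it elides the bounds check", and noting in the same place that the previous `asUInt32()` call crashed (as the commit message says) on an AnyInt constant that is not representable as a UInt32, so the change fixes a crash on a constant index rather than altering which indices are accepted.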