Title: [288190] releases/WebKitGTK/webkit-2.34/Source/_javascript_Core
- Revision: 288190
- Author: ape...@igalia.com
- Date: 2022-01-19 04:53:33 -0800 (Wed, 19 Jan 2022)
Log Message
Merge r284585 - [JSC] ArithAbs should care about INT32_MIN
https://bugs.webkit.org/show_bug.cgi?id=232051
rdar://84338648
Reviewed by Michael Saboff.
ArithAbs (without overflow check) can return negative value if the input is INT32_MIN with Int32Use.
* dfg/DFGIntegerRangeOptimizationPhase.cpp:
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog (288189 => 288190)
--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog 2022-01-19 12:53:29 UTC (rev 288189)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog 2022-01-19 12:53:33 UTC (rev 288190)
@@ -1,3 +1,15 @@
+2021-10-20 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] ArithAbs should care about INT32_MIN
+ https://bugs.webkit.org/show_bug.cgi?id=232051
+ rdar://84338648
+
+ Reviewed by Michael Saboff.
+
+ ArithAbs (without overflow check) can return negative value if the input is INT32_MIN with Int32Use.
+
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+
2021-10-20 Michael Saboff <msab...@apple.com>
Add missing overflow checks to DFGIntegerRangeOptimizationPhase::isEquivalentTo()
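Review bot: The new entry's file line, `* dfg/DFGIntegerRangeOptimizationPhase.cpp:`, has nothing after the colon, and the entry names no test. A short per-file description (the ArithAbs case asserts the non-negative relationship only when overflow is checked or the input's lower bound excludes INT32_MIN) would make this merge easier to audit. This revision touches only the ChangeLog and the one .cpp file, so a regression test for ArithAbs on an INT32_MIN input should be referenced or added as well.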
Modified: releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp (288189 => 288190)
--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2022-01-19 12:53:29 UTC (rev 288189)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2022-01-19 12:53:33 UTC (rev 288190)
@@ -1400,7 +1400,25 @@
case ArithAbs: {
if (node->child1().useKind() != Int32Use)
break;
- setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
+
+ // If ArithAbs cares about overflow, then INT32_MIN input will cause OSR exit.
+ // Thus we can safely say `x >= 0`.
+ if (shouldCheckOverflow(node->arithMode())) {
+ setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
+ break;
+ }
+
+ // If ArithAbs does not care about overflow, it can return INT32_MIN if the input is INT32_MIN.
+ // If minValue is not INT32_MIN, we can still say it is `x >= 0`.
+ int minValue = std::numeric_limits<int>::min();
+ auto iter = m_relationships.find(node->child1().node());
+ if (iter != m_relationships.end()) {
+ for (Relationship relationship : iter->value)
+ minValue = std::max(minValue, relationship.minValueOfLeft());
+ }
+
+ if (minValue > std::numeric_limits<int>::min())
+ setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1));
break;
}
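Review bot: In the non-overflow branch, the loop `for (Relationship relationship : iter->value)` copies each Relationship on every iteration although only `minValueOfLeft()` is called on it; a `const Relationship&` binding would avoid the copies, provided that method is const. The bound is declared as `int` with `std::numeric_limits<int>::min()` while both comments speak of INT32_MIN; typing it as `int32_t` would tie the sentinel to the Int32Use guard at the top of the case. Both branches also end in the identical `setRelationship(Relationship(node, m_zero, Relationship::GreaterThan, -1))` call, so computing one boolean (overflow is checked, or the child's lower bound is above INT32_MIN) and calling it once would keep the asserted fact in a single place. It would also help to state in the second comment that an input with no recorded relationship keeps the INT32_MIN default and therefore gets no relationship at all, since that conservative fallthrough is the core of the fix.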