Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
https://github.com/WebKit/WebKit/commit/fb4ca5da0f8e84a9e186efd411a0f14d709de0b4
Author: Yusuke Suzuki <[email protected]>
Date: 2023-05-22 (Mon, 22 May 2023)
Changed paths:
A
JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
FTL missing bound check of for-in loop
https://bugs.webkit.org/show_bug.cgi?id=252801
rdar://105820083
Reviewed by Michael Saboff.
EnumeratorNextUpdateIndexAndMode for IndexedMode uses HasIndexProperty
internally. But
this node does not do bound check when ArrayMode is inBounds in FTL since FTL
SSALowering
phase extracts this bound check as a separate CheckInBounds node. But
EnumeratorNextUpdateIndexAndMode,
we cannot do that since EnumeratorNextUpdateIndexAndMode's index is incremented
internally. Thus,
we need to do bound check inside EnumeratorNextUpdateIndexAndMode when it is
not done in HasIndexProperty's
code.
* JSTests/stress/ftl-bound-check-for-enumerator-next-update-index-and-mode.js:
Added.
(shouldBe):
(opt):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Originally-landed-as: 259548.377@safari-7615-branch (25a414a61f3e).
rdar://105820083
Canonical link: https://commits.webkit.org/264326@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
