Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 73a98da7fb81b965b76a7e5ee474a0a89936e5ea
      
https://github.com/WebKit/WebKit/commit/73a98da7fb81b965b76a7e5ee474a0a89936e5ea
  Author: Keith Miller <[email protected]>
  Date:   2024-12-13 (Fri, 13 Dec 2024)

  Changed paths:
    A JSTests/stress/put-by-val-alias-out-of-bounds.js
    M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
    M Source/JavaScriptCore/dfg/DFGHeapLocation.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

  Log Message:
  -----------
  TypedArray OutOfBounds gets ArrayModes need to report this to `def`
https://bugs.webkit.org/show_bug.cgi?id=282450
rdar://138178696

Reviewed by Yusuke Suzuki.

Now that TypedArrays don't force an OSR exit on an out of bounds access, we could incorrectly convert a PutByVal to a PutByValAlias. In particular, if we have something like:

```
 18  1 28:   D@69:<!3:->    GetByVal(KnownCell:D@49, Int32:D@64, Check:Untyped:D@139, JS|MustGen|VarArgs|PureInt|UseAsInt, BoolInt32|NonBoolInt32|Other, Int32Array+OriginalNonArray+OutOfBounds+AsIs+Read, R:TypedArrayProperties,MiscFields, Exits, bc#60, ExitValid)  predicting BoolInt32|Other
 19  1 28:   D@70:<!0:->    MovHint(Check:Untyped:D@69, MustGen, loc9, W:SideState, ClobbersExit, bc#60, ExitInvalid)
 20  1 28:   D@72:< 1:->    JSConstant(JS|PureInt|UseAsInt, NonBoolInt32, Int32: 65535, bc#66, ExitValid)
 21  1 28:  D@140:< 1:->    ValueToInt32(NotCellNorBigInt:D@69, Int32|PureInt|UseAsInt, Int32, Exits, bc#66, ExitValid)
 22  1 28:   D@73:< 2:->    ArithBitAnd(KnownInt32:D@140, Int32:D@72, Int32|PureNum|NeedsNegZero|NeedsNaNOrInfinity|UseAsOther, Int32, Exits, bc#66, ExitValid)
 23  1 28:   D@86:<!0:->    Phantom(Check:Untyped:D@69, MustGen, bc#66, ExitValid)
 24  1 28:   D@74:<!0:->    MovHint(Check:Untyped:D@73, MustGen, loc9, W:SideState, ClobbersExit, bc#66, ExitInvalid)
 25  1 28:   D@76:<!0:->    PutByVal(KnownCell:D@49, Int32:D@64, Int32:D@73, Check:Untyped:D@139, MustGen|VarArgs, Int32Array+OriginalNonArray+InBounds+AsIs+Write, R:MiscFields, W:TypedArrayProperties, Exits, ClobbersExit, bc#72, ExitValid)
```

The above PutByVal will be converted to a PutByValAlias since it appears to `def` write the same HeapLocation `GetByVal` says it defs. TypedArrays should now report that the HeapLocation they're writing to is OutOfBoundsSaneChain. We don't have to actually check the prototype chain for typed arrays since they don't consult it for indexed properties.

* JSTests/stress/put-by-val-alias-out-of-bounds.js: Added.
(test):
* Source/JavaScriptCore/dfg/DFGCSEPhase.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
(WTF::printInternal): Deleted.
* Source/JavaScriptCore/dfg/DFGHeapLocation.h:
(JSC::DFG::indexedPropertyLocToOutOfBoundsSaneChain):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileContiguousPutByVal):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):

Originally-landed-as: 283286.410@safari-7620-branch (903f38de509c). 
rdar://141317752
Canonical link: https://commits.webkit.org/287805@main
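The IR dump in the commit message above (GetByVal that may be out of bounds, ValueToInt32, ArithBitAnd with 65535, PutByVal back to the same slot) is what an optimizing tier produces for a source-level read-modify-write on a typed array. The following is an added example, not the commit's own `put-by-val-alias-out-of-bounds.js` test and not WebKit code; the function names `maskInPlace`, `exercise` and `checkInvariants` are assumptions. It encodes the ECMAScript semantics any JIT tier must preserve for this pattern: an out-of-bounds read yields `undefined`, `undefined & 0xffff` is `0`, and an out-of-bounds typed-array write is silently dropped, so neither the length nor the contents change and no extra property appears. It runs in any JavaScript engine; an engine that wrongly treats the write as in-bounds (the alias conversion the commit removes) would violate one of the checked invariants.

```javascript
// Added example (not the commit's test file): the source-level pattern behind
// the GetByVal -> ValueToInt32 -> ArithBitAnd -> PutByVal sequence in the IR dump.
// Semantics being checked: typed-array OOB reads give undefined, OOB writes are
// dropped, and masking in bounds stores (value & 0xffff).

function maskInPlace(arr, i) {
    // Read (possibly out of bounds), mask to 16 bits, write back to the same index.
    arr[i] = arr[i] & 0xffff;
    return arr[i];
}

// Run the function enough times that an optimizing tier would compile it,
// alternating in-bounds and out-of-bounds indices so both paths are exercised.
// Returns a summary the caller checks against the language semantics.
function exercise(iterations) {
    const arr = new Int32Array(4);      // constructed sample input
    arr.fill(0x12345678);
    let oobResult;
    let inBoundsResult;
    for (let n = 0; n < iterations; n++) {
        inBoundsResult = maskInPlace(arr, n & 3);             // index 0..3: in bounds
        oobResult = maskInPlace(arr, arr.length + (n & 3));   // index 4..7: out of bounds
    }
    return {
        length: arr.length,                  // must still be 4
        oobResult,                           // must be undefined: OOB write was dropped
        inBoundsResult,                      // 0x12345678 & 0xffff === 0x5678
        contents: Array.from(arr),           // every element masked, nothing else touched
        // Typed arrays never materialize properties for OOB integer indices.
        leakedProperties: Object.keys(arr).filter((k) => Number(k) >= arr.length),
    };
}

// True when every invariant of the typed-array read-modify-write held.
function checkInvariants(summary) {
    return summary.length === 4
        && summary.oobResult === undefined
        && summary.inBoundsResult === 0x5678
        && summary.contents.every((v) => v === 0x5678)
        && summary.leakedProperties.length === 0;
}

if (!checkInvariants(exercise(10000))) {
    throw new Error("typed-array out-of-bounds write semantics violated");
}
```

The index alternation matters: the GetByVal in the dump carries the `OutOfBounds` array mode precisely because the function had been observed reading past the end, while the PutByVal still claimed `InBounds`; a test that only ever stays in bounds would never reach the path the commit changes.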
