[webkit-changes] [137951] trunk

[fpizlo]

Title: [137951] trunk

Revision

137951

Author

fpi...@apple.com

Date

2012-12-17 15:10:41 -0800 (Mon, 17 Dec 2012)

Log Message

_javascript_ integer overflow
https://bugs.webkit.org/show_bug.cgi?id=104967

Reviewed by Mark Hahnenberg.

Source/_javascript_Core: 

Fix PutScopedVar backward flow.

* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):

LayoutTests: 

* fast/js/dfg-put-scoped-var-backward-flow-expected.txt: Added.
* fast/js/dfg-put-scoped-var-backward-flow.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-put-scoped-var-backward-flow.js: Added.
(sum):

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/fast/js/jsc-test-list
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp

Added Paths

• trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow-expected.txt
• trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow.html
• trunk/LayoutTests/fast/js/script-tests/dfg-put-scoped-var-backward-flow.js

Diff

Modified: trunk/LayoutTests/ChangeLog (137950 => 137951)

--- trunk/LayoutTests/ChangeLog	2012-12-17 23:08:20 UTC (rev 137950)
+++ trunk/LayoutTests/ChangeLog	2012-12-17 23:10:41 UTC (rev 137951)
@@ -1,3 +1,16 @@
+2012-12-17  Filip Pizlo  <fpi...@apple.com>
+
+        _javascript_ integer overflow
+        https://bugs.webkit.org/show_bug.cgi?id=104967
+
+        Reviewed by Mark Hahnenberg.
+
+        * fast/js/dfg-put-scoped-var-backward-flow-expected.txt: Added.
+        * fast/js/dfg-put-scoped-var-backward-flow.html: Added.
+        * fast/js/jsc-test-list:
+        * fast/js/script-tests/dfg-put-scoped-var-backward-flow.js: Added.
+        (sum):
+
 2012-12-17  Tab Atkins  <jackalm...@gmail.com>
 
         Chromium rebaseline fast/gradients/css3-linear-angle-gradients.html

Added: trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow-expected.txt (0 => 137951)

--- trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow-expected.txt	2012-12-17 23:10:41 UTC (rev 137951)
@@ -0,0 +1,209 @@
+Tests that the DFG treats the operand to PutScopedVar as escaping in an unconstrained way.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS sum([2147483646, 2147483644]) is 4294967290
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Added: trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow.html (0 => 137951)

--- trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-put-scoped-var-backward-flow.html	2012-12-17 23:10:41 UTC (rev 137951)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Modified: trunk/LayoutTests/fast/js/jsc-test-list (137950 => 137951)

--- trunk/LayoutTests/fast/js/jsc-test-list	2012-12-17 23:08:20 UTC (rev 137950)
+++ trunk/LayoutTests/fast/js/jsc-test-list	2012-12-17 23:10:41 UTC (rev 137951)
@@ -157,6 +157,7 @@
 fast/js/dfg-poison-fuzz
 fast/js/dfg-proto-access-inline-osr-exit
 fast/js/dfg-put-by-id-prototype-check
+fast/js/dfg-put-scoped-var-backward-flow
 fast/js/dfg-putbyval-cfa-clobber
 fast/js/dfg-redundant-load-of-captured-variable-proven-constant
 fast/js/dfg-side-effect-assignment-osr-exit

Added: trunk/LayoutTests/fast/js/script-tests/dfg-put-scoped-var-backward-flow.js (0 => 137951)

--- trunk/LayoutTests/fast/js/script-tests/dfg-put-scoped-var-backward-flow.js	                        (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-put-scoped-var-backward-flow.js	2012-12-17 23:10:41 UTC (rev 137951)
@@ -0,0 +1,15 @@
+description(
+"Tests that the DFG treats the operand to PutScopedVar as escaping in an unconstrained way."
+);
+
+function sum(nums) {
+    var total = 0;
+    nums.forEach(function (num) {
+        total += num;
+    });
+    return total;
+}
+
+for (var i = 0; i < 200; ++i)
+    shouldBe("sum([2147483646, 2147483644])", "4294967290");
+

Modified: trunk/Source/_javascript_Core/ChangeLog (137950 => 137951)

--- trunk/Source/_javascript_Core/ChangeLog	2012-12-17 23:08:20 UTC (rev 137950)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-12-17 23:10:41 UTC (rev 137951)
@@ -1,3 +1,15 @@
+2012-12-17  Filip Pizlo  <fpi...@apple.com>
+
+        _javascript_ integer overflow
+        https://bugs.webkit.org/show_bug.cgi?id=104967
+
+        Reviewed by Mark Hahnenberg.
+
+        Fix PutScopedVar backward flow.
+
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+
 2012-12-16  Filip Pizlo  <fpi...@apple.com>
 
         Rationalize array profiling for out-of-bounds and hole cases

Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (137950 => 137951)

--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2012-12-17 23:08:20 UTC (rev 137950)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2012-12-17 23:10:41 UTC (rev 137951)
@@ -723,6 +723,10 @@
             break;
 
         case PutScopedVar:
+            changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsValue);
+            changed |= m_graph[node.child3()].mergeFlags(NodeUsedAsValue);
+            break;
+            
         case Return:
         case Throw:
             changed |= m_graph[node.child1()].mergeFlags(NodeUsedAsValue);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes