Title: [264067] releases/WebKitGTK/webkit-2.28/Source/_javascript_Core
Revision
264067
Author
carlo...@webkit.org
Date
2020-07-08 02:01:40 -0700 (Wed, 08 Jul 2020)

Log Message

Merge r258452 - Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
https://bugs.webkit.org/show_bug.cgi?id=208685
<rdar://problem/60115088>

Reviewed by Saam Barati.

In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
to an Unchecked version of the same node.

Thanks to Samuel Groß of Google Project Zero for identifying this bug.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
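The equivalence problem the log describes, modelled as an added example (this is not WebKit code and not the DFG's real CSE pass): a toy value-numbering table runs over two ArithNegate and two ArithAbs nodes whose operand is INT32_MIN, once keyed on op and operand alone (the pre-fix PureValue) and once with the ArithMode folded into the key (the fix). The node shape, `evaluate`, `runCSE` and both key functions are constructions for this illustration; the only facts taken from the page are the two node kinds and the two modes. The program order (an Unchecked node first, a CheckOverflow node on the same operand after it) is an assumption that mirrors the usual source of an Unchecked negate, a result that only feeds a truncating context such as `| 0`.

```javascript
// Added example, not WebKit code: a toy model of the DFG CSE keying issue
// that r258452 fixes. Node shape, evaluate(), runCSE() and both key
// functions are constructed for this illustration.

const INT32_MIN = -2147483648;

// A toy DFG-style node: op is "ArithNegate" or "ArithAbs", mode is the
// ArithMode ("Unchecked" or "CheckOverflow"), child is a constant int32 input.
function makeNode(op, mode, child) {
  return { op, mode, child };
}

// Evaluate one node. Unchecked variants wrap to int32 (their result is only
// observed through a truncating context); CheckOverflow variants keep
// ECMAScript Number semantics, where -INT32_MIN and abs(INT32_MIN) leave the
// int32 range and become the double 2147483648.
function evaluate(node) {
  const x = node.child;
  switch (node.op) {
    case "ArithNegate":
      return node.mode === "Unchecked" ? (-x) | 0 : -x;
    case "ArithAbs":
      return node.mode === "Unchecked" ? Math.abs(x) | 0 : Math.abs(x);
    default:
      throw new Error(`unknown op ${node.op}`);
  }
}

// Toy common-subexpression elimination: the first node with a given key is
// evaluated, later nodes with the same key reuse that value. This is sound
// only if the key captures everything that affects the result.
function runCSE(nodes, keyOf) {
  const table = new Map();
  return nodes.map((node) => {
    const key = keyOf(node);
    if (table.has(key)) return table.get(key);
    const value = evaluate(node);
    table.set(key, value);
    return value;
  });
}

// Before the fix: the key is op + operand; the mode is forgotten.
const keyWithoutMode = (n) => `${n.op}:${n.child}`;
// After the fix: the mode is part of the key, like PureValue(node, node->arithMode()).
const keyWithMode = (n) => `${n.op}:${n.child}:${n.mode}`;

// Assumed program order: an unchecked use (say `(-x) | 0`) first, then a
// checked use of the same operand whose result must be a proper Number.
function demo(keyOf) {
  const nodes = [
    makeNode("ArithNegate", "Unchecked", INT32_MIN),
    makeNode("ArithNegate", "CheckOverflow", INT32_MIN),
    makeNode("ArithAbs", "Unchecked", INT32_MIN),
    makeNode("ArithAbs", "CheckOverflow", INT32_MIN),
  ];
  return runCSE(nodes, keyOf);
}

console.log("key without mode:", demo(keyWithoutMode));
// key without mode: [ -2147483648, -2147483648, -2147483648, -2147483648 ]
console.log("key with mode:   ", demo(keyWithMode));
// key with mode:    [ -2147483648, 2147483648, -2147483648, 2147483648 ]
```

Run it with `node`. In the first run the CheckOverflow nodes silently take the wrapped int32 result of the Unchecked nodes that preceded them, which is the merge the log describes; with the mode in the key each checked node is evaluated on its own and produces 2147483648. The real PureValue is keyed on the op, the children and an extra info word (the second constructor argument the patch now fills with the arith mode), so the string keys here are a sketch of the idea, not its implementation.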

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog (264066 => 264067)


--- releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog	2020-07-08 09:01:36 UTC (rev 264066)
+++ releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/ChangeLog	2020-07-08 09:01:40 UTC (rev 264067)
@@ -1,3 +1,20 @@
+2020-03-13  Tadeu Zagallo  <tzaga...@apple.com>
+
+        Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
+        https://bugs.webkit.org/show_bug.cgi?id=208685
+        <rdar://problem/60115088>
+
+        Reviewed by Saam Barati.
+
+        In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
+        respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
+        to an Unchecked version of the same node.
+
+        Thanks to Samuel Groß of Google Project Zero for identifying this bug.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2020-02-17  Tadeu Zagallo  <tzaga...@apple.com>
 
         [Wasm] REGRESSION(r256665): Wasm->JS call IC needs to save memory size register
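Review bot: the new entry lists only dfg/DFGClobberize.h and no test, so nothing in this merge guards against the CheckOverflow/Unchecked merge of ArithNegate and ArithAbs coming back; a JSTests/stress case that negates and takes Math.abs of -2147483648 on both a truncating (`| 0`) path and a plain Number path in the same function, then checks for 2147483648, would cover it. If the test was deliberately kept out of the stable-branch merge, say so in the entry so the omission is visibly intentional.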

Modified: releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/dfg/DFGClobberize.h (264066 => 264067)


--- releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/dfg/DFGClobberize.h	2020-07-08 09:01:36 UTC (rev 264066)
+++ releases/WebKitGTK/webkit-2.28/Source/_javascript_Core/dfg/DFGClobberize.h	2020-07-08 09:01:40 UTC (rev 264067)
@@ -228,7 +228,7 @@
 
     case ArithAbs:
         if (node->child1().useKind() == Int32Use || node->child1().useKind() == DoubleRepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
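Review bot: `def(PureValue(node, node->arithMode()));` is the right key for the Int32Use path, but the one-argument `PureValue(node)` on the `-` line is exactly the pattern that let this slip through, so please confirm the other ArithMode-carrying cases in this switch (ArithAdd, ArithSub, ArithMul, ArithDiv, ArithMod and their Int52 forms) already key on the mode, and add a one-line comment above this `def` saying the mode is part of the node's identity so a later cleanup does not drop it again. For DoubleRepUse the mode cannot change the result (a double abs does not overflow), so keying on it there only costs a little CSE; that is the conservative direction and fine to leave as is.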
@@ -248,7 +248,7 @@
         if (node->child1().useKind() == Int32Use
             || node->child1().useKind() == DoubleRepUse
             || node->child1().useKind() == Int52RepUse)
-            def(PureValue(node));
+            def(PureValue(node, node->arithMode()));
         else {
             read(World);
             write(Heap);
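Review bot: the hunk context does not show the `case ArithNegate:` label, so the reader has to trust the log that this `if` is the negate case; fine for a merge, but worth noting because the Int52RepUse branch matters here too: negating the most negative Int52 leaves the Int52 range just as negating INT32_MIN leaves int32, so if the Int52 path honours the arith mode the same way the Int32 path does, the `-` line's mode-free key allowed the same checked-versus-unchecked merge for Int52 values, and the `+` line closes both at once. A comment to that effect, or a test that covers the Int52 case alongside the Int32 one, would document that this was considered.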
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
