Title: [265112] trunk
- Revision: 265112
- Author: ticaiol...@gmail.com
- Date: 2020-07-30 15:17:10 -0700 (Thu, 30 Jul 2020)
Log Message
[JSC][32-bits] iterator_next should check for EmptyValue instead of undefined to execute LLInt fast path
https://bugs.webkit.org/show_bug.cgi?id=214963
Reviewed by Yusuke Suzuki.
JSTests:
* stress/invalidate-array-iterator-prototype-next.js: Added.
Source/JavaScriptCore:
There was a bug in the previous implementation that allowed execution of the `iterator_next` fast path if we set ArrayIterator.prototype.next to 0. This happened because we were not properly checking `ValueEmpty` from `m_next`. This patch fixes this issue by doing the proper verification.
* llint/LowLevelInterpreter32_64.asm:
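The JS-level contract this patch restores is that once %ArrayIteratorPrototype%.next is replaced by a non-callable value, a for-of over an array must throw a TypeError rather than silently run the intrinsic fast path. The following harness is an added example, not part of the commit or of WebKit's test suite; it sweeps several constructed non-callable values (the commit's own test uses only 0), checks that a callable replacement is honoured, and always restores the original `next`:

```javascript
// Added example (not from the WebKit commit): exercise the observable
// behaviour that replacing %ArrayIteratorPrototype%.next with a
// non-callable value makes for-of throw a TypeError.
const arrayIteratorProto = Object.getPrototypeOf([][Symbol.iterator]());
const originalNext = arrayIteratorProto.next;

// Replace `next` with `replacement`, iterate a small array and report what
// happened. The original `next` is restored in `finally` so later array
// iteration in the same process keeps working.
function iterateWithReplacedNext(replacement) {
  const seen = [];
  arrayIteratorProto.next = replacement;
  try {
    for (const ele of [1, 2, 3]) {
      seen.push(ele);
    }
    return { threw: false, typeError: false, seen };
  } catch (e) {
    // Parentheses matter: `!e instanceof TypeError` parses as
    // `(!e) instanceof TypeError`, which is always false.
    return { threw: true, typeError: e instanceof TypeError, seen };
  } finally {
    arrayIteratorProto.next = originalNext;
  }
}

// Constructed sample of non-callable replacements; every one must end in a
// TypeError, not in a successful (fast-path) iteration.
const NON_CALLABLE = [0, false, null, undefined, "next", {}];

function allNonCallableThrowTypeError() {
  return NON_CALLABLE.every((v) => iterateWithReplacedNext(v).typeError);
}

// A callable replacement is used instead of the intrinsic: this one reports
// `done` immediately, so the loop body must never run.
function callableReplacementIsUsed() {
  const r = iterateWithReplacedNext(function () {
    return { done: true, value: undefined };
  });
  return !r.threw && r.seen.length === 0;
}

// After the harness has run, normal array iteration is intact again.
function originalNextRestored() {
  return arrayIteratorProto.next === originalNext && [...[4, 5]].length === 2;
}
```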
Diff
Modified: trunk/JSTests/ChangeLog (265111 => 265112)
--- trunk/JSTests/ChangeLog 2020-07-30 22:08:19 UTC (rev 265111)
+++ trunk/JSTests/ChangeLog 2020-07-30 22:17:10 UTC (rev 265112)
@@ -1,3 +1,12 @@
+2020-07-30 Caio Lima <ticaiol...@gmail.com>
+
+ [JSC][32-bits] interator_next should check for EmptyValue instead of undefined to execute LLInt fast path
+ https://bugs.webkit.org/show_bug.cgi?id=214963
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/invalidate-array-iterator-prototype-next.js: Added.
+
2020-07-30 Yusuke Suzuki <ysuz...@apple.com>
Unreviewed, fix bottom-tuple.js test
Added: trunk/JSTests/stress/invalidate-array-iterator-prototype-next.js (0 => 265112)
--- trunk/JSTests/stress/invalidate-array-iterator-prototype-next.js (rev 0)
+++ trunk/JSTests/stress/invalidate-array-iterator-prototype-next.js 2020-07-30 22:17:10 UTC (rev 265112)
@@ -0,0 +1,13 @@
+Array.prototype[Symbol.iterator]().__proto__.next = 0;
+
+let arr = [1, 2, 3];
+
+try {
+ for (let ele of arr) {
+ throw new Error("It should never execute");
+ }
+} catch(e) {
+ if (!e instanceof TypeError)
+ throw new Error("It should throw a TypeError, but it threw " + e);
+}
+
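Review bot: the check in the catch block, `if (!e instanceof TypeError)`, is an operator-precedence bug: it parses as `(!e) instanceof TypeError`, which is always false, so the test can never report a wrong exception type. It should read `if (!(e instanceof TypeError))`. The test also passes silently when no exception is thrown at all and the loop body is somehow skipped; setting a flag in the catch block and throwing after the try/catch when it is unset would make the expected TypeError mandatory rather than optional.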
Modified: trunk/Source/_javascript_Core/ChangeLog (265111 => 265112)
--- trunk/Source/_javascript_Core/ChangeLog 2020-07-30 22:08:19 UTC (rev 265111)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-07-30 22:17:10 UTC (rev 265112)
@@ -1,3 +1,18 @@
+2020-07-30 Caio Lima <ticaiol...@gmail.com>
+
+ [JSC][32-bits] interator_next should check for EmptyValue instead of undefined to execute LLInt fast path
+ https://bugs.webkit.org/show_bug.cgi?id=214963
+
+ Reviewed by Yusuke Suzuki.
+
+ There was a bug in previous implementation that allows execution of
+ `interator_next` fast path if we set ArrayIterator.prototype.next to
+ 0. This happened because we were not properly checking `ValueEmpty`
+ from `m_next`. This patch is fixing such issue and doing the proper
+ verification.
+
+ * llint/LowLevelInterpreter32_64.asm:
+
2020-07-30 Saam Barati <sbar...@apple.com>
Strip pointers instead of authing for byteOffset to not allow for a possible way to guess data pac
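Review bot: the names in the description do not match the code this patch changes. The entry refers to `interator_next` and `ValueEmpty`, while the opcode in LowLevelInterpreter32_64.asm is `op_iterator_next` and the constant compared against is `EmptyValueTag`; aligning the ChangeLog text with those identifiers makes the entry searchable from the code.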
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (265111 => 265112)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2020-07-30 22:08:19 UTC (rev 265111)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2020-07-30 22:17:10 UTC (rev 265112)
@@ -2769,8 +2769,7 @@
llintOpWithMetadata(op_iterator_next, OpIteratorNext, macro (size, get, dispatch, metadata, return)
loadVariable(get, m_next, t0, t1, t0)
- bieq t1, UndefinedTag, .iteratorNextGeneric
- btinz t0, .iteratorNextGeneric
+ bineq t1, EmptyValueTag, .iteratorNextGeneric
macro fastNarrow()
callSlowPath(_iterator_next_try_fast_narrow)
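Review bot: the old check sent only `undefined` (tag test) or a non-zero payload (`btinz t0`) to the generic path, so any value with a zero payload but a different tag, such as the integer 0 in the new test, fell through to the fast path; the replacement `bineq t1, EmptyValueTag, .iteratorNextGeneric` tests the tag positively and drops the payload test, which is only sufficient if the empty value is identified by its tag alone on the 32_64 encoding, so that should be stated in a short comment on the new line (why empty means "no override observed, use the intrinsic"). Since only LowLevelInterpreter32_64.asm is touched, it is also worth confirming that LowLevelInterpreter64.asm already tests for the empty value rather than for undefined, or the same fast-path bypass may exist there.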
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes