Title: [128822] trunk/Source/JavaScriptCore
Revision: 128822
Author: [email protected]
Date: 2012-09-17 16:36:21 -0700 (Mon, 17 Sep 2012)

Log Message

32-bit LLInt get_by_val does vector length checks incorrectly
https://bugs.webkit.org/show_bug.cgi?id=96893
<rdar://problem/12311678>

Reviewed by Mark Hahnenberg.

* llint/LowLevelInterpreter32_64.asm:

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (128821 => 128822)


--- trunk/Source/_javascript_Core/ChangeLog	2012-09-17 23:34:26 UTC (rev 128821)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-09-17 23:36:21 UTC (rev 128822)
@@ -1,5 +1,15 @@
 2012-09-17  Filip Pizlo  <[email protected]>
 
+        32-bit LLInt get_by_val does vector length checks incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=96893
+        <rdar://problem/12311678>
+
+        Reviewed by Mark Hahnenberg.
+
+        * llint/LowLevelInterpreter32_64.asm:
+
+2012-09-17  Filip Pizlo  <[email protected]>
+
         We don't have a bad enough time if an object's prototype chain crosses global objects
         https://bugs.webkit.org/show_bug.cgi?id=96962
 
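Review bot: The new ChangeLog entry ends at `* llint/LowLevelInterpreter32_64.asm:` with no description of what was wrong or what changed. A sentence stating that the get_by_val vector length check read `IndexingHeader::m_vectorLength` relative to the wrong base register, and that it now uses the butterfly pointer, would let someone reading the log judge the impact without opening the diff. The entry also names no test, so it should say whether one exists or why none was added.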

Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm (128821 => 128822)


--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2012-09-17 23:34:26 UTC (rev 128821)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2012-09-17 23:36:21 UTC (rev 128822)
@@ -1313,7 +1313,7 @@
     loadi 12[PC], t3
     loadConstantOrVariablePayload(t3, Int32Tag, t1, .opGetByValSlow)
     loadp JSObject::m_butterfly[t0], t3
-    biaeq t1, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t0], .opGetByValSlow
+    biaeq t1, -sizeof IndexingHeader + IndexingHeader::m_vectorLength[t3], .opGetByValSlow
     loadi 4[PC], t0
     loadi ArrayStorage::m_vector + TagOffset[t3, t1, 8], t2
     loadi ArrayStorage::m_vector + PayloadOffset[t3, t1, 8], t1
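Review bot: The corrected bounds check on the `biaeq` line ships without a regression test; the revision touches only the ChangeLog and this file. The old operand took `m_vectorLength` relative to `t0`, while the line above loads `JSObject::m_butterfly[t0]` into `t3` and the `ArrayStorage::m_vector` loads below index off `t3`, so the index in `t1` was compared against a word that is not the vector length and could pass the check when it should have branched to `.opGetByValSlow`. A test that exercises get_by_val with indices just below, at, and past the vector length on a 32-bit LLInt build would keep this from regressing. It is also worth auditing any other use of `-sizeof IndexingHeader + IndexingHeader::m_vectorLength` in this file for the same base-register mix-up, and a short comment noting that `t3` holds the butterfly at this point would make the operand easier to verify by eye.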