Title: [182562] trunk
Revision
182562
Author
[email protected]
Date
2015-04-08 13:22:53 -0700 (Wed, 08 Apr 2015)

Log Message

DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
https://bugs.webkit.org/show_bug.cgi?id=143532

Reviewed by Gavin Barraclough.
        
Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in JavaScript.
But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
would think that there never was wrap-around.
        
This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.

* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::isValid):
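The technique the log message describes, shown as an added, stand-alone example (this is not WebKit's code; `Int32Range`, the two check functions and the sample ranges are assumptions made for the illustration). It places the well-defined unsigned form of the check next to an exact 64-bit reference so the reader can see where the two coincide and where the wrapped form deliberately keeps the old two's-complement behaviour:

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

constexpr int32_t kInt32Max = std::numeric_limits<int32_t>::max();
constexpr int32_t kInt32Min = std::numeric_limits<int32_t>::min();

// Hypothetical stand-in for the bounds of an ArrayBounds key (assumption: both
// bounds are 32-bit signed integers, as the patch's uint32_t conversions imply).
struct Int32Range {
    int32_t minBound;
    int32_t maxBound;
};

// The well-defined form of the check, mirroring the patched isValid(): convert
// to uint32_t first, so the subtraction is modular by definition, then test the
// sign bit of the 32-bit result. This is what the old signed expression
// computed under two's-complement wrap, minus the undefined behaviour that let
// the compiler assume the wrap could never happen.
bool boundsDifferenceFitsInt31(Int32Range range)
{
    uint32_t maxBound = static_cast<uint32_t>(range.maxBound);
    uint32_t minBound = static_cast<uint32_t>(range.minBound);
    uint32_t unsignedDifference = maxBound - minBound;
    return !(unsignedDifference >> 31);
}

// Reference: the mathematically exact condition 0 <= max - min < 2^31,
// computed in 64 bits where the subtraction cannot overflow.
bool exactDifferenceFitsInt31(Int32Range range)
{
    int64_t difference = static_cast<int64_t>(range.maxBound) - static_cast<int64_t>(range.minBound);
    return difference >= 0 && difference < (static_cast<int64_t>(1) << 31);
}

// Do the two formulations agree for this range? They differ only when
// minBound exceeds maxBound by more than 2^31: the modular difference then
// wraps back below 2^31 and the unsigned check reports "valid", exactly as the
// original signed expression did whenever the compiler honoured wrap-around.
bool formulationsAgree(Int32Range range)
{
    return boundsDifferenceFitsInt31(range) == exactDifferenceFitsInt31(range);
}

int main()
{
    // Constructed sample ranges covering the interesting boundaries.
    const Int32Range samples[] = {
        { 0, 10 },                // ordinary bounds: valid
        { 0, kInt32Max },         // difference 2^31 - 1: still valid
        { -1, kInt32Max },        // difference exactly 2^31: bit 31 set, invalid
        { kInt32Min, kInt32Max }, // difference 2^32 - 1: invalid
        { 10, 0 },                // min > max by a little: invalid either way
        { kInt32Max, kInt32Min }, // min > max by 2^32 - 1: the formulations diverge
    };
    for (const Int32Range& range : samples) {
        std::printf("min=%11d max=%11d  unsigned-check=%d  exact=%d  agree=%d\n",
            range.minBound, range.maxBound,
            boundsDifferenceFitsInt31(range), exactDifferenceFitsInt31(range),
            formulationsAgree(range));
    }
    return 0;
}
```

The last sample is the caveat worth carrying over from the patch: the unsigned form is a faithful, defined replacement for the old expression, not a stricter one, so it relies on the same implicit precondition (minBound <= maxBound) that the old code did.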

Modified Paths

Diff

Modified: trunk/Makefile.shared (182561 => 182562)


--- trunk/Makefile.shared	2015-04-08 20:09:59 UTC (rev 182561)
+++ trunk/Makefile.shared	2015-04-08 20:22:53 UTC (rev 182562)
@@ -12,6 +12,8 @@
 	XCODE_OPTIONS += _ONLY_ACTIVE_ARCH_=NO
 endif
 
+XCODE_OPTIONS += TOOLCHAINS=com.apple.dt.toolchain.OSX10_11
+
 DEFAULT_VERBOSITY := $(shell defaults read org.webkit.BuildConfiguration BuildTranscriptVerbosity 2>/dev/null || echo "default")
 VERBOSITY ?= $(DEFAULT_VERBOSITY)
 
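Review bot: this hunk is not covered by the commit message or by the ChangeLog entry in the same revision, both of which list only dfg/DFGIntegerCheckCombiningPhase.cpp. The added `XCODE_OPTIONS += TOOLCHAINS=com.apple.dt.toolchain.OSX10_11` pins every xcodebuild invocation to one toolchain identifier, which is a build-environment change with its own consequences for anyone whose Xcode does not ship that toolchain. Either split it into its own commit with a ChangeLog entry stating why it is needed (if it is how the "bleeding-edge clang" mentioned in the log gets selected, say so), or drop it from this change.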

Modified: trunk/Source/_javascript_Core/ChangeLog (182561 => 182562)


--- trunk/Source/_javascript_Core/ChangeLog	2015-04-08 20:09:59 UTC (rev 182561)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-04-08 20:22:53 UTC (rev 182562)
@@ -1,3 +1,19 @@
+2015-04-08  Filip Pizlo  <[email protected]>
+
+        DFG::IntegerCheckCombiningPhase's wrap-around check shouldn't trigger C++ undef behavior on wrap-around
+        https://bugs.webkit.org/show_bug.cgi?id=143532
+
+        Reviewed by Gavin Barraclough.
+        
+        Oh the irony!  We were protecting an optimization that only worked if there was no wrap-around in _javascript_.
+        But the C++ code had wrap-around, which is undef in C++.  So, if the compiler was smart enough, our compiler
+        would think that there never was wrap-around.
+        
+        This fixes a failure in stress/tricky-array-boiunds-checks.js when JSC is compiled with bleeding-edge clang.
+
+        * dfg/DFGIntegerCheckCombiningPhase.cpp:
+        (JSC::DFG::IntegerCheckCombiningPhase::isValid):
+
 2015-04-07  Michael Saboff  <[email protected]>
 
         Lazily initialize LogToSystemConsole flag to reduce memory usage
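Review bot: the entry records only `* dfg/DFGIntegerCheckCombiningPhase.cpp:`, but this revision also modifies the top-level Makefile.shared; that change needs its own ChangeLog entry (or should be moved out of this commit) so the log matches the diff.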

Modified: trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp (182561 => 182562)


--- trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp	2015-04-08 20:09:59 UTC (rev 182561)
+++ trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp	2015-04-08 20:22:53 UTC (rev 182562)
@@ -355,8 +355,17 @@
             return false;
         
         switch (key.m_kind) {
-        case ArrayBounds:
-            return (range.m_maxBound - range.m_minBound) >= 0;
+        case ArrayBounds: {
+            // Have to do this carefully because C++ compilers are too smart. But all we're really doing is detecting if
+            // the difference between the bounds is 2^31 or more. If it was, then we'd have to worry about wrap-around.
+            // The way we'd like to write this _expression_ is (range.m_maxBound - range.m_minBound) >= 0, but that is a
+            // signed subtraction and compare, which allows the C++ compiler to do anything it wants in case of
+            // wrap-around.
+            uint32_t maxBound = range.m_maxBound;
+            uint32_t minBound = range.m_minBound;
+            uint32_t unsignedDifference = maxBound - minBound;
+            return !(unsignedDifference >> 31);
+        }
             
         default:
             return true;
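Review bot: the comment frames the check as "detecting if the difference between the bounds is 2^31 or more", but `return !(unsignedDifference >> 31);` reproduces the two's-complement result of the old `(range.m_maxBound - range.m_minBound) >= 0`, so it also returns true when m_minBound exceeds m_maxBound by more than 2^31 (the modular difference then lands below 2^31). If the ArrayBounds key guarantees m_minBound <= m_maxBound, state that precondition in the comment or ASSERT it; if it does not, compute the difference in int64_t and return `difference >= 0 && difference < (static_cast<int64_t>(1) << 31)` instead. The implicit conversions on the `uint32_t maxBound = range.m_maxBound;` / `uint32_t minBound = range.m_minBound;` lines also assume the bound fields are 32-bit; a wider type would be silently truncated, so a static_assert on their size (or explicit casts) would document that assumption.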
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
