Title: [258452] trunk/Source/_javascript_Core
Revision: 258452
Author: tzaga...@apple.com
Date: 2020-03-13 17:19:24 -0700 (Fri, 13 Mar 2020)
Log Message
Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
https://bugs.webkit.org/show_bug.cgi?id=208685
<rdar://problem/60115088>
Reviewed by Saam Barati.
In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
to an Unchecked version of the same node.
Thanks to Samuel Groß of Google Project Zero for identifying this bug.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
Modified Paths
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/dfg/DFGClobberize.h
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (258451 => 258452)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-14 00:05:31 UTC (rev 258451)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-14 00:19:24 UTC (rev 258452)
@@ -1,3 +1,20 @@
+2020-03-13 Tadeu Zagallo <tzaga...@apple.com>
+
+ Missing arithMode for ArithAbs and ArithNegate in DFGClobberize
+ https://bugs.webkit.org/show_bug.cgi?id=208685
+ <rdar://problem/60115088>
+
+ Reviewed by Saam Barati.
+
+ In the pure case of ArithNegate and ArithAbs in DFGClobberize, their PureValues did not include their
+ respective ArithMode. That means that e.g. a CheckOverflow ArithNegate/Abs could be considered equivalent
+ to an Unchecked version of the same node.
+
+ Thanks to Samuel Groß of Google Project Zero for identifying this bug.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
2020-03-13 Myles C. Maxfield <mmaxfi...@apple.com>
[Cocoa] Push applicationSDKVersion() down from WebCore into WTF
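Review bot: the entry lists no regression test, and this bug only surfaces when CSE actually merges two nodes, so it needs one. Please add a JSTests/stress case (and cite it in the file list above) that places a CheckOverflow ArithNegate or ArithAbs after an Unchecked one on the same Int32 input (one way to get the Unchecked variant is to consume that result with `|0`) and feeds the one value where the modes disagree, -2147483648, asserting that the checked site still yields 2147483648 rather than the wrapped value. A second case should cover the negative-zero variant of ArithNegate by negating 0 and observing the sign through 1/x.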
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (258451 => 258452)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2020-03-14 00:05:31 UTC (rev 258451)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2020-03-14 00:19:24 UTC (rev 258452)
@@ -228,7 +228,7 @@
case ArithAbs:
if (node->child1().useKind() == Int32Use || node->child1().useKind() == DoubleRepUse)
- def(PureValue(node));
+ def(PureValue(node, node->arithMode()));
else {
read(World);
write(Heap);
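Review bot: add a one-line comment above `def(PureValue(node, node->arithMode()));` stating that the mode is part of the node's identity, so nobody "simplifies" it back to `PureValue(node)`. The reason is worth spelling out: on the Int32Use path an Unchecked abs of INT32_MIN wraps back to INT32_MIN, while a CheckOverflow abs of the same input must exit, so letting the two share a value silently drops the check. For DoubleRepUse the mode cannot change the result (a double abs neither overflows nor traps), so keying on it there only forgoes CSE; that is a safe default and consistent with the other Arith* cases in this file that already key on `node->arithMode()`, but the comment should say the conservatism is intended.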
@@ -248,7 +248,7 @@
if (node->child1().useKind() == Int32Use
|| node->child1().useKind() == DoubleRepUse
|| node->child1().useKind() == Int52RepUse)
- def(PureValue(node));
+ def(PureValue(node, node->arithMode()));
else {
read(World);
write(Heap);
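Review bot: the same comment belongs here, and for ArithNegate it should name both ways the modes differ, since this case covers three use kinds: for Int32Use and Int52RepUse a CheckOverflow negate must exit when its input is the minimum representable value, which an Unchecked negate wraps; and a CheckOverflowAndNegativeZero negate must exit on a zero input (-0 is observable in JS), which an Unchecked negate returns as 0. The old key would have merged either pairing. It is also worth a quick pass over the remaining `def(PureValue(node))` uses in this file for any other node whose semantics depend on `node->arithMode()` but whose key still omits it.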
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes